
Ah, got it.
Thanks for your help!!
On 6/12/07, Matthew Joyce
Sorry, much *appreciated*. However, I have not been able to log in as a customer yet. I used the config you kindly provided, and really the only parts I changed are those which pertain to my setup:
ldaphost, ldapuser, ldapuserpw, basedn, agent group dn, and user group dn.
I can log in as an Agent, but not as a customer. Here's the log output:
I log in:
Kernel::System::Auth::LDAP::Auth] User: mjoyce (CN=Matt Joyce,OU=IT,OU=Operations,OU=xxxx,DC=xxxx,DC=xxxx) authentication ok (REMOTE_ADDR: xxx.xxx.xxx.xxx).
I log out:
[Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 10ac457be93b8d791d1529f8552d0b0c13.
I try as customer:
[Notice][Kernel::System::Auth::LDAP::Auth] User: mjoyce.test authentication failed, no LDAP group entry foundGroup DN='cn=OTRS-Agents,ou=Groups,dc=xxxx,dc=xxxx', Filter='(member=CN=mjoyce.test,OU=IT,OU=Operations,OU=xxxx,DC=xxx,DC=xxxx)'! (REMOTE_ADDR: xxx.xxx.xxx.xxx).
To me this seems right: my customer account mjoyce.test is not a member of the agent group. But why doesn't it test (and report in the log file) against the customer group?
Have I completely misunderstood something? Customers are able to log in via the web, right?
Thanks
On 6/12/07, Matthew Joyce wrote:
Much unappreciated Greg, I'm going to work through this today. I have the Agent group working, but not the customer group.
With your setup, are Agents in both groups?
Thanks
On 6/8/07, Greg Horne wrote:
Sorry to hear it's going slow. Had fun also with getting it to work using AD. You did not include all of your config for LDAP, so I'll just cover a few general things.
Set up a user account that can browse AD's LDAP (username: OTRS_Account, password: whatever); you may want to make it never expire.
Set up two groups, one for Customers and one for Agents.
Make AD users members of the Customers group.
Add the AD users that you want to use the system as an agent to the Agents group.
Create a user in OTRS and add it to the admin group, using the same username that you intend to log in to AD with.
Modify your Config.pm file, adding the following to allow agents and customers/users to log in using LDAP. Modify for your structure. Taken from my setup; add and modify as needed. Just an example:

############## Start of Config.pm ################
<snip>
# We want to use LDAP for Auth
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domainname,dc=win,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# The username and password of the user you set up to access LDAP information in AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'whateverYourPasswordIs';

# We want our Customer/users to Auth using LDAP
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.domain.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'whateverYourPasswordIs';

# Customer user backend: read customer records from AD
$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'ldap.domain.com',
        BaseDN => 'OU=Users,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com',
        SSCOPE => 'sub',
        UserDN => 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com',
        UserPw => 'whateverYourPasswordIs',
    },
    CustomerKey                        => 'sAMAccountName',
    CustomerID                         => 'userPrincipalName',
    CustomerUserListFields             => ['displayName', 'userPrincipalName'],
    CustomerUserSearchFields           => ['displayName', 'userPrincipalName'],
    # Must be an array reference, not a bare word
    CustomerUserPostMasterSearchFields => ['userPrincipalName'],
    CustomerUserNameFields             => ['givenName', 'sn'],
    # The following must map to valid fields in your AD (givenName, sn, sAMAccountName, ...)
    Map => [
        [ 'UserFirstname',  'Firstname',  'givenname',         1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',                1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',    1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'userPrincipalName', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'userPrincipalName', 0, 1, 'var' ],
    ],
};

# OK, now let's have our agents use LDAP
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=helpdesk_agents,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Customers are checked against their own group
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=helpdesk_customers,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# UserSyncLDAPMap
# (map if agent should be created/synced from LDAP to DB after login; must match your AD)
$Self->{UserSyncLDAPMap} = {
    # DB -> LDAP
    Firstname => 'givenName',
    Lastname  => 'sn',
    Email     => 'userPrincipalName',
};

# UserSyncLDAPGroups
# (If "LDAP" was selected for AuthModule, you can specify
# initial user groups for first login.)
$Self->{UserSyncLDAPGroups} = [
    'users',
];
<snip>
##################### End of Config.pm ####################
Restart OTRS and try logging in using the username you set up as the admin, but use your AD password. Should work. They log in as a customer using the username and password that you put in the customer group in AD.
Have Fun
GEH

-----Original Message-----
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Matthew Joyce
Sent: Thursday, June 07, 2007 9:40 PM
To: otrs
Subject: [otrs] ORTS, LDAP and AD groups
Hi all,
I'm having glacial progress with getting otrs (Debian) to authenticate with Active Directory. I have trawled the archives and I'm still not even sure the setup I'm after can be done.
I have a standard structure of OUs. Customer and Agent accounts are distributed throughout the OUs. I'd like to put Agents in a group to distinguish them from Customers. The login IDs should be their sAMAccountName.
Group membership can be derived from the group attribute 'member', which contains users' DNs.
Here's the config...
$Self->{'AuthModule::LDAP::UID'} = 'samAccountName';
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Agents,ou=Groups,dc=domain,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'distinguishedname';
Looking at the log, it seems membership is being tested using the Login ID and failing.
Jun 8 11:37:28 vm-helpdesk OTRS-CGI-10[13668]: [Notice][Kernel::System::Auth::LDAP::Auth] User: mjoyce authentication failed, no LDAP group entry foundGroupDN='cn=OTRS-Agents,ou=Groups,dc=domain,dc=local', Filter='(member=mjoyce)'! (REMOTE_ADDR: x.x.x.x).
Have I misunderstood how this authentication process works? Can anyone advise me?
Thanks
Matt

_______________________________________________ OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs Support or consulting for your OTRS system? => http://www.otrs.com/
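The difference between Matt's failing filter '(member=mjoyce)' and the DN-based filter in Greg's config comes down to the UserAttr setting. The following is an added example (not code from this thread or from OTRS itself): an offline Python model of the two-step agent check that Kernel::System::Auth::LDAP performs, run against a constructed directory; the DNs, accounts, passwords and the OTRS-Customers group are all made up for the illustration.

```python
# Added example, not code from the thread or from OTRS: an offline model of the two-step
# check Kernel::System::Auth::LDAP performs (find the user's DN by UID, then test the
# group's AccessAttr against either that DN or the bare login name).
# Constructed stand-in for the AD tree: DN -> attributes. userPassword stands in for
# the bind OTRS does as the user; real AD never exposes a password attribute this way.
AGENT_DN = "CN=Matt Joyce,OU=IT,OU=Operations,DC=domain,DC=local"
CUST_DN = "CN=mjoyce.test,OU=IT,OU=Operations,DC=domain,DC=local"
DIRECTORY = {
    AGENT_DN: {"sAMAccountName": "mjoyce", "userPassword": "agent-pass"},
    CUST_DN: {"sAMAccountName": "mjoyce.test", "userPassword": "cust-pass"},
    "CN=OTRS-Agents,OU=Groups,DC=domain,DC=local": {"member": [AGENT_DN]},
    "CN=OTRS-Customers,OU=Groups,DC=domain,DC=local": {"member": [AGENT_DN, CUST_DN]},
}

def find_user_dn(base_dn, uid_attr, login):
    """Step 1: the SearchUserDN account looks up (uid_attr=login) below BaseDN."""
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(base_dn.lower()) and attrs.get(uid_attr, "").lower() == login.lower():
            return dn
    return None

def group_filter(user_attr, access_attr, login, user_dn):
    """Step 2: the membership filter carries the user's DN only when UserAttr is
    exactly 'DN'; any other value ('distinguishedname' included) falls back to the login."""
    value = user_dn if user_attr == "DN" else login
    return f"({access_attr}={value})"

def group_has(group_dn, filt):
    """Evaluate the equality filter against the group entry; DNs match case-insensitively."""
    attr, _, value = filt[1:-1].partition("=")
    return any(m.lower() == value.lower() for m in DIRECTORY.get(group_dn, {}).get(attr, []))

def authenticate(login, password, cfg):
    """Return (ok, filter_used); filter_used is what the 'no LDAP group entry found' line logs."""
    user_dn = find_user_dn(cfg["BaseDN"], cfg["UID"], login)
    if user_dn is None or DIRECTORY[user_dn]["userPassword"] != password:
        return False, None  # the bind as the user failed; no group check is attempted
    filt = group_filter(cfg["UserAttr"], cfg["AccessAttr"], login, user_dn)
    return group_has(cfg["GroupDN"], filt), filt

# Matt's original agent settings (UserAttr='distinguishedname') beside Greg's (UserAttr='DN').
BROKEN = {"BaseDN": "DC=domain,DC=local", "UID": "sAMAccountName", "AccessAttr": "member",
          "UserAttr": "distinguishedname", "GroupDN": "CN=OTRS-Agents,OU=Groups,DC=domain,DC=local"}
FIXED = dict(BROKEN, UserAttr="DN")
CUSTOMER = dict(FIXED, GroupDN="CN=OTRS-Customers,OU=Groups,DC=domain,DC=local")

if __name__ == "__main__":
    for login, pw, cfg in [("mjoyce", "agent-pass", BROKEN), ("mjoyce", "agent-pass", FIXED),
                           ("mjoyce.test", "cust-pass", FIXED), ("mjoyce.test", "cust-pass", CUSTOMER)]:
        print(login, authenticate(login, pw, cfg))
```

Running it reproduces the thread: the broken config yields '(member=mjoyce)' and fails, the DN-based config admits the agent, and the customer account only passes when checked against its own group DN.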