[otrs] User LDAP authentication

7 Jan 2009

      Hello,

I have User LDAP authentication working using Novell's eDirectory as
the backend but want to make the addition of requiring group membership.
 When I enable the group code: 
     $Self->{'AuthModule::LDAP::GroupDN'} =
'cn=HelpDeskAgents,ou=office,o=protected';
I get the following error:
User: blw authentication failed, no LDAP group entry
foundGroupDN='cn=HelpDeskAgents,ou=office,o=protected',
Filter='(memberUID=cn=blw,ou=OFFICE,o=protected)'! (REMOTE_ADDR:
10.xx.xx.xx).

Here is the relevant config.pm code:
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'vos1.protected.protected.us';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=office,o=protected';
    $Self->{'AuthModule::LDAP::UID'} = 'cn';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} =
'cn=HelpDeskAgents,ou=office,o=protected';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUID';
    # for ldap posixGroups objectclass (just uid)
    # $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
    # for non ldap posixGroups objectclass (with full user dn)
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN'} =
'cn=ldapproxy,o=protected';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'protected';

    # in case you want to add always one filter to each ldap query,
use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter =>
'(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    # $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

    # Net::LDAP new params (if needed - for more info see perldoc
Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

My group, HelpDeskAgents, has the posixGroup extensions and I have
tried both the posixGroups and the non ldap posixGroups but get the same
results.  Currently I'm set for non ldap posixGroups.

Here is a command line ldapsearch against the same LDAP directory for
the group HelpDeskAgents:
ldapsearch -h vos1.protected.protected.us -p 389 -D
cn=ldapproxy,o=protected -W -b "ou=office,o=protected" -x
"(&(objectClass=Group)(cn=HelpDeskAgents))"
Enter LDAP Password:

# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(objectClass=Group)(cn=HelpDeskAgents))
# requesting: ALL
#

# HelpDeskAgents, OFFICE, PROTECTED
dn: cn=HelpDeskAgents,ou=OFFICE,o=PROTECTED
uamPosixWorkstationList: cn=UNIX Workstation -
SERVERNAME,ou=OFFICE,o=PROTECTED
gidNumber: 601
equivalentToMe: cn=blw,ou=OFFICE,o=PROTECTED
objectClass: groupOfNames
objectClass: Top
objectClass: posixGroup
objectClass: uamPosixGroup
member: cn=blw,ou=OFFICE,o=PROTECTED
cn: HelpDeskAgents
ACL: 2#entry#[Root]#member
ACL: 2#entry#[Public]#gidNumber
ACL: 2#entry#[Public]#uamPosixWorkstationList
ACL: 2#entry#[Public]#member
ACL: 1#entry#[Public]#cn
ACL: 2#entry#[Public]#uamPosixPAMServiceExcludeList

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Any assistance would be greatly appreciated.

Thanks,

Bart

[otrs] User LDAP authentication

Bart Wallace