Re: [otrs] Re: LDAP Authentication using Microsoft Active Directory server

This is one of mine in case you wanted to compare: # AD/LDAP - working on and may explode at any point (I put this here because our domain admins like to move objects at will). $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'; $Self->{'AuthModule::LDAP::Host'} = 'corp.blahblah.com'; $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=corp,dc=blahblah,dc=com'; $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName'; $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_svcs,OU=Service Accounts,DC=corp,DC=blahblah,DC=com'; $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password'; $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP'; $Self->{'Customer::AuthModule::LDAP::Host'} = 'corp.blahblah.com'; $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=corp,dc=blahblah,dc=com'; $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName'; $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_svcs,OU=Service Accounts,DC=corp,DC=blahblah,DC=com'; $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password'; $Self->{CustomerUser} = { Name => 'blahblah AD', Module => 'Kernel::System::CustomerUser::LDAP', Params => { Host => 'corp.blahblah.com', BaseDN => 'ou=blahblah Employees,dc=corp,dc=gtsi,dc=com', SSCOPE => 'sub', AlwaysFilter => '(&(sAMAccountName=*)(mail=*))', UserDN => 'CN=otrs_svcs,OU=Service Accounts,DC=corp,DC=blahblah,DC=com', UserPw => 'password', }, CustomerKey => 'sAMAccountName', CustomerID => 'mail', CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'], CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'], CustomerUserPostMasterSearchFields => ['mail'], CustomerUserNameFields => ['givenname', 'sn'], Map => [ # note: Login, Email and CustomerID needed! # var, frontend, storage, shown, required, storage-type [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ], [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ], [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ], [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ], [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ], ], }; # UserSyncLDAPMap # (map if agent should create/synced from LDAP to DB after login) $Self->{UserSyncLDAPMap} = { # DB -> LDAP Firstname => 'givenName', Lastname => 'sn', Email => 'mail', }; # UserSyncLDAPGroups # (If "LDAP" was selected for AuthModule, you can specify # initial user groups for first login.) $Self->{UserSyncLDAPGroups} = [ 'Domain Users', ]; # UserTable $Self->{DatabaseUserTable} = 'system_user'; $Self->{DatabaseUserTableUserID} = 'id'; $Self->{DatabaseUserTableUserPW} = 'pw'; $Self->{DatabaseUserTableUser} = 'login'; } On 9/21/07 2:48 PM, "Robert Aldridge" wrote:

Finally got it working...

I changed every entry of:

'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';

to:

'tsteel\OTRS'

and, to pull user data to the local DB, I added:

# UserSyncLDAPMap # (map if agent should create/synced from LDAP to DB after login) $Self->{UserSyncLDAPMap} = { # DB -> LDAP Firstname => 'givenName', Lastname => 'sn', Email => 'mail', };

# UserSyncLDAPGroups # (If "LDAP" was selected for AuthModule, you can specify initial # user groups for first login.) $Self->{UserSyncLDAPGroups} = [ 'users', ];

Perhaps this will help someone else who's trying to set OTRS up with Microsoft Active Directory.

Thanks,

Robert Aldridge

On 9/21/07, Robert Aldridge wrote:

...

Hi folks,

First let me say that OTRS appears to be a great product! Kudos to the developers!

We are in the process of evaluating our options for a helpdesk/trouble-ticket system. I would really like to give OTRS a good evaluation, but I'm having some problems. Our chosen solution must be able to authenticate users (both agents and customers) via Microsoft Active Directory. It appears that this is possible, but I've yet to have any success. I'll outline the steps I've taken and solicit any input from the community.

OTRS is working fine when authenticating against it's own database. Here's what I've done to try to authenticate against AD:

I edited Kernel/Config.pm and added:

http://Config.pm >

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'; $Self->{'AuthModule::LDAP::Host'} = ' lincoln.tsteel.com http://lincoln.tsteel.com '; $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com'; $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName'; $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com'; $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP'; $Self->{'Customer::AuthModule::LDAP::Host'} = ' lincoln.tsteel.com http://lincoln.tsteel.com '; $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com'; $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName'; $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com'; $Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = 'password';

$Self->{CustomerUser} = { Module => 'Kernel::System::CustomerUser::LDAP', Params => { Host => ' lincoln.tsteel.com http://lincoln.tsteel.com ', BaseDN => 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com', SSCOPE => 'sub', UserDN => 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com', UserPW => 'password', }, CustomerKey => 'sAMAccountName', CustomerID => 'mail', CustomerUserListFields => 'sAMAccountName', 'cn', 'mail', CustomerUserSearchFields => 'sAMAccountName', 'cn', 'mail', CustomerUserPostMasterSearchFields => 'mail', CustomerUserNameFields => 'givenname', 'sn', Map => [ [ 'UserFirstName', 'Firstname', 'givenname', 1, 1, 'var' ], [ 'UserLastName', 'Lastname', 'sn', 1, 1, 'var' ], [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ], [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ], [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ], ], };

http://Config.pm >

On my AD box, I ran: ldifde -f users.ldf -d "OU=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com" -r ""

Which returned a listing of all users in the Tuscaloosa - Sheet Mill org unit. Within the users.ldf file (output from the above command), there's an entry for OTRS Admin:

<begin snippet from users.ldf>

dn: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com changetype: add objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: OTRS sn: Admin givenName: OTRS distinguishedName: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com instanceType: 4 whenCreated: 20070920125829.0Z whenChanged: 20070921135825.0Z displayName: OTRS uSNCreated: 8512826 uSNChanged: 8549454 name: OTRS objectGUID:: po7FpWyIxEWWQeiUc9XMwA== userAccountControl: 66048 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 128347689772801250 lastLogoff: 0 lastLogon: 128347693211238750 pwdLastSet: 128347667099207500 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAApR5XA/l+DSsgfDsl4xwAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: OTRS sAMAccountType: 805306368 userPrincipalName: OTRS@tsteel.com objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tsteel,DC=com dSCorePropagationData: 20070921135825.0Z dSCorePropagationData: 20070921135825.0Z dSCorePropagationData: 20070921135825.0Z dSCorePropagationData: 20070921131751.0Z dSCorePropagationData: 16010108151056.0Z lastLogonTimestamp: 128347680934676250

<end snippet from users.ldf>

With this configuration, when I attempt to login as an agent using my username (which I know is valid in AD), it errors out with:

Login failed! Your username or password was entered incorrectly.

And, when I revert the Config.pm http://Config.pm back (so I can log in) and check the system log, I see:

User: raldridge authentication failed, no LDAP entry found!BaseDN='ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com', Filter='(sAMAccountName=raldridge)', (REMOTE_ADDR: 10.1.1.50 http://10.1.1.50 ).

Any help would be greatly appreciated.

Thanks,

Robert Aldridge

_______________________________________________ OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs Support or consulting for your OTRS system? => http://www.otrs.com/

-Andy Lubel --