
Hi Michiel,
Thank you for your quick response. I thought the LDAP sync was a performance
enhancement rather than a necessity; cheers for pointing that out.
Unfortunately I'm still having issues with it. It seems my OTRS installation
is very sensitive to that extra bit of code: I just implemented the below
and I was unable to even get into the logon page. Therefore, to prevent any
major damage, I thought I would post it to see where I'm going wrong:
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://myserver.domain.local/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'UID';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Searcher,OU=OTRS LDAP Searcher,DC=domain,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'myotrspassword';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
};
[...]
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
Any thoughts as to what I'm doing wrong?
Thanks,
David
On Mon, Aug 3, 2009 at 8:25 PM, Michiel Beijen
You'd need to also configure LDAPSync (and, map attributes from LDAP to OTRS) in order for the accounts to automatically synchronize. See the part under "AuthSyncModule" in the Manual:
http://doc.otrs.org/2.4/en/html/x1826.html
Kind regards,
--
Michiel Beijen
Software Consultant
+31 6 - 457 42 418
Bee Free IT + http://beefreeit.nl
On Mon, Aug 3, 2009 at 21:06, David Holder wrote:
Hi Chaps,
I'm trying to authenticate agents on my OTRS implementation (OTRSforwin) by adopting the LDAP template like so: (Windows Server 2003 Active Directory domain controller)
########## Start of LDAP Config ##########
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'myserver.domain.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=OTRS Admins,dc=domain,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';

# for ldap posixGroups objectclass (just uid)
#$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Searcher,ou=OTRS LDAP Searcher,dc=domain,dc=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'myotrspassword';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
Output from Log File:
[Mon Aug 3 19:51:40 2009][Notice][Kernel::System::Auth::LDAP::Auth] User: David Holder (CN=David Holder,OU=IT,DC=domain,DC=local) authentication ok (REMOTE_ADDR: 127.0.0.1).
[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'David Holder'!
[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'David Holder'!
[Mon Aug 3 19:51:40 2009][Notice][Kernel::System::User::GetUserData] Panic! No UserData for user: 'David Holder'!!!
Does anyone have any ideas what is wrong with my config?
Your help is most appreciated.
David
--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW! http://www.otrs.com/en/support/enterprise-subscription/
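As an added example (not part of the original messages and not OTRS code): a Python sketch that scans a log in the format quoted in this thread and reports logins where LDAP authentication succeeded but the agent lookup failed right afterwards, which is the pattern in the log excerpt. The sample lines, user names and the 5-second correlation window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the log format quoted in this thread (names are made up).
SAMPLE_LOG = """\
[Mon Aug 3 19:51:40 2009][Notice][Kernel::System::Auth::LDAP::Auth] User: jdoe (CN=J Doe,OU=IT,DC=example,DC=local) authentication ok (REMOTE_ADDR: 127.0.0.1).
[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'jdoe'!
[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'jdoe'!
[Mon Aug 3 19:52:05 2009][Notice][Kernel::System::Auth::LDAP::Auth] User: asmith (CN=A Smith,OU=IT,DC=example,DC=local) authentication ok (REMOTE_ADDR: 127.0.0.1).
[Mon Aug 3 20:30:00 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'asmith'!
"""

# [timestamp][Level][Module] with an optional [line-number] field, then the message.
LINE = re.compile(r"^\[([^\]]+)\]\[(\w+)\]\[([\w:]+)\](?:\[\d+\])?\s+(.*)$")
AUTH_OK = re.compile(r"^User: (.+?) \((.+)\) authentication ok \(REMOTE_ADDR: ([^)]+)\)")
NO_UID = re.compile(r"^No UserID found for '(.+)'!")

def parse(line):
    """Split one log line into (timestamp, level, module, message), or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    return ts, m.group(2), m.group(3), m.group(4)

def unsynced_logins(log_text, window=timedelta(seconds=5)):
    """Return {login: dn} for users who passed LDAP auth but had no local agent record."""
    recent_ok = {}   # login -> (timestamp, dn) of the last successful LDAP auth
    findings = {}
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ts, _level, module, msg = rec
        if module.endswith("Auth::LDAP::Auth") and (m := AUTH_OK.match(msg)):
            recent_ok[m.group(1)] = (ts, m.group(2))
        elif module.endswith("User::UserLookup") and (m := NO_UID.match(msg)):
            ok = recent_ok.get(m.group(1))
            # Only correlate a lookup failure that closely follows the auth success.
            if ok and timedelta(0) <= ts - ok[0] <= window:
                findings[m.group(1)] = ok[1]
    return findings

if __name__ == "__main__":
    for login, dn in unsynced_logins(SAMPLE_LOG).items():
        print(f"{login}: directory auth ok, no local agent record ({dn})")
```
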