
Michael,
Sorry, I'm working from an Ubuntu box, so I'm not sure how you'd do it with
ActivePerl on a Windows Server.
Logging in to OTRS via the browser interface, I just use <username> (not
Haven't used ActivePerl for a while but try this from a command prompt,
ppm install Net::LDAP
Ed
On 24-Sep-07, at 3:37 PM, Michael Holland wrote:
This is actually on a Windows Server 2003 box. Any thoughts on how to install NET::LDAP on a Windows box? I'm sorry, I'm not a PERL expert at all.
Thanks.
-----Original Message-----
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Edward Kovarski
Sent: Monday, September 24, 2007 2:28 PM
To: User questions and discussions about OTRS.org
Subject: Re: [otrs] Re: LDAP Authentication using Microsoft Active Directory server
Mike,
For Unix, as per http://doc.otrs.org/2.2/en/html/x354.html, you would need Net::LDAP. To install the module via CPAN, you'd type in:
perl -MCPAN -e 'install Net::LDAP'
or, alternatively some Unices allow:
cpan Net::LDAP
To answer your second question, you'd login via "username" or specifically the sAMAccountName LDAP attribute in Active Directory.
Ed
On 24-Sep-07, at 2:57 PM, Michael Holland wrote:
Robert and or anyone that can assist. 2 quick questions...
Do you have any instructions on how to install the correct PERL Ldap modules? When you login to OTRS do you use the username or domain\username?
Thanks for any help offered. I have been chasing this issue for well over a month.
Mike Holland
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Robert Aldridge
Sent: Monday, September 24, 2007 11:43 AM
To: User questions and discussions about OTRS.org
Subject: Re: [otrs] Re: LDAP Authentication using Microsoft Active Directory server
Edward,
Thanks for the suggestion. I copied your configuration and now have both agents and customers successfully logging in with authentication against our AD server.
Thanks!!!
Robert
On 9/24/07, Edward Kovarski wrote:
Robert,
I would suggest trying to simplify the configurations by removing the AlwaysFilter and specifying the root of your Active Directory as the BaseDN. Once it authenticates properly you can start customizing and narrowing the BaseDN scope.
Here is an excerpt from Config.pm which I just tested on our dev environment as we don't use the customer interface in production. It properly authenticated and pulled in all the proper values into OTRS...
# --- Customer ---
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ad.groupkae.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Customer,dc=ad,dc=groupkae,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldap@ad.groupkae.com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'ad.groupkae.com',
        BaseDN => 'ou=Customer,dc=ad,dc=groupkae,dc=com',
        SSCOPE => 'sub',
        UserDN => 'ldap@ad.groupkae.com',
        UserPw => 'password',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields   => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
    ],
};
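The login flow behind these settings is a bind as the search user, a search under BaseDN for the UID attribute equal to the login name (the log line further down in this thread shows the result as Filter='(sAMAccountName=raldridge)'), then a bind as the entry found. The script below is an added example, not OTRS code: it shows one way the configured UID attribute, the optional AlwaysFilter from Robert's Params block and the login name combine into that filter, and escapes the login name per RFC 4515 so a login such as "*" can only ever match a literal account named "*". Whether the OTRS module itself escapes the login name is not shown in this thread; that is the check to make. One more thing to compare against the excerpt above: its keys are SearchUserPw and UserPw, and Perl hash keys are case-sensitive.

```python
"""Build the user-lookup filter for a bind-then-search LDAP login.

Added example for this thread, not OTRS code. UID_ATTRIBUTE and
ALWAYS_FILTER are taken from the Config.pm excerpts in the thread; the
composition rule (login assertion ANDed with AlwaysFilter) is an assumption.
"""
import re
from typing import Optional

UID_ATTRIBUTE = "sAMAccountName"
ALWAYS_FILTER = "(&(sAMAccountName=*)(mail=*))"

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Exactly one equality assertion whose value has no unescaped filter metacharacters.
_SINGLE_EQUALITY = re.compile(
    r"^\([A-Za-z][A-Za-z0-9-]*=(?:[^*()\\\x00]|\\[0-9a-fA-F]{2})+\)$"
)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter(login: str, uid_attr: str = UID_ATTRIBUTE,
                 always_filter: Optional[str] = None) -> str:
    """Filter for one login name, ANDed with always_filter when one is set."""
    assertion = "(%s=%s)" % (uid_attr, escape_filter_value(login))
    if always_filter:
        return "(&%s%s)" % (assertion, always_filter)
    return assertion


def unescaped_login_filter(login: str, uid_attr: str = UID_ATTRIBUTE) -> str:
    """The same filter built by plain interpolation, shown only for contrast."""
    return "(%s=%s)" % (uid_attr, login)


def is_single_literal_match(filter_string: str) -> bool:
    """True if the filter is one equality assertion with a literal value, i.e.
    it cannot match more than one account name. Use as a guard before sending
    a login-derived filter to the directory."""
    return _SINGLE_EQUALITY.match(filter_string) is not None


if __name__ == "__main__":
    # Constructed login names: a normal one, a bare wildcard, and a filter-breakout attempt.
    for name in ("raldridge", "*", "x)(objectClass=*"):
        safe, raw = login_filter(name), unescaped_login_filter(name)
        print("%-30s literal=%s" % (safe, is_single_literal_match(safe)))
        print("%-30s literal=%s" % (raw, is_single_literal_match(raw)))
```

Running it prints the escaped and unescaped filters side by side; the unescaped "*" and "x)(objectClass=*" forms fail the single-literal guard, the escaped ones pass.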
On 24-Sep-07, at 10:42 AM, Robert Aldridge wrote:
Thanks for the suggestion, Edward. Changing the SearchUserDN to <username>@<domain> continues to work for the agent login. I still haven't been able to get the customer login working. Any hints? Here's my current LDAP portion of Config.pm:
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldapserver.domain.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'OTRS@domain.com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '********';

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldapserver.domain.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'OTRS@domain.com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = '********';

$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host         => 'ldapserver.domain.com',
        BaseDN       => 'ou=Group of Users,dc=domain,dc=com',
        SSCOPE       => 'sub',
        AlwaysFilter => '(&(sAMAccountName=*)(mail=*))',
        UserDN       => 'OTRS@domain.com',
        UserPW       => '********',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields   => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstName',  'Firstname',  'givenname',      1, 1, 'var' ],
        [ 'UserLastName',   'Lastname',   'sn',             1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var' ],
    ],
};

# UserSyncLDAPMap
# (map if agent should create/synced from LDAP to DB after login)
$Self->{UserSyncLDAPMap} = {
    # DB -> LDAP
    Firstname => 'givenName',
    Lastname  => 'sn',
    Email     => 'mail',
};

# UserSyncLDAPGroups
# (If "LDAP" was selected for AuthModule, you can specify initial
# user groups for first login.)
$Self->{UserSyncLDAPGroups} = [
    'users',
];
On 9/21/07, Edward Kovarski <edward.kovarski@groupkae.com> wrote:
Robert,
You may also try <username>@<domain> which is the new Microsoft style for specifying users within domains. This is what we use in configuration...
Ed
On 21-Sep-07, at 2:48 PM, Robert Aldridge wrote:
Finally got it working...
I changed every entry of:
'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
to:
'tsteel\OTRS'
and, to pull user data to the local DB, I added:
# UserSyncLDAPMap
# (map if agent should create/synced from LDAP to DB after login)
$Self->{UserSyncLDAPMap} = {
    # DB -> LDAP
    Firstname => 'givenName',
    Lastname  => 'sn',
    Email     => 'mail',
};

# UserSyncLDAPGroups
# (If "LDAP" was selected for AuthModule, you can specify initial
# user groups for first login.)
$Self->{UserSyncLDAPGroups} = [
    'users',
];
Perhaps this will help someone else who's trying to set OTRS up with Microsoft Active Directory.
Thanks,
Robert Aldridge
On 9/21/07, Robert Aldridge <bamarob55@gmail.com> wrote:
Hi folks,
First let me say that OTRS appears to be a great product! Kudos to the developers!
We are in the process of evaluating our options for a helpdesk/ trouble-ticket system. I would really like to give OTRS a good evaluation, but I'm having some problems. Our chosen solution must be able to authenticate users (both agents and customers) via Microsoft Active Directory. It appears that this is possible, but I've yet to have any success. I'll outline the steps I've taken and solicit any input from the community.
OTRS is working fine when authenticating against its own database. Here's what I've done to try to authenticate against AD:
I edited Kernel/Config.pm and added:
<begin additions to Config.pm>
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = 'password';

$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'lincoln.tsteel.com',
        BaseDN => 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
        SSCOPE => 'sub',
        UserDN => 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
        UserPW => 'password',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields   => 'sAMAccountName', 'cn', 'mail',
    CustomerUserSearchFields => 'sAMAccountName', 'cn', 'mail',
    CustomerUserPostMasterSearchFields => 'mail',
    CustomerUserNameFields => 'givenname', 'sn',
    Map => [
        [ 'UserFirstName',  'Firstname',  'givenname',      1, 1, 'var' ],
        [ 'UserLastName',   'Lastname',   'sn',             1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var' ],
    ],
};
<end additions to Config.pm>
On my AD box, I ran: ldifde -f users.ldf -d "OU=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com" -r "
" Which returned a listing of all users in the Tuscaloosa - Sheet Mill org unit. Within the users.ldf file (output from the above command), there's an entry for OTRS Admin:
<begin snippet from users.ldf>
dn: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: OTRS
sn: Admin
givenName: OTRS
distinguishedName: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
instanceType: 4
whenCreated: 20070920125829.0Z
whenChanged: 20070921135825.0Z
displayName: OTRS
uSNCreated: 8512826
uSNChanged: 8549454
name: OTRS
objectGUID:: po7FpWyIxEWWQeiUc9XMwA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 128347689772801250
lastLogoff: 0
lastLogon: 128347693211238750
pwdLastSet: 128347667099207500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAApR5XA/l+DSsgfDsl4xwAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: OTRS
sAMAccountType: 805306368
userPrincipalName: OTRS@tsteel.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tsteel,DC=com
dSCorePropagationData: 20070921135825.0Z
dSCorePropagationData: 20070921135825.0Z
dSCorePropagationData: 20070921135825.0Z
dSCorePropagationData: 20070921131751.0Z
dSCorePropagationData: 16010108151056.0Z
lastLogonTimestamp: 128347680934676250
<end snippet from users.ldf>
With this configuration, when I attempt to login as an agent using my username (which I know is valid in AD), it errors out with:
Login failed! Your username or password was entered incorrectly.
And, when I revert the Config.pm back (so I can log in) and check the system log, I see:
User: raldridge authentication failed, no LDAP entry found! BaseDN='ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com', Filter='(sAMAccountName=raldridge)', (REMOTE_ADDR: 10.1.1.50).
Any help would be greatly appreciated.
Thanks,
Robert Aldridge
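The ldifde export in this message is the place to check the bind account against Config.pm before touching anything else: the configured SearchUserDN is 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com', while the export gives the object's distinguishedName as 'CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com' (cn is OTRS, sn is Admin), and its userPrincipalName as OTRS@tsteel.com, the form Ed later suggests. The script below is an added example, not OTRS or Microsoft tooling: it parses a constructed subset of that users.ldf entry, reports whether the configured DN exists in the export, does the same sAMAccountName lookup offline that the OTRS log line shows, and decodes userAccountControl and objectSid for the bind account (66048 is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD; since that password sits in clear text in Config.pm, the account should be read-only and low-privilege). The LDIF reader and DN normalisation are deliberately minimal and are assumptions of this example.

```python
"""Cross-check an ldifde export against the LDAP bind settings in Config.pm.

Added example for this thread, not OTRS or Microsoft code. USERS_LDF is a
constructed subset of the users.ldf entry quoted in the thread.
"""
import base64
import struct
from typing import Dict, List, Optional, Union

Value = Union[str, bytes]
Entry = Dict[str, List[Value]]

USERS_LDF = """\
dn: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
changetype: add
objectClass: top
objectClass: user
cn: OTRS
sn: Admin
distinguishedName: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
userAccountControl: 66048
objectSid:: AQUAAAAAAAUVAAAApR5XA/l+DSsgfDsl4xwAAA==
sAMAccountName: OTRS
userPrincipalName: OTRS@tsteel.com
"""

# SearchUserDN as configured in the Config.pm excerpt of this message.
CONFIGURED_SEARCH_USER_DN = "cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com"

# Subset of the userAccountControl bits Microsoft documents for this attribute.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader (assumption: enough for ldifde output, not full RFC 2849):
    blank-line separated entries, 'attr: value', base64 'attr:: value' kept as
    bytes, folded continuation lines starting with a space."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        value: Value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def normalize_dn(dn: str) -> str:
    """Comparison form: RDNs trimmed and case-folded (AD matches DNs
    case-insensitively). Ignores RFC 4514 escapes, which these DNs do not use."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def find_entry_by_attr(entries: List[Entry], attr: str, value: str) -> Optional[Entry]:
    """Offline stand-in for the directory search OTRS logs as Filter='(attr=value)'."""
    for entry in entries:
        if any(isinstance(v, str) and v.casefold() == value.casefold() for v in entry.get(attr, [])):
            return entry
    return None


def search_user_dn_exists(entries: List[Entry], configured_dn: str) -> bool:
    """True if some exported entry has exactly the configured bind DN."""
    wanted = normalize_dn(configured_dn)
    return any(normalize_dn(str(e["dn"][0])) == wanted for e in entries)


def decode_uac(value: int) -> List[str]:
    """Names of the set userAccountControl bits listed in UAC_FLAGS."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def sid_to_string(blob: bytes) -> str:
    """Binary SID (revision, sub-authority count, 48-bit big-endian authority,
    little-endian 32-bit sub-authorities) to its S-1-5-21-... text form."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def report(text: str = USERS_LDF, configured_dn: str = CONFIGURED_SEARCH_USER_DN) -> Dict[str, object]:
    """Run the checks over the export and return the findings for the bind account."""
    entries = parse_ldif(text)
    account = find_entry_by_attr(entries, "sAMAccountName", "OTRS")
    if account is None:
        raise ValueError("no entry with sAMAccountName=OTRS in export")
    return {
        "configured_dn_exists": search_user_dn_exists(entries, configured_dn),
        "exported_dn": str(account["distinguishedName"][0]),
        "userPrincipalName": str(account["userPrincipalName"][0]),
        "uac_flags": decode_uac(int(str(account["userAccountControl"][0]))),
        "sid": sid_to_string(account["objectSid"][0]),  # type: ignore[arg-type]
    }


if __name__ == "__main__":
    for key, val in report().items():
        print("%-22s %s" % (key, val))
```

The live equivalent of the offline lookup, run from a shell on the OTRS host with the OpenLDAP client tools, is an ldapsearch bound as the search user (-D with the DN or UPN, -W to prompt for the password, -b for the BaseDN) with the filter '(sAMAccountName=raldridge)'; if that returns nothing, the OTRS log line "no LDAP entry found" is expected and the problem is the bind account or BaseDN, not OTRS.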
_______________________________________________ OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs Support or consulting for your OTRS system? => http://www.otrs.com/