
Nikunj Patel wrote:
I began testing OTRS 1.2.2 about a week back and I am really happy to see this product. It's really amazing to work with and it encourages one to try to push it to the limits. Hence, I tried to use Active Directory for authenticating the users against it.
While going through the documentation for LDAP, it was mentioned that users had to be in the database before they can be authenticated against. I tried to set up the system but it simply refuses to acknowledge my LDAP users.
That is not correct. They only have to be in the LDAP database, not the OTRS database. If the user is not in the OTRS database, but is in the LDAP database and you have LDAP Auth configured properly, then on the first login you will get a message "User Account Activated, Please Retry". OTRS creates a local DB user for you on the fly. Once the user is created on the system, you still have to go in and assign group permissions to the user. OTRS doesn't manage permissions based off of LDAP groups and that is why it creates a local DB user as well. It still uses LDAP to authenticate the initial login, but then the DB user with its permissions takes over once the user is authenticated.
I was also confused with some of the things mentioned about LDAP.
a. It says that the users have to be added in the system manually, but previous versions (<1.1) used to add users automatically. Why was that support removed?
I don't know about this.
b. It seems that only customers are authenticated against the Active Directory, but not the agents. Am I right, or is that another setting in Config.pm that I missed for some reason?
There are two separate sets of settings you have to put in Config.pm. One instructs OTRS to authenticate agents, the other tells it to authenticate customers. I use both. See chapters 9 and 10 in the manual. It fully explains how to set up LDAP for both users (chapter 9) and customers (chapter 10). Chapter 10 can be a little confusing, so I will give you a brief overview. The section "Customer User Backend" refers to code that will query an LDAP DB for customer information. It will use this information to populate your address book, search lists, customer info, etc. The section "Customer Auth Backend" refers to code that will be used to authenticate customers when they try to log in. Read through the two chapters and see what you can get set up. Then post back with specifics and I (we) will be glad to help.
c. Full Active Directory support is expected in version 2. What is the time frame for version 2 to come out?
Hey, I want to know more about this too!
d. When I looked in the \otrs\Kernel\System\Auth directory, I found two modules or files named LDAP.pm and LDAPNew.pm. Do I need to rename one of the modules or something?
You don't need to know a thing about them. They do all the background work and do it beautifully.
e. I added a customer called test in the database and I have a user test in the Active Directory. When I try to log in as the customer test, I get an error authenticating user: "Entry does not exist". The settings in my Config.pm file are:

    # This is the auth. module against the otrs db
    #$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::DB';

    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    #$Self->{'Customer::AuthModule::LDAP::Host'} = '141.161.77.106';
    $Self->{'Customer::AuthModule::LDAP::Host'} = '141.161.250.11';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=ha,dc=georgetown,dc=edu';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'SAMAccountName';

The entry in my error log is:

    [Wed Apr 21 08:51:02 2004][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: test login failed, no LDAP entry found! BaseDN='', Filter='(SAMAccountName=test)', (REMOTE_ADDR: ).

Are there any more settings or changes that I need to make to authenticate against the LDAP? Something that I missed?
Do you have these two lines?

    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'yourname';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'yourcredentials';

These are needed for permission to query Active Directory. It does not allow anonymous binds. Think in terms of your GUI. Who can access and manage Active Directory through the interface? Only the domain admin. Why would a Perl script asking for the information be any different? If that is all set up correctly and you are still getting errors, then your problem lies in your supplied data. Either a host name, BaseDN, filter, attribute, etc. is incorrect. Active Directory uses quite a few different settings than standard LDAP, and so not everything will mesh exactly with what is written in the manual. The best way to figure out what is in Active Directory is to get Softerra LDAP Browser. Connect it to your AD and then browse through it. It shows you the entire LDAP structure of AD (names, objects, DN, CN, OU, DC, etc.). It is absolutely fantastic for trying to figure out how Microsoft set the AD up.

Hth,
Tyler Hepworth
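The following Config.pm fragment is an added example (not code from the thread or from the OTRS project) that puts Tyler's answers to (b) and (e) together: the two separate setting blocks for agents and customers, each carrying the SearchUserDN/SearchUserPw pair that the posted configuration lacked, so that the bind to Active Directory succeeds before the (sAMAccountName=...) search runs. The host name, base DN, service account and group DN are placeholders. The GroupDN/AccessAttr/UserAttr keys that restrict login to members of one AD group appear in later OTRS manuals; check that your Kernel/System/Auth/LDAP.pm honours them before relying on them.

```perl
# Kernel/Config.pm fragment: agent and customer authentication against
# Active Directory. Added example; all names below are placeholders.

# ---- Agent authentication (the "users" side, manual chapter 9) ----
$Self->{'AuthModule'}                 = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}     = 'dc1.example.com';        # placeholder DC
$Self->{'AuthModule::LDAP::BaseDN'}   = 'dc=example,dc=com';      # placeholder domain
$Self->{'AuthModule::LDAP::UID'}      = 'sAMAccountName';         # AD login attribute

# AD refuses anonymous binds, so OTRS must bind with a real account before it
# can search. Use a dedicated read-only service account, not a domain admin:
# this password sits in clear text in Config.pm.
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrs-ldap,ou=Service Accounts,dc=example,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'placeholder-service-account-password';

# Optional: only members of one AD group may log in as agents. AD stores group
# membership as the member's full DN in the group's "member" attribute.
# (Keys from later OTRS manuals; confirm against your version's LDAP.pm.)
$Self->{'AuthModule::LDAP::GroupDN'}    = 'cn=OTRS Agents,ou=Groups,dc=example,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'}   = 'DN';

# ---- Customer authentication (manual chapter 10, "Customer Auth Backend") ----
# This block only decides whether a customer's password is accepted; the
# customer's name, e-mail and so on come from the separate
# "Customer User Backend" (CustomerUser) settings, not from here.
$Self->{'Customer::AuthModule'}               = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'}   = 'dc1.example.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'}    = 'sAMAccountName';

# Same bind account as above; the two lines missing from the posted config.
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrs-ldap,ou=Service Accounts,dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'placeholder-service-account-password';

# Optional group restriction for customers, same mechanism as for agents.
$Self->{'Customer::AuthModule::LDAP::GroupDN'}    = 'cn=OTRS Customers,ou=Groups,dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'}   = 'DN';
```

Before blaming OTRS, verify the same four inputs (host, bind account, base DN, filter) from the OTRS machine with a plain LDAP client, for example `ldapsearch -x -H ldap://dc1.example.com -D 'cn=otrs-ldap,ou=Service Accounts,dc=example,dc=com' -W -b 'dc=example,dc=com' '(sAMAccountName=test)'`. If that returns the user's entry, the values are right and the "no LDAP entry found" log line points at the OTRS configuration; if it does not, the problem is in the supplied data, as Tyler says. Because Config.pm now holds a domain credential, keep it readable only by the OTRS user (it normally is already), and give the service account nothing beyond read access to the users and groups OTRS needs.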