Robert and/or anyone that can assist. 2 quick questions…
Thanks for any help offered. I have been chasing this issue for well over a month.
Mike Holland
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Robert Aldridge
Sent: Monday, September 24, 2007 11:43 AM
To: User questions and discussions about OTRS.org
Subject: Re: [otrs] Re: LDAP Authentication using Microsoft Active Directory server
Edward,
Thanks for the suggestion. I copied your configuration and now have both
agents and customers successfully logging in with authentication against our AD
server.
Thanks!!!
Robert
On 9/24/07, Edward Kovarski <edward.kovarski@groupkae.com> wrote:
Robert,
I would suggest trying to simplify the configurations by removing the
AlwaysFilter and specifying the root of your Active Directory as the
BaseDN. Once it authenticates properly you can start customizing and
narrowing the BaseDN scope.
Here is an excerpt from Config.pm which I just tested on our dev environment as we don't use the customer interface in production. It properly authenticated and pulled in all the proper values into OTRS...
# --- Customer ---
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ad.groupkae.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Customer,dc=ad,dc=groupkae,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldap@ad.groupkae.com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'ad.groupkae.com',
        BaseDN => 'ou=Customer,dc=ad,dc=groupkae,dc=com',
        SSCOPE => 'sub',
        UserDN => 'ldap@ad.groupkae.com',
        UserPw => 'password',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        # var, frontend, storage, shown, required, storage-type
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
    ],
};
On 24-Sep-07, at 10:42 AM, Robert Aldridge wrote:
> Thanks for the suggestion, Edward. Changing the SearchUserDN to
> <username>@<domain> continues to work for the agent login. I still
> haven't been able to get the customer login working. Any hints?
> Here's my current LDAP portion of Config.pm:
>
> $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> $Self->{'AuthModule::LDAP::Host'} = 'ldapserver.domain.com';
> $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
> $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> $Self->{'AuthModule::LDAP::SearchUserDN'} = 'OTRS@domain.com';
> $Self->{'AuthModule::LDAP::SearchUserPw'} = '********';
>
> $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldapserver.domain.com';
> $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
> $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'OTRS@domain.com';
> $Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = '********';
>
> $Self->{CustomerUser} = {
>     Module => 'Kernel::System::CustomerUser::LDAP',
>     Params => {
>         Host   => 'ldapserver.domain.com',
>         BaseDN => 'ou=Group of Users,dc=domain,dc=com',
>         SSCOPE => 'sub',
>         AlwaysFilter => '(&(sAMAccountName=*)(mail=*))',
>         UserDN => 'OTRS@domain.com',
>         UserPW => '********',
>     },
>     CustomerKey => 'sAMAccountName',
>     CustomerID  => 'mail',
>     CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
>     CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
>     CustomerUserPostMasterSearchFields => ['mail'],
>     CustomerUserNameFields => ['givenname', 'sn'],
>     Map => [
>         # note: Login, Email and CustomerID needed!
>         # var, frontend, storage, shown, required, storage-type
>         # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
>         [ 'UserFirstName',  'Firstname',  'givenname',      1, 1, 'var' ],
>         [ 'UserLastName',   'Lastname',   'sn',             1, 1, 'var' ],
>         [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
>         [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
>         [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var' ],
>     ],
> };
>
> # UserSyncLDAPMap
> # (map if agent should create/synced from LDAP to DB after login)
> $Self->{UserSyncLDAPMap} = {
>     # DB -> LDAP
>     Firstname => 'givenName',
>     Lastname  => 'sn',
>     Email     => 'mail',
> };
>
> # UserSyncLDAPGroups
> # (If "LDAP" was selected for AuthModule, you can specify initial
> # user groups for first login.)
> $Self->{UserSyncLDAPGroups} = [
>     'users',
> ];
>
> On 9/21/07, Edward Kovarski <edward.kovarski@groupkae.com> wrote:
> Robert,
>
> You may also try <username>@<domain> which is the new Microsoft style
> for specifying users within domains. This is what we use in
> configuration...
>
> Ed
>
> On 21-Sep-07, at 2:48 PM, Robert Aldridge wrote:
>
> > Finally got it working...
> >
> > I changed every entry of:
> >
> > 'cn=OTRS Admin,ou=
> >
> > to:
> >
> > 'tsteel\OTRS'
> >
> > and, to pull user data to the local DB, I added:
> >
> > # UserSyncLDAPMap
> > # (map if agent should create/synced from LDAP to DB after login)
> > $Self->{UserSyncLDAPMap} = {
> >     # DB -> LDAP
> >     Firstname => 'givenName',
> >     Lastname  => 'sn',
> >     Email     => 'mail',
> > };
> >
> > # UserSyncLDAPGroups
> > # (If "LDAP" was selected for AuthModule, you can specify initial
> > # user groups for first login.)
> > $Self->{UserSyncLDAPGroups} = [
> >     'users',
> > ];
> >
> > Perhaps this will help someone else who's trying to set OTRS up
> > with Microsoft Active Directory.
> >
> > Thanks,
> >
> > Robert Aldridge
> >
> > On 9/21/07, Robert Aldridge <bamarob55@gmail.com> wrote:
> > Hi folks,
> >
> > First let me say that OTRS appears to be a great product! Kudos to
> > the developers!
> >
> > We are in the process of evaluating our options for a helpdesk/
> > trouble-ticket system. I would really like to give OTRS a good
> > evaluation, but I'm having some problems. Our chosen solution must
> > be able to authenticate users (both agents and customers) via
> > Microsoft Active Directory. It appears that this is possible, but
> > I've yet to have any success. I'll outline the steps I've taken
> > and solicit any input from the community.
> >
> > OTRS is working fine when authenticating against its own
> > database. Here's what I've done to try to authenticate against AD:
> >
> > I edited Kernel/Config.pm and added:
> >
> > <begin additions to Config.pm>
> >
> > $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> > $Self->{'AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
> > $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=
> > Mill,dc=tsteel,dc=com';
> > $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> > $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=
> > $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
> >
> > $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> > $Self->{'Customer::AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
> > $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=
> > - Sheet Mill,dc=tsteel,dc=com';
> > $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> > $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=
> > $Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = 'password';
> >
> > $Self->{CustomerUser} = {
> >     Module => 'Kernel::System::CustomerUser::LDAP',
> >     Params => {
> >         Host   => 'lincoln.tsteel.com',
> >         BaseDN => 'ou=
> >         SSCOPE => 'sub',
> >         UserDN => 'cn=OTRS Admin,ou=
> >         Mill,dc=tsteel,dc=com',
> >         UserPW => 'password',
> >     },
> >     CustomerKey => 'sAMAccountName',
> >     CustomerID  => 'mail',
> >     CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
> >     CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
> >     CustomerUserPostMasterSearchFields => ['mail'],
> >     CustomerUserNameFields => ['givenname', 'sn'],
> >     Map => [
> >         # var, frontend, storage, shown, required, storage-type
> >         [ 'UserFirstName',  'Firstname',  'givenname',      1, 1, 'var' ],
> >         [ 'UserLastName',   'Lastname',   'sn',             1, 1, 'var' ],
> >         [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
> >         [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
> >         [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var' ],
> >     ],
> > };
> >
> > <end additions to Config.pm>
> >
> >
> > On my AD box, I ran: ldifde -f users.ldf -d "OU=
> > Mill,dc=tsteel,dc=com" -r "<objectClass=user>"
> >
> > Which returned a listing of all users in the
> > Mill org unit. Within the users.ldf file (output from the above
> > command), there's an entry for OTRS Admin:
> >
> > <begin snippet from users.ldf>
> >
> > dn: CN=OTRS,OU=
> > changetype: add
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > cn: OTRS
> > sn: Admin
> > givenName: OTRS
> > distinguishedName: CN=OTRS,OU=
> > Mill,DC=tsteel,DC=com
> > instanceType: 4
> > whenCreated: 20070920125829.0Z
> > whenChanged: 20070921135825.0Z
> > displayName: OTRS
> > uSNCreated: 8512826
> > uSNChanged: 8549454
> > name: OTRS
> > objectGUID:: po7FpWyIxEWWQeiUc9XMwA==
> > userAccountControl: 66048
> > badPwdCount: 0
> > codePage: 0
> > countryCode: 0
> > badPasswordTime: 128347689772801250
> > lastLogoff: 0
> > lastLogon: 128347693211238750
> > pwdLastSet: 128347667099207500
> > primaryGroupID: 513
> > objectSid:: AQUAAAAAAAUVAAAApR5XA/l+DSsgfDsl4xwAAA==
> > accountExpires: 9223372036854775807
> > logonCount: 0
> > sAMAccountName: OTRS
> > sAMAccountType: 805306368
> > userPrincipalName: OTRS@tsteel.com
> > objectCategory:
> > CN=Person,CN=Schema,CN=Configuration,DC=tsteel,DC=com
> > dSCorePropagationData: 20070921135825.0Z
> > dSCorePropagationData: 20070921135825.0Z
> > dSCorePropagationData: 20070921135825.0Z
> > dSCorePropagationData: 20070921131751.0Z
> > dSCorePropagationData: 16010108151056.0Z
> > lastLogonTimestamp: 128347680934676250
> >
> >
> > <end snippet from users.ldf>
> >
> >
> > With this configuration, when I attempt to login as an agent using
> > my username (which I know is valid in AD), it errors out with:
> >
> > Login failed! Your username or password was entered incorrectly.
> >
> > And, when I revert the Config.pm back (so I can log in) and check
> > the system log, I see:
> >
> > User: raldridge authentication failed, no LDAP entry found!
> > BaseDN='ou=
> > Filter='(sAMAccountName=raldridge)', (REMOTE_ADDR: 10.1.1.50).
> >
> > Any help would be greatly appreciated.
> >
> > Thanks,
> >
> > Robert Aldridge
> >
> > _______________________________________________
> > OTRS mailing list: otrs - Webpage: http://otrs.org/
> > Archive: http://lists.otrs.org/pipermail/otrs
> > To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
> > Support or consulting for your OTRS system?
> > => http://www.otrs.com/
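An added example, not part of the thread and not OTRS's own code, that models the sequence every message above is debugging: OTRS binds with the search account, searches under BaseDN for `(sAMAccountName=<login>)`, and only then binds as the entry it found with the user's own password. The in-memory directory is constructed with placeholder names and passwords, and the way OTRS joins AlwaysFilter onto the UID filter is an assumption. The model reproduces the two failures visible in the thread: the ldifde export shows the service account's DN begins with `CN=OTRS`, so a bind as `cn=OTRS Admin,...` fails before any search happens, and a BaseDN (or search scope) that does not contain the user produces the `no LDAP entry found! BaseDN=... Filter=...` log line even when the credentials are correct.

```python
"""Offline model of the search-then-bind sequence that OTRS's LDAP auth modules
run against Active Directory.  Added example, not OTRS code: the directory below
is constructed in memory and no server is contacted."""
import re
from dataclasses import dataclass

@dataclass
class Entry:
    dn: str
    attrs: dict      # attribute name -> single value (enough for this model)
    password: str    # constructed for the model; a real DC never returns this

# Constructed directory laid out like the thread's: a service account whose CN is
# "OTRS" (as in the ldifde export, not "OTRS Admin"), an agent under OU=Mill and a
# customer outside it.  Every name and password here is a placeholder.
DOMAIN = {"dns": "DC=tsteel,DC=com", "netbios": "TSTEEL"}
DIRECTORY = [
    Entry("CN=OTRS,OU=Mill,DC=tsteel,DC=com",
          {"sAMAccountName": "OTRS", "userPrincipalName": "OTRS@tsteel.com"}, "svc-secret"),
    Entry("CN=Robert Aldridge,OU=Staff,OU=Mill,DC=tsteel,DC=com",
          {"sAMAccountName": "raldridge", "userPrincipalName": "raldridge@tsteel.com",
           "givenName": "Robert", "sn": "Aldridge", "mail": "raldridge@tsteel.com"}, "agent-pass"),
    Entry("CN=Jane Customer,OU=Customer,DC=tsteel,DC=com",   # no mail attribute, on purpose
          {"sAMAccountName": "jcustomer", "userPrincipalName": "jcustomer@tsteel.com",
           "givenName": "Jane", "sn": "Customer"}, "cust-pass"),
]

def _rdns(dn):
    """Split a DN into lower-cased RDNs, ignoring whitespace around commas."""
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(entry_dn, base_dn, scope="sub"):
    """Is entry_dn inside base_dn for search scope 'base', 'one' or 'sub'?"""
    e, b = _rdns(entry_dn), _rdns(base_dn)
    if scope == "base":
        return e == b
    if scope == "one":
        return len(e) == len(b) + 1 and e[1:] == b
    return len(e) >= len(b) and e[len(e) - len(b):] == b

def _split_groups(s):
    """Split '(a)(b)(c)' into its top-level parenthesised groups."""
    groups, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch == ")":
            groups.append(s[start:i + 1])
            start = i + 1
    return groups

def matches(entry, filt):
    """Evaluate a filter of the form (attr=value) or (&(..)(..)); '*' is a wildcard."""
    body = filt[1:-1]
    if body.startswith("&"):
        return all(matches(entry, g) for g in _split_groups(body[1:]))
    attr, _, pattern = body.partition("=")
    value = next((v for k, v in entry.attrs.items() if k.lower() == attr.lower()), None)
    regex = re.escape(pattern).replace(r"\*", ".*")
    return value is not None and re.fullmatch(regex, value, re.IGNORECASE) is not None

def search(base_dn, filt, scope="sub"):
    return [e for e in DIRECTORY if in_scope(e.dn, base_dn, scope) and matches(e, filt)]

def bind(identity, password):
    """Simple bind as a DN, a user@domain UPN or DOMAIN\\user; returns the bound DN."""
    if "=" in identity:                      # full distinguished name
        hits = [e for e in DIRECTORY if _rdns(e.dn) == _rdns(identity)]
    elif "@" in identity:                    # userPrincipalName form
        hits = search(DOMAIN["dns"], f"(userPrincipalName={identity})")
    elif "\\" in identity:                   # NetBIOS DOMAIN\user form
        netbios, _, user = identity.partition("\\")
        hits = (search(DOMAIN["dns"], f"(sAMAccountName={user})")
                if netbios.upper() == DOMAIN["netbios"] else [])
    else:
        hits = []
    if not hits or hits[0].password != password:
        raise PermissionError(f"invalid credentials for {identity!r}")   # LDAP result 49
    return hits[0].dn

def otrs_authenticate(cfg, user, password):
    """Bind as the search user, look the login up under BaseDN, then bind as the entry
    found.  The '(&<uid filter><AlwaysFilter>)' composition is an assumption about how
    OTRS joins the two; the failure message mirrors the thread's system log line."""
    try:
        bind(cfg["SearchUserDN"], cfg["SearchUserPw"])
    except PermissionError as err:
        return {"ok": False, "reason": f"search-user bind failed: {err}"}
    filt = f"({cfg['UID']}={user})"
    if cfg.get("AlwaysFilter"):
        filt = f"(&{filt}{cfg['AlwaysFilter']})"
    found = search(cfg["BaseDN"], filt, cfg.get("SSCOPE", "sub"))
    if not found:
        return {"ok": False, "reason": f"User: {user} authentication failed, no LDAP entry "
                                       f"found! BaseDN='{cfg['BaseDN']}' Filter='{filt}'"}
    try:
        bind(found[0].dn, password)
    except PermissionError:
        return {"ok": False, "reason": f"User: {user} authentication failed, bad password"}
    return {"ok": True, "dn": found[0].dn}
```

Call `otrs_authenticate` with a dict holding `SearchUserDN`, `SearchUserPw`, `UID`, `BaseDN` and optionally `SSCOPE` and `AlwaysFilter`, mirroring the keys in the excerpts above; swapping `SearchUserDN` between `cn=OTRS Admin,...`, `TSTEEL\OTRS` and `OTRS@tsteel.com` shows why only the last two bind, and narrowing `BaseDN` or setting `SSCOPE` to `one` shows how the `no LDAP entry found` line arises with valid credentials. Two things worth checking in a real Config.pm that the model does not enforce: Perl hash keys are case-sensitive and the working excerpt spells them `SearchUserPw` and `UserPw`, so a `SearchUserPW` or `UserPW` key is simply never read; and the search account's password sits in clear text in Config.pm, so that account needs only read access under BaseDN and the file should be readable by the OTRS service user alone.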