
Thanks for your prompt reply Tyler.
I tried a few things and read the documentation chapter 9 and 10 again.
However, I was still not able to get it to work. Please scroll down to see
the things I tried.
----- Original Message -----
From: "Tyler Hepworth"
Nikunj Patel wrote:
I began testing OTRS 1.2.2 about a week back and I am really happy to see this product. It's really amazing to work with and it encourages one to try to push it to the limits. Hence, I tried to use Active Directory for authenticating the users against it.
While going through the documentation for LDAP, it was mentioned that users had to be in the database before they can be authenticated against. I tried to set up the system but it simply refuses to acknowledge my LDAP users.
That is not correct. They only have to be in the LDAP database. Not the OTRS database. If the user is not in the OTRS database, but is in the LDAP database and you have LDAP Auth configured properly, then on the first login you will get a message "User Account Activated, Please Retry". OTRS creates a local DB user for you on the fly. Once the user is created on the system, you still have to go in and assign group permissions to the users. OTRS doesn't manage permissions based off of LDAP groups and that is why it creates a local DB user as well. It still uses LDAP to authenticate the initial login, but then the DB user with its permissions takes over once the user is authenticated.
---- Copied from current doc on site, LDAP authentication, Chapter 9 ------
....
preferredLanguage: fr
comment: technical support

Please note, that in version 1.x you have to create a db entry for the ldap user. This is done automatically on first login in versions < 1.1.x. This will be the config option to map the LDAP attributes to database. Default is:
# UserSyncLDAPMap
.....
----- End copy ---------
I was also confused with some of the things mentioned about LDAP.
a. It says that the users have to be added in the system manually, but previous versions (<1.1) used to add users automatically. Why was that support removed?
I don't know about this.
b. It seems that only customers are authenticated against the Active Directory but not the Agents. Am I right, or is that another setting in Config.pm that I missed out for some reason?
There are two separate sets of settings you have to put in Config.pm. One instructs OTRS to authenticate agents, the other tells it to authenticate customers. I use both. See chapters 9 and 10 in the manual. It fully explains how to set up LDAP for both users (chapter 9) and customers (chapter 10). Chapter 10 can be a little confusing so I will give you a brief overview. The section "Customer User Backend" refers to code that will query an LDAP DB for customer information. It will use this information to populate your address book, search lists, customer info, etc.
The section "Customer Auth Backend" refers to code that will be used to authenticate customers when they try to login. Read through the two chapters and see what you can get set up. Then post back with specifics and I (we) will be glad to help.
I am sorry if I confused anyone, but I wanted my agents to be authenticated against the Active Directory also. As far as I can see in the otrs log file, it's trying to use the '[Kernel::System::Auth::DB::Auth]' module. I would like to know if we have a corresponding LDAP module, or can I simply use the '[Kernel::System::CustomerAuth::LDAP::Auth]' module, and where can I specify that.
c. Full Active Directory support is expected in version 2. What is the time frame for version 2 to come out?
Hey, I want to know more about this too!
d. When I looked in the \otrs\Kernel\System\Auth directory, I found two modules or files named LDAP.pm and LDAPNew.pm. Do I need to rename one of the modules or something?
You don't need to know a thing about them. They do all the background work and do it beautifully.
d. I added a customer called test in the database and I have a user test in the Active Directory. When I try to login as the customer test, I get an error authenticating user. Entry does not exist. The settings in my Config.pm file are:

# This is the auth. module against the otrs db
#$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::DB';
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=ha,dc=georgetown,dc=edu';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'SAMAccountName';

The entry in my error log is:

[Wed Apr 21 08:51:02 2004][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: test login failed, no LDAP entry found!BaseDN='', Filter='(SAMAccountName=test)', (REMOTE_ADDR: ).

Any more settings or changes that I need to do to authenticate against the LDAP? Something that I missed.

Do you have these two lines?

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'yourname';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'yourcredentials';
These are needed for permission to query Active Directory. It does not allow anonymous binds. Think in terms of your gui. Who can access and manage Active Directory through the interface? Only the domain admin. Why would a perl script asking for the information be any different?
I tried putting in the two lines that you mentioned. Also, the username and password were for the domain Administrator, so it should have worked if it was supposed to. I am able to authenticate against the server using .NET, so I am sure that it works and is accessible from the install machine. I also tried to put the host name for the host as well as its IP address.
If that is all set up correctly and you are still getting errors, then your problem lies in your supplied data. Either a host name, BaseDN, filter, attribute, etc. is incorrect. Active Directory uses quite a few different settings than standard LDAP and so not everything will mesh exactly with what is written in the manual. The best way to figure out Active Directory is to get Softerra LDAP Browser. Connect it to your AD and then browse through it. It shows you the entire LDAP structure of AD (names, objects, DN, CN, OU, DC, etc). It is absolutely fantastic for trying to figure out how Microsoft set the AD up.
Did not find any useful information about the directory except the tree structure that I could see from the MMC snap-in.
Hth,
Tyler Hepworth

http://www.otrs.de/
TIA, Nik
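The "login failed, no LDAP entry found" message in the thread is produced at the search step, after the search-user bind has already succeeded, so the useful diagnostic is to replay the same bind, search and re-bind sequence outside OTRS and see which step fails. The script below is an added example written for this page, not code from OTRS or from either poster; it uses Net::LDAP (the module the Config.pm comment says must be installed) and assumed placeholder values for the host, BaseDN and search account, keyed by the same names the thread's Config.pm uses (Customer::AuthModule::LDAP::Host, ::BaseDN, ::UID, ::SearchUserDN, ::SearchUserPw; agent authentication uses the parallel AuthModule::LDAP::* keys with Kernel::System::Auth::LDAP, which is the LDAP.pm Nik found under Kernel/System/Auth).

```perl
#!/usr/bin/perl
# Added diagnostic, not OTRS code: replays the bind -> search -> bind sequence
# an LDAP auth backend performs, with the settings named in the thread, and
# reports which step fails.  Usage:  perl ldapcheck.pl <login>   (password on stdin)
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Placeholder values (assumed, not from the thread); substitute your own.
# Keys mirror Config.pm's Customer::AuthModule::LDAP::<Key> names; agents use
# AuthModule::LDAP::<Key> with $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'.
my %Cfg = (
    Host         => 'dc01.example.invalid',
    BaseDN       => 'dc=example,dc=invalid',
    UID          => 'sAMAccountName',
    SearchUserDN => 'cn=otrs-search,cn=Users,dc=example,dc=invalid',
    SearchUserPw => 'search-user-password',
);

# Returns 1 when $Login/$Password authenticate, 0 otherwise, printing the
# failing step.  Step 3 is where OTRS's "no LDAP entry found" comes from.
sub check_ldap_login {
    my ( $Login, $Password ) = @_;

    # Step 1: connection to the directory host (name resolution, port, firewall).
    my $ldap = Net::LDAP->new( $Cfg{Host}, timeout => 10 );
    if ( !$ldap ) {
        print "Step 1 failed: cannot connect to $Cfg{Host}: $@\n";
        return 0;
    }

    # Step 2: bind with the search account; AD refuses anonymous searches.
    my $Result = $ldap->bind( $Cfg{SearchUserDN}, password => $Cfg{SearchUserPw} );
    if ( $Result->code ) {
        print "Step 2 failed: search user bind rejected: ", $Result->error, "\n";
        return 0;
    }

    # Step 3: look the login up with the same filter shape the OTRS log shows,
    # (<UID>=<login>), escaping the login so it cannot change the filter.
    my $Filter = '(' . $Cfg{UID} . '=' . escape_filter_value($Login) . ')';
    $Result = $ldap->search(
        base   => $Cfg{BaseDN},
        scope  => 'sub',
        filter => $Filter,
        attrs  => [ $Cfg{UID} ],
    );
    if ( $Result->code ) {
        print "Step 3 failed: search error: ", $Result->error, "\n";
        return 0;
    }
    if ( $Result->count == 0 ) {
        print "Step 3 failed: no entry for $Filter under $Cfg{BaseDN}; ",
              "check BaseDN, the attribute name, and that the search user ",
              "may read this subtree\n";
        return 0;
    }
    my $UserDN = $Result->entry(0)->dn;
    print "Found $UserDN\n";

    # An empty password turns a simple bind into an unauthenticated bind,
    # which AD accepts, so refuse it before it can look like a success.
    if ( !defined $Password || $Password eq '' ) {
        print "Step 4 refused: empty password would be an unauthenticated bind\n";
        return 0;
    }

    # Step 4: re-bind as the user that was found, with the password under test.
    $Result = $ldap->bind( $UserDN, password => $Password );
    if ( $Result->code ) {
        print "Step 4 failed: user bind rejected: ", $Result->error, "\n";
        return 0;
    }
    $ldap->unbind;
    print "OK: $Login authenticated\n";
    return 1;
}

die "usage: $0 <login>   (password on stdin)\n" if @ARGV != 1;
my $Password = <STDIN>;
chomp $Password if defined $Password;
exit( check_ldap_login( $ARGV[0], $Password ) ? 0 : 1 );
```

If step 3 is the one that fails while a directory browser shows the user, the usual culprits are a BaseDN that does not contain the account, an attribute name the directory does not know, or a search account that can bind but has no read rights on that part of the tree; the script reports exactly that boundary, which is what the OTRS log line alone does not tell you.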