I really hope someone can help out here.
Trouble with authentication against Active Directory in the
customer.pl section
I have tried almost every option I can think of to
authenticate against Active Directory.
What works:
I can authenticate against LDAP in the agent section. This
works. I use the sAMAccountName for authentication.
What doesn’t work:
I can’t authenticate against ldap in the customer
section…
What is going wrong??
Using Ethereal/Wireshark I can see that the LDAP server is
being queried during agent authentication. In the customer section,
however, I see that the LDAP authentication succeeds but
no lookup is done for the attempted login.
I am using the same details as in the agent section
for the customer Base DN — does this matter?
It should do a lookup regardless, shouldn't it?
Furthermore, I have created a local customer user named mike,
and this user can still authenticate.
Also, when I create a new user via customer.pl, it does check
LDAP and sees that the user exists when I use the sAMAccountName during
registration.
Small side question:
in the agent LDAP section I need to make a mapping for
name, last name and email for the MySQL database.
I am a little surprised the customer section doesn't
have this option as such.
I have posted my current config below.
Thanks for helping out :)
Ruben
# ------------------------------------------------------------ #
# authentication settings                                      #
# (enable what you need: auth against the otrs db, against an  #
# LDAP directory, against HTTP basic auth or against a Radius  #
# server)                                                      #
# ------------------------------------------------------------ #
#
# Agent login backend.  The settings are gathered in one hash and then
# merged into $Self so the whole backend reads as one unit; the keys OTRS
# looks up are the same as with per-line assignments.
#
# Reconstructed from a line-wrapped mail paste: settings that were
# preceded by a lone '#' are kept commented out -- verify against the
# live Kernel/Config.pm.

# Alternative: authenticate agents against the otrs db.
#   AuthModule                  => 'Kernel::System::Auth::DB',
#   'AuthModule::DB::CryptType' => 'crypt',

my %agent_auth_of = (
    # LDAP backend (Net::LDAP must be installed).
    AuthModule                 => 'Kernel::System::Auth::LDAP',
    'AuthModule::LDAP::Host'   => '172.30.2.3',
    'AuthModule::LDAP::BaseDN' => 'ou=UserOffice,ou=COMPANYNAMEUsers,dc=nl,dc=COMPANYNAME,dc=local',
    # Active Directory: the login name is matched on sAMAccountName.
    'AuthModule::LDAP::UID'    => 'sAMAccountName',
    # Group restriction, not enabled in the original config.
    #   'AuthModule::LDAP::GroupDN'    => '',
    #   'AuthModule::LDAP::AccessAttr' => '',
    #   'AuthModule::LDAP::UserAttr'   => 'UID',
    #   'AuthModule::LDAP::UserAttr'   => 'DN',
    # Bind account used for the user lookup.  Its password sits in
    # cleartext in this file, so keep that account read-only with the
    # least directory rights it needs.
    'AuthModule::LDAP::SearchUserDN' => 'testuser',
    'AuthModule::LDAP::SearchUserPw' => 'p@ssword',
    'AuthModule::LDAP::AlwaysFilter' => '',
    #   'AuthModule::LDAP::UserSuffix'    => '@domain.com',
    #   'AuthModule::LDAP::UserLowerCase' => 0,
    # Net::LDAP->new params (see perldoc Net::LDAP).
    # NOTE(review): 3268 is the plain global-catalog port and no TLS is
    # configured, so bind passwords presumably cross the wire unencrypted;
    # ldaps (global catalog on 3269) is the usual remedy -- confirm with
    # the AD team.
    'AuthModule::LDAP::Params' => {
        port    => 3268,
        timeout => 120,
        async   => 0,
        version => 3,
    },
    # UserSyncLDAPMap: DB column -> LDAP attribute, used when an agent is
    # created/synced from LDAP after login.
    UserSyncLDAPMap => {
        Firstname => 'givenName',
        Lastname  => 'sn',
        Email     => 'mail',
    },
);
$Self->{$_} = $agent_auth_of{$_} for keys %agent_auth_of;
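# ------------------------------------------------------------ #
# customer authentication settings                             #
# (enable what you need: auth against the otrs db, against an  #
# LDAP directory, against HTTP basic authentication or against #
# a Radius server)                                             #
# ------------------------------------------------------------ #
#
# Reconstructed from a line-wrapped mail paste: settings that were
# preceded by a lone '#' are kept commented out -- verify against the
# live Kernel/Config.pm.

# Alternative: authenticate customers against the otrs db (not enabled).
# $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::DB';
# $Self->{'Customer::AuthModule::DB::Table'} = 'customer_user';
# $Self->{'Customer::AuthModule::DB::CustomerKey'} = 'login';
# $Self->{'Customer::AuthModule::DB::CustomerPassword'} = 'pw';
# $Self->{'Customer::AuthModule::DB::DSN'} = "DBI:mysql:database=customerdb;host=customerdbhost";
# $Self->{'Customer::AuthModule::DB::User'} = "some_user";
# $Self->{'Customer::AuthModule::DB::Password'} = "some_password";

# LDAP auth. backend for customers (Net::LDAP must be installed).
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';

# NOTE(review): 172.30.3.2 differs from the 172.30.2.3 used by the agent
# auth backend and by the CustomerUser1 LDAP backend -- confirm this is
# the intended server and not a transposed address.
$Self->{'Customer::AuthModule::LDAP::Host'}   = '172.30.3.2';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=UserOffice,ou=COMPANYNAMEUsers,dc=nl,dc=COMPANYNAME,dc=local';

# FIX: the login attribute has to be set under the Customer:: prefix.
# The original assigned $Self->{'AuthModule::LDAP::UID'} here, which only
# re-sets the agent backend's attribute; the customer backend reads
# 'Customer::AuthModule::LDAP::UID', which was left commented out.  That
# matches the symptom of a successful bind with no lookup of the login.
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# Bind account for the lookup, only needed if anonymous users may not
# read the tree.  The password is stored in cleartext here, so keep the
# account read-only with the least directory rights it needs.
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=testuser,ou=UserOffice,ou=COMPANYNAMEUsers,dc=nl,dc=COMPANYNAME,dc=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'p@ssword';

# Filter added to every ldap query, e. g. '(mail=*)' or
# '(objectclass=user)'.  Not enabled.
# $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

# Suffix appended to each customer login name, for directories that
# store user@domain while the user types only "user".  Not enabled.
# $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP->new params (see perldoc Net::LDAP).
# NOTE(review): 3268 is the plain global-catalog port and no TLS is
# configured, so bind passwords presumably cross the wire unencrypted;
# ldaps (global catalog on 3269) is the usual remedy -- confirm with the
# AD team.
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 3268,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Example: authenticate against a radius server (not enabled).
# $Self->{'Customer::AuthModule'} = 'Kernel::System::Auth::Radius';
# $Self->{'Customer::AuthModule::Radius::Host'} = 'radiushost';
# $Self->{'Customer::AuthModule::Radius::Password'} = 'radiussecret';
# ------------------------------------------------------------ #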
# ------------------------------------------------------------ #
#                 Start of config options!!!                   #
# ------------------------------------------------------------ #
# ------------------------------------------------------------ #
#                    CustomerUser stuff                        #
# ------------------------------------------------------------ #
#
# Reconstructed from a line-wrapped mail paste: entries that were
# preceded by a lone '#' are kept commented out -- verify against the
# live Kernel/Config.pm.

# CustomerUser: first customer user source, the customer_user table.
$Self->{CustomerUser} = {
    Name   => 'Database Backend',
    Module => 'Kernel::System::CustomerUser::DB',
    Params => {
        # For an external customer database add DSN and credentials;
        # none are set, so the OTRS database connection is used.
        #   DSN      => 'DBI:odbc:yourdsn',
        #   DSN      => 'DBI:mysql:database=customerdb;host=customerdbhost',
        #   User     => '',
        #   Password => '',
        Table => 'customer_user',
    },
    # unique customer id column
    CustomerKey   => 'login',
    # customer company column
    CustomerID    => 'customer_id',
    CustomerValid => 'valid_id',
    CustomerUserListFields => [qw(first_name last_name email)],
    #   CustomerUserListFields => [qw(login first_name last_name customer_id email)],
    CustomerUserSearchFields           => [qw(login first_name last_name customer_id)],
    CustomerUserSearchPrefix           => '',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => [qw(email)],
    CustomerUserNameFields             => [qw(salutation first_name last_name)],
    CustomerUserEmailUniqCheck         => 1,
    # show only own tickets in customer panel, CompanyTickets
    #   CustomerUserExcludePrimaryCustomerID => 0,
    # generate auto logins
    AutoLoginCreation       => 1,
    # generate auto login prefix
    AutoLoginCreationPrefix => 'auto',
    # admin can change customer preferences
    #   AdminSetPreferences => 1,
    # just a read only source
    #   ReadOnly => 1,
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown (1=always,2=lite), required,
        # storage-type, http-link, readonly
        [ 'UserSalutation', 'Salutation', 'salutation',  1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'first_name',  1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'last_name',   1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'login',       1, 1, 'var', '', 0 ],
        [ 'UserPassword',   'Password',   'pw',          0, 0, 'var', '', 0 ],
        # NOTE(review): UserEmail is mapped twice (once hidden, once with a
        # compose link); in the stock config one of the two is commented
        # out -- confirm which row is meant to be active.
        [ 'UserEmail',      'Email',      'email',       0, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'email',       1, 1, 'var', '$Env{"CGIHandle"}?Action=AgentTicketCompose&ResponseID=1&TicketID=$Data{"TicketID"}&ArticleID=$Data{"ArticleID"}', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'customer_id', 0, 1, 'var', '', 0 ],
        #   [ 'UserCustomerIDs', 'CustomerIDs', 'customer_ids', 1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'comments',    1, 0, 'var', '', 0 ],
        [ 'ValidID',        'Valid',      'valid_id',    0, 1, 'int', '', 0 ],
    ],
    # default selections (none enabled)
    Selections => {
        #   UserSalutation => {
        #       'Mr.'  => 'Mr.',
        #       'Mrs.' => 'Mrs.',
        #   },
    },
};
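# CustomerUser1: second customer user source, the AD/LDAP directory.
#
# Reconstructed from a line-wrapped mail paste: entries that were
# preceded by a lone '#' are kept commented out -- verify against the
# live Kernel/Config.pm.
$Self->{CustomerUser1} = {
    Name   => 'LDAP Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => '172.30.2.3',
        # ldap base dn
        # NOTE(review): this searches ou=UserTrading while the customer
        # auth backend searches ou=UserOffice -- a login found by one may
        # not be found by the other; confirm the intended subtree.
        BaseDN => 'ou=UserTrading, ou=COMPANYNAMEUsers, dc=nl, dc=COMPANYNAME, dc=local',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # Bind account, only needed if anonymous users may not read the
        # tree.  Its password is stored in cleartext here, so keep the
        # account read-only with the least directory rights it needs.
        UserDN => 'cn=testuser, ou=UserOffice, ou=COMPANYNAMEUsers, dc=nl, dc=COMPANYNAME, dc=local',
        UserPw => 'p@ssword',
        # Filter added to every ldap query, e. g. '(mail=*)' or
        # '(objectclass=user)'.
        AlwaysFilter => '',
        # Charset conversion between the ldap server and the frontend.
        SourceCharset => 'utf-8',
        DestCharset   => 'iso-8859-1',
        # Net::LDAP->new params (see perldoc Net::LDAP); 3268 is the
        # plain global-catalog port, no TLS configured.
        Params => {
            port    => 3268,
            timeout => 120,
            async   => 0,
            version => 3,
        },
    },
    # unique customer id attribute
    CustomerKey => 'sAMAccountName',
    # customer company attribute
    CustomerID  => 'mail',
    CustomerUserListFields   => ['sAMAccountName', 'cn', 'mail'],
    # FIX: the login field was spelled 'sAMAcountName' (missing 'c'), an
    # attribute AD does not have, so searches on the login column would
    # presumably match nothing.
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix           => '',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    # show only own tickets in customer panel, CompanyTickets
    #   CustomerUserExcludePrimaryCustomerID => 0,
    # add a ldap filter for valid users (expert setting)
    #   CustomerUserValidFilter => '(!(description=gesperrt))',
    # admin can't change customer preferences
    #   AdminSetPreferences => 0,
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown (1=always,2=lite), required,
        # storage-type, http-link, readonly
        [ 'UserSalutation', 'Title',      'title',          1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'login',      'sAMAccountName', 1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',           1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var', '', 0 ],
        #   [ 'UserPhone',   'Phone',   'telephonenumber', 1, 0, 'var', '', 0 ],
        #   [ 'UserAddress', 'Address', 'postaladdress',   1, 0, 'var', '', 0 ],
        #   [ 'UserComment', 'Comment', 'description',     1, 0, 'var', '', 0 ],
    ],
};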