Problem with authenticating Active Directory via LDAP

Ok, I've been working on this issue for 3 days, but I can't make it work. I want my agents and customers to authenticate via LDAP (that is actually our Win2003 server Active Directory). Do I need to manually set up LDAP on the OTRS server (I am running openSUSE 10.2 with openLDAP)? Is there any configuration needed to enable authenticating from Active Directory?

This is what I have in Kernel/Config.pm:

#we want to use LDAP for Auth
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'myAD.company-bih.corp';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=company-bih,dc=corp';
#DO I NEED TO CHANGE THIS sAMAccountName TO SOMETHING ELSE ?
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# WHAT USER DO I NEED TO ENTER AS SEARCHUSERDN ? IS THAT USER FROM AD, OR FROM SUSE? OR FROM OTRS DB ?
# WHAT I USE IS MY ACTIVE DIRECTORY USER
#The username and password of the user you setup to access LDAP information in AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=devuser,OU=Users,DC=company-bih,DC=corp';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'devpwd';
#We want our Customer/users to Auth using LDAP
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'myAD.company-bih.corp';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'OU=Users,DC=company-bih,DC=corp';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=devuser,OU=Users,DC=agrokor-bih,DC=corp';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'devpwd';
$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'myAD.company-bih.corp',
        BaseDN => 'OU=Users,DC=company-bih,DC=corp',
        SSCOPE => 'sub',
        UserDN => 'CN=devuser,OU=Users,DC=agrokor-bih,DC=corp',
        UserPw => 'devpwd',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'userPrincipalName',
    CustomerUserListFields   => ['displayName', 'userPrincipalName'],
    CustomerUserSearchFields => ['displayName', 'userPrincipalName'],
    # must be an array reference, not a bareword
    CustomerUserPostMasterSearchFields => ['userPrincipalName'],
    CustomerUserNameFields => ['givenName', 'sn'],
    #the following must map to valid fields in your AD(givenname,sn,sAMAccountName,...)
    Map => [
        [ 'UserFirstname',  'Firstname',  'givenname',         1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',                1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',    1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'userPrincipalName', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'userPrincipalName', 0, 1, 'var' ],
    ],
};
#OK now lets have our agents use LDAP
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=devuser,OU=Users,DC=company-bih,DC=corp';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=devuser,OU=Users,DC=company-bih,DC=corp';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
# UserSyncLDAPMap
# (map if agent should create/synced from LDAP to DB after login must match your AD)
$Self->{UserSyncLDAPMap} = {
    # DB -> LDAP
    Firstname => 'givenName',
    Lastname  => 'sn',
    Email     => 'userPrincipalName',
};
# UserSyncLDAPGroups
# (If "LDAP" was selected for AuthModule, you can specify
# initial user groups for first login.)
$Self->{UserSyncLDAPGroups} = [
    'users',
];

But I get the following errors in the log file (and it repeats all the time):

Oct 25 12:36:29 otrs OTRS-CGI-10[30148]: [Error][Kernel::System::CustomerUser::LDAP::new][Line:151]: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Oct 25 12:54:23 otrs OTRS-CGI-10[30220]: [Error][Kernel::System::Auth::LDAP::Auth][Line:187]: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

Can anyone help me with this?

Dejan Miklavcic wrote:
Ok, I've been working on this issue for 3 days, but I can't make it work. I want my agents and customers to authenticate via LDAP (that is actually our Win2003 server Active Directory). Do I need to manually set up LDAP on the OTRS server (I am running openSUSE 10.2 with openLDAP)? Is there any configuration needed to enable authenticating from Active Directory? ...........
But I get the following errors in the log file (and it repeats all the time):
Oct 25 12:36:29 otrs OTRS-CGI-10[30148]: [Error][Kernel::System::CustomerUser::LDAP::new][Line:151]: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Oct 25 12:54:23 otrs OTRS-CGI-10[30220]: [Error][Kernel::System::Auth::LDAP::Auth][Line:187]: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Can anyone help me with this?

Hi Dejan,
First of all, you must create a user account for OTRS in Active Directory. You do not need to install LDAP manually. A week ago I enabled LDAP authentication for both agents and customers. My LDAP server is Windows Server 2003 and OTRS is running on FreeBSD. I am sending you a copy of a working Config.pm file. I hope this will help you.

Second, by enabling LDAP authentication for agents you will not be able to log in as root@localhost (actually the admin user). So you need to add a user who has admin privileges before enabling LDAP authentication. Also, this user's name must exist in your AD tree.

#-----------------------------------------------------
#
# LDAP for agents
#
#-----------------------------------------------------
#
#Enable LDAP authentication for Agents
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'domain.xxx.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=xxx,DC=com';
$Self->{'AuthModule::LDAP::UID'} = 'CN';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRS_Agents,OU=Technic,DC=xxx,DC=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_ldap, DC=xxx, DC=com';
#otrs_ldap is an user for LDAP search
$Self->{'AuthModule::LDAP::SearchUserPw'} = '*****';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'domain.xxx.com';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=xxx, DC=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'CN';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=otrs_ldap,DC=xxx, DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '*****';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
# ----------------------------------------------------
#
# LDAP configuration for customers
#
# ----------------------------------------------------
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'domain.xxx.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=xxx,DC=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_ldap, DC=xxx,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '*****';
#CustomerUser
#(customer user database backend and settings)
$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'domain.xxx.com',
        BaseDN => 'DC=xxx,DC=com',
        SSCOPE => 'sub',
        UserDN => 'CN=otrs_ldap, DC=xxx, DC=com',
        UserPw => '*****',
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields   => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        #[ 'UserSalutation', 'Title',      'title',           1, 0, 'var' ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
        #[ 'UserAddress',   'Address',    'postaladdress',   1, 0, 'var' ],
        #[ 'UserComment',   'Comment',    'description',     1, 0, 'var' ],
    ],
};
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=otrs_group,DC=xxx,DC=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

Good luck :)

BR,
Altangerel .G

Plan for the future, because that is where you are going to spend the rest of your life. Mark Twain
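An added check, not part of either post: in Dejan's log the "AcceptSecurityContext error, data 525" sub-code is Active Directory's way of saying the bind DN itself was not found (52e is the code for a wrong password), so the search account is worth verifying outside OTRS before enabling LDAP authentication. This Net::LDAP script takes the host, bind DN and password from the posts as placeholders, binds as the search account, decodes the AD sub-code if the bind fails, and then runs the same sAMAccountName lookup OTRS performs.

```perl
#!/usr/bin/perl
# Added diagnostic, not from the thread: verify the OTRS search account
# and the user lookup directly with Net::LDAP before enabling LDAP auth.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
# Placeholders taken from the posts; replace with your own values.
my $host    = 'myAD.company-bih.corp';
my $base_dn = 'DC=company-bih,DC=corp';
my $bind_dn = 'CN=devuser,OU=Users,DC=company-bih,DC=corp';   # a 525 means AD did not find this DN
my $bind_pw = 'devpwd';
my $login   = $ARGV[0] // 'devuser';    # sAMAccountName to look up
# AD sub-codes that appear as "data NNN" in AcceptSecurityContext errors.
my %ad_reason = (
    '525' => 'user not found (bind DN does not exist)',
    '52e' => 'invalid credentials (wrong password)',
    '532' => 'password expired',
    '533' => 'account disabled',
    '773' => 'user must reset password',
    '775' => 'account locked out',
);
# Translate an AD bind error string into a readable reason.
sub explain_bind_error {
    my ($error_text) = @_;
    return 'unknown reason' unless $error_text =~ /data\s+([0-9a-f]+)/i;
    return $ad_reason{ lc $1 } // "unrecognised sub-code $1";
}
my $ldap = Net::LDAP->new($host, port => 389, version => 3, timeout => 30)
    or die "Cannot connect to $host: $@\n";
my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die "Bind as $bind_dn failed: " . explain_bind_error($mesg->error) . "\n" if $mesg->code;
print "Bind as $bind_dn OK\n";
# Same search OTRS performs: find the user's DN by sAMAccountName.
# The login is escaped so a crafted value cannot alter the filter.
$mesg = $ldap->search(
    base   => $base_dn,
    scope  => 'sub',
    filter => '(sAMAccountName=' . escape_filter_value($login) . ')',
    attrs  => ['sAMAccountName', 'userPrincipalName'],
);
die 'Search failed: ' . $mesg->error . "\n" if $mesg->code;
die "No entry for $login under $base_dn\n" unless $mesg->count;
for my $entry ($mesg->entries) {
    printf "%s -> %s\n", $entry->dn, $entry->get_value('userPrincipalName') // '(no UPN)';
}
$ldap->unbind;
```

If the bind succeeds here but OTRS still logs "First bind failed", the value in Config.pm differs from the one tested (note the two different DC components in Dejan's SearchUserDN and UserDN entries).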