
Hi all! Boring subject, but I'm in despair. After several days of epic battle with LDAPs, docs, lists (all messages here), configs and so on, I'm totally stuck with this.

Short pre-history:
- LDAP server is M$ Active Directory, Windows 2000 server;
- Linux distribution, RedHat 8.0 (all patches applied);
- OTRS v1.2.2 (last one);
- Apache Web server 2.0.40;
- local DB authentication with no problems.

Configuration part from Config.pm:

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP'; # pretty trivial, local DB config is commented
    $Self->{'AuthModule::LDAP::Host'} = 'heb-hdo-dc-03.hebros.bg'; # my W2K server, DC and LDAP server
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=hebros,dc=bg'; # My baseDN, why is there different syntax? Which one is correct, "dc" or "ou"/"o"?
    $Self->{'AuthModule::LDAP::UID'} = 'uid'; # I'm not sure this is correct, but left untouched

Error: when I restart Apache and go to the Customer-User URL (customer.pl script), this error appears:

*******
Server error! The server encountered an internal error and was unable to complete your request.
Error message: Need Customer::AuthModule::LDAPHost in Kernel/Config.pm at /opt/otrs/Kernel/cpan-lib/CGI/Carp.pm line 301, <DATA> line 225.
If you think this is a server error, please contact the webmaster
Error 500
********

Once again: when local authentication occurs, everything is OK.

Any ideas? Any help will be very appreciated! This is my first attempt to link OTRS with an LDAP server and I'm afraid that this is only a beginning.

-- 
Best regards,
Vladimir Gerdjikov
Communication and NOS Manager, HebrosBank Head Office, +359 32/903435, +359 888 578 458
KeyID:BC821E9B from http://wwwkeys.uk.pgp.net
Fingerprint: 503C 54EE C1B0 B446 DD84 5A3A 4E05 4D62 BC82 1E9B

On Monday, March 15, 2004 4:14 PM, Vladimir Gerdjikov wrote:
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=hebros,dc=bg'; # My baseDN, why is there different syntax? Which one is correct, "dc" or "ou"/"o"?
This is nothing you set here, but merely reflect here. Meaning, this is the name of your LDAP directory tree's entry point. The syntax is different from a fully qualified domain name in the DNS because we're dealing here with directory servers, which simply follow a different naming scheme than domain name servers. An ADS is somewhat of a hybrid between the two, although in its bones it's an LDAP, communicating with and relying heavily on (its own, maybe) DNS.
$Self->{'AuthModule::LDAP::UID'} = 'uid'; # I'm not sure is this correct, but left untouched
Error: when I restart Apache and go to the Customer-User URL (customer.pl script), this error appears: Once again: when local authentication occurs, everything is OK.
Any ideas? Any help will be very appreciated! This is my first attempt to link OTRS with an LDAP server and I'm afraid that this is only a beginning.
Were those the only settings you did for LDAP? You're not even halfway through. I'd suggest you really re-read the examples from our doc server:

Customer User Backend
http://doc.otrs.org/1.2/en/html/customer-user-backend.html#AEN775

Customer User Auth Backend
http://doc.otrs.org/1.2/en/html/customer-auth-backend.html#AEN788

To be complete - this is for the agents, from LDAP with love :)
http://doc.otrs.org/1.2/en/html/user-auth-backend.html#AEN736

Just follow them thoroughly, leaving not a bit aside when trying to copy examples to your Config.pm.

You may also try to thoroughly follow the advice given in the various messages on this list mentioning 'active' and 'directory'. Or best: both. There must be some. S-}

hth,
Robert Kehl

-- 
((otrs.de)) :: OTRS GmbH :: Norsk-Data-Str. 1 :: 61352 Bad Homburg
http://www.otrs.de/ :: Tel. +49 (0)6172 4832388

Robert Kehl wrote:
Just follow them thoroughly, leaving not a bit aside when trying to copy examples to your Config.pm.
You may also try to thoroughly follow the advice given in the various messages on this list mentioning 'active' and 'directory'. Or best: both. There must be some. S-}
10x for your reply. Of course, this is not everything from my config. I'm sorry, my mistake, I've not posted everything (I'm afraid this will be a large and unreadable post). And yes, I've done everything described in the manuals and read everything in this list (searching LDAP, "directory", "active" and so on), but with negative result. Now the complete story. Here is my full LDAP configuration:

    # *****
    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    # $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    #$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.example.com';
    #$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
    #$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
    $Self->{'AuthModule::LDAP::Host'} = 'heb-hdo-dc-03.hebros.bg';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=hebros,dc=bg';
    $Self->{'AuthModule::LDAP::UID'} = 'uid';
    # $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
    # non Anonymous login, searching
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS,ou=Service Users,ou=HeadOffice,dc=hebros,dc=bg';

    # CustomerUser (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
        Name => 'LDAP Source',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'heb-hdo-dc-03.hebros.bg',
            # ldap base dn
            BaseDN => 'dc=hebros,dc=bg',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'cn=OTRS,ou=Service Users,ou=HeadOffice,dc=hebros,dc=bg',
            UserPw => 'XXXXXXX',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            AlwaysFilter => '',
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port => 389,
                version => 3,
            },
        },
        # customer uniq id
        CustomerKey => 'uid',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['uid', 'cn', 'mail'],
        CustomerUserSearchFields => ['uid', 'cn', 'mail'],
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
            [ 'UserLogin', 'Login', 'uid', 1, 1, 'var' ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
            [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
            [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
            [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
        ],
    };
    # ***

My AD structure is (AD server is heb-hdo-dc-03.hebros.bg):

    root
    |
    +-> hebros.bg
        |
        +-> HeadOffice
            |
            +-> Service Users
                |
                +-> OTRS

I think the string cn=OTRS,ou=Service Users,ou=HeadOffice,dc=hebros,dc=bg is correct enough. We disabled anonymous search in AD. I think BaseDN is "dc=hebros,dc=bg". Am I on the right way? I have no experience with LDAP servers, but when I configure my email client to work with the LDAP directory (with the string above), everything is OK (with this BaseDN). Is there something Active Directory specific in the syntax?

-- 
Best regards,
Vladimir Gerdjikov

On Tuesday, March 16, 2004 7:25 AM, Vladimir Gerdjikov wrote:
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
# $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
OTRS doesn't AUTH against LDAP with this setting. Ok for you.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
Now it does it for the CustomerUsers.
#$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.example.com';
But with which host? Uncomment and adapt this to your needs.
#$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
And which DN? Uncomment and adapt this, too.
#$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
$Self->{'AuthModule::LDAP::Host'} = 'heb-hdo-dc-03.hebros.bg';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=hebros,dc=bg';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
Here you give the necessary information for AUTHing the _agents_ against LDAP; again - it's commented above, therefore these settings are useless. Comment them.

The rest is OK so far. So, to sum up: Don't mess up the settings for:

$Self->{'AuthModule'}
$Self->{'Customer::AuthModule'}
$Self->{'Customer'}

Each of these is capable of reading from an LDAP tree; each is configured independently from one another.
I think the string cn=OTRS,ou=Service Users,ou=HeadOffice,dc=hebros,dc=bg is correct enough. We disabled anonymous search in AD. I think BaseDN is "dc=hebros,dc=bg". Am I on the right way? I have no experience with LDAP servers, but when I configure my email client to work with the LDAP directory (with the string above), everything is OK (with this BaseDN).
So we take it for good.
Is there something Active Directory specific in the syntax?
Ask them, please ;) - but there shouldn't be.

hth,
Robert Kehl
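The rule Robert applies by hand above (each backend switch only reads its own LDAP keys, so `AuthModule::LDAP::*` is inert while `AuthModule` stays commented, and an active `Customer::AuthModule` needs `Customer::AuthModule::LDAP::*`, which is what the "Need Customer::AuthModule::LDAPHost" error in the first message complained about) can be checked mechanically. The following is an added example, not code from the thread or from OTRS; it reads Config.pm-style `$Self->{'key'} = 'value';` lines and the sample is a constructed excerpt of the posted settings.

```python
import re

# The value that switches each backend to LDAP, and the keys OTRS then needs
# (the "Need Customer::AuthModule::LDAPHost" error is the customer-side case).
LDAP_BACKENDS = {
    "AuthModule": "Kernel::System::Auth::LDAP",
    "Customer::AuthModule": "Kernel::System::CustomerAuth::LDAP",
}
SUFFIXES = ("Host", "BaseDN", "UID")
# Matches an active  $Self->{'key'} = 'value';  line.
ASSIGN = re.compile(r"^\s*\$Self->\{'([^']+)'\}\s*=\s*'([^']*)'\s*;")

def parse_config(text):
    """Collect active assignments; flag $Self lines that do not parse
    (e.g. an unbalanced quote), which Perl would refuse as well."""
    settings, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented out: not an active setting
        m = ASSIGN.match(stripped)
        if m:
            settings[m.group(1)] = m.group(2)
        elif stripped.startswith("$Self->{"):
            problems.append(f"line {lineno}: cannot parse assignment: {stripped}")
    return settings, problems

def lint_ldap_auth(text):
    """Report missing keys for an active LDAP backend, dead LDAP keys for an inactive one, and unparsable lines."""
    settings, problems = parse_config(text)
    for module, ldap_class in LDAP_BACKENDS.items():
        active = settings.get(module) == ldap_class
        for suffix in SUFFIXES:
            key = f"{module}::LDAP::{suffix}"
            if active and key not in settings:
                problems.append(f"missing {key} (needed because {module} = {ldap_class})")
            elif not active and key in settings:
                problems.append(f"dead setting {key} ({module} is not the LDAP backend)")
    return problems

# Constructed excerpt of the configuration posted in this thread.
SAMPLE_CONFIG = """\
# $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
#$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.example.com';
$Self->{'AuthModule::LDAP::Host'} = 'heb-hdo-dc-03.hebros.bg';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=hebros,dc=bg';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
"""
```

Running `lint_ldap_auth(SAMPLE_CONFIG)` reports the three dead agent keys and the three missing customer keys; pointing it at a Config.pm that sets `Customer::AuthModule::LDAP::Host`, `BaseDN` and `UID` returns an empty list.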

Robert Kehl wrote:
On Tuesday, March 16, 2004 7:25 AM
$Self->{'AuthModule::LDAP::Host'} = 'heb-hdo-dc-03.hebros.bg';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=hebros,dc=bg';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
Here you give the necessary information for AUTHing the _agents_ against LDAP; again - it's commented above, therefore these settings are useless. Comment them.
The rest is OK so far. So, to sum up:
Don't mess up the settings for:
$Self->{'AuthModule'}
$Self->{'Customer::AuthModule'}
$Self->{'Customer'}
Each of these is capable of reading from an LDAP tree; each is configured independently from one another.
Yes, I know that. I think my config is correct. Do you think there is something misconfigured? I've problems with authentication for users, but this is my second task. My primary goal is to achieve customer-user login and authentication.

p.s. Lines with comments are only for fullness :)

-- 
Best regards,
Vladimir Gerdjikov

On Tuesday, March 16, 2004 12:02 PM, Vladimir Gerdjikov wrote:
I think my config is correct. Do you think there is something misconfigured? I've problems with authentication for users, but this is my second task. My primary goal is to achieve customer-user login and authentication.
Find attached the necessary settings for both tasks.

Best wishes,
Robert Kehl

Robert Kehl wrote:
Find attached the necessary settings for both tasks.
10x for the configs. Everything is much clearer, but I still can't authenticate successfully. The error is:

    [Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: otrs login failed, no LDAP entry found!BaseDN='DC=hebros,DC=bg', Filter='(uid=otrs)'

I suspect that something is wrong with BaseDN when authenticating, but WHAT?! When I use DB authentication for users, I can search (not so good, maybe additional parameters are necessary, but search is working), therefore my BaseDN is correct. What about the user password? Is the password sent in plain text, or is it sent with some hash (MD5, SHA-1) to the LDAP server (AD in my case)? Sorry, but I'm not a programmer and can't search through all this Perl stuff. This is my first attempt to authenticate some non-Windows user through AD and I think that something is missing in my Linux server (PAM module?).

-- 
Best regards,
Vladimir Gerdjikov