Does anyone have a copy of a working config.pm they'd be willing to share so I can see where I shot myself in the foot and move forward? ----- Message from jdavis@standard.k12.ca.us --------- Date: Tue, 06 Oct 2009 15:19:20 -0700 From: Jefferson Davis Reply-To: "User questions and discussions about OTRS." Subject: [otrs] customer ldap auth not working To: "otrs@otrs.org"

Here are the relevant portions of Config.pm. Sorry if too verbose for the list. Admin interface allows me to query the ldap tree, but cannot login as a customer, would very much like to find out what I'm doing wrong here.

# This is an example configuration for an LDAP auth. backend. # (take care that Net::LDAP is installed!) $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP'; $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.example.com'; $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com'; $Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup # (e. g. user needs to be in a group xyz to use otrs) $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'ou=users,dc=example,dc=com'; $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid'; # for ldap posixGroups objectclass (just uid) $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID'; # for non ldap posixGroups objectclass (full user dn) # $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the # anonymous user do NOT have permission to read from the LDAP tree $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=manager,dc=example,dc=com'; $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '<password>';

# in case you want to add always one filter to each ldap query, use # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)' $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(mail=*@*)';

# in case you want to add a suffix to each customer login name, then # you can use this option. e. g. user just want to use user but # in your ldap directory exists user@domain. # $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP) $Self->{'Customer::AuthModule::LDAP::Params'} = { port => 389, timeout => 120, async => 0, version => 3, };

# CustomerUser # (customer user ldap backend and settings) $Self->{CustomerUser} = { Name => 'LDAP', Module => 'Kernel::System::CustomerUser::LDAP', Params => { # ldap host Host => 'ldap.example.com', # ldap base dn BaseDN => 'ou=users,dc=example,dc=com', # search scope (one|sub) SSCOPE => 'sub', # # The following is valid but would only be necessary if the # # anonymous user does NOT have permission to read from the LDAP tree UserDN => 'cn=manager,dc=example,dc=com', UserPw => '<password>', # in case you want to add always one filter to each ldap query, use # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)' AlwaysFilter => '(mail=*@*)', # if your frontend is e. g. iso-8859-1 and the charset of your # ldap server is utf-8, use this options (if not, ignore it) # SourceCharset => 'utf-8', # DestCharset => 'iso-8859-1', # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP) Params => { port => 389, timeout => 120, async => 0, version => 3, }, }, # customer uniq id CustomerKey => 'uid', # customer # CustomerID => 'mail', CustomerUserListFields => ['givenName', 'mail'], CustomerUserSearchFields => ['uid', 'givenName', 'mail'], CustomerUserSearchPrefix => '', CustomerUserSearchSuffix => '*', CustomerUserSearchListLimit => 250, CustomerUserPostMasterSearchFields => ['mail'], CustomerUserNameFields => ['givenname', 'sn'], # show not own tickets in customer panel, CompanyTickets CustomerUserExcludePrimaryCustomerID => 0, # add a ldap filter for valid users (expert setting) # CustomerUserValidFilter => '(!(description=gesperrt))', # admin can't change customer preferences AdminSetPreferences => 0, # # cache time to life in sec. - cache any database queris # CacheTTL => 0, Map => [ # note: Login, Email and CustomerID needed! # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ], [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ], [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ], [ 'UserLogin', 'Username', 'uid', 1, 1, 'var', '', 0 ], [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ], [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ], # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ], # [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ], # [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ], # [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ], ], };

$Self->{UserSyncLDAPMap} = {

# DB -> LDAP

Firstname => 'givenName',

Lastname => 'sn',

Email => 'mail',

};

$Self->{UserSyncLDAPGroups} = [

'users',

];

# ---------------------------------------------------- # # ---------------------------------------------------- # # # # End of your own config options!!! # # # # ---------------------------------------------------- # # ---------------------------------------------------- # }

}

-- Jefferson K Davis Technology and Information Systems Manager Standard School District 1200 North Chester Ave Bakersfield, CA 93308 661.392.2110

---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.

----- End message from jdavis@standard.k12.ca.us ----- -- Jefferson K Davis Technology and Information Systems Manager Standard School District 1200 North Chester Ave Bakersfield, CA 93308 661.392.2110 ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.