Kerberos and LDAP Authentication

Hi all,

our company network offers Domain (Kerberos) and LDAP authentication. Since the beginning of the OTRS project, we've been using LDAP Auth, but people in the domain would like to enable Kerberos Auth in OTRS.

I've successfully enabled Kerberos in Apache and AuthModule = 'Kernel::System::Auth::HTTPBasicAuth', but now people not in the domain are not able to log in.

I've tried with 2 AuthModules ($Self->{AuthModule1} = 'Kernel::System::Auth::HTTPBasicAuth' and $Self->{AuthModule2} = 'Kernel::System::Auth::LDAP'), but OTRS never gets to the LDAP Auth.

Has anyone tried such a configuration? Does anyone have a hint?

Kind regards,
Juan Clavero

On Nov 9, 2012, at 11:46 AM, Juan Manuel Clavero Almirón
Do you have any errors in your log? Did you configure the Auth::Sync::Module, or are the agents already created?

-Roy

--
Roy Kaldung
e-mail: roy@kaldung.com

Hi Roy,
before changing the config, auth and sync were LDAP. I changed auth to Kerberos, but sync was still LDAP.
Kind regards,
Juan Clavero Almirón
Gestiò d'Identitats, Firma i Custòdia
Oficina de Tecnologies, Informació i Comunicacions (OTIC)
Servei de Salut de les Illes Balears
C/ de les Escoles, s/n - 07181 Bendinat - Mallorca
Tel. +34 971.42.65.30
-----Original Message-----
From: Roy Kaldung [mailto:roy@kaldung.com]
Sent: Friday, 09 November 2012 17:42
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Kerberos and LDAP Authentication

On Nov 12, 2012, at 8:06 AM, Juan Manuel Clavero Almirón
Check your sync parameter. With mod_auth_kerb you'll get the samaccountname with or without the domain in uppercase, depending on your configuration. Do you sync against the samaccountname?

-Roy

--
Roy Kaldung
e-mail: roy@kaldung.com

Hi Roy,
yes, I do sync against the samaccountname. I capture it from the kerb login using HTTPBasicAuth::ReplaceRegExp.
But that's not the problem: the problem is the users that cannot do Kerberos authentication. I need them to be able to do LDAP auth using the OTRS login page, as they did before. Instead, they just get a 'forbidden' error and don't get any login page.
Kind regards,
Juan Clavero
-----Original Message-----
From: Roy Kaldung [mailto:roy@kaldung.com]
Sent: Tuesday, 13 November 2012 18:47
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Kerberos and LDAP Authentication
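The OTRS side of the setup Roy and Juan are discussing, as an added example (not Juan's or Roy's configuration, and not code from the OTRS project): a Kernel/Config.pm fragment that takes the REMOTE_USER mod_auth_kerb passes in, strips the Kerberos realm with HTTPBasicAuth::ReplaceRegExp so that the login equals the Active Directory sAMAccountName, and syncs the agent record from LDAP keyed on that same attribute. The realm EXAMPLE.COM, the host ad.example.com, the base DN, the bind account and the agents group are assumptions for illustration only.

```perl
# Kernel/Config.pm fragment (OTRS 3.x keys) -- added example, not the poster's config.
# Hypothetical values: realm EXAMPLE.COM, AD host ad.example.com,
# base DN dc=example,dc=com, bind account cn=otrs-sync, agents group cn=otrs-agents.

# --- Authentication: trust the REMOTE_USER that Apache (mod_auth_kerb) sets ---
$Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';

# mod_auth_kerb delivers the principal, e.g. "jclavero@EXAMPLE.COM".
# HTTPBasicAuth applies  s/$ReplaceRegExp/$1/  to REMOTE_USER, so the first
# capture group becomes the OTRS login. Anchoring both ends keeps the regexp
# from stripping anything but the expected realm; a principal from another
# realm is left unchanged and therefore matches no agent.
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '^([^@]+)@EXAMPLE\.COM$';

# If Apache instead hands over a prefixed form such as "EXAMPLE\jclavero",
# strip the literal prefix (Replace is applied before ReplaceRegExp):
# $Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'EXAMPLE\\';

# --- Agent sync: create/update the agent from AD on login, keyed on sAMAccountName ---
$Self->{AuthSyncModule}                       = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}         = 'ldaps://ad.example.com/';
$Self->{'AuthSyncModule::LDAP::BaseDN'}       = 'dc=example,dc=com';
# UID must be the attribute whose value equals the stripped login above.
$Self->{'AuthSyncModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrs-sync,ou=Service Accounts,dc=example,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'change-me';
# Only members of the agents group get an OTRS agent record created.
$Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '(memberOf=cn=otrs-agents,ou=Groups,dc=example,dc=com)';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'}  = {
    # OTRS agent field => AD attribute
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# OTRS groups a freshly created agent is placed into (they must already exist).
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = ['users'];
```

OTRS only sees requests that Apache has already let through, so this fragment does nothing for users who cannot obtain a Kerberos ticket; it only fixes the account matching Roy asks about. Before choosing the regular expression, check what Apache actually puts in REMOTE_USER for a domain user: with mod_auth_kerb's KrbLocalUserMapping enabled the realm is already stripped, and a different module such as mod_auth_sspi delivers the DOMAIN\user form, in which case the commented Replace prefix strip is the right tool instead.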

It's not really an OTRS issue as Apache is the one handling the actual authentication. The problem is you can't have a fallback when using Apache Kerberos authentication (many people have tried [and failed]; google "apache kerberos ldap fallback"). If you fail Kerberos authentication then Apache will deny you access to any resources.

Steve
On 14 November 2012 12:33, Juan Manuel Clavero Almirón

Hi Steven,
I was afraid this would be the answer: either Kerberos or OTRS auth...
well, we can't have it all, can we?
Kind regards,
Juan Clavero
-----Original Message-----
From: Steven Carr [mailto:sjcarr@gmail.com]
Sent: Wednesday, 14 November 2012 16:58
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Kerberos and LDAP Authentication
Participants (3):
- Juan Manuel Clavero Almirón
- Roy Kaldung
- Steven Carr