RE: [otrs] LDAP and active directory authentication problems

I am sorry if I confused anyone, but I wanted my agents to be authenticated against the Active Directory also. As far as I can see in the OTRS log file, it's trying to use the '[Kernel::System::Auth::DB::Auth]' module. I would like to know if we have a corresponding LDAP module, or can I simply use the '[Kernel::System::CustomerAuth::LDAP::Auth]' module, and where can I specify that.

Yes, you can auth your agents as well as your customers. That is what chapter nine talks about. To auth the agents, add the following to your Config.pm:

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'host.example.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'admin';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,cn=Users,dc=nspnet,dc=net';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';

***By the way, I forgot to mention that the admin name in SearchUserDN has to be a fully qualified name, i.e. admin@example.com (username@basedn). Open the snap-in "Active Directory Users and Computers". You can find this when looking at a user's properties, Account tab, next to the logon name.

I tried putting in the two lines that you mentioned. Also, the username and password were for the domain Administrator, so it should have worked if it was supposed to. I am able to authenticate against the server using .NET, so I am sure that it works and is accessible from the install machine. I also tried putting in the host name for the host as well as its IP address.

Okay, here is the Perl code extracted from Kernel/System/Auth/LDAP.pm. Put it in a Perl script and run it directly from the console. It should give you a good idea whether you are able to connect or not.

use strict;
use Net::LDAP;

my $Host       = ' '; # Put your ldap server here
my $Admin      = ' '; # Put your admin credentials here (fully qualified)
my $AdminPass  = ' '; # Put your admin password here
my $Uid        = ' '; # Put some user's name here that you want to get info about
                      # (does not have to be fully qualified - just the sAMAccountName)
my $SearchBase = ' '; # Put your searchbase here (dc=example,dc=com)
my $Filter     = "sAMAccountName=$Uid"; # Leave it just like that

# Net::LDAP->new returns undef when the connection fails, so "or die" works here
my $LDAP = Net::LDAP->new($Host) or die "Failed to connect to LDAP host!";

# bind() and search() always return a Net::LDAP::Message object, even when the
# operation failed, so the result code has to be checked instead of "or die"
my $Bind = $LDAP->bind($Admin, password => $AdminPass);
die "Permission to browse directory denied! " . $Bind->error if $Bind->code;

my $Result = $LDAP->search( base => $SearchBase, filter => $Filter );
die "Failed to retrieve user information: " . $Result->error if $Result->code;

my $UserDN = '';
foreach my $Entry ($Result->all_entries) {
    $UserDN = $Entry->dn();
}
if (!$UserDN) {
    print "User: $Uid login failed, no LDAP entry found! BaseDN='$SearchBase', Filter='$Filter'\n";
}

Did not find any useful information about the directory except the tree structure that I could see from the MMC snap-in.

Fine, don't worry about it then.

Hth,
Tyler Hepworth

It works !!

I was not able to execute the code as you had supplied it and had to change a few things. Below is the modified piece of code that I used to check the server. When creating a new LDAP object, if I did not provide the port number, the code gave me an error:

Can't call method on an undefined value at testLDAP.pl line 15, <DATA> line 255.

I tried to figure out what it meant but had no luck. Later, after doing some research, I tried adding the port parameter as a variation and it worked.

The code executes successfully all the way to the end, but it is never able to authenticate anybody. Any user I try, it says:

User: <username> login failed, no LDAP entry found! BASEDN='...', DC='...'

After going through the Perl code (I am not even a beginner in Perl) and comparing it with the code I had in .NET, I found that this code did not specify the password of the user we are trying to authenticate. We are providing only one username and password, and that is of the person who is supposed to have access to search through the AD. In my .NET code, I never provide this admin password. However, I always provide the username and corresponding password that was provided for authentication.

As you pointed out in the code, I tried the fully qualified username for the SearchDN parameter (I was using only the username before) and IT WORKED !!!

I tested the fact about users being added from the LDAP to the database automatically on first login, and it did not work. The AD user has to be created as a Customer User before he/she can access the system. I would like to have the ability to have new users automatically added to the database in future versions (it apparently was, as I pointed out in the documentation). I was also able to get the agents authenticated against the LDAP server. I had the entry for $Self->{'AuthModule'} twice in the config file.

Now that everything is working, I have one more question. Will I be able to do Integrated Windows Authentication using Apache, or will I have to port OTRS over to IIS for it?

TIA,
Nik
------ code snippet -------------
use strict;
use Net::LDAP;

my $Host       = '...'; # Put your ldap server here
my $Admin      = '...'; # Put your admin credentials here (fully qualified)
my $AdminPass  = '...'; # Put your admin password here
my $Uid        = '...'; # Put some user's name here that you want to get info about
                        # (does not have to be fully qualified - just the sAMAccountName)
my $SearchBase = '...'; # Put your searchbase here (dc=example,dc=com)
my $Filter     = "sAMAccountName=$Uid"; # Leave it just like that

# Net::LDAP->new returns undef when the connection fails, so "or die" works here
my $LDAP = Net::LDAP->new($Host, port => 389) or die "Failed to connect to LDAP host!";

# bind() and search() always return a Net::LDAP::Message object, even when the
# operation failed, so the result code has to be checked instead of "or die"
my $Bind = $LDAP->bind($Admin, password => $AdminPass);
die "Permission to browse directory denied! " . $Bind->error if $Bind->code;

my $Result = $LDAP->search( base => $SearchBase, filter => $Filter );
die "Failed to retrieve user information: " . $Result->error if $Result->code;

my $UserDN = '';
foreach my $Entry ($Result->all_entries) {
    $UserDN = $Entry->dn();
}
if (!$UserDN) {
    print "User: $Uid login failed, no LDAP entry found! BaseDN='$SearchBase', Filter='$Filter'\n";
}
$LDAP->unbind;
--------------- End code snippet ------------------
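The two test scripts in this thread only search for the user, which is why they never prove a password: the bind that matters is a second one, made with the user's own DN and the password typed at login, after the search. The script below is an added example written for this page, not OTRS code and not code from either poster. It assumes an AD domain controller reachable over LDAPS on port 636 with a CA file at the path shown, a service account 'svc-otrs@example.com' (UPN form, as noted above), the group DN from the config above with an example.com suffix, and a Net::LDAP that exports escape_filter_value. It also covers two details that turn a script like this into a bypass: Net::LDAP's bind() and search() return a message object even when the operation failed, so "or die" never fires and the result code must be checked; and AD treats a simple bind with an empty password as an anonymous bind and reports success, so an empty password has to be refused before binding. The login is escaped before it goes into the filter so a value like "*" or ")(" cannot change the query.

```perl
#!/usr/bin/perl
# Added example (not OTRS code, not from the thread): the agent-login flow
# Kernel::System::Auth::LDAP performs against Active Directory, written as a
# stand-alone script. Hostname, DNs, CA file and the service account below
# are assumed placeholders; edit them before running.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# --- site configuration (assumed values, replace with your own) ------------
my $Host       = 'dc1.example.com';
my $Port       = 636;                            # LDAPS, not plain 389
my $CAFile     = '/etc/ssl/certs/corp-root-ca.pem';
my $BaseDN     = 'dc=example,dc=com';
my $SearchUser = 'svc-otrs@example.com';         # search account, UPN form
my $SearchPw   = 'service-account-password';
my $GroupDN    = 'cn=otrs,cn=Users,dc=example,dc=com';
my $AccessAttr = 'member';                       # same idea as AuthModule::LDAP::AccessAttr
my $UidAttr    = 'sAMAccountName';

# Die with the server's message if an LDAP operation failed. bind() and
# search() always return a Net::LDAP::Message, so "... or die" never fires;
# the result code is the only reliable indicator.
sub check_result {
    my ($Mesg, $What) = @_;
    die "$What failed: " . $Mesg->error . " (code " . $Mesg->code . ")\n"
        if $Mesg->code;
    return $Mesg;
}

# Returns 1 if the login/password pair is valid and the account is listed in
# $GroupDN, 0 otherwise. Dies on infrastructure errors (DC unreachable, bad
# service credentials) so a broken directory is never reported as "wrong
# password".
sub authenticate {
    my ($Login, $Password) = @_;

    # 1. AD accepts an "unauthenticated" simple bind (a DN with an empty
    #    password) and reports success, so refuse it before any bind happens.
    return 0 if !defined($Password) || $Password eq '';

    my $LDAP = Net::LDAP->new($Host, port => $Port, scheme => 'ldaps',
                              verify => 'require', cafile => $CAFile,
                              version => 3)
        or die "Cannot connect to ${Host}:${Port}: $@\n";

    # 2. Bind as the search (service) account and check the result code.
    check_result($LDAP->bind($SearchUser, password => $SearchPw), 'service bind');

    # 3. Look the user up by sAMAccountName. The login comes from a form
    #    field; escape_filter_value() keeps "*", "(", ")" and "\" from
    #    changing the filter (LDAP filter injection). '1.1' asks for no
    #    attributes, only the DN is needed.
    my $Filter = "($UidAttr=" . escape_filter_value($Login) . ")";
    my $Search = check_result(
        $LDAP->search(base => $BaseDN, scope => 'sub', filter => $Filter,
                      attrs => ['1.1']),
        'user search');
    if ($Search->count != 1) {        # 0 = unknown user, >1 = ambiguous login
        $LDAP->unbind;
        return 0;
    }
    my $UserDN = $Search->entry(0)->dn;

    # 4. Authorisation, the way the GroupDN/AccessAttr config works: the
    #    group entry itself must list the user's DN in its member attribute.
    #    (member holds direct members only; nested groups are not followed.)
    my $Group = check_result(
        $LDAP->search(base => $GroupDN, scope => 'base',
                      filter => "($AccessAttr=" . escape_filter_value($UserDN) . ")",
                      attrs => ['1.1']),
        'group search');
    if ($Group->count != 1) {
        $LDAP->unbind;
        return 0;
    }

    # 5. Authentication: bind again with the user's own DN and the password
    #    supplied at login. This is the step the search-only scripts omit;
    #    only this bind proves the password.
    my $Bind = $LDAP->bind($UserDN, password => $Password);
    $LDAP->unbind;
    return $Bind->code ? 0 : 1;
}

my ($ArgLogin, $ArgPassword) = @ARGV;
die "usage: $0 <sAMAccountName> <password>\n" unless defined $ArgLogin;
print authenticate($ArgLogin, $ArgPassword) ? "login OK\n" : "login FAILED\n";
```

Run it as `perl adlogin.pl jsmith 'the-password'` against a test account. The three negative paths (unknown user, not in the group, wrong password) all return 0 without saying which one failed, so the script does not tell a caller which logins exist; the group check uses the group's own member attribute rather than the user's memberOf so it matches what the GroupDN/AccessAttr configuration in the thread does.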
_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Support or consulting for your OTRS system? => http://www.otrs.de/
participants (2)
- Nikunj Patel
- Tyler Hepworth