New subject: User LDAP authentication

9 Jan 2009

      Christoph,

Thanks for the reply. That was my issue.  I'd seen the 'member'
referenced in a few other postings, but didn't realize that I also
needed to enable the sync for the agents.  Once I put that all together,
I'm working fine.  

It seems though, that this is an all or nothing thing.  In other words,
if I have a local OTRS agent account, when I enable
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP, I am unable to use
that local account as it does not exist in LDAP.  How do you work around
this, or does it matter to you in your installation?

Thanks for the help,

Bart
...
...
...
ohliger@fh-rosenheim.de 01/08 12:39 AM >>>
Bart,
we are also using eDir. I think you have to change the Filter string to

member

    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';

The attribut of the group is named member not memberUID.

regards
Christoph

Bart Wallace schrieb:
...
Hello,
I have User LDAP authentication working using Novell's eDirectory as
the backend but want to make the addition of requiring group
membership.
 When I enable the group code: 
     $Self->{'AuthModule::LDAP::GroupDN'} =
'cn=HelpDeskAgents,ou=office,o=protected';
I get the following error:
User: blw authentication failed, no LDAP group entry
foundGroupDN='cn=HelpDeskAgents,ou=office,o=protected',
Filter='(memberUID=cn=blw,ou=OFFICE,o=protected)'! (REMOTE_ADDR:
10.xx.xx.xx).
Here is the relevant config.pm code:
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} =
'vos1.protected.protected.us';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=office,o=protected';
    $Self->{'AuthModule::LDAP::UID'} = 'cn';
# Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} =
'cn=HelpDeskAgents,ou=office,o=protected';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUID';
    # for ldap posixGroups objectclass (just uid)
    # $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
    # for non ldap posixGroups objectclass (with full user dn)
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP
tree
    $Self->{'AuthModule::LDAP::SearchUserDN'} =
'cn=ldapproxy,o=protected';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'protected';
# in case you want to add always one filter to each ldap query,
use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter
=>
'(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    # $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc
Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };
My group, HelpDeskAgents, has the posixGroup extensions and I have
tried both the posixGroups and the non ldap posixGroups but get the
same
results.  Currently I'm set for non ldap posixGroups.
Here is a command line ldapsearch against the same LDAP directory
for
the group HelpDeskAgents:
ldapsearch -h vos1.protected.protected.us -p 389 -D
cn=ldapproxy,o=protected -W -b "ou=office,o=protected" -x
"(&(objectClass=Group)(cn=HelpDeskAgents))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(objectClass=Group)(cn=HelpDeskAgents))
# requesting: ALL
#
# HelpDeskAgents, OFFICE, PROTECTED
dn: cn=HelpDeskAgents,ou=OFFICE,o=PROTECTED
uamPosixWorkstationList: cn=UNIX Workstation -
SERVERNAME,ou=OFFICE,o=PROTECTED
gidNumber: 601
equivalentToMe: cn=blw,ou=OFFICE,o=PROTECTED
objectClass: groupOfNames
objectClass: Top
objectClass: posixGroup
objectClass: uamPosixGroup
member: cn=blw,ou=OFFICE,o=PROTECTED
cn: HelpDeskAgents
ACL: 2#entry#[Root]#member
ACL: 2#entry#[Public]#gidNumber
ACL: 2#entry#[Public]#uamPosixWorkstationList
ACL: 2#entry#[Public]#member
ACL: 1#entry#[Public]#cn
ACL: 2#entry#[Public]#uamPosixPAMServiceExcludeList
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Any assistance would be greatly appreciated.
Thanks,
Bart
_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/ 
Archive: http://lists.otrs.org/pipermail/otrs 
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/ 
Archive: http://lists.otrs.org/pipermail/otrs 
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

Re: [otrs] User LDAP authentication

Bart Wallace

Free BSD

Christoph Ohliger

tags

participants (3)