Hi Dears, I am new to OTRS. And I installed latest version of otrs on FreeBSD 8.0 RC1 running on sparc 64 machine. I want to enable LDAP authentication. But I cannot do it :(. It always says there is an error. My configuration in Config.pm is following: #Enable LDAP authentication for Agents $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'; $Self->{'AuthModule::LDAP::Host'} = 'domain.xxx.com'; $Self->{'AuthModule::LDAP::BaseDN'} = 'DC=xxx,DC=com'; $Self->{'AuthModule::LDAP::UID'} = 'uid'; # Check if the user is allowed to auth in a posixGroup # (e. g. user needs to be in a group xyz to use otrs) $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS_Agents,OU=otrs_group,DC=xxx,DC=com'; $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid'; # for ldap posixGroups objectclass (just uid) # $Self->{'AuthModule::LDAP::UserAttr'} = 'UID'; # for non ldap posixGroups objectclass (with full user dn) # $Self->{'AuthModule::LDAP::UserAttr'} = 'DN'; # The following is valid but would only be necessary if the # anonymous user do NOT have permission to read from the LDAP tree $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_ldap, OU=otrs_group, DC=xxx, DC=com'; $Self->{'AuthModule::LDAP::SearchUserPw'} = 'pwd'; # in case you want to add always one filter to each ldap query, use # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)' $Self->{'AuthModule::LDAP::AlwaysFilter'} = ''; # in case you want to add a suffix to each login name, then # you can use this option. e. g. user just want to use user but # in your ldap directory exists user@domain. # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP) $Self->{'AuthModule::LDAP::Params'} = { port => 389, timeout => 120, async => 0, version => 3, }; # agent data sync against ldap $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP'; $Self->{'AuthSyncModule::LDAP::Host'} = 'domain.xxx.com'; $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=xxx, DC=com'; $Self->{'AuthSyncModule::LDAP::UID'} = 'UID'; $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'UID=otrs_ldap, OU=otrs_group, DC=xxx, DC=com'; $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'pwd'; $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = { # DB -> LDAP UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail', }; # [...] # AuthSyncModule::LDAP::UserSyncInitialGroups # (sync following group with rw permission after initial create of first agent # login) $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [ 'users', ]; Can you tell me what is wrong on my configuration. Also I sent you log entries: Oct 15 10:49:28 otrs OTRS-CGI-10[2271]: [Error][Kernel::System::Auth::LDAP::Auth][Line:187]: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece Oct 15 10:49:28 otrs OTRS-CGI-10[2271]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'user@xxx.com'! Oct 15 10:50:28 otrs OTRS-CGI-10[2278]: [Error][Kernel::System::Auth::LDAP::Auth][Line:187]: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece Please help me, guys :) -- BR, Altangerel Ganbold
Hi, I assume, you've read this: http://doc.otrs.org/2.4/en/html/x1835.html#configuration-agent-auth-back end-ldap. Which server are you using as LDAP Backend? For MS ADS you do need the following: $Self->{'AuthModule::LDAP::UID'} = 'cn'; Please make sure, that you really can search in your LDAP (with ldapsearch for example) in the context of the user 'CN=otrs_ldap, OU=otrs_group, DC=xxx, DC=com' with the given password. Regards, Hermann Maurer -----Original Message----- From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Altangerel Sent: Donnerstag, 15. Oktober 2009 13:29 To: otrs@otrs.org Subject: [otrs] LDAP authentication problem Hi Dears, I am new to OTRS. And I installed latest version of otrs on FreeBSD 8.0 RC1 running on sparc 64 machine. I want to enable LDAP authentication. But I cannot do it :(. It always says there is an error. My configuration in Config.pm is following: #Enable LDAP authentication for Agents $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'; $Self->{'AuthModule::LDAP::Host'} = 'domain.xxx.com'; $Self->{'AuthModule::LDAP::BaseDN'} = 'DC=xxx,DC=com'; $Self->{'AuthModule::LDAP::UID'} = 'uid'; # Check if the user is allowed to auth in a posixGroup # (e. g. user needs to be in a group xyz to use otrs) $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS_Agents,OU=otrs_group,DC=xxx,DC=com'; $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid'; # for ldap posixGroups objectclass (just uid) # $Self->{'AuthModule::LDAP::UserAttr'} = 'UID'; # for non ldap posixGroups objectclass (with full user dn) # $Self->{'AuthModule::LDAP::UserAttr'} = 'DN'; # The following is valid but would only be necessary if the # anonymous user do NOT have permission to read from the LDAP tree $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_ldap, OU=otrs_group, DC=xxx, DC=com'; $Self->{'AuthModule::LDAP::SearchUserPw'} = 'pwd'; # in case you want to add always one filter to each ldap query, use # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)' $Self->{'AuthModule::LDAP::AlwaysFilter'} = ''; # in case you want to add a suffix to each login name, then # you can use this option. e. g. user just want to use user but # in your ldap directory exists user@domain. # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP) $Self->{'AuthModule::LDAP::Params'} = { port => 389, timeout => 120, async => 0, version => 3, }; # agent data sync against ldap $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP'; $Self->{'AuthSyncModule::LDAP::Host'} = 'domain.xxx.com'; $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=xxx, DC=com'; $Self->{'AuthSyncModule::LDAP::UID'} = 'UID'; $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'UID=otrs_ldap, OU=otrs_group, DC=xxx, DC=com'; $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'pwd'; $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = { # DB -> LDAP UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail', }; # [...] # AuthSyncModule::LDAP::UserSyncInitialGroups # (sync following group with rw permission after initial create of first agent # login) $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [ 'users', ]; Can you tell me what is wrong on my configuration. Also I sent you log entries: Oct 15 10:49:28 otrs OTRS-CGI-10[2271]: [Error][Kernel::System::Auth::LDAP::Auth][Line:187]: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece Oct 15 10:49:28 otrs OTRS-CGI-10[2271]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'user@xxx.com'! Oct 15 10:50:28 otrs OTRS-CGI-10[2278]: [Error][Kernel::System::Auth::LDAP::Auth][Line:187]: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece Please help me, guys :) -- BR, Altangerel Ganbold --------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW! http://www.otrs.com/en/support/enterprise-subscription/
Hi, Maurer, thank you for your valuable reply :). I've solved my problem by following your suggest. I'm using Windows 2003 server. I faced another problem. By enabling LDAP authentication for agents, I could not log in as admin user he he. To solve this problem, I've decided to use LDAP authentication only for customer users. My configuration is: #Enable LDAP authentication for customers $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP'; $Self->{'Customer::AuthModule::LDAP::Host'} = 'domain.xxx.com'; $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=xxx,DC=com'; $Self->{'Customer::AuthModule::LDAP::UID'} = 'CN'; # The following is valid but would only be necessary if the # anonymous user do NOT have permission to read from the LDAP tree $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_ldap, DC=xxx, DC=com'; $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password'; # in case you want to add always one filter to each ldap query, use # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)' $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = ''; # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP) $Self->{'Customer::AuthModule::LDAP::Params'} = { port => 389, timeout => 120, async => 0, version => 3, }; When the customers are trying to log in error message appeared. *Panic! No user data!!!!! *But in the log file everything is ok "authentication ok". What is wrong? Maurer, Hermann wrote:
Hi,
I assume, you've read this: http://doc.otrs.org/2.4/en/html/x1835.html#configuration-agent-auth-back end-ldap. Which server are you using as LDAP Backend? For MS ADS you do need the following: $Self->{'AuthModule::LDAP::UID'} = 'cn'; Please make sure, that you really can search in your LDAP (with ldapsearch for example) in the context of the user 'CN=otrs_ldap, OU=otrs_group, DC=xxx, DC=com' with the given password.
Regards, Hermann Maurer
Hi Altangerel, yes, the mapping of LDAP-based values to those suitable for OTRS seems not to be configured. This mapping is described here: http://doc.otrs.org/2.4/en/html/x1790.html#customer-backend-ldap (RTFM!) Our installation is configured as following: Map => [ # # note: Login, Email and CustomerID needed! # # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ], [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ], [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ], [ 'UserLogin', 'Login', 'cn', 1, 1, 'var', '', 0 ], [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ], [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ], # # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ], [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ], [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ], [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ], [ 'UserLocation', 'Location', 'l', 1, 0, 'var', '', 0 ], ], You can try this or your setup can vary. Mit freundlichen Grüßen / Kind Regards Hermann Maurer -----Original Message----- From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Altangerel Sent: Montag, 19. Oktober 2009 06:45 To: User questions and discussions about OTRS. Subject: Re: [otrs] LDAP authentication problem Hi, Maurer, thank you for your valuable reply :). I've solved my problem by following your suggest. I'm using Windows 2003 server. I faced another problem. By enabling LDAP authentication for agents, I could not log in as admin user he he. To solve this problem, I've decided to use LDAP authentication only for customer users. My configuration is: #Enable LDAP authentication for customers $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP'; $Self->{'Customer::AuthModule::LDAP::Host'} = 'domain.xxx.com'; $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=xxx,DC=com'; $Self->{'Customer::AuthModule::LDAP::UID'} = 'CN'; # The following is valid but would only be necessary if the # anonymous user do NOT have permission to read from the LDAP tree $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_ldap, DC=xxx, DC=com'; $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password'; # in case you want to add always one filter to each ldap query, use # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)' $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = ''; # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP) $Self->{'Customer::AuthModule::LDAP::Params'} = { port => 389, timeout => 120, async => 0, version => 3, }; When the customers are trying to log in error message appeared. *Panic! No user data!!!!! *But in the log file everything is ok "authentication ok". What is wrong? Maurer, Hermann wrote:
Hi,
I assume, you've read this: http://doc.otrs.org/2.4/en/html/x1835.html#configuration-agent-auth-back end-ldap. Which server are you using as LDAP Backend? For MS ADS you do need the following: $Self->{'AuthModule::LDAP::UID'} = 'cn'; Please make sure, that you really can search in your LDAP (with ldapsearch for example) in the context of the user 'CN=otrs_ldap, OU=otrs_group, DC=xxx, DC=com' with the given password.
Regards, Hermann Maurer
--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW! http://www.otrs.com/en/support/enterprise-subscription/
participants (2)
-
Altangerel -
Maurer, Hermann