
Hi Chaps,
I'm trying to authenticate agents on my OTRS implementation (OTRSforwin) by adopting the LDAP template like so: (Windows Server 2003 Active Directory domain controller)
########## Start of LDAP Config ##########
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'myserver.domain.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=OTRS Admins,dc=domain,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
#$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Searcher,ou=OTRS LDAP Searcher,dc=domain,dc=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'myotrspassword';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
Output from Log File:
[Mon Aug 3 19:51:40 2009][Notice][Kernel::System::Auth::LDAP::Auth] User: David Holder (CN=David Holder,OU=IT,DC=domain,DC=local) authentication ok (REMOTE_ADDR: 127.0.0.1).
[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'David Holder'!
[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'David Holder'!
[Mon Aug 3 19:51:40 2009][Notice][Kernel::System::User::GetUserData] Panic! No UserData for user: 'David Holder'!!!
Does anyone have any ideas what is wrong with my config?
Your help is most appreciated.
David

You'd need to also configure LDAPSync (and, map attributes from LDAP to
OTRS) in order for the accounts to automatically synchronize. See the part
under "AuthSyncModule" in the Manual:
http://doc.otrs.org/2.4/en/html/x1826.html
Kind regards,
--
Michiel Beijen
Software Consultant
+31 6 - 457 42 418
Bee Free IT + http://beefreeit.nl
--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW! http://www.otrs.com/en/support/enterprise-subscription/
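
The log pattern in the first post (the LDAP bind succeeds, then UserLookup finds no local agent record) is what a login looks like when the directory accepts an account that OTRS has no row for. The following is an added example, not part of the thread or of OTRS, that scans a log for that pattern; the line layout is inferred from the four lines quoted above, the function names are this example's own, and the last two sample lines are constructed.

```python
import re
from collections import OrderedDict

# Layout inferred from the lines quoted in the thread:
# [timestamp][Level][Module][optional source line] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]+)\]\[(?P<module>[^\]]+)\]"
    r"(?:\[(?P<lineno>\d+)\])?\s*(?P<msg>.*)$"
)
AUTH_OK_RE = re.compile(
    r"^User: (?P<login>.+?) \((?P<dn>[^()]*)\) authentication ok "
    r"\(REMOTE_ADDR: (?P<addr>[^)]+)\)"
)
NO_USER_RE = re.compile(r"^No UserID found for '(?P<login>.*)'!")

AUTH_MODULE = "Kernel::System::Auth::LDAP::Auth"
LOOKUP_MODULE = "Kernel::System::User::UserLookup"


def parse_line(line):
    """Split one log line into its bracketed fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unsynced_logins(lines):
    """Return logins that passed LDAP auth but then failed the local user lookup.

    A lookup failure is only counted when the same login was accepted by the
    LDAP backend earlier in the log, so plain mistyped logins are ignored.
    """
    last_auth = {}              # login -> details of the most recent auth-ok
    findings = OrderedDict()    # login -> finding, in order of first failure
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["module"] == AUTH_MODULE:
            m = AUTH_OK_RE.match(rec["msg"])
            if m:
                last_auth[m.group("login")] = {
                    "login": m.group("login"),
                    "dn": m.group("dn"),
                    "addr": m.group("addr"),
                    "ts": rec["ts"],
                }
        elif rec["module"] == LOOKUP_MODULE and rec["level"] == "Error":
            m = NO_USER_RE.match(rec["msg"])
            if m and m.group("login") in last_auth:
                login = m.group("login")
                finding = findings.setdefault(
                    login, dict(last_auth[login], lookup_failures=0)
                )
                finding["lookup_failures"] += 1
    return list(findings.values())


# First four lines are the ones posted in the thread; the last two are
# constructed: a login with no lookup error, and a lookup error for a login
# that never authenticated.
SAMPLE_LOG = """\
[Mon Aug 3 19:51:40 2009][Notice][Kernel::System::Auth::LDAP::Auth] User: David Holder (CN=David Holder,OU=IT,DC=domain,DC=local) authentication ok (REMOTE_ADDR: 127.0.0.1).
[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'David Holder'!
[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'David Holder'!
[Mon Aug 3 19:51:40 2009][Notice][Kernel::System::User::GetUserData] Panic! No UserData for user: 'David Holder'!!!
[Mon Aug 3 19:55:02 2009][Notice][Kernel::System::Auth::LDAP::Auth] User: jdoe (CN=J Doe,OU=IT,DC=domain,DC=local) authentication ok (REMOTE_ADDR: 127.0.0.1).
[Mon Aug 3 19:56:10 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'nosuchuser'!
""".splitlines()

if __name__ == "__main__":
    for f in find_unsynced_logins(SAMPLE_LOG):
        print("%(ts)s %(login)s (%(dn)s) from %(addr)s: "
              "LDAP auth ok, %(lookup_failures)d local lookup failure(s)" % f)
```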

Hi Michiel,
Thank you for your quick response, I thought the LDAP sync was a performance
enhancement rather than a necessity, cheers for pointing that out.
Unfortunately I'm still having issues with it, it seems my OTRS installation
is very sensitive to that extra bit of code, I just implemented the below
and I was unable to even get into the logon page. Therefore to prevent any
major damage I thought I would post it to see where I'm going wrong:
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://myserver.domain.local/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'UID';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Searcher,OU=OTRS LDAP Searcher,DC=domain,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'myotrspassword';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
};
[...]
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
Any thoughts as to what I'm doing wrong?
Thanks,
David

Try:
$Self->{'AuthSyncModule::LDAP::Host'} = 'myserver.domain.local';
(without the ldap:// bit)
--
Michiel Beijen
Software Consultant
+31 6 - 457 42 418
Bee Free IT + http://beefreeit.nl

Hi Michiel,
Have tried putting that in but when I launch OTRS in Firefox I get:
Failed to Connect
The connection was refused when attempting to contact localhost.
Will return to normal if I remove it.....
Any ideas?
David

Hi again,
Managed to sort this issue out, now I have all my agents authenticating into OTRS via LDAP. Thanks for your help.
Just a quick thing, once an agent logs in they don't have access to the Admin section of OTRS, nor can I log in as root@localhost.
Is there a way either to give them access to the admin section or log in as root@localhost?
Thanks,

Before you implement the LDAP Auth config you need to create a user
for doing ldap lookups who is in both your AD and your DB.
You need to have this user, (or another user who is in both the AD and
the DB) promoted to Admin before you implement the Ldap Auth config.
To get yourself an admin login simply comment out all the Ldap Auth
config so that you are back to DB authentication, login as
root@localhost and promote one of the users into the Admin group.
Re-apply the Ldap config and then login as the user you have promoted
and you should now have admin access with this user.
Let us know if that works,
Rory
Support my 365 Challenge in aid of the Irish Cancer Society
www.365challenge.ie
2009/8/4 David Holder
Hi again,
Managed to sort this issue out, now I have all my agents authenticating into OTRS via LDAP. Thanks for your help.
Just a quick thing, once an agent logs in they don't have access to the Admin section of OTRS, nor can I log in as root@localhost.
Is there a way either to give them access to the admin section or log in as root@localhost?
Thanks,
Michiel Beijen wrote:
Try: $Self->{'AuthSyncModule::LDAP::Host'} = 'myserver.domain.local'; (without the ldap:// bit)
-- Michiel Beijen Software Consultant +31 6 - 457 42 418 Bee Free IT + http://beefreeit.nl
On Mon, Aug 3, 2009 at 22:13, David Holder
mailto:david.holder@gmail.com> wrote: Hi Michiel,
Thank you for your quick response, I thought the LDAP sync was a performance enhancement rather than a necessity, cheers for pointing that out.
Unfortunately I'm still having issues with it, it seems my OTRS installation is very sensitive to that extra bit of code, I just implemented the below and I was unable to even get into the logon page. Therefore to prevent any major damage I thought I would post it to see where I'm going wrong:
# agent data sync against ldap $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP'; $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://myserver.domain.local/'; $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=local'; $Self->{'AuthSyncModule::LDAP::UID'} = 'UID'; $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Searcher,OU=OTRS LDAP Searcher,DC=domain,DC=local'; $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'myotrspassword'; $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = { # DB -> LDAP UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail', }; [...]
# AuthSyncModule::LDAP::UserSyncInitialGroups # (sync following group with rw permission after initial create of first agent # login) $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [ 'users', ];
Any thoughts as to what I'm doing wrong?
Thanks,
David
On Mon, Aug 3, 2009 at 8:25 PM, Michiel Beijen
mailto:michiel@beefreeit.nl> wrote: You'd need to also configure LDAPSync (and, map attributes from LDAP to OTRS) in order for the accounts to automatically synchronize. See the part under "AuthSyncModule" in the Manual:
http://doc.otrs.org/2.4/en/html/x1826.html
Kind regards, -- Michiel Beijen Software Consultant +31 6 - 457 42 418 Bee Free IT + http://beefreeit.nl
On Mon, Aug 3, 2009 at 21:06, David Holder <david.holder@gmail.com> wrote:
Hi Chaps,
I'm trying to authenticate agents on my OTRS implementation (OTRSforwin) by adopting the LDAP template like so: (Windows Server 2003 Active Directory domain controller)
########## Start of LDAP Config ##########
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'myserver.domain.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=OTRS Admins,dc=domain,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
#$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Searcher,ou=OTRS LDAP Searcher,dc=domain,dc=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'myotrspassword';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
Output from Log File:
[Mon Aug 3 19:51:40 2009][Notice][Kernel::System::Auth::LDAP::Auth] User: David Holder (CN=David Holder,OU=IT,DC=domain,DC=local) authentication ok (REMOTE_ADDR: 127.0.0.1).
[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'David Holder'!
[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'David Holder'!
[Mon Aug 3 19:51:40 2009][Notice][Kernel::System::User::GetUserData] Panic! No UserData for user: 'David Holder'!!!
Does anyone have any ideas what is wrong with my config?
Your help is most appreciated.
David
--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW! http://www.otrs.com/en/support/enterprise-subscription/
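The log excerpt quoted in this thread shows the LDAP bind succeeding while OTRS has no local agent record for the same login. The Python below is an added example (not OTRS code and not from any poster) that correlates those two events in a log; the function names are hypothetical and the second agent's line is constructed.

```python
import re
from datetime import datetime, timedelta

# Entry header as seen in the thread's excerpt: [timestamp][Level][Module],
# optionally followed by [source line number].
HEADER = re.compile(
    r"\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]"
    r"\[(?P<level>\w+)\]\[(?P<module>[\w:]+)\](?:\[\d+\])?"
)
AUTH_OK = re.compile(
    r"User: (?P<user>.+?) \((?P<dn>[^()]*)\) authentication ok "
    r"\(REMOTE_ADDR: (?P<addr>[^)]+)\)"
)
NO_USER = re.compile(r"No (?:UserID found for|UserData for user:) '(?P<user>[^']+)'")

# Lines taken from the log excerpt in the thread.
PAGE_LINES = [
    "[Mon Aug 3 19:51:40 2009][Notice][Kernel::System::Auth::LDAP::Auth] "
    "User: David Holder (CN=David Holder,OU=IT,DC=domain,DC=local) "
    "authentication ok (REMOTE_ADDR: 127.0.0.1).",
    "[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] "
    "No UserID found for 'David Holder'!",
    "[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] "
    "No UserID found for 'David Holder'!",
    "[Mon Aug 3 19:51:40 2009][Notice][Kernel::System::User::GetUserData] "
    "Panic! No UserData for user: 'David Holder'!!!",
]
# Constructed line: a second agent whose login is not followed by lookup errors.
CONSTRUCTED_LINES = [
    "[Mon Aug 3 19:52:10 2009][Notice][Kernel::System::Auth::LDAP::Auth] "
    "User: Jane Example (CN=Jane Example,OU=IT,DC=domain,DC=local) "
    "authentication ok (REMOTE_ADDR: 127.0.0.1).",
]
SAMPLE_LOG = "\n".join(PAGE_LINES + CONSTRUCTED_LINES)


def parse_entries(text):
    """Split raw log text into entries, even if several entries share one line."""
    headers = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries.append({
            "time": datetime.strptime(h["ts"], "%a %b %d %H:%M:%S %Y"),
            "level": h["level"],
            "module": h["module"],
            "message": text[h.end():end].strip(),
        })
    return entries


def find_unprovisioned(text, window=timedelta(seconds=5)):
    """Return logins where the LDAP bind succeeded but the local lookup failed.

    A finding means the directory accepted the credentials while OTRS had no
    agent record for that login, i.e. authentication and local account state
    disagree (in the thread: no agent sync was configured yet).
    """
    entries = parse_entries(text)
    findings = []
    for entry in entries:
        ok = AUTH_OK.search(entry["message"])
        if not ok:
            continue
        login = ok["user"].casefold()
        errors = 0
        for other in entries:
            miss = NO_USER.search(other["message"])
            if (miss and miss["user"].casefold() == login
                    and timedelta(0) <= other["time"] - entry["time"] <= window):
                errors += 1
        if errors:
            findings.append({
                "time": entry["time"],
                "user": ok["user"],
                "dn": ok["dn"],
                "remote_addr": ok["addr"],
                "lookup_errors": errors,
            })
    return findings


if __name__ == "__main__":
    for f in find_unprovisioned(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} ({f['dn']}) from {f['remote_addr']}: "
              f"LDAP auth ok, {f['lookup_errors']} local lookup failures")
```
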

Hi Rory,
Thanks for your comments, that's exactly what I did and now it works fine.
I logged on as myself via LDAP config, then re-applied local config, promoted
myself to full rights and then re-applied the LDAP config, therefore I can
now have access to the admin area as well as promote other authenticated
agents.
Thanks all for your help.
David
On Tue, Aug 4, 2009 at 9:27 AM, Rory wrote:
Before you implement the LDAP Auth config you need to create a user for doing ldap lookups who is in both your AD and your DB. You need to have this user, (or another user who is in both the AD and the DB) promoted to Admin before you implement the Ldap Auth config. To get yourself an admin login simply comment out all the Ldap Auth config so that you are back to DB authentication, login as root@localhost and promote one of the users into the Admin group. Re-apply the Ldap config and then login as the user you have promoted and you should now have admin access with this user.
Let us know if that works, Rory
Support my 365 Challenge in aid of the Irish Cancer Society
www.365challenge.ie
2009/8/4 David Holder:
Hi again,
Managed to sort this issue out, now I have all my agents authenticating into OTRS via LDAP. Thanks for your help.
Just a quick thing, once an agent logs in they don't have access to the Admin section of OTRS, nor can I log in as root@localhost.
Is there a way either to give them access to the admin section or log in as root@localhost?
Thanks,
Michiel Beijen wrote:
Try: $Self->{'AuthSyncModule::LDAP::Host'} = 'myserver.domain.local'; (without the ldap:// bit)
--
Michiel Beijen
Software Consultant
+31 6 - 457 42 418
Bee Free IT + http://beefreeit.nl

You could have also just run
otrs/bin/otrs.addUser2Group -g admin -u username -p rw
.. but maybe that's for the next time... ;-)
--
Michiel Beijen
Software Consultant
+31 6 - 457 42 418
Bee Free IT + http://beefreeit.nl
On Tue, Aug 4, 2009 at 11:15, David Holder wrote:
Hi Rory,
Thanks for your comments, that's exactly what I did and now it works fine.
I logged on as myself via LDAP config, then re-applied local config, promoted myself to full rights and then re-applied the LDAP config, therefore I can now have access to the admin area as well as promote other authenticated agents.
Thanks all for your help.
David

hello;
sorry but I need help, my web installer didn't work
thx for help
Regards
-JLIL Rajaa-
ESG-Casablanca
tel: 0665 78 86 49
Date: Tue, 4 Aug 2009 11:35:26 +0200
From: michiel@beefreeit.nl
To: otrs@otrs.org
Subject: Re: [otrs] OTRS LDAP Agent Authentication
You could have also just run otrs/bin/otrs.addUser2Group -g admin -u username -p rw
.. but maybe that's for the next time... ;-)
--
Michiel Beijen
Software Consultant
+31 6 - 457 42 418
Bee Free IT + http://beefreeit.nl

Lol Michiel,
Thanks for that and all your previous help :)
David
On Tue, Aug 4, 2009 at 10:35 AM, Michiel Beijen wrote:
You could have also just run otrs/bin/otrs.addUser2Group -g admin -u username -p rw
.. but maybe that's for the next time... ;-)
--
Michiel Beijen
Software Consultant
+31 6 - 457 42 418
Bee Free IT + http://beefreeit.nl
On Tue, Aug 4, 2009 at 11:15, David Holder
wrote: Hi Rory,
Thanks for your comments, that's exactly what I did and now it works fine.
I loged on as myself via LDAP config, then re-applied local config, promoted myself to full rights and then re-applied the LDAP config, therefore I can now have access to the admin area as well as promote other authenticated agents.
Thanks all for your help.
David
On Tue, Aug 4, 2009 at 9:27 AM, Rory
wrote: Before you implement the LDAP Auth config you need to create a user for doing ldap lookups who is in both your AD and your DB. You need to have this user, (or another user who is in both the AD and the DB) promoted to Admin before you implement the Ldap Auth config. To get yourself an admin login simply comment out all the Ldap Auth config so that you are back tp DB authentication, login as root@localhost and promote one of the users into the Admin group. Re-apply the Ldap config and then login as the user you have promoted and you should now have admin access with this user.
Let us know if that works, Rory
Support my 365 Challenge in aid of the Irish Cancer Society
www.365challenge.ie
2009/8/4 David Holder
: Hi again,
Managed to sort this issue out, now I have all my agents authenticating into OTRS via LDAP. Thanks for your help.
Just a quick thing, Once an agent logs in they dont have access to the Admin section of OTRS, nor can i log in as root@localhost.
Is there a way either to give them access to the admin section or log in as root@localhost?
Thanks,
Michiel Beijen wrote:
Try: $Self->{'AuthSyncModule::LDAP::Host'} = 'myserver.domain.local'; (without the ldap:// bit)
-- Michiel Beijen Software Consultant +31 6 - 457 42 418 Bee Free IT + http://beefreeit.nl
On Mon, Aug 3, 2009 at 22:13, David Holder
mailto:david.holder@gmail.com> wrote: Hi Michiel,
Thank you for your quick response, I thought the LDAP sync was a performance enhancement rather than a necessity, cheers for pointing that out.
Unfortunately I'm still having issues with it, it seems my OTRS installation is very sensitive to that extra bit of code, I just implemented the below and I was unable to even get into the logon page. Therefore to prevent any major damage I thought I would post it to see where I'm going wrong:
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://myserver.domain.local/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'UID';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Searcher,OU=OTRS LDAP Searcher,DC=domain,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'myotrspassword';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
};
[...]
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
Any thoughts as to what I'm doing wrong?
Thanks,
David
On Mon, Aug 3, 2009 at 8:25 PM, Michiel Beijen <michiel@beefreeit.nl> wrote:
You'd need to also configure LDAPSync (and, map attributes from LDAP to OTRS) in order for the accounts to automatically synchronize. See the part under "AuthSyncModule" in the Manual:
http://doc.otrs.org/2.4/en/html/x1826.html
Kind regards, -- Michiel Beijen Software Consultant +31 6 - 457 42 418 Bee Free IT + http://beefreeit.nl
On Mon, Aug 3, 2009 at 21:06, David Holder <david.holder@gmail.com> wrote:
Hi Chaps,
I'm trying to authenticate agents on my OTRS implementation (OTRSforwin) by adopting the LDAP template like so: (Windows Server 2003 Active Directory domain controller)
########## Start of LDAP Config ##########
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'myserver.domain.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=OTRS Admins,dc=domain,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
#$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Searcher,ou=OTRS LDAP Searcher,dc=domain,dc=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'myotrspassword';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
Output from Log File:
[Mon Aug 3 19:51:40 2009][Notice][Kernel::System::Auth::LDAP::Auth] User: David Holder (CN=David Holder,OU=IT,DC=domain,DC=local) authentication ok (REMOTE_ADDR: 127.0.0.1).
[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'David Holder'!
[Mon Aug 3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'David Holder'!
[Mon Aug 3 19:51:40 2009][Notice][Kernel::System::User::GetUserData] Panic! No UserData for user: 'David Holder'!!!
Does anyone have any ideas what is wrong with my config?
Your help is most appreciated.
David
--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe:
http://lists.otrs.org/cgi-bin/listinfo/otrs
NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW! http://www.otrs.com/en/support/enterprise-subscription/
participants (4)
- David Holder
- Michiel Beijen
- rajaa Jlil
- Rory
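A small lint for the two points raised in this thread (LDAP auth configured without AuthSyncModule, and a URL scheme in an LDAP Host value), as an added example that is not part of the original messages or of OTRS. The function names, the finding labels and the UID comparison between the auth and sync sections are assumptions added here; the sample settings are constructed from the thread's placeholder values.

```python
import re

# Scalar settings as written in Kernel/Config.pm:
#   $Self->{'Key'} = 'value';
# Commented-out lines are skipped; hash and array values are ignored.
SETTING = re.compile(r"^[ \t]*\$Self->\{'([^']+)'\}\s*=\s*'([^']*)'\s*;", re.M)

def parse_settings(text):
    return dict(SETTING.findall(text))

def lint(text):
    cfg = parse_settings(text)
    findings = []
    ldap_auth = cfg.get("AuthModule") == "Kernel::System::Auth::LDAP"
    ldap_sync = cfg.get("AuthSyncModule") == "Kernel::System::Auth::Sync::LDAP"
    if ldap_auth and not ldap_sync:
        # Symptom in the thread: "authentication ok" followed by "No UserID found".
        findings.append("no-sync: LDAP login can succeed for a user "
                        "that has no agent record in the OTRS DB")
    for key, value in cfg.items():
        if key.endswith("::LDAP::Host") and "://" in value:
            findings.append(f"host-scheme: {key} = {value!r}; try the bare host name")
    a_uid = cfg.get("AuthModule::LDAP::UID")
    s_uid = cfg.get("AuthSyncModule::LDAP::UID")
    if ldap_auth and ldap_sync and a_uid and s_uid and a_uid.lower() != s_uid.lower():
        # Added consistency check (assumption, not raised in the thread).
        findings.append(f"uid-mismatch: auth uses {a_uid!r}, sync uses {s_uid!r}")
    return findings

# Constructed samples using the thread's placeholder values.
AUTH_ONLY = """
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'myserver.domain.local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
#$Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';
"""
WITH_SYNC = AUTH_ONLY + """
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://myserver.domain.local/';
$Self->{'AuthSyncModule::LDAP::UID'} = 'UID';
"""

if __name__ == "__main__":
    for name, sample in (("auth only", AUTH_ONLY), ("with sync", WITH_SYNC)):
        print(name)
        for finding in lint(sample):
            print("  " + finding)
```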