Customer login against DB and LDAP

Help with OTRS problems of all kinds
TheDude
Znuny expert
Posts: 208
Joined: 24 Jan 2012, 15:01
Znuny Version: 4.0.13
Real Name: Jörg Brümmer
Company: Kreis Minden-Lübbecke

Customer login against DB and LDAP

Post by TheDude »

Hello,

after spending several hours troubleshooting, I would like to ask you for help. We have been using OTRS in production for several years. Since new functions are to be added in the future, I wanted to set the system up cleanly again alongside the old one.

Initial situation for now:
1 OTRS should run with a local DB and LDAP
2 Agents should authenticate via LDAP
3 Customers should be able to log in internally (via LDAP and preferably SSO) and externally (via registration on the website)
4 The local admin (root@localhost) should be able to log in as a last resort if possible

So far I have managed to get the agents to log in via LDAP.
Logging in with the local admin also works.
Customer login after manually creating a customer works (I have not been able to test registration yet).

Problem:
Customer login against LDAP does not work. The error message is "Login failed! Your user name or password was entered incorrectly." However, they are correct (the user also acts as an agent and logging in there with the same credentials works).

Maybe I cannot see the forest for the trees, but I cannot find the error.

Our config:

Code:


	
	# ---------------------------------------------------- #
	# Agent authentication via LDAP                        #
	# ---------------------------------------------------- #

	# Login against the DB
		$Self->{'AuthModule1'} = 'Kernel::System::Auth::DB';
		#$Self->{'AuthModule::DB::CryptType'} = 'crypt';

	# This is an example configuration for an LDAP auth. backend.
	# (Make sure Net::LDAP is installed!)
		$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
		$Self->{'AuthModule::LDAP::Host'} = 'IP-ADRESSE';
		$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=de';
		$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

	# Check if the user is allowed to auth in a posixGroup
	# (e. g. user needs to be in a group xyz to use otrs)
		$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=DL_OTRS_Admin,ou=Anwendungen,dc=domain,dc=de';
		$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
		
	# for ldap posixGroups objectclass (just uid)
	#  $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
	# for non ldap posixGroups objectclass (with full user dn)
	#  $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

	# The following is valid but would only be necessary if the
	# anonymous user do NOT have permission to read from the LDAP tree
		$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=S_OTRS,OU=System-User,OU=Users,DC=domain,DC=de';
		$Self->{'AuthModule::LDAP::SearchUserPw'} = 'PASSWORT';

	# in case you want to add always one filter to each ldap query, use
	# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
	#	$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

	# in case you want to add a suffix to each login name, then
	# you can use this option. e. g. user just want to use user but
	# in your ldap directory exists user@domain.
	# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.de';

	# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
		$Self->{'AuthModule::LDAP::Params'} = {
			port => 389,
			timeout => 120,
			async => 0,
			version => 3,
		};

		 
	# defines AuthSyncBackend (AuthSyncModule) for AuthModule
	# if this key exists and is empty, there won't be a sync.
	# example values: AuthSyncBackend, AuthSyncBackend2
		$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';

	# agent data sync against ldap
		$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
		$Self->{'AuthSyncModule::LDAP::Host'} = 'IP-ADRESSE';
		$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=de';
		$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
		$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=S_OTRS,OU=System-User,OU=Users,DC=domain,DC=de';
		$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'PASSWORT';
		$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
			# DB -> LDAP
			UserFirstname => 'givenName',
			UserLastname  => 'sn',
			UserEmail     => 'mail',
		};

	# AuthSyncModule::LDAP::UserSyncInitialGroups
	# (sync following group with rw permission after initial create of first agent
	# login)
		$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
			'users',
		];

	
	
	# ---------------------------------------------------- #
	# Customer Backend DB   		               #
	#
	# 1. Customer user backend: DB
	# (customer database backend and settings)
		$Self->{CustomerUser} = {
		Name => 'Customer Database',
		Module => 'Kernel::System::CustomerUser::DB',
		Params => {
		# if you want to use an external database, add the
		# required settings
		# DSN => 'DBI:odbc:yourdsn',
		# Type => 'mssql', # only for ODBC connections
		# DSN => 'DBI:mysql:database=customerdb;host=customerdbhost',
		# User => '',
		# Password => '',
		Table => 'customer_user',
		},
		# customer unique id
		CustomerKey => 'login',
		# customer #
		CustomerID => 'customer_id',
		CustomerValid => 'valid_id',
		CustomerUserListFields => ['first_name', 'last_name', 'email'],
		CustomerUserSearchFields => ['login', 'last_name', 'customer_id'],
		CustomerUserSearchPrefix => '',
		CustomerUserSearchSuffix => '*',
		CustomerUserSearchListLimit => 50,
		CustomerUserPostMasterSearchFields => ['email'],
		CustomerUserNameFields => ['title','first_name','last_name'],
		CustomerUserEmailUniqCheck => 1,
		# # show not own tickets in customer panel, CompanyTickets
		# CustomerUserExcludePrimaryCustomerID => 0,
		# # generate auto logins
		# AutoLoginCreation => 0,
		# AutoLoginCreationPrefix => 'auto',
		# # admin can change customer preferences
		# AdminSetPreferences => 1,
		# # cache time to live in sec. - cache any database queries
		# CacheTTL => 0,
		# # just a read only source
		# ReadOnly => 1,
		Map => [
		# note: Login, Email and CustomerID needed!
		# var, frontend, storage, shown (1=always,2=lite), required, storage-type, httplink,readonly, http-link-target
		[ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],
		[ 'UserFirstname', 'Firstname', 'first_name', 1, 1, 'var', '', 0 ],
		[ 'UserLastname', 'Lastname', 'last_name', 1, 1, 'var', '', 0 ],
		[ 'UserLogin', 'Username', 'login', 1, 1, 'var', '', 0 ],
		[ 'UserPassword', 'Password', 'pw', 0, 0, 'var', '', 0 ],
		[ 'UserEmail', 'Email', 'email', 1, 1, 'var', '', 0 ],
		[ 'UserCustomerID', 'CustomerID', 'customer_id', 0, 1, 'var', '', 0 ],
		[ 'UserPhone', 'Phone', 'phone', 1, 0, 'var', '', 0 ],
		[ 'UserFax', 'Fax', 'fax', 1, 0, 'var', '', 0 ],
		[ 'UserMobile', 'Mobile', 'mobile', 1, 0, 'var', '', 0 ],
		[ 'UserStreet', 'Street', 'street', 1, 0, 'var', '', 0 ],
		[ 'UserZip', 'Zip', 'zip', 1, 0, 'var', '', 0 ],
		[ 'UserCity', 'City', 'city', 1, 0, 'var', '', 0 ],
		[ 'UserCountry', 'Country', 'country', 1, 0, 'var', '', 0 ],
		[ 'UserComment', 'Comment', 'comments', 1, 0, 'var', '', 0 ],
		[ 'ValidID', 'Valid', 'valid_id', 0, 1, 'int', '', 0 ],
		],
		# default selections
		Selections => {
		UserTitle => {
		'Mr.' => 'Mr.',
		'Mrs.' => 'Mrs.',
		},
		},
		};
	#
	# End Customer Backend DB                              #
	# ---------------------------------------------------- #
	
	# ---------------------------------------------------- #
	# Customer Backend LDAP                                #
	#
	# 2. Customer user backend: LDAP
	# (customer ldap backend and settings)
		$Self->{CustomerUser2} = {
		Name => 'LDAP Datasource',
		Module => 'Kernel::System::CustomerUser::LDAP',
		Params => {
		# ldap host
		Host => 'IP-ADRESSE',
		# ldap base dn
		BaseDN => 'OU=Users,dc=domain,dc=de',
		# search scope (one|sub)
		SSCOPE => 'sub',
		# The following is valid but would only be necessary if the
		# anonymous user does NOT have permission to read from the LDAP tree
		UserDN => 'CN=S_OTRS,OU=System-User,OU=Users,DC=domain,DC=de',
		UserPw => 'PASSWORT',
		# in case you want to add always one filter to each ldap query, use
		# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter =>
		AlwaysFilter => '(&(objectclass=user)(mail=*)(sn=*))',
		# if the charset of your ldap server is iso-8859-1, use this:
		SourceCharset => 'utf-8',
		DestCharset => 'utf-8',
		# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
		Params => {
		port => 389,
		timeout => 120,
		async => 0,
		version => 3,
		},
		},
		# customer unique id
		CustomerKey => 'sAMAccountName',
		# customer #
		CustomerID => 'extensionAttribute2',
		CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
		CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
		# CustomerUserSearchPrefix => '',
		# CustomerUserSearchSuffix => '*',
		CustomerUserSearchListLimit => 50,
		CustomerUserPostMasterSearchFields => ['mail'],
		CustomerUserNameFields => ['givenname', 'sn'],
		# show not own tickets in customer panel, CompanyTickets
		CustomerUserExcludePrimaryCustomerID => 0,
		# add a ldap filter for valid users (expert setting)
		# CustomerUserValidFilter => '(!(description=locked))',
		# admin can't change customer preferences
		AdminSetPreferences => 0,
		CacheTTL => 60 * 60 * 24,

		Map => [
		# note: Login, Email and CustomerID needed!
		# var, frontend, storage, shown (1=always,2=lite), required, storage-type, httplink, readonly
		[ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
		[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
		[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
		[ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],
		[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
		[ 'UserCustomerID', 'CustomerID', 'extensionAttribute2', 1, 0, 'var', '', 0 ],
		# [ 'UserDepartment', 'Department', 'department', 1, 0, 'var', '', 0 ],
		[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
		# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
		# [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
		],
		};
	#
	# End Customer Backend LDAP                            #
	# ---------------------------------------------------- #
	
	
	# ---------------------------------------------------- #
	# Customer authentication against LDAP
	#
		# This is the auth. module against the LDAP
		$Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
		$Self->{'AuthModule::LDAP::Host2'} = 'IP-ADRESSE';
		$Self->{'AuthModule::LDAP::BaseDN2'} = 'OU=Users,DC=Domain,DC=de';
		$Self->{'AuthModule::LDAP::UID2'} = 'sAMAccountName';
		$Self->{'AuthModule::LDAP::SearchUserDN2'} = 'CN=S_OTRS,OU=System-User,OU=Users,DC=domain,DC=de';
		$Self->{'AuthModule::LDAP::SearchUserPw2'} = 'PASSWORT';
		# $Self->{'AuthModule::LDAP::AlwaysFilter2'} = '';
		# $Self->{'AuthModule::LDAP::UserSuffix2'} = '@domain.de';
		$Self->{'AuthModule::LDAP::UserLowerCase2'} = 0;
		$Self->{'AuthModule::LDAP::Params2'} = {
			port => 389,
			timeout => 120,
			async => 0,
			version => 3,
		};
		$Self->{'AuthModule::LDAP::Die2'} = 1;
	#
	# End customer authentication against LDAP             #
	# ---------------------------------------------------- #


	# ---------------------------------------------------- #
	# Customer authentication against DB
	#
		# This is the auth. module against the otrs db
		$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::DB';
		$Self->{'Customer::AuthModule::DB::Table'} = 'customer_user';
		$Self->{'Customer::AuthModule::DB::CustomerKey'} = 'login';
		$Self->{'Customer::AuthModule::DB::CustomerPassword'} = 'pw';
	#
	# End customer authentication against DB               #
	# ---------------------------------------------------- #
	

Can anyone help me?
OTRS 5.0.18 on Debian Linux | Apache2 | MySQL
NancyL
Znuny expert
Posts: 247
Joined: 05 Aug 2014, 08:13
Znuny Version: 6.0.30
Real Name: Nancy

Re: Customer login against DB and LDAP

Post by NancyL »

I think you should use the CustomerAuth module...
'Customer::AuthModule' = 'Kernel::System::CustomerAuth::LDAP';

Add the following code, filled in with your details (DC, account data etc.).
That should then also work against LDAP.

Code:

#----------------------------------------------------#
# Customer authentication against an LDAP backend    #
#----------------------------------------------------#

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'YOUR DC';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=de';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'DOMAIN\User';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

#----------------------------------------------------#
# Customer user backend: LDAP                        #
#----------------------------------------------------#
    $Self->{CustomerUser} = {
        Name => 'Domain',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host => 'YOUR DC',
            BaseDN => 'OU=xxx,DC=xxx,DC=de',
            SSCOPE => 'sub',
            UserDN => 'user@domain.de',
            UserPw => 'password',
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'sAMAccountName',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        CustomerUserValidFilter => '(!(displayName=*PG*))',
        Map => [
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
            [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'sAMAccountName', 0, 1, 'var' ],
            [ 'UserPhone', 'Phone', 'telephonenumber', 1, 1, 'var' ],
            [ 'department', 'Department', 'department', 1, 0, 'var' ],
            [ 'company', 'Company', 'company', 1, 0, 'var' ],
            [ 'City', 'City', 'l', 1, 0, 'var' ],
            [ 'StreetAddress', 'Street', 'StreetAddress', 1, 0, 'var' ],
            [ 'UserAddress', 'Room', 'physicalDeliveryOfficeName', 1, 1, 'var' ],
            [ 'UserComment', 'Comment', 'Comment', 1, 0, 'var' ],
        ],
    };
OTRS 6.0.30 /OS: Ubuntu/ Mysql
TheDude
Znuny expert
Posts: 208
Joined: 24 Jan 2012, 15:01
Znuny Version: 4.0.13
Real Name: Jörg Brümmer
Company: Kreis Minden-Lübbecke

Re: Customer login against DB and LDAP

Post by TheDude »

Eureka... sometimes the solution can be so simple. Thanks for the tip.


One question remains:
Can I set up customer authentication differently for different users?
So far we have only used our system internally, and there the customers were logged in via SSO. In future the system should also be reachable from outside, and there the users must be able to log in with a name and password.
OTRS 5.0.18 on Debian Linux | Apache2 | MySQL
rbroda
Znuny expert
Posts: 152
Joined: 03 Jun 2013, 14:40
Znuny Version: 6.0.33
Real Name: Robert
Company: Gebr. Steimel GmbH

Re: Customer login against DB and LDAP

Post by rbroda »

Is there no way to authenticate via the

- "CustomerAuth::LDAP module" and
- "Customer::AuthModule::DB module"

at the same time?

My internal customers, who authenticate via LDAP, work.
My external customers, whom I created in the database, should also be able to log in.

Where is an adjustment needed?
albsie
Znuny newbie
Posts: 9
Joined: 20 Dec 2016, 14:11
Znuny Version: 5.0.18

Re: Customer login against DB and LDAP

Post by albsie »

This option exists.
Here is my working config for simultaneous authentication against LDAP and the internal DB.

Code:

#----------------------------------------------------#
# LDAP Auth Customer (first backend, keys without suffix)
#----------------------------------------------------#
        $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
        $Self->{'Customer::AuthModule::LDAP::Host'} = '1.1.1.1';
        $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=,DC=de';
        $Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
        # $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=,OU=,DC=,DC=de';
        # $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'MemberUid';
        # empty SearchUserDN/SearchUserPw: the module binds anonymously for the search
        $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '';
        $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '';
        $Self->{'Customer::AuthModule::LDAP::Params'} = {
            port => 389,
            timeout => 120,
            async => 0,
            version => 3,
        };

############### DB Auth Customer ######
# Customer DB Authentication (second backend, hence the "1" suffix on every key)
        $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::DB';
        $Self->{'Customer::AuthModule::DB::Table1'} = 'customer_user';
        $Self->{'Customer::AuthModule::DB::CustomerKey1'} = 'login'; # depends on what is set to be the CustomerKey
        $Self->{'Customer::AuthModule::DB::CustomerPassword1'} = 'pw';
Version: OTRS::ITSM 5s 5.0.18
Additional Packages: DynamicFieldITSMConfigItem
OS: Ubuntu 16.04
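The two configs above (the original post's `AuthModule2` keys and albsie's `Customer::AuthModule` / `Customer::AuthModule1` pair) both depend on one mechanism: the customer auth chain only ever reads keys in the `Customer::AuthModule*` namespace, and each backend appends its own slot suffix to every key it reads. The following is an added Python model of that chain, written for this page; it is not code from OTRS/Znuny or from any poster. Assumptions: the slot order `''`, `1` .. `10` follows Kernel::System::CustomerAuth as I read it, the directory and the `customer_user` rows are constructed in-memory stand-ins, the DB password check is simplified to SHA-256 hex, and `escape_filter_value` is modelled on Net::LDAP::Util rather than imported from it. It shows why the original config never reached LDAP for customers, how fall-through to the DB backend works, and why the login name must be escaped before it goes into the LDAP filter.

```python
import hashlib
import re

# Backend slots as Kernel::System::CustomerAuth walks them (assumption about the
# exact upper bound): '' is the first backend, '1'..'10' the further ones. Every
# backend reads its own config keys with the same suffix ("Count") appended.
SLOTS = [''] + [str(n) for n in range(1, 11)]


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP filter: control chars,
    '*', '(', ')' and '\\' become \\xx, so a login like 'j*doe' cannot widen the
    search. Modelled on Net::LDAP::Util::escape_filter_value (assumption)."""
    return re.sub(r'[\x00-\x1f*()\\]', lambda m: '\\%02x' % ord(m.group(0)), value)


def need(config, key):
    """A missing mandatory key is fatal, as in the module constructors."""
    if key not in config:
        raise KeyError(f'Need {key} in Kernel/Config.pm')
    return config[key]


class LdapBackend:
    """Stand-in for Kernel::System::CustomerAuth::LDAP: find the DN, then bind."""

    def __init__(self, config, count, directory):
        p = 'Customer::AuthModule::LDAP::'
        self.host = need(config, p + 'Host' + count)
        self.base_dn = need(config, p + 'BaseDN' + count)
        self.uid = need(config, p + 'UID' + count)
        self.always_filter = config.get(p + 'AlwaysFilter' + count, '')
        self.directory = directory  # constructed: login -> {'dn', 'password'}

    def search_filter(self, login):
        """Filter the real module would send to locate the user's DN."""
        f = f'({self.uid}={escape_filter_value(login)})'
        return f'(&{f}{self.always_filter})' if self.always_filter else f

    def auth(self, login, password):
        entry = self.directory.get(login)  # server side: search_filter(login)
        if entry is None or entry['password'] != password:
            return None  # not found or bind failed: let the next slot try
        return login


class DbBackend:
    """Stand-in for Kernel::System::CustomerAuth::DB (SHA-256 hex only here;
    the real module understands several hash formats)."""

    def __init__(self, config, count, rows):
        p = 'Customer::AuthModule::DB::'
        self.table = need(config, p + 'Table' + count)
        self.key = need(config, p + 'CustomerKey' + count)
        self.pw_col = need(config, p + 'CustomerPassword' + count)
        self.rows = rows  # constructed stand-in for the customer_user table

    def auth(self, login, password):
        digest = hashlib.sha256(password.encode()).hexdigest()
        for row in self.rows:
            if row.get(self.key) == login:
                return login if row.get(self.pw_col) == digest else None
        return None


MODULES = {
    'Kernel::System::CustomerAuth::LDAP': LdapBackend,
    'Kernel::System::CustomerAuth::DB': DbBackend,
}


def load_backends(config, directory, rows):
    """Instantiate whatever Customer::AuthModule<Count> declares, in slot order."""
    backends = []
    for count in SLOTS:
        module = config.get('Customer::AuthModule' + count)
        if not module:
            continue
        source = directory if module.endswith('::LDAP') else rows
        backends.append(MODULES[module](config, count, source))
    return backends


def customer_auth(backends, login, password):
    """First backend that returns a user wins; None means 'Login failed!'."""
    for backend in backends:
        user = backend.auth(login, password)
        if user:
            return user
    return None


# Constructed sample data and configs (not real hosts or accounts).
DIRECTORY = {'jdoe': {'dn': 'CN=jdoe,OU=Users,DC=domain,DC=de', 'password': 'ldap-secret'}}
CUSTOMER_USER = [{'login': 'extern1', 'pw': hashlib.sha256(b'db-secret').hexdigest()}]

WORKING_CONFIG = {  # LDAP first, local DB second, as in albsie's post
    'Customer::AuthModule': 'Kernel::System::CustomerAuth::LDAP',
    'Customer::AuthModule::LDAP::Host': 'ldap.domain.de',
    'Customer::AuthModule::LDAP::BaseDN': 'DC=domain,DC=de',
    'Customer::AuthModule::LDAP::UID': 'sAMAccountName',
    'Customer::AuthModule::LDAP::AlwaysFilter': '(objectclass=user)',
    'Customer::AuthModule1': 'Kernel::System::CustomerAuth::DB',
    'Customer::AuthModule::DB::Table1': 'customer_user',
    'Customer::AuthModule::DB::CustomerKey1': 'login',
    'Customer::AuthModule::DB::CustomerPassword1': 'pw',
}
MISPLACED_CONFIG = {  # the original post: LDAP keys sit in the agent namespace
    'AuthModule2': 'Kernel::System::Auth::LDAP',
    'AuthModule::LDAP::Host2': 'ldap.domain.de',
    'Customer::AuthModule': 'Kernel::System::CustomerAuth::DB',
    'Customer::AuthModule::DB::Table': 'customer_user',
    'Customer::AuthModule::DB::CustomerKey': 'login',
    'Customer::AuthModule::DB::CustomerPassword': 'pw',
}


def demo():
    ok = load_backends(WORKING_CONFIG, DIRECTORY, CUSTOMER_USER)
    bad = load_backends(MISPLACED_CONFIG, DIRECTORY, CUSTOMER_USER)
    return {
        'order': [type(b).__name__ for b in ok],
        'ldap_user': customer_auth(ok, 'jdoe', 'ldap-secret'),
        'db_user': customer_auth(ok, 'extern1', 'db-secret'),
        'wrong_pw': customer_auth(ok, 'jdoe', 'db-secret'),
        'filter': ok[0].search_filter('j*doe'),
        'misplaced_order': [type(b).__name__ for b in bad],
        'misplaced_ldap': customer_auth(bad, 'jdoe', 'ldap-secret'),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Running `demo()` with the misplaced config yields only a `DbBackend`, so the LDAP user gets the "Login failed!" result from the first post; with the working config the LDAP user, the DB-only external user and a wrong password each take the path you would expect, and the filter for `j*doe` carries `\2a` instead of a wildcard.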
TheDude
Znuny expert
Posts: 208
Joined: 24 Jan 2012, 15:01
Znuny Version: 4.0.13
Real Name: Jörg Brümmer
Company: Kreis Minden-Lübbecke

Re: Customer login against DB and LDAP

Post by TheDude »

The solution is surely simple, but I cannot find it.

How do I get customers who have written directly to the system by e-mail to be created in the customer DB?
OTRS 5.0.18 on Debian Linux | Apache2 | MySQL