Having now spent several hours troubleshooting, I would like to ask you for help. We have been running OTRS in production for several years. Since new functions are to be added in the future, I wanted to set the system up cleanly from scratch alongside it.
Starting situation for now:
1 OTRS is to run with a local DB and with LDAP
2 Agents are to authenticate via LDAP
3 Customers are to be able to log in internally (via LDAP and, if possible, SSO) and externally (by registering on the website)
4 The local admin (root@localhost) should, if possible, be able to log in as a last resort
So far I have managed to get agents logging in via LDAP.
Logging in with the local admin also works.
Customer login after manually creating a customer works (I have not been able to test registration yet).
Problem:
Customer login against LDAP does not work. The error message is "Login failed! Your user name or password was entered incorrectly." However, they are correct (the user also acts as an agent, and there the login works with the same credentials).
Perhaps I can't see the wood for the trees any more, but I cannot find the error.
Our config:
# ---------------------------------------------------- #
# Agent authentication via LDAP #
# ---------------------------------------------------- #
# Login against the DB (local admin, tried after the LDAP backend below)
$Self->{'AuthModule1'} = 'Kernel::System::Auth::DB';
#$Self->{'AuthModule::DB::CryptType'} = 'crypt';
# This is an example configuration for an LDAP auth. backend.
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'IP-ADRESSE';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=de';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=DL_OTRS_Admin,ou=Anwendungen,dc=domain,dc=de';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=S_OTRS,OU=System-User,OU=Users,DC=domain,DC=de';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'PASSWORT';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.de';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# defines AuthSyncBackend (AuthSyncModule) for AuthModule
# if this key exists and is empty, there won't be a sync.
# example values: AuthSyncBackend, AuthSyncBackend2
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'IP-ADRESSE';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain,dc=de';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=S_OTRS,OU=System-User,OU=Users,DC=domain,DC=de';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'PASSWORT';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
# ---------------------------------------------------- #
# Customer Backend DB #
#
# 1. Customer user backend: DB
# (customer database backend and settings)
$Self->{CustomerUser} = {
Name => 'Customer Database',
Module => 'Kernel::System::CustomerUser::DB',
Params => {
# if you want to use an external database, add the
# required settings
# DSN => 'DBI:odbc:yourdsn',
# Type => 'mssql', # only for ODBC connections
# DSN => 'DBI:mysql:database=customerdb;host=customerdbhost',
# User => '',
# Password => '',
Table => 'customer_user',
},
# customer unique id
CustomerKey => 'login',
# customer #
CustomerID => 'customer_id',
CustomerValid => 'valid_id',
CustomerUserListFields => ['first_name', 'last_name', 'email'],
CustomerUserSearchFields => ['login', 'last_name', 'customer_id'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 50,
CustomerUserPostMasterSearchFields => ['email'],
CustomerUserNameFields => ['title','first_name','last_name'],
CustomerUserEmailUniqCheck => 1,
# # show not own tickets in customer panel, CompanyTickets
# CustomerUserExcludePrimaryCustomerID => 0,
# # generate auto logins
# AutoLoginCreation => 0,
# AutoLoginCreationPrefix => 'auto',
# # admin can change customer preferences
# AdminSetPreferences => 1,
# # cache time to live in sec. - cache any database queries
# CacheTTL => 0,
# # just a read only source
# ReadOnly => 1,
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown (1=always,2=lite), required, storage-type, httplink,readonly, http-link-target
[ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'first_name', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'last_name', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'login', 1, 1, 'var', '', 0 ],
[ 'UserPassword', 'Password', 'pw', 0, 0, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'email', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'customer_id', 0, 1, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'phone', 1, 0, 'var', '', 0 ],
[ 'UserFax', 'Fax', 'fax', 1, 0, 'var', '', 0 ],
[ 'UserMobile', 'Mobile', 'mobile', 1, 0, 'var', '', 0 ],
[ 'UserStreet', 'Street', 'street', 1, 0, 'var', '', 0 ],
[ 'UserZip', 'Zip', 'zip', 1, 0, 'var', '', 0 ],
[ 'UserCity', 'City', 'city', 1, 0, 'var', '', 0 ],
[ 'UserCountry', 'Country', 'country', 1, 0, 'var', '', 0 ],
[ 'UserComment', 'Comment', 'comments', 1, 0, 'var', '', 0 ],
[ 'ValidID', 'Valid', 'valid_id', 0, 1, 'int', '', 0 ],
],
# default selections
Selections => {
UserTitle => {
'Mr.' => 'Mr.',
'Mrs.' => 'Mrs.',
},
},
};
#
# End Customer Backend DB #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# Customer Backend LDAP #
#
# 2. Customer user backend: LDAP
# (customer ldap backend and settings)
$Self->{CustomerUser2} = {
Name => 'LDAP Datasource',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
# ldap host
Host => 'IP-ADRESSE',
# ldap base dn
BaseDN => 'OU=Users,dc=domain,dc=de',
# search scope (one|sub)
SSCOPE => 'sub',
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
UserDN => 'CN=S_OTRS,OU=System-User,OU=Users,DC=domain,DC=de',
UserPw => 'PASSWORT',
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter =>
AlwaysFilter => '(&(objectclass=user)(mail=*)(sn=*))',
# if the charset of your ldap server is iso-8859-1, use this:
SourceCharset => 'utf-8',
DestCharset => 'utf-8',
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
Params => {
port => 389,
timeout => 120,
async => 0,
version => 3,
},
},
# customer unique id
CustomerKey => 'sAMAccountName',
# customer #
CustomerID => 'extensionAttribute2',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
# CustomerUserSearchPrefix => '',
# CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 50,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
# show not own tickets in customer panel, CompanyTickets
CustomerUserExcludePrimaryCustomerID => 0,
# add a ldap filter for valid users (expert setting)
# CustomerUserValidFilter => '(!(description=locked))',
# admin can't change customer preferences
AdminSetPreferences => 0,
CacheTTL => 60 * 60 * 24,
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown (1=always,2=lite), required, storage-type, httplink, readonly
[ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'extensionAttribute2', 1, 0, 'var', '', 0 ],
# [ 'UserDepartment', 'Amt', 'department', 1, 0, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
# [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};
#
# End Customer Backend LDAP #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# Customer authentication against LDAP
#
# This is the auth. module against the LDAP
$Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host2'} = 'IP-ADRESSE';
$Self->{'AuthModule::LDAP::BaseDN2'} = 'OU=Users,DC=domain,DC=de';
$Self->{'AuthModule::LDAP::UID2'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN2'} = 'CN=S_OTRS,OU=System-User,OU=Users,DC=domain,DC=de';
$Self->{'AuthModule::LDAP::SearchUserPw2'} = 'PASSWORT';
# $Self->{'AuthModule::LDAP::AlwaysFilter2'} = '';
# $Self->{'AuthModule::LDAP::UserSuffix2'} = '@domain.de';
$Self->{'AuthModule::LDAP::UserLowerCase2'} = 0;
$Self->{'AuthModule::LDAP::Params2'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthModule::LDAP::Die2'} = 1;
#
# End customer authentication against LDAP #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# Customer authentication against DB
#
# This is the auth. module against the otrs db
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::DB';
$Self->{'Customer::AuthModule::DB::Table'} = 'customer_user';
$Self->{'Customer::AuthModule::DB::CustomerKey'} = 'login';
$Self->{'Customer::AuthModule::DB::CustomerPassword'} = 'pw';
#
# End customer authentication against DB #
# ---------------------------------------------------- #
Can anyone help me?
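For reference, here is how the two customer-side pieces the post is after (DB login for externally registered customers, LDAP login for internal ones) are wired in a Kernel/Config.pm fragment. This is an added example written for this page, not code from the original post or from the OTRS distribution; the host, DNs, attribute names and the PASSWORT placeholder are assumptions carried over from the posted config. The point it illustrates: OTRS only ever consults Customer::AuthModule, Customer::AuthModule1, ... (Kernel::System::CustomerAuth) for customer-panel logins, and their settings live under Customer::AuthModule::LDAP::<Setting><Count> with the same numeric suffix. The keys AuthModule2 / AuthModule::LDAP::*2 used in the posted "customer against LDAP" block belong to the agent chain (Kernel::System::Auth) and are never read when a customer logs in, which leaves the DB backend as the only customer backend and produces exactly the "Login failed" message for every LDAP-only customer.

```perl
# Added example (not from the original post): customer authentication chain
# for Kernel/Config.pm. OTRS walks Customer::AuthModule, Customer::AuthModule1,
# ... in that order and accepts the first backend that returns a login.
# Host, DNs, attribute names and 'PASSWORT' are placeholder assumptions.

# 1. Externally registered customers: password check against customer_user.pw
$Self->{'Customer::AuthModule'}                       = 'Kernel::System::CustomerAuth::DB';
$Self->{'Customer::AuthModule::DB::Table'}            = 'customer_user';
$Self->{'Customer::AuthModule::DB::CustomerKey'}      = 'login';
$Self->{'Customer::AuthModule::DB::CustomerPassword'} = 'pw';

# 2. Internal customers: search + bind against Active Directory.
#    Key family is Customer::AuthModule::LDAP::<Setting>1, the "1" matching
#    Customer::AuthModule1. AuthModule::LDAP::*2 would configure a third
#    *agent* backend and is ignored by the customer panel.
$Self->{'Customer::AuthModule1'}                      = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'}          = 'IP-ADRESSE';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'}        = 'OU=Users,DC=domain,DC=de';

# The attribute looked up here must be the same value the CustomerUser2
# backend uses as CustomerKey, otherwise the authenticated login has no
# matching customer record and the session is rejected anyway.
$Self->{'Customer::AuthModule::LDAP::UID1'}           = 'sAMAccountName';

# Service account used only for the search; the customer's own password is
# used for the final bind against the DN the search returned.
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'}  = 'CN=S_OTRS,OU=System-User,OU=Users,DC=domain,DC=de';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'}  = 'PASSWORT';

# Same filter as the CustomerUser2 backend, so only entries that are also
# visible as customers are allowed to authenticate.
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter1'}  = '(&(objectclass=user)(mail=*)(sn=*))';
$Self->{'Customer::AuthModule::LDAP::UserLowerCase1'} = 0;

$Self->{'Customer::AuthModule::LDAP::Params1'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Die => 0: if the domain controller is unreachable, log the error and let
# the chain fall through to the DB backend instead of aborting every login.
$Self->{'Customer::AuthModule::LDAP::Die1'} = 0;
```

Two checks worth doing after the change: the OTRS system log (Admin > System Log, or the file log if configured) records every failed customer authentication with the backend and DN it tried, which is the fastest way to tell "no LDAP entry found" from "wrong password"; and an LDAP search with the service account and the AlwaysFilter above should return exactly one entry for the test login, otherwise the bind step never runs. Two caveats: both the service-account password and every customer password travel in clear text on port 389 in this setup, and Net::LDAP accepts an ldaps:// URI as Host (with port 636) if the domain controller offers it; and SSO for internal customers is a separate backend in the same chain (Kernel::System::CustomerAuth::HTTPBasicAuth, fed by the web server's Kerberos or NTLM module), not something the LDAP backend provides.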