SSO, Kerberos and LDAP

[morit2578]

Dears,
I use OTRS5 on a Linux CentOS server and I need a SSO, so I need to use Kerberos to take take username and check the user agaist LDAP on Windows 2008 R2 domain.

I was be able to configure my OTRS for use LDAP for Autentication putting the Username and Password manually I was also be able to configure OTRS5 to accept Kerbros but in this case OTRS5 told that uera are unknow or bad passord.

I think that the issue has in my config.pm

Code: Select all

ackage Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # The database host
    $Self->{'DatabaseHost'} = '127.0.0.1';

    # The database name
    $Self->{'Database'} = "otrs";

    # The database user
    $Self->{'DatabaseUser'} = "otrs";

    # The password of database user. You also can use bin/otrs.Console.pl Maint::Database::PasswordCrypt
    # for crypted passwords
    $Self->{'DatabasePw'} = '1YDbl6x8Bkl3uTib';

    # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
    $Self->{'DatabaseDSN'} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost}";

    # The database DSN for PostgreSQL ==> more: "perldoc DBD::Pg"
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a TCP/IP connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # The database DSN for Microsoft SQL Server - only supported if OTRS is
    # installed on Windows as well
#    $Self->{DatabaseDSN} = "DBI:ODBC:driver={SQL Server};Database=$Self->{Database};Server=$Self->{DatabaseHost},1433";

    # The database DSN for Oracle ==> more: "perldoc DBD::oracle"
#    $Self->{DatabaseDSN} = "DBI:Oracle://$Self->{DatabaseHost}:1521/$Self->{Database}";
#
#    $ENV{ORACLE_HOME}     = '/path/to/your/oracle';
#    $ENV{NLS_DATE_FORMAT} = 'YYYY-MM-DD HH24:MI:SS';
#    $ENV{NLS_LANG}        = 'AMERICAN_AMERICA.AL32UTF8';

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;
    
    # CUSTOMER BACKEND SETTINGS

    $Self->{CustomerUser} = {
             Module => 'Kernel::System::CustomerUser::LDAP',
             Params => {
               Host => 'myDC',
               BaseDN => 'basDN,
               SSCOPE => 'sub',
               UserDN => 'user in LDAP CN form
               UserPw => 'pwd,
             },
             CustomerKey => 'sAMAccountName',
             CustomerID => 'mail',
             CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
             CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
             CustomerUserPostMasterSearchFields => ['mail'],
             CustomerUserNameFields => ['givenname', 'sn'],
             Map => [
               # note: Login, Email and CustomerID needed!
               # var, frontend, storage, shown, required, storage-type
               # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
                 [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
                 [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
                 [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
                 [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
                 [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
               # [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
               # [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
               # [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
             ],
           };

    # AUTHENTICATION SETTINGS


    ##LDAP Auth Users    
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
    $Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@DOMAIN';
    
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'myDC';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'basDN;
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'user CN format;
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'PWD;
    
    $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@realm;
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    # end of your own config options!!!                    #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #

use base qw(Kernel::Config::Defaults);

# -----------------------------------------------------#

1;

Can you help me to obtain my goal?
Look to user in AD and user Kerberos Credential negotiate by IE to login

Regards
Francesco

[morit2578]

Hi all,
other little puzzle bit, on journalctl I found this:

[Kernel::System::CustomerAuth::HTTPBasicAuth::Auth] User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER}

Regards
Francesco

[root]

First you have to fix your Kerberos configuration. A valid Kerberos SSO provides the missed environment variable.

[morit2578]

Hi all,
I think that the issue should be related to PERL.

I have try this simple php script:

Code: Select all

<?php
 echo "You have logged in as <b>" . $_SERVER['REMOTE_USER'] . "</b>;";
?>

with this result
You have logged in as <MySam><My Realm>;

with this simple perl script:

Code: Select all

#!/usr/bin/perl

print "Content-type: text/html\n\n";
print "<font size=+1>Environment</font>\n";
foreach (sort keys %ENV)
{
  print "<b>$_</b>: $ENV{$_}<br>\n";
  }
  
  1;

I receiva this

Environment user :

My guess is something related with mod_perl configuration, do you have any idea?

Regards
Francesco

[root]

Good hint, check the order of the configuration. On CentOS the files are read in alphabetical order.
In my configurations I load mod_perl first and the the Kerberos confiuration

[morit2578]

Hi All,
I have found the issue:

Code: Select all

#        <IfModule mod_version.c>
#            <IfVersion < 2.4>
#                Order allow,deny
#                Allow from all
#            </IfVersion>
#            <IfVersion >= 2.4>
#                Require all granted
#            </IfVersion>
#        </IfModule>
#        <IfModule !mod_version.c>
#            Order allow,deny
#            Allow from all
#        </IfModule>

This line, now commented, set "Require all granted" for mod_perl overwriting my kerberos settings.

Thanks for the support

Bye
Francesco