[SOLVED] LDAP authentication

bleitner
Znuny newbie
Posts: 17
Joined: 29 Apr 2012, 18:09
Znuny Version: 3.1.4
Real Name: bob
Company: temboo

[SOLVED] LDAP authentication

Post by bleitner »

Just starting to get this system set up and I've installed OTRS 3.1.4 with ITSM 3.1.2 on Ubuntu 10.04. My next step is to configure LDAP authentication, which is where I'm struggling. Right now I will only be using the system to support internal employees. Because of this the customers and agents are all in the same LDAP db, which is an AD system. I noticed that the docs reference setting up LDAP for Agents and for Customers separately, is this what I need to do? If not, then what are the options?

Do customers and agents have to log on through different interfaces - agents.pl vs. customers.pl? Or if I set up one LDAP db is there a way to define (ie - via groups in ldap) what users are agents and what users are customers, and therefore the system presents the appropriate interface - helpdesk vs. portal? I ask because the one modification I made to the system is to remove /otrs/ from the uri and now I don't know how to access the customer portal? The original thought was that I tell everyone to go to helpdesk.domain.com, but I'm not sure that would work if the system can't distinguish between different roles for users in the same LDAP db? I can use two different subdomains if that makes more sense - for instance, tell agents to go to helpdesk.domain.com and users to go to portal.domain.com?

I'm just looking for some direction and understanding of capability so I don't go down a rabbit hole and can get this set up properly first time around :)

Thanks!
Bob
Last edited by bleitner on 01 Aug 2012, 00:31, edited 1 time in total.
bleitner
Znuny newbie
Posts: 17
Joined: 29 Apr 2012, 18:09
Znuny Version: 3.1.4
Real Name: bob
Company: temboo

Re: LDAP authentication

Post by bleitner »

I've taken certain config params out of the default.pm and put them in the Config.pm to configure LDAP for both agents and customers. Both are coming from the same AD server, and I've added the users that should be considered agents to a group called "OTRS Agents". I cannot log in using my AD credentials at the agent logon, and get the resulting error in the user.log:

Apr 30 16:56:29 OTRS003101-Peak OTRS-CGI-10[30176]: [Notice][Kernel::System::Auth::LDAP::Auth] User: bob.leitner@temboo.corp authentication failed, no LDAP entry found!BaseDN='dc=temboo,dc=corp', Filter='(uid=bob.leitner@temboo.corp)', (REMOTE_ADDR: 10.11.2.155).
Apr 30 16:56:29 OTRS003101-Peak OTRS-CGI-10[30176]: [Error][Kernel::System::User::UserLookup][Line:797]: No UserID found for 'bob.leitner'!

These are the configuration additions I've made:

# --------------------------------------------------- #
# authentication settings for agent #
# (enable what you need, auth against otrs db, #
# against LDAP directory, against HTTP basic auth #
# or against Radius server) #
# --------------------------------------------------- #
# This is the auth. module against the otrs db
# $Self->{AuthModule} = 'Kernel::System::Auth::DB';

# defines AuthSyncBackend (AuthSyncModule) for AuthModule
# if this key exists and is empty, there won't be a sync.
# example values: AuthSyncBackend, AuthSyncBackend2
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';

# password crypt type (sha2|sha1|md5|crypt|plain)
# $Self->{'AuthModule::DB::CryptType'} = 'md5';

# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap.temboo.corp';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=temboo,dc=corp';
$Self->{'AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS Agents,ou=posixGroups,dc=temboo,dc=corp';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'otrs.ldap@temboo.corp';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option, e. g. a user just wants to log in as 'user' but
# in your ldap directory the entry is 'user@domain'.
$Self->{'AuthModule::LDAP::UserSuffix'} = '@temboo.corp';

# --------------------------------------------------- #
# customer authentication settings #
# (enable what you need, auth against otrs db, #
# against a LDAP directory, against HTTP basic #
# authentication and against Radius server) #
# --------------------------------------------------- #

# password crypt type (md5|crypt|plain)
# $Self->{'Customer::AuthModule::DB::CryptType'} = 'md5';

# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.temboo.corp';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=temboo,dc=corp';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
# $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
# $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs.ldap@temboo.corp';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each customer login name, then
# you can use this option, e. g. a user just wants to log in as 'user' but
# in your ldap directory the entry is 'user@domain'.
$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@temboo.corp';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
# $Self->{'Customer::AuthModule::LDAP::Params'} = {
# port => 389,
# timeout => 120,
# async => 0,
# version => 3,
# };

# Die if backend can't work, e. g. can't connect to server.
# $Self->{'Customer::AuthModule::LDAP::Die'} = 1;

Can someone please let me know what I'm missing, or what is wrong?
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: LDAP authentication

Post by crythias »

Did you figure out the LDAP?
bleitner wrote: no LDAP entry found!BaseDN='dc=temboo,dc=corp', Filter='(uid=bob.leitner@temboo.corp)', (REMOTE_ADDR: 10.11.2.155).
This is composed of:
# $Self->{'AuthModule::LDAP::UserAttr'}
being undefined, therefore using uid as the default,
the submitted login name (bob.leitner),
and the appended suffix:
$Self->{'AuthModule::LDAP::UserSuffix'} = '@temboo.corp';

Check LDAP (ADSIEdit?) for the attributes of your username and determine the composition of the uid field (is it an email address?).
bleitner wrote: Do customers and agents have to log on through different interfaces..?
Yes. Agents: index.pl Customer: customer.pl
bleitner wrote: I noticed that the docs reference setting up LDAP for Agents and for Customers separately, is this what I need to do?
Yes.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
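The filter composition crythias walks through above, as an added Python model that is not OTRS code: it builds the search filter from the UID, UserSuffix, GroupDN, AccessAttr and UserAttr settings and runs it against a constructed in-memory directory, so the posted agent config reproduces the "no LDAP entry found" line from the user.log, while an AD-oriented alternative (an assumption: login by sAMAccountName with no suffix, group membership checked by full DN in the group's member attribute) succeeds.

```python
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed AD-style sample: groups hold member DNs, users have no "uid" attribute.
DIRECTORY: List[Entry] = [
    {"dn": ["CN=Bob Leitner,OU=Users,DC=temboo,DC=corp"], "objectclass": ["user"],
     "sAMAccountName": ["bob.leitner"], "userPrincipalName": ["bob.leitner@temboo.corp"]},
    {"dn": ["CN=Alice,OU=Users,DC=temboo,DC=corp"], "objectclass": ["user"],
     "sAMAccountName": ["alice"]},
    {"dn": ["CN=OTRS Agents,OU=Groups,DC=temboo,DC=corp"], "objectclass": ["group"],
     "member": ["CN=Bob Leitner,OU=Users,DC=temboo,DC=corp"]},
]

def attr(entry: Entry, name: str) -> List[str]:  # LDAP attribute names are case-insensitive
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def build_filter(cfg: dict, login: str) -> str:
    """UID attribute (default 'uid') + submitted login + UserSuffix, as the moderator describes."""
    return f"({cfg.get('UID', 'uid')}={login}{cfg.get('UserSuffix', '')})"

def find_user(cfg: dict, login: str) -> Optional[Entry]:
    wanted = (login + cfg.get("UserSuffix", "")).lower()  # equality match, as the filter does
    for e in DIRECTORY:
        if wanted in (v.lower() for v in attr(e, cfg.get("UID", "uid"))):
            return e
    return None

def in_group(cfg: dict, user: Entry, login: str) -> bool:
    """Compare the login (UserAttr=UID) or the user's DN (UserAttr=DN) with the group's AccessAttr."""
    group = next((e for e in DIRECTORY
                  if attr(e, "dn")[0].lower() == cfg["GroupDN"].lower()), None)
    if group is None:
        return False
    needle = attr(user, "dn")[0] if cfg.get("UserAttr") == "DN" else login
    return needle.lower() in (v.lower() for v in attr(group, cfg["AccessAttr"]))

def authenticate(cfg: dict, login: str) -> str:
    user = find_user(cfg, login)
    if user is None:
        return f"no LDAP entry found! Filter='{build_filter(cfg, login)}'"
    if cfg.get("GroupDN") and not in_group(cfg, user, login):
        return "user is not in the required group"
    return "ok"

# The thread's posted agent settings, and the assumed AD-oriented alternative.
POSTED_CFG = {"UID": "uid", "UserSuffix": "@temboo.corp", "AccessAttr": "memberUid",
              "GroupDN": "cn=OTRS Agents,ou=posixGroups,dc=temboo,dc=corp"}
AD_CFG = {"UID": "sAMAccountName", "UserAttr": "DN", "AccessAttr": "member",
          "GroupDN": "CN=OTRS Agents,OU=Groups,DC=temboo,DC=corp"}
```

The matcher models only the equality filter and the group check, not AlwaysFilter or the bind step that follows a successful search.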
bleitner
Znuny newbie
Posts: 17
Joined: 29 Apr 2012, 18:09
Znuny Version: 3.1.4
Real Name: bob
Company: temboo

Re: LDAP authentication

Post by bleitner »

Yes, did work through it, and some of the problems were as you suggested :)