multiple ldap authentication

aeg
Znuny newbie
Posts: 42
Joined: 02 Mar 2017, 15:53
Znuny Version: 5.0.4

multiple ldap authentication

Post by aeg »

I'm testing multiple LDAP backend authentication, and I came across the problem that I log in as another user in another domain if the user name is the same:
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

Should the problem be resolved if I add "email" instead of 'sAMAccountName'?
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: multiple ldap authentication

Post by root »

You need an attribute which is unique in every single Active Directory / LDAP. Whether this is sAMAccountName, uid, mail or userPrincipalName can only be answered by yourself.
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes?
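To make the point in the answer above concrete: an added example (not code from the thread or from Znuny/OTRS) that models what happens when several LDAP backends share a non-unique login attribute. It assumes the documented backend order, in which AuthModule, AuthModule1..N are tried in turn and the first successful bind wins, and CustomerUser, CustomerUser1..N are queried in turn for the user's data; the directory contents are constructed, and the passwords are stored in plain text only because this is a model.

```python
"""Model of a multi-backend LDAP login with a non-unique login attribute.

Assumption (not OTRS code): authentication backends are tried in order and
the first successful password check wins; data backends are queried in the
same order and the first match is returned. Directory data is constructed.
"""
import hmac

# Constructed exports of two directories that both contain a "jsmith".
DIRECTORIES = {
    "corp-a": [
        {"sAMAccountName": "jsmith", "mail": "john.smith@corp-a.example",
         "userPrincipalName": "jsmith@corp-a.example", "password": "alpha-secret"},
        {"sAMAccountName": "mmeier", "mail": "m.meier@corp-a.example",
         "userPrincipalName": "mmeier@corp-a.example", "password": "beta-secret"},
    ],
    "corp-b": [
        {"sAMAccountName": "jsmith", "mail": "jane.smith@corp-b.example",
         "userPrincipalName": "jsmith@corp-b.example", "password": "gamma-secret"},
    ],
}


def find_collisions(directories, attr):
    """Return {value: [directory, ...]} for values of attr present in more than one directory.

    Values are lower-cased because LDAP matching on these attributes is case-insensitive.
    """
    seen = {}
    for name, entries in directories.items():
        for entry in entries:
            value = entry.get(attr)
            if value is not None:
                seen.setdefault(value.lower(), set()).add(name)
    return {value: sorted(names) for value, names in seen.items() if len(names) > 1}


def authenticate(directories, uid_attr, login, password):
    """Model of the AuthModuleN chain: search (uid_attr=login) per backend, then bind.

    Returns the first backend that accepts the password, or None.
    """
    for name, entries in directories.items():
        for entry in entries:
            if entry.get(uid_attr, "").lower() != login.lower():
                continue
            # constant-time comparison, as a real bind would not leak by timing either
            if hmac.compare_digest(entry["password"], password):
                return name
    return None


def lookup(directories, key_attr, login):
    """Model of the CustomerUserN chain: the first backend whose key_attr matches wins."""
    for name, entries in directories.items():
        for entry in entries:
            if entry.get(key_attr, "").lower() == login.lower():
                return name, entry
    return None, None


def login_flow(directories, uid_attr, login, password):
    """Return (backend that accepted the password, backend whose record the session gets).

    A mismatch means the user authenticated against one directory but is
    shown (and acts as) the identity found first in another one.
    """
    auth_backend = authenticate(directories, uid_attr, login, password)
    if auth_backend is None:
        return None, None
    data_backend, _entry = lookup(directories, uid_attr, login)
    return auth_backend, data_backend


if __name__ == "__main__":
    for attr in ("sAMAccountName", "mail", "userPrincipalName"):
        print(attr, "collisions:", find_collisions(DIRECTORIES, attr))
    # jsmith from corp-b logs in with corp-b's password but gets corp-a's record
    print(login_flow(DIRECTORIES, "sAMAccountName", "jsmith", "gamma-secret"))
    print(login_flow(DIRECTORIES, "mail", "jane.smith@corp-b.example", "gamma-secret"))
```

Running `find_collisions` over real exports of each directory (for example from `ldapsearch` output) before switching the UID attribute is the check to do: whichever attribute comes back with an empty collision map is the one that is safe to use for all backends.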
aeg
Znuny newbie
Posts: 42
Joined: 02 Mar 2017, 15:53
Znuny Version: 5.0.4

Re: multiple ldap authentication

Post by aeg »

I'm trying to make the "mail" authentication work.
When I try to log in as an agent I get this error:
"Panic, user authenticated but no user data can be found in OTRS DB!! Perhaps the user is invalid."

I can log in as a customer, but there is no customer information for customers when I create tickets.

Any ideas?


# --- Agent authentication, backend 3 ---

$Self->{'AuthModule3'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host3'} = 'ip';
$Self->{'AuthModule::LDAP::BaseDN3'} = 'dc=domain,dc=local';
# Login attribute. With several backends it must be unique across all of them.
$Self->{'AuthModule::LDAP::UID3'} = 'mail';

# Check if the user is allowed to auth in a posixGroup
# (e.g. user needs to be in a group OTRS_Agents to use OTRS)
$Self->{'AuthModule::LDAP::GroupDN3'} = 'my agent group';
$Self->{'AuthModule::LDAP::AccessAttr3'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr3'} = 'DN';

# Bind credentials to log into AD (a read-only search account)
$Self->{'AuthModule::LDAP::SearchUserDN3'} = 'A.d. search users';
$Self->{'AuthModule::LDAP::SearchUserPw3'} = 'pass';

# in case you want to add always one filter to each ldap query, use
# this option. e.g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter3'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e.g. the user just wants to type "user" but
# in your LDAP directory the entry is "user@domain".
#$Self->{'AuthModule::LDAP::UserSuffix3'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
# Port 389 without TLS sends the search account's and the users' passwords
# in clear text; Net::LDAP also accepts an ldaps:// URI as the host.
$Self->{'AuthModule::LDAP::Params3'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# --- Agent data sync from LDAP, backend 3 ---
$Self->{'AuthSyncModule3'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host3'} = 'ip';
$Self->{'AuthSyncModule::LDAP::BaseDN3'} = 'dc=domain,dc=local';
# Same login attribute as AuthModule::LDAP::UID3, otherwise the authenticated
# user cannot be found for syncing.
$Self->{'AuthSyncModule::LDAP::UID3'} = 'mail';
$Self->{'AuthSyncModule::LDAP::SearchUserDN3'} = 'OTRS search user';
$Self->{'AuthSyncModule::LDAP::SearchUserPw3'} = 'pass';
$Self->{'AuthSyncModule::LDAP::UserSyncMap3'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# --- Customer authentication, backend 3 ---
$Self->{'Customer::AuthModule3'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host3'} = 'ip';
$Self->{'Customer::AuthModule::LDAP::BaseDN3'} = 'dc=domain,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID3'} = 'mail';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN3'} = 'otrs search user';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw3'} = 'pass';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter3'} = '(mail=*)';
$Self->{'Customer::AuthModule::LDAP::Params3'} = {
    async   => 0,
    port    => 389,
    timeout => 120,
    version => 3,
};
## The above is the LDAP Customer Authentication module.

# --- Customer user data, backend 3 ---
$Self->{CustomerUser3} = {
    Name   => 'Active Directory 3',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host          => 'IP',
        BaseDN        => 'dc=domain,dc=local',
        SSCOPE        => 'sub',
        UserDN        => 'otrs search user',
        UserPw        => 'pass',
        AlwaysFilter  => '(mail=*)',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
    },

    # CustomerKey is the attribute searched for the login name; it has to be
    # the same attribute as Customer::AuthModule::LDAP::UID3.
    CustomerKey => 'mail',
    CustomerID  => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'uid', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 900,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    CacheTTL => 120,
    Map => [
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        # UserLogin has to be the CustomerKey attribute (mail). The session's
        # login is taken from this field and later customer lookups search
        # CustomerKey for it; with 'sAMAccountName' here those lookups find
        # nothing, so tickets show no customer data.
        [ 'UserLogin',      'Username',   'mail',            1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 1, 'var', '', 1 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};
Last edited by aeg on 15 Mar 2017, 12:56, edited 1 time in total.
aeg
Znuny newbie
Posts: 42
Joined: 02 Mar 2017, 15:53
Znuny Version: 5.0.4

Re: multiple ldap authentication

Post by aeg »

I got the logon to work, but when the customer logs on to the customer site and creates a ticket, there is no customer information. And the customer can't open the ticket: "Permission denied".
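An added example (not from the thread or from Znuny/OTRS) that models the mismatch in the posted CustomerUser backend, where CustomerKey is 'mail' but the Map's UserLogin column is 'sAMAccountName'. It assumes that after a customer logs in, the session's UserLogin is the value of the Map's UserLogin attribute, and that later customer lookups (for example when the ticket is created) search the CustomerKey attribute for that value; the directory entry and the two backend configurations are constructed for the demonstration.

```python
"""Consistency check for a CustomerUser LDAP map versus its login key.

Model assumption (not OTRS code): the session login comes from the Map's
UserLogin attribute, and every later lookup searches CustomerKey for that
login. If the two attributes differ, the later lookup misses.
"""

# Constructed directory entries (invented values).
ENTRIES = [
    {"sAMAccountName": "jsmith", "mail": "john.smith@domain.local",
     "givenname": "John", "sn": "Smith"},
    {"sAMAccountName": "mmeier", "mail": "m.meier@domain.local",
     "givenname": "Maria", "sn": "Meier"},
]

# Minimal view of the two relevant settings of a CustomerUserN backend.
POSTED = {"AuthUID": "mail", "CustomerKey": "mail", "UserLogin": "sAMAccountName"}
FIXED = {"AuthUID": "mail", "CustomerKey": "mail", "UserLogin": "mail"}


def data_get(entries, key_attr, login):
    """Model of CustomerUserDataGet: return the entry where key_attr equals login."""
    for entry in entries:
        if entry.get(key_attr, "").lower() == login.lower():
            return entry
    return None


def ticket_customer_data(config, entries, typed_login):
    """Log in, derive the session login from the Map, then look the customer up again.

    Returns the record found by the second lookup, or None when it misses.
    """
    session_record = data_get(entries, config["CustomerKey"], typed_login)
    if session_record is None:
        return None
    session_login = session_record[config["UserLogin"]]
    return data_get(entries, config["CustomerKey"], session_login)


def check_map(config):
    """Return a list of configuration problems; empty means the map is consistent."""
    problems = []
    if config["AuthUID"] != config["CustomerKey"]:
        problems.append("Customer::AuthModule::LDAP::UID and CustomerKey differ")
    if config["UserLogin"] != config["CustomerKey"]:
        problems.append("Map UserLogin attribute differs from CustomerKey")
    return problems


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(name, check_map(cfg), ticket_customer_data(cfg, ENTRIES, "john.smith@domain.local"))
```

With the posted map the second lookup searches `(mail=jsmith)` and returns nothing, which is the "no customer information" symptom; with UserLogin on the same attribute as CustomerKey both lookups return the same record.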