SSO not working - Message: Need User!

Moderator: crythias

fcollerette
Znuny newbie
Posts: 24
Joined: 27 Dec 2017, 20:40
Znuny Version: 6.0.2-03

Post by fcollerette »

Hi everyone,

I've been hitting this problem for quite a few days now, so I turn to you for help.

I've read quite a lot of forum subjects and web pages about Kerberos, but it seems I'm missing something.
Here are just a few I've read today.
viewtopic.php?f=62&t=28160&p=147152&hil ... th#p147152
viewtopic.php?f=62&t=33443&p=135834&hil ... th#p135834
viewtopic.php?t=15422
viewtopic.php?f=62&t=31416&p=127953&hil ... th#p127953

So here is what I'm sure is working.
My LDAP authentication is fine. It works well for agents and customers! It's also my "fallback" so my users can still log in by manually entering their creds.
My Kerberos setup seems to be OK. When I try to manually auth with KINIT, everything is fine. (user/pass login and HTTP service login)

So I'm thinking that my problem is either with HTTPD or OTRS.

So here is my "error_log" from HTTPD

Code: Select all

ERROR: OTRS-CGI-98 Perl: 5.16.3 OS: linux Time: Fri Jan 26 13:19:16 2018

 Message: Need User!

 RemoteAddress: 10.20.16.120
 RequestURI: /otrs/index.pl

 Traceback (5394): 
   Module: Kernel::System::Auth::LDAP::Auth Line: 123
   Module: Kernel::System::Auth::Auth Line: 152
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 248
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler Line: 40
   Module: (eval) (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
   Module: ModPerl::Registry::handler (v1.99) Line: 32

ERROR: OTRS-CGI-98 Perl: 5.16.3 OS: linux Time: Fri Jan 26 13:19:16 2018

 Message: Need UserLogin or UserID!

 RemoteAddress: 10.20.16.120
 RequestURI: /otrs/index.pl

 Traceback (5394): 
   Module: Kernel::System::User::UserLookup Line: 928
   Module: Kernel::System::Auth::Auth Line: 245
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 248
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler Line: 40
   Module: (eval) (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
   Module: ModPerl::Registry::handler (v1.99) Line: 32

Here is the start of the "Directory" statement in "zzz_otrs.conf"

Code: Select all

<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    Options +ExecCGI -Includes

<Files "index.pl">
AuthType Kerberos
AuthName "Kerberos AUTH"
KrbAuthRealms MYDOMAIN.LOCAL
KrbSaveCredentials off
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbServiceName HTTP/SERVICENAME(DNS)
Krb5KeyTab /etc/httpd/conf.d/otrs.keytab
Require valid-user
</Files>

Here is what's in my "Config.pm" file

Code: Select all

  $Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';
  $Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'DOMAIN\\';
  $Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@DOMAIN.LOCAL';

Tell me if you need more information, I'll gladly post it for you guys.

Thanks in advance for your precious help.

Post by fcollerette »

More info here

I tried using Internet Explorer and Chrome. I added my site in "local intranet" also, just in case.

I'm running OTRS version 6.0.2 under CentOS 7 using MariaDB and HTTPD.
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Post by root »

Hi,

Need User means that the name provided in REMOTE_USER is not a known agent. Create them manually or configure the AuthSyncModule.

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?

Post by fcollerette »

I know the user (me) is fine as I can log in using the webpage.

Is there a way to see what is submitted in the "REMOTE_USER" ?
That way I could actually see what the problem is.

Post by fcollerette »

Well, I figured that part out!

Here is a quick tip if someone ever needs it.

Code: Select all

<?php var_dump($_SERVER['REMOTE_USER'])?>

Post by fcollerette »

I noticed with the php var that my creds were "sAMAccountName@DOMAIN.LOCAL"
So I added "KrbLocalUserMapping On" in my "zzz_otrs.conf" and now REMOTE_USER is reporting "sAMAccountName"

I also removed these 2 lines from my "Config.pm" since I "fixed" that through Apache

Code: Select all

$Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'DOMAIN\\';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@DOMAIN.LOCAL';

So now I am 100% sure that Apache is returning the correct user to OTRS but I'm still getting the same error. Again, I can type my user/pass and it still works.

So it's most likely down to my OTRS configuration. For clarity's sake, I'll post back my config in Config.pm so you can see my HTTPBasicAuth and LDAP strings for my agents.

Code: Select all

 $Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';
  $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
  $Self->{'AuthModule::LDAP::Host1'} = 'ad.local';
  $Self->{'AuthModule::LDAP::BaseDN1'} = 'OU=MyBusiness,DC=domain,DC=local';
  $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
  $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'ldapuser';
  $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'ldappassword';
  $Self->{UserSyncLDAPMap} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname => 'sn',
        UserEmail => 'mail',
    };
  $Self->{UserSyncLDAPGroups} = [
        'users',
    ];
    $Self->{DatabaseUserTable} = 'users';
    $Self->{DatabaseUserTableUserID} = 'id';
    $Self->{DatabaseUserTableUserPW} = 'pw';
    $Self->{DatabaseUserTableUser} = 'login';
  $Self->{'AuthModule::LDAP::GroupDN1'} ='CN=Gr_OTRS_Agent,OU=Security Groups,OU=MyBusiness,DC=domain,DC=local';
  $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
  $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ad.local';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'MyBusiness,DC=domain,DC=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'ldapuser';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'ldappassword';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    # your ldap group
    'CN=Gr_OTRS_Agent,OU=Security Groups,OU=MyBusiness,DC=domain,DC=local' => {
        # otrs group(s)
        'admin' => {
            # permission
            rw => 1,
            ro => 1,
        },
        'faq' => {
            rw => 0,
            ro => 1,
        },
    },
    'cn=agent2,o=otrs' => {
        'users' => {
            rw => 1,
            ro => 1,
        },
    }
};

I'm probably close to the answer but it seems I cannot find it.

Thanks again for your help.

Post by fcollerette »

Also, I checked in my database and I see my users

(select * from users)

So they should match ...

Post by root »

Hi,

Did you check if the name in the table users matches the name in the access_log of the httpd?

- Roy

Post by fcollerette »

Hi Roy,

I double-checked in my log.
I do not see the user.

I have setup a sub-site with the same "kerberos config" and this one works well.
So I know it's not my kerberos config.

Maybe I'm just not putting it in the right place in zzz_otrs.conf ... I tried many variations ... but I can't figure this one out.

Thanks for your help
root wrote:
Hi,

Did you check if the name in the table users matches the name in the access_log of the httpd?

- Roy

Post by fcollerette »

I have found the issue: (viewtopic.php?t=33249)

Code: Select all

# <IfModule mod_version.c>
# <IfVersion < 2.4>
# Order allow,deny
# Allow from all
# </IfVersion>
# <IfVersion >= 2.4>
# Require all granted
# </IfVersion>
# </IfModule>
# <IfModule !mod_version.c>
# Order allow,deny
# Allow from all
# </IfModule>


This line, now commented out, set "Require all granted" for mod_perl, overwriting my Kerberos settings.
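
Added example, not part of the original thread: a small Python check for the cause reported in the last post, flagging an active "Require all granted" in a section that Apache merges after the Kerberos "Require valid-user" block, which leaves REMOTE_USER empty. The sample config is constructed from directives quoted in the thread; the `<Location /otrs>` placement and the function names are assumptions.

```python
import re

# Apache merges <Directory>, then <Files>, then <Location>. With the default
# "AuthMerging Off", Require lines in a later-merged section replace earlier ones.
MERGE_ORDER = {"directory": 0, "directorymatch": 1, "files": 2,
               "filesmatch": 2, "location": 3, "locationmatch": 3}

# Constructed sample built from directives quoted in the thread. Placing the
# version block inside <Location /otrs> is an assumption, not the poster's file.
SAMPLE = """\
<Directory "/opt/otrs/bin/cgi-bin/">
    <Files "index.pl">
        AuthType Kerberos
        Require valid-user
    </Files>
</Directory>
<Location /otrs>
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>
</Location>
"""

def require_lines(conf):
    """Return (section, argument, requirement) for every active Require line."""
    stack, found = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        tag = re.match(r"<(/?)(\w+)\s*(.*?)>$", line)
        if tag and tag.group(1):
            if stack:
                stack.pop()  # closing tag ends the innermost open section
        elif tag:
            stack.append((tag.group(2).lower(), tag.group(3).strip('"')))
        elif line.lower().startswith("require "):
            scope = [s for s in stack if s[0] in MERGE_ORDER]
            if scope:
                found.append((*scope[-1], line.split(None, 1)[1].lower()))
    return found

def overridden_auth(conf):
    """Sections whose 'Require all granted' merges after a 'Require valid-user'."""
    reqs = require_lines(conf)
    strict = [MERGE_ORDER[kind] for kind, _, req in reqs if req == "valid-user"]
    return [(kind, arg) for kind, arg, req in reqs
            if req == "all granted" and strict and MERGE_ORDER[kind] > min(strict)]

if __name__ == "__main__":
    print(overridden_auth(SAMPLE))
```

The check does not resolve whether the flagged section covers the same URL as the protected one, so a hit is a prompt to inspect the merged configuration rather than proof of an override.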