[Solved] LDAP authentication for customer users on Windows Server 2019 AD

sebf
Znuny newbie
Posts: 8
Joined: 23 Apr 2024, 12:47
Znuny Version: 7.0.16
Real Name: Sebastian

[Solved] LDAP authentication for customer users on Windows Server 2019 AD

Post by sebf »

Hello, I am encountering problems configuring LDAP authentication for customer users with credentials from the Active Directory. Whenever I try to connect to the ticket system with valid credentials from the AD, I always get the message on the customer portal that the credentials are incorrect.

This is the configuration I have on the Defaults.pm file:

Code:

# CustomerUser
# (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
        Name => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'server.subdomain.domain.com',
            # ldap base dn
            BaseDN => 'dc=subdomain,dc=domain,dc=com',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'bindUser@domain.com',
            UserPw => 'password',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            #AlwaysFilter => '(mail=*)',
            # if the charset of your ldap server is iso-8859-1, use this:
            SourceCharset => 'utf-8',
            DestCharset => 'utf-8',
            # die if backend can't work, e. g. can't connect to server
            Die => 0,
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 50,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        # Configures the character for joining customer user name parts. Join single space if it is not defined.
        CustomerUserNameFieldsJoin => '',
        # show customer user and customer tickets in customer interface
        CustomerUserExcludePrimaryCustomerID => 0,
        # add a ldap filter for valid users (expert setting)
        # CustomerUserValidFilter => '(!(description=gesperrt))',
        # admin can't change customer preferences
        AdminSetPreferences => 0,
        # cache time to live in sec. - cache any ldap queries
        CacheTTL => 60 * 10 * 0,
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly, http-link-target, link class(es)
            [ 'UserTitle',       'Title',               'title',               1, 0, 'var', '', 0, undef, undef ],
            [ 'UserFirstname',   'Firstname',           'givenname',           1, 0, 'var', '', 0, undef, undef ],
            [ 'UserLastname',    'Lastname',            'sn',                  1, 0, 'var', '', 0, undef, undef ],
            [ 'UserLogin',       'Username',            'uid',                 1, 1, 'var', '', 0, undef, undef ],
            [ 'UserEmail',       'Email',               'mail',                1, 1, 'var', '', 0, undef, undef ],
            [ 'UserCustomerID',  'CustomerID',          'mail',                0, 1, 'var', '', 0, undef, undef ],
            # [ 'UserCustomerIDs', Translatable('CustomerIDs'),         'second_customer_ids', 1, 0, 'var', '', 0, undef, undef ],
            [ 'UserPhone',       'Phone',               'telephonenumber',     1, 0, 'var', '', 0, undef, undef ],
            [ 'UserAddress',     'Address',             'postaladdress',       1, 0, 'var', '', 0, undef, undef ],
            [ 'UserComment',     'Comment',             'description',         1, 0, 'var', '', 0, undef, undef ],

            # this is needed, if "SMIME::FetchFromCustomer" is active
            # [ 'UserSMIMECertificate', 'SMIMECertificate', 'userSMIMECertificate', 0, 1, 'var', '', 1, undef, undef ],

            # Dynamic field example
            # [ 'DynamicField_Name_X', undef, 'Name_X', 0, 0, 'dynamic_field', undef, 0, undef, undef ],
        ],
    };
Maybe I need to copy this to the Config.pm file? Or maybe there is an issue since I need to configure around a subdomain?

Any help will be much appreciated.

- Sebastian
Last edited by sebf on 07 May 2024, 09:07, edited 1 time in total.
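Before moving the block into Config.pm it helps to replay, outside the web stack, what Kernel::System::CustomerAuth::LDAP does for a customer login: bind with the search account, find the user's DN by the configured UID attribute under BaseDN, optionally check group membership, then bind as that DN with the password the customer typed. Each step has its own failure mode, and the portal collapses all of them into "credentials are incorrect". The script below is an added example written for this thread, not code from Znuny or from the original poster; the host, base DN, service-account name, CA certificate path and group DN are placeholders modelled on the post and must be replaced. It uses sAMAccountName as the UID attribute because Active Directory does not populate uid on user objects by default, and it runs over LDAPS with certificate verification so that neither the service-account password nor the customer's password crosses the wire in clear text.

```perl
#!/usr/bin/perl
# ldap-customer-auth-check.pl
# Replays, outside Znuny, the search-then-bind sequence that
# Kernel::System::CustomerAuth::LDAP performs for a customer login, so that a
# "credentials are incorrect" message can be traced to its real cause.
# Added example, not Znuny code; host, DNs, service-account name, CA path and
# group DN below are placeholders modelled on the thread.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Settings mirroring Customer::AuthModule::LDAP::* (all placeholders).
my %Cfg = (
    Host         => 'host.subdomain.domain.com',
    Port         => 636,                          # LDAPS; port 389 carries every password in clear text
    CAFile       => '/etc/ssl/certs/ad-ca.pem',   # assumed path to the CA that issued the DC certificate
    BaseDN       => 'dc=subdomain,dc=domain,dc=com',
    UID          => 'sAMAccountName',             # 'uid' is not populated on AD user objects
    SearchUserDN => 'svc-znuny@subdomain.domain.com',
    SearchUserPw => $ENV{LDAP_SEARCH_PW} // die("set LDAP_SEARCH_PW in the environment\n"),
    GroupDN      => 'CN=znuny-customers,OU=Groups,DC=subdomain,DC=domain,DC=com',
    AccessAttr   => 'member',
);

# Login on the command line, password on stdin (argv is visible to every local user).
my $Login    = shift(@ARGV) // die("usage: $0 <login>   (password is read from stdin)\n");
my $Password = <STDIN>;
die "no password given\n" unless defined $Password;
chomp $Password;

# An empty password must never reach bind(): Net::LDAP would then perform an
# anonymous bind, which AD accepts, and the check would wrongly succeed.
die "refusing empty password\n" if $Password eq '';

my $LDAP = Net::LDAP->new(
    $Cfg{Host},
    scheme  => 'ldaps',
    port    => $Cfg{Port},
    verify  => 'require',
    cafile  => $Cfg{CAFile},
    timeout => 20,
    version => 3,
) or die "connect to $Cfg{Host}:$Cfg{Port} failed: $@\n";

# 1) Bind with the read-only service account used for the directory search.
my $Res = $LDAP->bind( $Cfg{SearchUserDN}, password => $Cfg{SearchUserPw} );
die 'search-user bind failed: ' . $Res->error() . "\n" if $Res->code();

# 2) Look up the user's DN. The login is escaped so that input such as
#    "*)(objectClass=*" cannot rewrite the filter (LDAP injection).
my $Filter = sprintf '(%s=%s)', $Cfg{UID}, escape_filter_value($Login);
$Res = $LDAP->search(
    base   => $Cfg{BaseDN},
    scope  => 'sub',
    filter => $Filter,
    attrs  => [ 'mail', 'userAccountControl' ],
);
die 'search failed: ' . $Res->error() . "\n" if $Res->code();
my @Entries = $Res->entries();
if ( @Entries != 1 ) {
    # Zero hits is the symptom from the first post when the attribute is 'uid'
    # instead of 'sAMAccountName': there is no DN to bind with, so Znuny
    # reports bad credentials.
    printf "filter %s under %s matched %d entries (expected exactly 1)\n",
        $Filter, $Cfg{BaseDN}, scalar @Entries;
    exit 1;
}
my $Entry  = $Entries[0];
my $UserDN = $Entry->dn();
print 'found ', $UserDN, ' (mail=', $Entry->get_value('mail') // '-', ")\n";

# AD flags disabled accounts with bit 0x2 of userAccountControl; such an
# account also fails the bind below, but saying so explicitly saves time.
my $UAC = $Entry->get_value('userAccountControl') // 0;
print "WARNING: account is disabled (userAccountControl=$UAC)\n" if $UAC & 0x2;

# 3) Group gate, done the way the module does it: a base-scope search on the
#    group object for an AccessAttr value equal to the user's DN. This matches
#    direct membership only; nested groups are not expanded.
$Res = $LDAP->search(
    base   => $Cfg{GroupDN},
    scope  => 'base',
    filter => sprintf( '(%s=%s)', $Cfg{AccessAttr}, escape_filter_value($UserDN) ),
    attrs  => ['1.1'],    # request no attributes, only the match
);
if ( $Res->code() || $Res->count() != 1 ) {
    print "$UserDN is not a direct member of $Cfg{GroupDN}\n";
    exit 1;
}

# 4) The actual credential check: a simple bind as the user's DN.
$Res = $LDAP->bind( $UserDN, password => $Password );
if ( $Res->code() ) {
    print 'user bind failed: ', $Res->error(), "\n";
    exit 1;
}
print "authentication OK for $UserDN\n";
$LDAP->unbind();
```

Run it as `LDAP_SEARCH_PW='...' perl ldap-customer-auth-check.pl jdoe` and type the customer's password. The step that prints a failure is the one to fix in Config.pm: no entries means the UID attribute or BaseDN is wrong, a group message means GroupDN/AccessAttr, and a failed user bind means the password itself (or a locked or expired account, which the DC reports in the bind error text). If the domain controller only offers plain LDAP on 389, the script will fail at connect time; that is a signal to enable LDAPS on the DC rather than to fall back to clear text.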
skullz
Znuny superhero
Posts: 629
Joined: 24 Feb 2012, 03:58
Znuny Version: LTS and Features
Real Name: Mo Azfar
Location: Kuala Lumpur, MY

Re: LDAP authentication for customer users on Windows Server 2019 AD

Post by skullz »

Yeah, you're right. You need to copy this to Config.pm.
Additionally, you also need Customer::AuthModule:

https://github.com/znuny/Znuny/blob/2bf ... s.pm#L1372
sebf
Znuny newbie
Posts: 8
Joined: 23 Apr 2024, 12:47
Znuny Version: 7.0.16
Real Name: Sebastian

Re: LDAP authentication for customer users on Windows Server 2019 AD

Post by sebf »

Should I also configure the synchronization between LDAP and the local Znuny database?

- Sebastian
sebf
Znuny newbie
Posts: 8
Joined: 23 Apr 2024, 12:47
Znuny Version: 7.0.16
Real Name: Sebastian

Re: LDAP authentication for customer users on Windows Server 2019 AD

Post by sebf »

I managed to figure out the configuration, mostly thanks to an older post viewtopic.php?f=61&t=7082

I got the parameters of the users inside the AD and mapped them accordingly so Znuny would be able to find the users (pay attention to whether the AD users have a UID or not; in my case they didn't, so configure the parameters inside the Kernel/Config.pm file using the parameters available in the AD).

Here is the section of the Config.pm file I changed:

Code:

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'host.subdomain.domain.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=subdomain,dc=domain,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=xxxxx,OU=xxxxx,OU=xxxxx,OU=xxxxx,DC=subdomain,DC=domain,DC=com';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'mailaddress@domain.com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxx';


# CustomerUser
# (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
        Name => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'host.subdomain.domain.com',
            # ldap base dn
            BaseDN => 'dc=subdomain,dc=domain,dc=com',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'mailaddress@domain.com',
            UserPw => 'xxxxxx',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            #AlwaysFilter => '(mail=*)',
            # if the charset of your ldap server is iso-8859-1, use this:
            SourceCharset => 'utf-8',
            DestCharset => 'utf-8',
            # die if backend can't work, e. g. can't connect to server
            Die => 0,
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        # Configures the character for joining customer user name parts. Join single space if it is not defined.
#        CustomerUserNameFieldsJoin => '',
        # show customer user and customer tickets in customer interface
        CustomerUserExcludePrimaryCustomerID => 0,
        # add a ldap filter for valid users (expert setting)
        # CustomerUserValidFilter => '(!(description=gesperrt))',
        # admin can't change customer preferences
        AdminSetPreferences => 0,
        # cache time to live in sec. - cache any ldap queries
#        CacheTTL => 60 * 10 * 0,
        Map => [
            # note: Login, Email and CustomerID needed!
            #     var,             frontend,             storage,           shown (1=always,2=lite), required, storage-type, http-link, readonly, http-link-target, link class(es)
            [ 'UserFirstname',   'Firstname',           'givenname',           1,                        0,     'var',          '',      0,              undef,         undef ],
            [ 'UserLastname',    'Lastname',            'sn',                  1,                        0,     'var',          '',      0,              undef,         undef ],
            [ 'UserLogin',       'Username',            'sAMAccountName',      1,                        1,     'var',          '',      0,              undef,         undef ],
            [ 'UserEmail',       'Email',               'mail',                1,                        1,     'var',          '',      0,              undef,         undef ],
            [ 'UserCustomerID',  'CustomerID',          'mail',                0,                        1,     'var',          '',      0,              undef,         undef ],
            [ 'UserPhone',       'Phone',               'telephonenumber',     1,                        0,     'var',          '',      0,              undef,         undef ],
        ],
    };

Also, thank you skullz for helping me.

- Sebastian
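The solved configuration works, but two things in it are worth tightening before it serves real customers. Both the auth module and the CustomerUser backend talk to the domain controller on port 389, so the service-account password and every customer's password leave the Znuny host in clear text; and the group gate applies only to authentication, so the CustomerUser backend still lists every object that matches the map, disabled accounts included, in agent-side customer searches. The fragment below is an added example for this thread, not part of the post or of Znuny's shipped Defaults.pm. The Params hash is handed to Net::LDAP->new, so its keys are Net::LDAP options; the CA file path, the service-account name and the group DN are placeholders. The last two assignments assume they are placed after the `$Self->{CustomerUser} = { ... };` block from the post, which they modify in place.

```perl
    # --- Customer::AuthModule: LDAPS with certificate verification ---
    # Params goes straight to Net::LDAP->new, so the keys are Net::LDAP's.
    $Self->{'Customer::AuthModule'}               = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'}   = 'host.subdomain.domain.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=subdomain,dc=domain,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'}    = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        scheme  => 'ldaps',                     # instead of clear-text ldap on 389
        port    => 636,
        verify  => 'require',                   # refuse a DC presenting an unknown certificate
        cafile  => '/etc/ssl/certs/ad-ca.pem',  # assumed path to the issuing CA
        timeout => 20,
        async   => 0,
        version => 3,
    };

    # Only enabled user objects are even looked up: AD bitwise match
    # (rule OID 1.2.840.113556.1.4.803) on the ACCOUNTDISABLE bit of userAccountControl.
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} =
        '(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';

    # Group gate as in the solved config. 'member' holds full DNs, which is
    # what the posted configuration already relies on.
    $Self->{'Customer::AuthModule::LDAP::GroupDN'}    = 'CN=znuny-customers,OU=Groups,DC=subdomain,DC=domain,DC=com';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';

    # Dedicated read-only service account with no other rights. Its password
    # lives in Config.pm, so keep that file unreadable to other local users.
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'svc-znuny@subdomain.domain.com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxx';

    # --- CustomerUser backend: same transport and the same filter, so that
    # agents do not see disabled accounts in customer searches. Placed after
    # the $Self->{CustomerUser} = { ... }; block, which it modifies in place. ---
    $Self->{CustomerUser}->{Params}->{AlwaysFilter} =
        '(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';
    $Self->{CustomerUser}->{Params}->{Params} = {
        scheme  => 'ldaps',
        port    => 636,
        verify  => 'require',
        cafile  => '/etc/ssl/certs/ad-ca.pem',  # assumed path to the issuing CA
        timeout => 20,
        async   => 0,
        version => 3,
    };
```

A disabled AD account cannot bind in any case, so the AlwaysFilter on the auth module is belt-and-braces; its real value is on the CustomerUser backend, where without it every matching object is searchable and selectable in the agent interface. The group check matches direct membership only; if customers are granted access through nested groups, the filter needs AD's LDAP_MATCHING_RULE_IN_CHAIN (`memberOf:1.2.840.113556.1.4.1941:=<group DN>`) in AlwaysFilter instead of the GroupDN/AccessAttr pair. After changing Config.pm, clear the cache (`bin/znuny.Console.pl Maint::Cache::Delete`) before retesting, or the backend may keep serving the previous lookup results.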