Help with user permissions through ldap login

English! place to talk about development, programming and coding
Post Reply
sry9681
Znuny newbie
Posts: 4
Joined: 23 Jul 2015, 18:03
Znuny Version: The most recent one.

Help with user permissions through ldap login

Post by sry9681 »

When ever I login using an AD user and password it successfully logs in but it wont set the correct permissions per the config file (the last bit of code).

Code: Select all

    # CustomerUser
# (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
       Module => 'Kernel::System::CustomerUser::LDAP',
       Params => {
          Host => '172.xx.x.xx',
          BaseDN => 'DC=domain,DC=local',
          SSCOPE => 'sub',
          UserDN =>'otrs_ldap@domain.local',
          UserPw => 'password',
       },

	   # customer unique id
       CustomerKey => 'sAMAccountName',
       # customer #
       CustomerID => 'mail',
       CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
       CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
       CustomerUserSearchPrefix => '',
       CustomerUserSearchSuffix => '*',
       CustomerUserSearchListLimit => 250,
       CustomerUserPostMasterSearchFields => ['mail'],
       CustomerUserNameFields => ['givenname', 'sn'],
       Map => [
          # note: Login, Email and CustomerID needed!
          # var, frontend, storage, shown, required, storage-type
          #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
          [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
          [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
          [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
          [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
          [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
          [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
          #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
          #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
       ],
    };

    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'otrs_ldap@domain.local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

# >>Customer Auth

	#Enable LDAP authentication for Customers / Users
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = '172.xx.x.xx';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# >>Agent Auth
 
    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = '172.xx.x.xx';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrs_allow_C,CN=Users,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberOf';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs_ldap@domain.local';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = '172.xx.x.xx';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'otrs_ldap@domain.local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
 
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # Attributes needed for group syncs
    # (attribute name for group value key)
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberOf';
    # (attribute for type of group content UID/DN for full ldap name)
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'sAMAccountName';
    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    #$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    #    'users',
    #]; 
    # AuthSyncModule::LDAP::UserSyncGroupsDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs groups, define the following.)
    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
        # ldap group
        'CN=otrs_allow_A,CN=Users,DC=domain,DC=local' => {
            # otrs group
            'admin' => {
                # permission
                rw => 1,
        move_into => 1,
        create => 1,
        note => 1,
        owner => 1,
        priority => 1,
                ro => 1,
            },
        },
    'CN=otrs_allow_C,CN=Users,DC=domain,DC=local' => {
            'users' => {
                rw => 1,
        move_into => 1,
        create => 1,
        note => 1,
        owner => 1,
        priority => 1,
                ro => 1,
            },
        }
    };
The related log after logging in...

Code: Select all

 OTRSUbuntu OTRS-CGI-67[1401]: [Notice][Kernel::System::Auth::LDAP::Au th] User: frbcr1 authentication failed, no LDAP group entry foundGroupDN='CN=otrs_allow_C,CN=Users,DC=domain,DC=local', Filter='(memberOf=CN=FRB Conference Room 1,CN=Managed Service Accounts,CN=Users,DC=domain,DC=local)'! (REMOTE_ADDR: 172.xx.x.xxx).
Any help appreciated.
Top
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:
Contact crythias

Re: Help with user permissions through ldap login

Post by crythias »

Customer groups aren't supported through LDAP (At least, not historically.)

For agents:
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrs_allow_C,CN=Users,DC=domain,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberOf';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

But your error says:

Code: Select all

Kernel::System::Auth::LDAP::Auth] User: frbcr1 authentication failed, no LDAP group entry foundGroupDN='CN=otrs_allow_C,CN=Users,DC=domain,DC=local', Filter='(memberOf=CN=FRB Conference Room 1,CN=Managed Service Accounts,CN=Users,DC=domain,DC=local)'! (REMOTE_ADDR: 172.xx.x.xxx).
Somewhere (SysConfig?) you've specified a filter.

Also, no group with a DN of CN=otrs_allow_C,CN=Users,DC=domain,DC=local
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Top
sry9681
Znuny newbie
Posts: 4
Joined: 23 Jul 2015, 18:03
Znuny Version: The most recent one.

Re: Help with user permissions through ldap login

Post by sry9681 »

I haven't edited anything in the SysConfig.pm file. I just looked through it and these are the only two places with the word 'Filter'.

Code: Select all

if (
        $ConfigItem->{Setting}->[1]->{Option}
        && $ConfigItem->{Setting}->[1]->{Option}->[1]->{Location}
        )
    {
        my $Home = $Self->{Home};
        my @List = $MainObject->DirectoryRead(
            Directory => $Home,
            Filter    => "$ConfigItem->{Setting}->[1]->{Option}->[1]->{Location}",
        );

        for my $Item (@List) {
            $Item =~ s/\Q$Home\E//g;
            $Item =~ s/^[A-z]://g;
            $Item =~ s/\\/\//g;
            $Item =~ s/\/\//\//g;
            $Item =~ s/^\///g;
            $Item =~ s/^(.*)\.pm/$1/g;
            $Item =~ s/\//::/g;
            $Item =~ s/\//::/g;
            my $Value = $Item;
            my $Key   = $Item;
            $Value =~ s/^.*::(.+?)$/$1/g;

            if ( !$ConfigItem->{Setting}->[1]->{Option}->[1]->{Item} ) {
                push( @{ $ConfigItem->{Setting}->[1]->{Option}->[1]->{Item} }, undef$
            }
            push(
                @{ $ConfigItem->{Setting}->[1]->{Option}->[1]->{Item} },
                {
                    Key     => $Key,
                    Content => $Value,
                },
            );
        }
    }
    return %{$ConfigItem};

Code: Select all

=begin Internal:

=cut

sub _Init {
    my ( $Self, %Param ) = @_;

    my $Directory = "$Self->{Home}/Kernel/Config/Files/";

    return if !-e $Directory;

    # get main object
    my $MainObject = $Kernel::OM->Get('Kernel::System::Main');

    # load xml config files
    my @Files = $MainObject->DirectoryRead(
        Directory => $Directory,
        Filter    => "*.xml",
    );

    # get the md5 representing the current configuration state
    my $ConfigChecksum = $Self->{ConfigObject}->ConfigChecksum();

    # get cache object
    my $CacheObject = $Kernel::OM->Get('Kernel::System::Cache');

    my %Data;
    FILE:
    for my $File (@Files) {

        my $CacheKey  = "_Init::${File}::${ConfigChecksum}";
        my $CacheData = $CacheObject->Get(
            Type => 'SysConfig',
            Key  => $CacheKey,
        );

        if ( ref $CacheData eq 'SCALAR' ) {
            my $XMLHashRef;
            if ( eval ${$CacheData} ) {
                $Data{$File} = $XMLHashRef;
                next FILE;
            }
        }

        my $ConfigFile = $MainObject->FileRead(
            Location => $File,
            Mode     => 'binmode',
(Page cutoff here)
And the reason for the attempted Customer groups is because I have been wanting to have only 'users' permissions checked if they are a part of 'CN=otrs_allow_C,CN=Users,DC=domain,DC=local' and have all permission boxes checked (including stats and admin) if they are in 'CN=otrs_allow_A,CN=Users,DC=domain,DC=local'.... Is there any way I can get that to successfully work?
Top
Post Reply

Return to “Developers”