configuring an LDAP customer backend

gfontanili
Znuny newbie
Posts: 4
Joined: 15 Sep 2016, 10:28
Znuny Version: 5.0.4
Real Name: Gianfranco Fontanili
Company: Brevini Fluid Power SPA

configuring an LDAP customer backend

Post by gfontanili »

Hi everyone,
I'm trying to configure LDAP authentication for customers.

I modified the Config.pm file with the following code:

# 2. Customer user backend: LDAP
# (customer ldap backend and settings)
$Self->{CustomerUser2} = {
    Name => 'LDAP Datasource',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'example.com',
        # ldap base dn
        BaseDN => 'CN=helpdesk_customers,OU=Groups,OU=ITA,DC=example,DC=com',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'authorized_user',
        UserPw => 'pwd_authorized_user',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '',
        # if the charset of your ldap server is iso-8859-1, use this:
#        SourceCharset => 'iso-8859-1',

        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            port => 389,
            timeout => 120,
            async => 0,
            version => 3,
        },
    },
    # customer unique id
    CustomerKey => 'uid',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['uid', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add a ldap filter for valid users (expert setting)
#    CustomerUserValidFilter => '(!(description=locked))',
    # admin can't change customer preferences
    AdminSetPreferences => 0,
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
#        [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};

In the customer list, however, I don't see the members of the helpdesk_customers group.
The logs return this error:
Can't contact LDAP server
Thu Sep 15 09:51:35 2016 error OTRS-CGI-87 First bind failed! 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
Where am I going wrong?

Thanks.

Gianfranco
Giulio Soleni
Znuny wizard
Posts: 392
Joined: 30 Dec 2010, 14:35
Znuny Version: 6.0.x and 5.0.x
Real Name: Giulio Soleni
Company: IKS srl

Re: configuring an LDAP customer backend

Post by Giulio Soleni »

Hi,
I think the error is in the BaseDN parameter, which should contain only the distinguished name of the LDAP server.
Assuming your server is example.com, BaseDN should be just 'DC=example,DC=com'.
The full specification should instead go in the AlwaysFilter parameter (memberOf=full LDAP path of the group).
Also, I don't know how you specified the UserDN credentials, but... assuming the account is called ldapUser, for example, it must be specified with its absolute LDAP path (in my case 'CN=ldapUser,OU=Utenze di Servizio,DC=domain,DC=local').

This is the working configuration for our system (I only changed the domain names and the account credentials, for obvious reasons):

$Self->{CustomerUser1} = {
   Name => 'ActiveDirectory Data Source',
   Module => 'Kernel::System::CustomerUser::LDAP',
   Params => {
      Host => 'dc1.domain.local',
      BaseDN => 'DC=domain,DC=local',
      SSCOPE => 'sub',
      UserDN => 'CN=ldapUser,OU=Utenze di Servizio,DC=domain,DC=local',
      UserPw => '****',
      # in case you want to add always one filter to each ldap query, use
      # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
      AlwaysFilter => '(memberOf=CN=OTRS_Customers,OU=Liste e Gruppi,DC=domain,DC=local)',
      #AlwaysFilter => '',
      # if both your frontend and your LDAP are unicode, use this:
      SourceCharset => 'utf-8',
      DestCharset   => 'utf-8',
      Params => {
         port => 389,
         timeout => 120,
         async => 0,
         version => 3,
      },
   },
   # just a read only source
   ReadOnly => 1,
   CustomerKey => 'sAMAccountName',
   CustomerID => 'mail',
   CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
   CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail', 'telephonenumber', 'mobile'],
   CustomerUserSearchPrefix => '',
   CustomerUserSearchSuffix => '*',
   CustomerCompanySupport => 1,
   CustomerUserSearchListLimit => 250,
   CustomerUserPostMasterSearchFields => ['mail'],
   CustomerUserNameFields => ['givenname', 'sn'],
   # show not own tickets in customer panel, CompanyTickets
   CustomerUserExcludePrimaryCustomerID => 1,
   # add an ldap filter for valid users (expert setting)
#   CustomerUserValidFilter => '(!(description=locked))',
   # administrator can't change customer preferences
   AdminSetPreferences => 0,
   # cache time to live in sec. - cache any database queries
   CacheTTL => 120,
   Map => [
      # note: Login, Email and CustomerID are mandatory!
      # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
      [ 'UserTitle',       'Title',       'title',                      1, 0, 'var', '', 0 ],
      [ 'UserFirstname',   'Firstname',   'givenname',                  1, 1, 'var', '', 0 ],
      [ 'UserLastname',    'Lastname',    'sn',                         1, 1, 'var', '', 0 ],
      [ 'UserLogin',       'Username',    'sAMAccountName',             1, 1, 'var', '', 0 ],
      [ 'UserEmail',       'Email',       'mail',                       1, 1, 'var', '', 0 ],
      [ 'UserCustomerID',  'CustomerID',  'company',                    0, 1, 'var', '', 0 ],
      [ 'UserCustomerIDs', 'CustomerIDs', '',                           1, 0, 'var', '', 0 ],
      [ 'UserPhone',       'Phone',       'telephonenumber',            1, 0, 'var', '', 0 ],
      [ 'UserFax',         'Fax',         'facsimileTelephoneNumber',   1, 0, 'var', '', 0 ],
      [ 'UserMobile',      'Mobile',      'mobile',                     1, 0, 'var', '', 0 ],
      [ 'UserStreet',      'Street',      'streetAddress',              1, 0, 'var', '', 0 ],
      [ 'UserZip',         'Zip',         'postalCode',                 1, 0, 'var', '', 0 ],
      [ 'UserCity',        'City',        'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
      [ 'UserCountry',     'Country',     'co',                         1, 0, 'var', '', 0 ],
      [ 'UserAddress',     'Address',     'postaladdress',              1, 0, 'var', '', 0 ],
      [ 'UserComment',     'Comment',     'description',                1, 0, 'var', '', 0 ],
   ],
};

Before all of this, you also need to specify the parameters for the authentication module that will be used for LDAP; in my case:

$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'dc1.domain.local';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'DC=domain,DC=local';
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::GroupDN1'} = 'CN=OTRS_Customers,OU=Liste e Gruppi,DC=domain,DC=local';
$Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'CN=ldapUser,OU=Utenze di Servizio,DC=domain,DC=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = '****';

Perhaps in your case all the settings will have to end with a 2 instead of a 1... (I mean Customer::AuthModule2 instead of Customer::AuthModule1, and so on).
OTRS 6.0.x on CentOS 7.x with MariaDB 10.2.x database connected to an Active Directory for Agents and Customers.
ITSM and FAQ modules installed.
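The two mistakes the reply points out (a group DN used as BaseDN, and a bare account name used as UserDN) can be caught before restarting the web server. The following helper is an added example, not OTRS/Znuny code: it lints the Params hash of a CustomerUser LDAP backend (passed here as a Python dict with the same keys) and decodes the Active Directory sub-code from the "First bind failed!" log line quoted in the original post. The sub-code table is the standard AD AcceptSecurityContext list; DN parsing assumes no escaped commas in values.

```python
import re

# Active Directory sub-codes that follow "AcceptSecurityContext error, data"
# in a failed-bind message. 52e is the code quoted in the original post.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind DN is not a real DN)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def explain_bind_error(log_line):
    """Return (subcode, meaning) from a 'First bind failed!' log line, or None if absent."""
    m = _DATA_RE.search(log_line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown AD sub-code")


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs; a bare name like 'authorized_user' yields []."""
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",") if "=" in part]


def check_ldap_params(params):
    """Lint the Params hash of a CustomerUser LDAP backend; returns a list of problem strings."""
    problems = []
    base_dn = params.get("BaseDN", "")
    base = parse_dn(base_dn)
    if not base:
        problems.append("BaseDN is not a DN")
    elif base[0][0].upper() == "CN":
        # A leading CN means BaseDN names a single object (here a group), so a subtree
        # search under it returns no users; the group belongs in AlwaysFilter instead.
        root = ",".join(f"{a}={v}" for a, v in base if a.upper() == "DC")
        problems.append(
            f"BaseDN points at an object, not a search base: use '{root}' "
            f"and set AlwaysFilter => '(memberOf={base_dn})'"
        )
    if not parse_dn(params.get("UserDN", "")):
        problems.append("UserDN is a bare account name; AD needs the full DN of the bind account")
    return problems
```

Run against the original post's values it reports both problems and proposes exactly the BaseDN and AlwaysFilter the reply suggests; against the reply's working values it reports nothing.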