GELÖST: OTRS 3.0 Mehrere LDAP Backends

[risker]

Hallo,

wir setzen OTRS 3.0.10 (Ubuntu 10.04, FAQ Modul) ein und nutzen als Agent-AuthBackend LDAP.

Es soll nun ein 2. LDAP mit einem anderen Usersuffix dazukommen, ich habe dazu eine zweite LDAP Config eingebaut und beide indiziert, es gibt nun also jeweils AuthModule1 und AuthModule2.

Der Login des ursprünglichen LDAP Auths, also jetzt Auth1 funktioniert weiterhin, mir ist aber nicht ganz klar warum er nicht in dem 2. Backend sucht, bzw. wie ich das OTRS dazu bringe dort zu suchen.


UserSuffix habe ich bei beiden auf die jeweilige Domain gesetzt und testweise leer gelassen um es selber anzuhängen, leider scheint er immer im 1. Backend zu suchen (ersichtlich am Such DN im Log)


Kann mir da jemand auf die Sprünge helfen?

Vielen Dank im Voraus
Gruß
risker

[oleole]

Poste doch mal die Config.

[risker]

Code: Select all

    $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::UserLowerCase1'} = 1;
    $Self->{'AuthModule::LDAP::Host1'} = '172.16.100.231';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'OU=Groupe_foo1,DC=foo1,DC=fr';
    $Self->{'AuthModule::LDAP::UID1'} = 'userPrincipalName';     # user@ntdomain - actual post-2000 logon name
    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    $Self->{'AuthModule::LDAP::UserSuffix1'} = '@foo1.com';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'FOO1\User';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'SECRET';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN1'} = '';
    $Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter1'} = '';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params1'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

    # ---------------------------------------------------- # 
    # LDAP user with settings synchronisation              #
    # ---------------------------------------------------- # 
    $Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::UserLowerCase1'} = 1;
    $Self->{'AuthSyncModule::LDAP::Host1'} = '172.16.100.231';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'OU=Groupe_foo1,DC=foo1,DC=fr';
    # Bind credentials to log into AD
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'FOO1\User';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'SECRET';
    #$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';   # pre-2000 NT logon name - limited to 20 character
    #$Self->{'AuthSyncModule::LDAP::UID1'} = 'mail';                     # email@webdomain - may not be unique
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'userPrincipalName'; # user@ntdomain - actual post-2000 logon name
    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    $Self->{'AuthSyncModule::LDAP::UserSuffix1'} = '@foo1.com';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
        'users',
    ];

# 2nd Backend

    $Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::UserLowerCase2'} = 1;
    $Self->{'AuthModule::LDAP::Host2'} = '172.16.100.232';
    $Self->{'AuthModule::LDAP::BaseDN2'} = 'OU=Groupe_foo2,DC=foo2,DC=com';
    $Self->{'AuthModule::LDAP::UID2'} = 'userPrincipalName';     # user@ntdomain - actual post-2000 logon name
    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    $Self->{'AuthModule::LDAP::UserSuffix2'} = '@foo2.com';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN2'} = 'FOO2\User';
    $Self->{'AuthModule::LDAP::SearchUserPw2'} = 'SECRET';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN2'} = '';
    $Self->{'AuthSyncModule::LDAP::AccessAttr2'} = 'member';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter2'} = '';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params2'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

    # ---------------------------------------------------- # 
    # LDAP user with settings synchronisation              #
    # ---------------------------------------------------- # 
    $Self->{'AuthSyncModule2'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::UserLowerCase2'} = 1;
    $Self->{'AuthSyncModule::LDAP::Host2'} = '172.16.100.232';
    $Self->{'AuthSyncModule::LDAP::BaseDN2'} = 'OU=Groupe_foo2,DC=foo2,DC=com';
    # Bind credentials to log into AD
    $Self->{'AuthSyncModule::LDAP::SearchUserDN2'} = 'FOO2\User';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw2'} = 'SECRET';
    $Self->{'AuthSyncModule::LDAP::UID2'} = 'userPrincipalName'; # user@ntdomain - actual post-2000 logon name
    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    $Self->{'AuthSyncModule::LDAP::UserSuffix2'} = '@foo2.com';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap2'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups2'} = [
        'users',
    ];

[Wolfgangf]

das geht einfach mit durchnummerieren, hier ein Beispiel aus meiner Config

Code: Select all

 # This is the auth. module against the otrs db
    $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::DB';
    $Self->{'Customer::AuthModule::DB::Table1'} = 'customer_user';
    $Self->{'Customer::AuthModule::DB::CustomerKey1'} = 'login';
    $Self->{'Customer::AuthModule::DB::CustomerPassword1'} = 'pw';
  # This is the auth. module against LDAP
    $Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host2'} = \@ldaphosts;
    $Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'DC=xx,DC=xx';                                                     
    $Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'CN=xx,OU=xx,DC=xx,DC=xx,DC=xx';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = 'xx1';
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter2'} = '(&(objectCategory=person)(objectclass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';
    $Self->{'Customer::AuthModule::LDAP::Params2'} = {
        port => 3268,
        timeout => 10,
        async => 0,
        version => 3,------------------------------------ #
    };#

[risker]

Hallo Wolfgang,

Meine AgentAuth Konfiguration ist doch nummeriert?

[root]

Poste doch mal die Fehlermeldung bitte.

[boris]

Findet es den User mit dem du dich anmeldet willst vielleicht im ersten Backend?

[risker]

Nein, den gibt es da nicht:

Code: Select all

[Notice][Kernel::System::Auth::DB::Auth] User: testotrs doesn't exist or is invalid!!!
[Notice][Kernel::System::Auth::LDAP::Auth] User: testotrs@foo1.com authentication failed, no LDAP entry found!BaseDN='OU=Groupe_foo1,DC=foo1,DC=com', Filter='(userPrincipalName=testotrs@foo1.com)'.
[Error][Kernel::System::Auth::LDAP::Auth][Line:216]: Search failed! 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:#012#011'DC=foo2,DC=com'#012#000
[Error][Kernel::System::User::UserLookup][Line:746]: No UserID found for 'testotrs'!

Da ist der Anmeldeversuch

[boris]

Ohne den rest der Config gesehen zu haben behaupte ich mal der Fehler liegt hier:

Code: Select all

        $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
            'users',
        ];

Wir mal das

Code: Select all

 ];

raus.

[risker]

Damit würde ich mir doch nur einen Syntax Fehler holen.

[boris]

Die Klammer geht aber nirgedwo in deinem Codeschnipsel auf.

[boris]

OMG...hab nix gesagt

[boris]

So hab ich das gemacht. Und hier funktioniert es:

Code: Select all

#--------------------------------------------------------------------------------------------
#                                            Firma1                                         #
#--------------------------------------------------------------------------------------------
#--------------------------------------------------------------------------------------------
#                                   Agenten Authentifizeirung                               #
#--------------------------------------------------------------------------------------------
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'dc.Firma1.local'; 
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=Firma1,dc=local';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'otrsldap@Firma1.local';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'Passwort123';
#--------------------------------------------------------------------------------------------
#                                  Kunden Authentifizeirung                                 #
#--------------------------------------------------------------------------------------------
 $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
 $Self->{'Customer::AuthModule::LDAP::Host1'} = 'dc.Firma1.local';
 $Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'DC=Firma1, DC=local';
 $Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
 $Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'otrsldap@Firma1.local';
 $Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'Passwort';
 
 #--------------------------------------------------------------------------------------------
 #                                      Firma1 Ende                                         #
 #--------------------------------------------------------------------------------------------
 
 
 
#--------------------------------------------------------------------------------------------
#                                            Firma2                                          #
#--------------------------------------------------------------------------------------------
#--------------------------------------------------------------------------------------------
#                                   Agenten Authentifizeirung                               #
#--------------------------------------------------------------------------------------------
$Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host2'} = 'dc.Firma2.intern'; 
$Self->{'AuthModule::LDAP::BaseDN2'} = 'dc=Firma2,dc=intern';
$Self->{'AuthModule::LDAP::UID2'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN2'} = 'ticket@Firma2.intern';
$Self->{'AuthModule::LDAP::SearchUserPw2'} = 'Passwort';
#--------------------------------------------------------------------------------------------
#                                  Kunden Authentifizeirung                                 #
#--------------------------------------------------------------------------------------------
  $Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
  $Self->{'Customer::AuthModule::LDAP::Host2'} = 'dc.Firma2.intern';
  $Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'DC=Firma2, DC=intern';
  $Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';
  $Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'ticket@Firma2.intern';
  $Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = 'Passwort';
 
#--------------------------------------------------------------------------------------------
#                                      Firma2 Ende                                      #
#--------------------------------------------------------------------------------------------
 

Funktioniert das?

Code: Select all

$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'FOO1\User';

Da müste die DN stehen soweit ich weiss, oder eben user@schlagmichtod.de
Oder geht das wegen

$Self->{'AuthModule::LDAP::UserSuffix1'} = '@foo1.com';

In der Defaults.pm steht dazu:

Code: Select all

        # in case you want to add a suffix to each login name,  then
        # you can use this option. e. g. user just want to use user but
        # in your ldap directory exists user@domain.

Aber der Search User loggt sich ja in dem Sinne nicht ein also wird meiner Meinung nach auch kein Suffix an:

Code: Select all

$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'FOO1\User';

gehangen.

Also würde ich sagen deine Authentifizeirung muss so aussehen:

Code: Select all

        $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
        $Self->{'AuthModule::LDAP::UserLowerCase1'} = 1;
        $Self->{'AuthModule::LDAP::Host1'} = '172.16.100.231';
        $Self->{'AuthModule::LDAP::BaseDN1'} = 'OU=Groupe_foo1,DC=foo1,DC=fr';
        $Self->{'AuthModule::LDAP::UID1'} = 'userPrincipalName';
        $Self->{'AuthModule::LDAP::UserSuffix1'} = '@foo1.com';
        $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'User@foo1.com';
        $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'SECRET';
        $Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';

        $Self->{'AuthModule::LDAP::Params1'} = {
            port => 389,
            timeout => 120,
            async => 0,
            version => 3,
        };

		
		
		
        $Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
        $Self->{'AuthModule::LDAP::UserLowerCase2'} = 1;
        $Self->{'AuthModule::LDAP::Host2'} = '172.16.100.232';
        $Self->{'AuthModule::LDAP::BaseDN2'} = 'OU=Groupe_foo2,DC=foo2,DC=com';
        $Self->{'AuthModule::LDAP::UID2'} = 'userPrincipalName';
        $Self->{'AuthModule::LDAP::UserSuffix2'} = '@foo2.com';
        $Self->{'AuthModule::LDAP::SearchUserDN2'} = 'User@foo2.com';
        $Self->{'AuthModule::LDAP::SearchUserPw2'} = 'SECRET';
        $Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';

        $Self->{'AuthModule::LDAP::Params1'} = {
            port => 389,
            timeout => 120,
            async => 0,
            version => 3,
        };
		

[risker]

Hallo nochmal,


das Problem hat sich mittlerweile gelöst. Der BaseDN wurde mir falsch angeliefert, nachdem dieser richtig gesetzt ist, klappts auch mit dem Nachbarn

Die Schreibweise des SearchUserDns ist in dem Fall auch egal, foo@bar.com oder bar\foo ergibt in dem Fall das gleiche.

Danke trotzdem für die Zeit ;-(