Agent Login via LDAP [SOLVED]

Help with OTRS problems of all kinds
staybb
Znuny newbie
Posts: 51
Joined: 01 Jul 2011, 09:39
Znuny Version: 3.0.4

Agent Login via LDAP [SOLVED]

Post by staybb »

Hello,

I would like to connect our OTRS 3.1.11 to our Active Directory so that agents and customers can log in via LDAP.

I have got the login for customers working, via the framework and Config.pm.

Only with the agents I have the problem that I get the following message in the logs when I try to log in via LDAP:

Code:

User: otrs_admin authentication failed, no LDAP entry found!BaseDN='dc=domain,dc=domain', Filter='(sAMAccountName=otrs_admin)', (REMOTE_ADDR: IP).
This is what my Config.pm currently looks like:

Code:

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #           End of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'ldapserver';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=domain';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    # $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
    # $Self->{'Customer::AuthModule::LDAP::GroupDN'} = '';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'domain\user';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # Enable LDAP Authentication Sync for Agent #
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldapserver/';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain,dc=domain';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'domain\guenthart';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';

    # Enable Agent Mapping from LDAP to DB #
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

    # CustomerUser
    # (customer ldap backend and settings)
    $Self->{CustomerUser} = {
        Name   => 'LDAP Datenquelle',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'ldapserver',
            # ldap base dn
            BaseDN => '1',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'domain\user',
            UserPw => 'password',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            AlwaysFilter => '',
            # if both your frontend and your LDAP are unicode, use this:
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
            # if your frontend is unicode and the charset of your
            # ldap server is iso-8859-1, use these options.
            # SourceCharset => 'iso-8859-1',
            # DestCharset => 'utf-8',
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        # show not own tickets in customer panel, CompanyTickets
        CustomerUserExcludePrimaryCustomerID => 0,
        # add an ldap filter for valid users (expert setting)
        # CustomerUserValidFilter => '(!(description=locked))',
        # administrator can't change customer preferences
        AdminSetPreferences => 0,
        # cache time to live in sec. - cache any database queries
        # CacheTTL => 0,
        Map => [
            # note: Login, Email and CustomerID are mandatory!
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
            [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',           1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var', '', 0 ],
        ],
    };
}
What could be the cause? I have already tried quite a few settings...

Here viewtopic.php?f=60&t=16543 I read that the following phenomenon is occurring in my case:
"No LDAP entry found!"
This means you've successfully queried (logged in to query) the LDAP server, but the request doesn't return a result. Usually, this means you're trying to ask for a username in the wrong field or basedn.
You'll see Filter='(Param1=Param2Param3)'
Param1 is uid or the value of UserAttr
Param2 is the submitted username/login entry
Param3 is the UserSuffix, if provided
The user for authenticating via LDAP is created in Active Directory in the following structure:
OU - Firma -> OU-Benutzer -> OU-VirtuelleBenutzer
Last edited by staybb on 25 Oct 2012, 10:37, edited 1 time in total.
choenig
Znuny newbie
Posts: 36
Joined: 28 Sep 2012, 11:26
Znuny Version: 3.1.10
Location: 49° 54′ N, 10° 54′ E

Re: Agent Login via LDAP

Post by choenig »

As the error message already says, you are searching in the wrong path...
Use an LDAP explorer (e.g. Softerra LDAP Explorer) to look up the exact path details from the AD.
In some cases it also helps to enter the IP address of a DC instead of the FQDN.

Maybe this thread helps you as well:
viewtopic.php?f=36&t=7558
OTRS 3.2.8 - KIX4OTRS - ConfigureCallHome - ZnunyCustomerMap - running on CentOS 6.4 and MySQL
anyone who finds clerical errors can keep it...
staybb
Znuny newbie
Posts: 51
Joined: 01 Jul 2011, 09:39
Znuny Version: 3.0.4

Re: Agent Login via LDAP

Post by staybb »

So, I have assigned the users who are allowed to log in to the backend as agents to a group in Active Directory (otrs-user).

This is what I entered in Config.pm for that:

Code:

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'LDAPServerIP';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=de';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=G-otrs-user,CN=Users,DC=domain,DC=de';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'ldap_user';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

I replaced the FQDN with the IP. Same problem.
staybb
Znuny newbie
Posts: 51
Joined: 01 Jul 2011, 09:39
Znuny Version: 3.0.4

Re: Agent Login via LDAP

Post by staybb »

It works now!

The problem was with the entry

Code:

    $Self->{'AuthModule::LDAP::SearchUserDN'}

The syntax needs the @domainname.de, then it works.

Code:

    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'ldap_user@domainname.de';
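The "no LDAP entry found" line from the first post, and the resolution above, both come down to the bind and search that Kernel::System::Auth::LDAP performs before it ever checks the agent's password. The following diagnostic script is an added example, not code from OTRS or from anyone in this thread; it runs those steps one at a time with Net::LDAP (the module OTRS itself uses) so that a failed bind, a wrong BaseDN/UID, and a missing group membership each produce a distinct message instead of one generic log line. It reads the same settings the agent auth module reads, which are the AuthModule::LDAP::* keys: note that the configs posted above put the search user under AuthSyncModule::LDAP::SearchUserDN and the group check under Customer::AuthModule::LDAP::*; those keys are consumed by the sync module and the customer backend respectively, not by the agent login. All host names, DNs, the account name and the password in the script are placeholders to be replaced.

```perl
#!/usr/bin/perl
# ldap_agent_check.pl - added diagnostic (not part of OTRS, not from the thread).
# Usage: perl ldap_agent_check.pl <agent login>
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Values mirrored from the agent section of Config.pm (all placeholders).
my %Cfg = (
    Host         => 'ldapserver',                              # AuthModule::LDAP::Host
    BaseDN       => 'DC=domain,DC=de',                         # AuthModule::LDAP::BaseDN
    UID          => 'sAMAccountName',                          # AuthModule::LDAP::UID
    SearchUserDN => 'ldap_user@domainname.de',                 # AuthModule::LDAP::SearchUserDN (UPN form, the fix above)
    SearchUserPw => 'password',                                # AuthModule::LDAP::SearchUserPw
    AlwaysFilter => '',                                        # AuthModule::LDAP::AlwaysFilter
    GroupDN      => 'CN=G-otrs-user,CN=Users,DC=domain,DC=de', # AuthModule::LDAP::GroupDN ('' disables the check)
    AccessAttr   => 'member',                                  # AuthModule::LDAP::AccessAttr
    UserAttr     => 'DN',                                      # AuthModule::LDAP::UserAttr ('DN' or 'UID')
    Params       => { port => 389, timeout => 120, version => 3 }, # AuthModule::LDAP::Params
);

my $Login = shift @ARGV or die "usage: $0 <agent login>\n";

# Step 1: TCP connect with the Net::LDAP parameters from Params.
my $ldap = Net::LDAP->new( $Cfg{Host}, %{ $Cfg{Params} } )
    or die "connect to $Cfg{Host} failed: $@\n";

# Step 2: bind as the search user. Active Directory normally refuses anonymous
# searches, and the thread shows it accepted the user@domain form where the bare
# account name did not.
my $bind = $ldap->bind( $Cfg{SearchUserDN}, password => $Cfg{SearchUserPw} );
die "bind as $Cfg{SearchUserDN} failed: " . $bind->error . "\n" if $bind->code;
print "bind ok\n";

# Step 3: the user search. The filter is built the way it shows up in the OTRS
# log line, Filter='(UID=login)'; the login is escaped so that characters such
# as '(' or '*' in the submitted name cannot change the filter's meaning.
my $Filter = '(' . $Cfg{UID} . '=' . escape_filter_value($Login) . ')';
$Filter = "(&$Filter$Cfg{AlwaysFilter})" if $Cfg{AlwaysFilter};

my $res = $ldap->search(
    base   => $Cfg{BaseDN},
    scope  => 'sub',
    filter => $Filter,
    attrs  => [ $Cfg{UID} ],
);
die "search below $Cfg{BaseDN} failed: " . $res->error . "\n" if $res->code;

if ( $res->count == 0 ) {
    # This is the "no LDAP entry found" case from the first post: the bind
    # worked, but nothing below BaseDN matched the filter.
    die "no entry for $Filter below $Cfg{BaseDN}: "
      . "check the UID attribute, the BaseDN and the search user's read rights\n";
}
my $UserDN = $res->entry(0)->dn;
print "found user DN: $UserDN\n";

# Step 4: group membership, only when GroupDN is set. OTRS asks the group entry
# whether its AccessAttr ('member') contains the user's DN (UserAttr 'DN') or
# the login name (UserAttr 'UID'); the same lookup is done here.
if ( $Cfg{GroupDN} && $Cfg{AccessAttr} ) {
    my $Value = $Cfg{UserAttr} eq 'DN' ? $UserDN : $Login;
    my $GroupFilter = '(' . $Cfg{AccessAttr} . '=' . escape_filter_value($Value) . ')';
    my $grp = $ldap->search(
        base   => $Cfg{GroupDN},
        scope  => 'base',
        filter => $GroupFilter,
        attrs  => ['cn'],
    );
    die "group lookup at $Cfg{GroupDN} failed: " . $grp->error . "\n" if $grp->code;
    print $grp->count
        ? "user is listed in $Cfg{AccessAttr} of $Cfg{GroupDN}\n"
        : "user is NOT listed in $Cfg{AccessAttr} of $Cfg{GroupDN}: login will be refused\n";
}

$ldap->unbind;
```

Run it as the OTRS system user on the OTRS host so that name resolution, firewall rules and the Perl modules are the same ones the web application sees. If step 2 fails, the search account or its spelling is wrong; if step 3 finds nothing, the user lives outside BaseDN or UID names the wrong attribute; if step 4 reports no membership, the group DN or the member attribute needs correcting. Keep the search account read-only in the directory: it only needs to look up entries and group membership, never to modify them.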