Cant get AD-Auth for Agents / Customers to work

Moderator: crythias

cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

Hi all,

I would like to introduce OTRS at my company and am currently evaluating the current release for Windows (v3.0.10). So you can guess I'm completely clueless atm ;)

I searched this forum quite a while but couldn't find a solution for my problem...which is using user accounts from my AD to specify agents and customers for OTRS. After trying to set up my goal using the frontend (which wouldn't succeed), I tried to edit the "C:\Program Files\OTRS\OTRS\Kernel\Config.pm" manually, which didn't lead to any changes at all: auth with AD-Users doesn't work.

I'd like to show you my config, please do a short check if I'm missing something crucial:

Code:

#LDAP-Access for Agents
#==============================================================

#Enable LDAP authentication for Customers / Users
  $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
  $Self->{'AuthModule::LDAP::Host'} = 'DC02.tech.emea.XYZ.biz';
  $Self->{'AuthModule::LDAP::BaseDN'} = 'DC=tech,DC=emea,DC=XYZ,DC=biz';
  $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
 
#Add the following lines when only users are allowed to login if they reside in the specified security group
#Remove these lines if you want to provide login to all users specified in the User Base DN
  $Self->{'AuthModule::LDAP::GroupDN'} ='CN=ADMINS,OU=Global_Universell Groups,OU=Groups,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
  $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUID';
  $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
  
#The following is valid but would only be necessary if the
#anonymous user does NOT have permission to read from the LDAP tree
  $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS-SEARCH,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
  $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
  $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
  
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
  $Self->{'AuthModule::LDAP::Params'} = {
#      port => 389,
      port => 3268,
      timeout => 120,
      async => 0,
      version => 3,
  };

# Now sync data with OTRS DB
  $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
  $Self->{'AuthSyncModule::LDAP::Host'} = 'DC02.tech.emea.XYZ.biz';
  $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=tech,DC=emea,DC=XYZ,DC=biz';
  $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
  $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS-SEARCH,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
  $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';

  $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
     # DB -> LDAP
     UserFirstname => 'givenName',
     UserLastname  => 'sn',
     UserEmail     => 'mail',
  };
 
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
  $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
      'ADMINS',
  ];

#LDAP-Access for Customers
#==============================================================

# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
	$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
	$Self->{'Customer::AuthModule::LDAP::Host'} = 'DC02.tech.emea.XYZ.biz';
	$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=tech,DC=emea,DC=XYZ,DC=biz';
	$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
	$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=DOMAINUSERS,OU=Global_Universell Groups,OU=Groups,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
	$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUID';

# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'sAMAccountName';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
	$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS-SEARCH,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
	$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
	$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
#    port => 389,
    port => 3268,
    timeout => 120,
    async => 0,
    version => 3,
};

# CustomerUser
    # (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
        Name => 'LDAP Data Source',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'DC02.tech.emea.XYZ.biz',
            # ldap base dn
            BaseDN => 'DC=tech,DC=emea,DC=XYZ,DC=biz',
            # search scope (one|sub)
            SSCOPE => 'sub',
#            # The following is valid but would only be necessary if the
#            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'CN=OTRS-SEARCH,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz',
            UserPw => 'password',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            AlwaysFilter => '(objectclass=user)',
            # if your frontend is e. g. iso-8859-1 and the charset of your
            # ldap server is utf-8, use these options.
#            SourceCharset => 'utf-8',
#            DestCharset => 'iso-8859-1',
            # if both your frontend and your LDAP are unicode, use this:
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',

            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
#                port => 389,
                port => 3268,
                timeout => 120,
                async => 0,
                version => 3,
            },
        },
		ReadOnly => 1,
		# customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['cn', 'givenname', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        # show not own tickets in customer panel, CompanyTickets
        CustomerUserExcludePrimaryCustomerID => 0,
        # add an ldap filter for valid users (expert setting)
#        CustomerUserValidFilter => '(!(description=locked))',
        # administrator can't change customer preferences
        AdminSetPreferences => 0,
#        # cache time to live in sec. - cache any database queries
        CacheTTL => 120,
        Map => [
            # note: Login, Email and CustomerID are mandatory!
            # if you need additional attributes from AD, just map them here.
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
#            [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',   'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',    'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',    'sAMAccountName',             1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',       'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID',  'mail',            0, 1, 'var', '', 0 ],
#            [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephoneNumber', 1, 0, 'var', '', 0 ],
#            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
#            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
            [ 'UserMobile',     'Mobile',      'mobile', 1, 0, 'var', '', 0 ],
            [ 'UserRoom',       'Room',        'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
        ],
    };

  $Self->{'AuthSyncModule::LDAP::Params'} = {
	 port => 3268,
	 timeout => 120,
	 async => 0,
	 version => 3,
	 };
Anything? After changing the file, do I need to restart Apache / MySQL / anything else?

Best Regards,
Chris
Last edited by cherdeg on 13 Sep 2011, 15:34, edited 4 times in total.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Cant get AD-Auth for Agents / Customers to work

Post by crythias »

Interestingly you changed the default port for Customers but not Agents?
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

Hi crythias,

that's a typo I initially copied from http://wiki.otrs.org/index.php?title=Us ... for_agents (> hint to correct it there). My current state is somewhat better than before: I re-installed OTRS and did the changes to config.pm before tampering with the Sys-Config webinterface. When I now login to OTRS and click on "Customers" I can see my users from AD. Also I can see them at "Admin > Customers". But I still can't use them to login; neither to the agents- nor the customers-frontend.

Regards,
Chris
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

Great. I logged out to check if it works now - and now I can't relogin. Neither as root@localhost, nor as my database-defined Superuser :(

EDIT: Verified - While using the above changes in config, login with db-users defined (including root) is not possible.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Cant get AD-Auth for Agents / Customers to work

Post by crythias »

Where is your CustomerAuth for LDAP? http://doc.otrs.org/3.0/en/html/auth-ba ... h-backends

Anything else you can tell us (AD vs nonAD ldap, etc.)
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

I used the HowTos from http://wiki.otrs.org/index.php?title=Us ... for_agents and http://wiki.otrs.org/index.php?title=Us ... _customers.

I changed them to fit the needs of our AD (please see the "code-section" in my 1st posting, I keep it up to date with local changes). What else would you like to know?

EDIT: Changed config.pm in my 1st posting.
EDIT: Now login to the Agent-Frontend works with standard AD-Users (although nothing was changed there). When using the user configured to do the LDAP-Searches ("OTRS-SEARCH"), the Agent frontend tells me: "Panic, user authenticated but no user data can be found in OTRS DB!! Perhaps the user is invalid." Login to the Customer-Frontend is still not possible with any user.

Please help!
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Cant get AD-Auth for Agents / Customers to work

Post by crythias »

$Self->{'AuthSyncModule::LDAP::Params'} = {
port => 3268,
timeout => 120,
async => 0,
version => 3,
};
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

Hi,

thank you for the answer...but I'm a noob. So could you please be a little more detailed? I inserted your lines to my config, but can't login any longer since...

Regards,
Chris
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Cant get AD-Auth for Agents / Customers to work

Post by crythias »

I respect that you're a complete noob (as you've said) and that you're not sure what to do. However, it is not productive to achieve a result when you respond "I inserted the lines and I can't login"

You might as well have said, "it doesn't work" which is just as [un]helpful.
Did you update your Config.pm on this thread to show where you added it?
Did you get any new or different result?
Did you get any new or different error message?

If you want personal support, I can provide it for a fee, or you can get support from OTRS.
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

crythias wrote:However, it is not productive to achieve a result when you respond "I inserted the lines and I can't login"
Honestly, neither is it productive or helpful to post 5 lines and not tell the proclaimed noob where to put them (and) if that makes a difference.
crythias wrote:Did you update your Config.pm on this thread to show where you added it?
Yes. Regarding the fact that I complained about no customers being able to log in, I pasted it to the end of the customers section (as probably everyone would have).
crythias wrote:Did you get any new or different result?
No.
crythias wrote:Did you get any new or different error message?
No.
crythias wrote:If you want personal support, I can provide it for a fee, or you can get support from OTRS.
Dear Crythias: I am very willing to pay for support for an open source product. As a second step. But first I need a working installation to demonstrate the product's basic features to the guys approving the money. And Active Directory Integration should, imho, be a feature implemented all the same in every installation of OTRS worldwide, depending only on the required features. The features I need to demonstrate are a) the use of a specified security group to provide OTRS with Agents, b) the use of another specified security group to provide OTRS with customers and c) the possibility for all users of the two groups to login to each of the OTRS frontends using their AD accounts (to process (agents) or track (customers) trouble tickets).

So if somebody would be so kind to publish working templates for config.pm (so "the noob" has only to change DC-Host, BaseDN, LDAP-Search User/Password and CNs of the security group), that would be very helpful; also concerning the objective to sell support at a later time (no basically working product > no demonstration > no installation > no sales of your services).
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Cant get AD-Auth for Agents / Customers to work

Post by crythias »

Fair enough. I'll take that rebuke. :) It's valid, and I deserve some of it. Please accept my apologies. I can't assume anything has been done to old posts, otherwise I'd never stop reading posts.

You've done pretty much everything right so far, so the big question is whether you're getting any error messages that indicate what is failing.

Code:

  $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUID'; #check case on this, if it matters. memberUid
    # in case you want to add a suffix to each login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
#    $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Now sync data with OTRS DB
  $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
  $Self->{'AuthSyncModule::LDAP::Host'} = 'DC02.tech.emea.XYZ.biz';
  $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=tech,DC=emea,DC=XYZ,DC=biz';
  $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
  $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS-SEARCH,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
  $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';

  $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
     # DB -> LDAP
     UserFirstname => 'givenName',
     UserLastname  => 'sn',
     UserEmail     => 'mail',
  };

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
  $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
#if this group 'ADMINS' does not exist in OTRS, it won't be useful. 'users' is recommended as well. check case.
      'ADMINS', 'users',
  ];

#moving this up here only because it'd be more practical to troubleshoot
  $Self->{'AuthSyncModule::LDAP::Params'} = {
    port => 3268,
    timeout => 120,
    async => 0,
    version => 3,
    };

#LDAP-Access for Customers
#==============================================================

# This is an example configuration for an LDAP auth. backend.
# (e. g. user needs to be in a group xyz to use otrs)
   $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUID'; #check case memberUid

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
#    port => 389,
    port => 3268, #Search Global Catalog. If not, it's port 389 everywhere. 
    timeout => 120,
    async => 0,
    version => 3,
};

# CustomerUser
    # (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
        Name => 'LDAP Data Source',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host => 'DC02.tech.emea.XYZ.biz',
            BaseDN => 'DC=tech,DC=emea,DC=XYZ,DC=biz',
            SSCOPE => 'sub',
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',

            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
#                port => 389,
                port => 3268,
                timeout => 120,
                async => 0,
                version => 3,
            },
        },
      ReadOnly => 1,
      # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['cn', 'givenname', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        # show not own tickets in customer panel, CompanyTickets
        CustomerUserExcludePrimaryCustomerID => 0,
        # add an ldap filter for valid users (expert setting)
#        CustomerUserValidFilter => '(!(description=locked))',
        # administrator can't change customer preferences
        AdminSetPreferences => 0,
#        # cache time to live in sec. - cache any database queries
        CacheTTL => 120,
        Map => [
            # note: Login, Email and CustomerID are mandatory!
            # if you need additional attributes from AD, just map them here.
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
#            [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',   'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',    'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',    'sAMAccountName',             1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',       'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID',  'mail',            0, 1, 'var', '', 0 ],
#            [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephoneNumber', 1, 0, 'var', '', 0 ],
#            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
#            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
            [ 'UserMobile',     'Mobile',      'mobile', 1, 0, 'var', '', 0 ],
            [ 'UserRoom',       'Room',        'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
        ],
    };

3268 is Global Catalog, but 389 is "domain" http://technet.microsoft.com/en-us/libr ... 78012.aspx

I've made some suggestions, but they're trivial. The error:
"Panic, user authenticated but no user data can be found in OTRS DB!! Perhaps the user is invalid." generally means there is a mismatch between the user who's logging on and how that is stored as an agent in the database.

The error originates from Kernel/System/Web/InterfaceAgent.pm

It looks for existence of UserID and UserLogin and errors if it doesn't get them.

These come from GetUserData in User.pm, which gets the information from the table:
SELECT $Self->{UserTableUserID}, $Self->{UserTableUser}, "
. " title, first_name, last_name, $Self->{UserTableUserPW}, valid_id, "
. " create_time, change_time FROM $Self->{UserTable} ....

How does that get populated? From the LDAP sync:
$Self->{UserObject}->UserUpdate(
    %UserData,
    UserID       => $UserData{UserID},
    UserLogin    => $Param{User},
    %SyncUser,
    UserType     => 'User',
    ChangeUserID => 1,
);

Ideally, it should happen as you log in.

If you can provide any system logs (/var/log/messages or c:\Program Files\OTRS\OTRS\var\log\otrs.log) relevant to your attempts, it can help troubleshoot the problems as well.


I deleted some things and didn't delete others. Don't copy/paste my code. I should have made it cleaner.
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

Okay, thank you very much...we're definitely getting forward...Customer AND Agent Login is now possible with AD users; AD users are also populated as customers within OTRS. Here are my current additions to config.pm:

Code:

#LDAP-Access for Agents
#==============================================================

#Enable LDAP authentication for Customers / Users
	$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
	$Self->{'AuthModule::LDAP::Host'} = 'DC02.tech.emea.XYZ.biz';
	$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=tech,DC=emea,DC=XYZ,DC=biz';
	$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
 
#Add the following lines when only users are allowed to login if they reside in the specified security group
#Remove these lines if you want to provide login to all users specified in the User Base DN
	$Self->{'AuthModule::LDAP::GroupDN'} ='CN=DOMAIN-ADMINS,OU=Global_Universell Groups,OU=Groups,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
	$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
	$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

#The following is valid but would only be necessary if the
#anonymous user does NOT have permission to read from the LDAP tree
	$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=ORTS-SEARCH,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
	$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
	$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
  
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
	$Self->{'AuthModule::LDAP::Params'} = {
#		port => 389,
		port => 3268,
		timeout => 120,
		async => 0,
		version => 3,
	};

# Now sync data with OTRS DB
	$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
	$Self->{'AuthSyncModule::LDAP::Host'} = 'DC02.tech.emea.XYZ.biz';
	$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=tech,DC=emea,DC=XYZ,DC=biz';
	$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
	$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=ORTS-SEARCH,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
	$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';

	$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
		# DB -> LDAP
		UserFirstname => 'givenName',
		UserLastname  => 'sn',
		UserEmail     => 'mail',
	};
  
	$Self->{'AuthSyncModule::LDAP::Params'} = {
		port => 3268,
		timeout => 120,
		async => 0,
		version => 3,
	};
	
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
	$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
		'DOMAIN-ADMINS',
	];


#LDAP-Access for Customers
#==============================================================

# This is an example configuration for an LDAP auth. backend.
# (e. g. user needs to be in a group xyz to use otrs)
#	$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
	$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
	$Self->{'Customer::AuthModule::LDAP::Host'} = 'DC02.tech.emea.XYZ.biz';
	$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=tech,DC=emea,DC=XYZ,DC=biz';
	$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# for ldap posixGroups objectclass (just uid)
	$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'sAMAccountName';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
	$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=ORTS-SEARCH,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
	$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
	$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
	
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
	$Self->{'Customer::AuthModule::LDAP::Params'} = {
#		port => 389,
		port => 3268,
		timeout => 120,
		async => 0,
		version => 3,
	};

# CustomerUser
    # (customer user ldap backend and settings)
	$Self->{CustomerUser} = {
		Name => 'LDAP Data Source',
		Module => 'Kernel::System::CustomerUser::LDAP',
		Params => {
			Host => 'DC02.tech.emea.XYZ.biz',
			BaseDN => 'DC=tech,DC=emea,DC=XYZ,DC=biz',
			SSCOPE => 'sub',
			# The following is valid but would only be necessary if the
			# anonymous user does NOT have permission to read from the LDAP tree
			UserDN => 'CN=ORTS-SEARCH,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz',
			UserPw => 'password',
			# in case you want to add always one filter to each ldap query, use
			# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
			AlwaysFilter => '(objectclass=user)',
			# if your frontend is e. g. iso-8859-1 and the charset of your
			# ldap server is utf-8, use these options.
#			SourceCharset => 'utf-8',
#			DestCharset => 'iso-8859-1',
			# if both your frontend and your LDAP are unicode, use this:
			SourceCharset => 'utf-8',
			DestCharset   => 'utf-8',

			# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
			Params => {
#				port => 389,
				port => 3268,
				timeout => 120,
				async => 0,
				version => 3,
			},
		},
	
		ReadOnly => 1,
		
		# customer unique id
		CustomerKey => 'sAMAccountName',
		# customer #
		CustomerID => 'mail',
		CustomerUserListFields => ['cn', 'mail'],
		CustomerUserSearchFields => ['cn', 'givenname', 'mail'],
		CustomerUserSearchPrefix => '',
		CustomerUserSearchSuffix => '*',
		CustomerUserSearchListLimit => 250,
		CustomerUserPostMasterSearchFields => ['mail'],
		CustomerUserNameFields => ['givenname', 'sn'],
		# show not own tickets in customer panel, CompanyTickets
		CustomerUserExcludePrimaryCustomerID => 0,
		# add an ldap filter for valid users (expert setting)
#		CustomerUserValidFilter => '(!(description=locked))',
		# administrator can't change customer preferences
		AdminSetPreferences => 0,
		# cache time to live in sec. - cache any database queries
		CacheTTL => 120,
		Map => [
			# note: Login, Email and CustomerID are mandatory!
			# if you need additional attributes from AD, just map them here.
			# var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
#			[ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
			[ 'UserFirstname',  'Firstname',   'givenname',       1, 1, 'var', '', 0 ],
			[ 'UserLastname',   'Lastname',    'sn',              1, 1, 'var', '', 0 ],
			[ 'UserLogin',      'Username',    'sAMAccountName',             1, 1, 'var', '', 0 ],
			[ 'UserEmail',      'Email',       'mail',            1, 1, 'var', '', 0 ],
			[ 'UserCustomerID', 'CustomerID',  'mail',            0, 1, 'var', '', 0 ],
#			[ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
			[ 'UserPhone',      'Phone',      'telephoneNumber', 1, 0, 'var', '', 0 ],
#			[ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
#			[ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
			[ 'UserMobile',     'Mobile',      'mobile', 1, 0, 'var', '', 0 ],
			[ 'UserRoom',       'Room',        'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
		],
	};
What I'm now missing is a way to have OTRS see only users of a special security group as customers. Is there an equivalent to

Code:

#Add the following lines when only users are allowed to login if they reside in the specified security group
#Remove these lines if you want to provide login to all users specified in the User Base DN
	$Self->{'AuthModule::LDAP::GroupDN'} ='CN=DOMAIN-ADMINS,OU=Global_Universell Groups,OU=Groups,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
	$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
	$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
for customers?
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Cant get AD-Auth for Agents / Customers to work

Post by crythias »

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
# $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
(Read Defaults.pm for more options).
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

EDIT:
Thank you! Problem is that when using the options to check the group, login is not possible. The following error is logged:

Code: Select all

[Wed Sep 14 13:47:34 2011][Notice][Kernel::System::Auth::LDAP::Auth] User: MyUser authentication failed, no LDAP group entry foundGroupDN='CN=DOMAIN-ADMINS,OU=Global_Universell Groups,OU=Groups,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz', Filter='(memberUid=CN=MyUser,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz)'! (REMOTE_ADDR: 127.0.0.1).
The user is definitely a member of the group, and the group's DN was taken from an actual .ldf file of our domain. What could be wrong with these lines?

Code: Select all

	$Self->{'AuthModule::LDAP::GroupDN'} ='CN=DOMAIN-ADMINS,OU=Global_Universell Groups,OU=Groups,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
	$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
	$Self->{'AuthModule::LDAP::UserAttr'} = 'sAMAccountName';
???

Funny thing is that the same lines with "Customer::~" work for customers.

EDIT:
AAARGH!!! I'm getting crazy!!! What worked seconds ago doesn't work any longer by now!!! What's up with this tool?
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Cant get AD-Auth for Agents / Customers to work

Post by crythias »

By the way, I'm making an assumption that you're uncommenting when necessary, and placing the code snippets in or around like-named objects, more or less in line with how it's organized in Defaults.pm

But also, I don't want to confuse the issue when you ask a question about Customers and go back to Agents being broken in the next statement.

If you don't want to use the GroupDN feature (it's too narrow?) then you can use the filter feature.

http://www.petri.co.il/ldap_search_samp ... change.htm
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

crythias wrote:If you don't want to use the GroupDN feature (it's too narrow?) then you can use the filter feature.
That's not the point: I'd very much like to use the GroupDN feature, but it simply does not work.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Cant get AD-Auth for Agents / Customers to work

Post by crythias »

Above you used "ADMINS" and below "DOMAIN-ADMINS"

I don't think inheritance counts for anything here.
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

crythias wrote:Above you used "ADMINS" and below "DOMAIN-ADMINS"
Of course in reality it's neither the one nor the other :) - you'll understand that I can't use my actual groups in a public forum. But I can assure you that both strings match in my config.pm.

I've checked my config.pm against the defaults.pm. The result is that I use all parts of the LDAP-auth and LDAP-authsync configuration in the correct order. If I use the restriction that only members of a specified security group are allowed to login as agents, I get the following error (I can verify with "dsget group "CN=DOMAIN-ADMINS,OU=Global_Universell Groups,OU=Groups,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz" -members" that the user IS MEMBER of the group):

Code: Select all

[Thu Sep 15 10:25:09 2011][Notice][Kernel::System::Auth::LDAP::Auth] User: MyUser authentication failed, no LDAP group entry foundGroupDN='cn=DOMAIN-ADMINS,ou=Global_Universell Groups,ou=Groups,ou=123,dc=tech,dc=emea,dc=XYZ,dc=biz', Filter='(memberUid=MyUser)'! (REMOTE_ADDR: 127.0.0.1).
My configuration for the login restriction:

Code: Select all

#Add the following lines when only users are allowed to login if they reside in the specified security group
#Remove these lines if you want to provide login to all users specified in the User Base DN
	$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=DOMAIN-ADMINS,ou=Global_Universell Groups,ou=Groups,ou=123,dc=tech,dc=emea,dc=XYZ,dc=biz';
	$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
	$Self->{'AuthModule::LDAP::UserAttr'} = 'sAMAccountName';
In Case the problem is caused somewhere else, here again the complete configuration for the agents auth and authsync:

Code: Select all

#LDAP-Access for Agents
#==============================================================

#Enable LDAP authentication for Customers / Users
	$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
	$Self->{'AuthModule::LDAP::Host'} = 'DC02.tech.emea.XYZ.biz';
	$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=tech,dc=emea,dc=XYZ,dc=biz';
	$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
	
#Add the following lines when only users are allowed to login if they reside in the specified security group
#Remove these lines if you want to provide login to all users specified in the User Base DN
	$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=DOMAIN-ADMINS,ou=Global_Universell Groups,ou=Groups,ou=123,dc=tech,dc=emea,dc=XYZ,dc=biz';
	$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
	$Self->{'AuthModule::LDAP::UserAttr'} = 'sAMAccountName';

#The following is valid but would only be necessary if the
#anonymous user does NOT have permission to read from the LDAP tree
	$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS-SEARCH,ou=Users,ou=123,dc=tech,dc=emea,dc=XYZ,dc=biz';
	$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
	$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
#	$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
	
# In case you need to use OTRS in iso-charset, you can define this
# by using this option (converts utf-8 data from LDAP to iso).
	$Self->{'AuthModule::LDAP::Charset'} = 'utf-8';
  
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
	$Self->{'AuthModule::LDAP::Params'} = {
#		port => 389,
		port => 3268,
		timeout => 120,
		async => 0,
		version => 3,
	};

# Now sync data with OTRS DB
	$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
	$Self->{'AuthSyncModule::LDAP::Host'} = 'DC02.tech.emea.XYZ.biz';
	$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=tech,dc=emea,dc=XYZ,dc=biz';
	$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
	$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=OTRS-SEARCH,ou=Users,ou=123,dc=tech,dc=emea,dc=XYZ,dc=biz';
	$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
	$Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';
#	$Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

# AuthSyncModule::LDAP::UserSyncMap
# (map if agent should create/synced from LDAP to DB after successful login)
	$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
		# DB -> LDAP
		UserFirstname => 'givenName',
		UserLastname  => 'sn',
		UserEmail     => 'mail',
	};

# In case you need to use OTRS in iso-charset, you can define this
# by using this option (converts utf-8 data from LDAP to iso).
	$Self->{'AuthSyncModule::LDAP::Charset'} = 'utf-8';

# Attributes needed for group syncs
# (attribute name for group value key)
#	$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
#	$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'sAMAccountName';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)	
	$Self->{'AuthSyncModule::LDAP::Params'} = {
#		port => 389,
		port => 3268,
		timeout => 120,
		async => 0,
		version => 3,
	};
	
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
#	$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
#		'DOMAIN-ADMINS',
#	];
Please somebody with the same needs: Post your *working* config here so I can adapt it to our environment.

Thank you very much!
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

*bump*

Please help, guys.
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

*bump*

Please help, guys. For your info: If I can't present a working AD integration for both agents and customers by the deadline on Wednesday the 28th, OTRS will not be kept in the choice cycle for the Ticket System product we will manage about 80,000 customers with (and will use massive fees to buy maintenance and support for). BTW: Redmine already works, but I'd really prefer OTRS.
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: Cant get AD-Auth for Agents / Customers to work

Post by jojo »

Then you should buy some professional help. There are a lot of working examples out here and in the wiki...!
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

As I wrote above, I've used the EXACT example from the wiki and it DOES NOT work - just try yourself.
As I wrote above, I'll buy professional help if my boss decides the system to be the one to go for production.
As I wrote above: if I can't present by next Wednesday, shit hits the fan...for OTRS (I don't care a f***, I'm as fine with the one or the other product).

If you guys want to get about 50 to 100 kilo Euros of annual budget into the OTRS market (from a major German car manufacturer), you should stop telling me crap about the wiki and forum and start to help. If you are pros, then you are able to use my posted config to test at your testbed and find the flaws in seconds. I'm not able to - and I don't need to, 'coz I've got e.g. Redmine working in minutes...two weeks ago. I don't even have to build up skills for OTRS, because I'm just doing the pre-selection and presentation of the products within our choice. My findings regarding their installation and management are the main factor influencing the final decision; not more or less. Really: I don't care...but you should.
Last edited by cherdeg on 23 Sep 2011, 11:02, edited 1 time in total.
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: Cant get AD-Auth for Agents / Customers to work

Post by jojo »

Try

$Self->{'AuthModule::LDAP::AccessAttr'} = 'member'; or $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberof';

and

$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';


OTRS works very well with all LDAP servers, but you need to fill out the correct LDAP values. (Looking at a LDIF from the group or the user would help)
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

jojo wrote:Looking at a LDIF from the group or the user would help

Code: Select all

dn: CN=DOMAIN-ADMINS,OU=Global_Universell Groups,OU=Groups,OU=123,DC=tech,DC=emea,OU=XYZ,DC=biz
changetype: add
objectClass: top
objectClass: group
cn: DOMAIN-ADMINS
description: global Administrators
member: CN=Administrator,CN=Builtin,DC=tech,DC=emea,OU=XYZ,DC=biz
distinguishedName: CN=DOMAIN-ADMINS,OU=Global_Universell Groups,OU=Groups,OU=123,DC=tech,DC=emea,OU=XYZ,DC=biz
instanceType: 4
whenCreated: 20041021081545.0Z
whenChanged: 20110826100342.0Z
uSNCreated: 21626
info: Administration OU=123
memberOf: CN=ENTERPRISE-ADMINS,OU=Global,OU=_Admin_Groups,DC=tech,DC=emea,OU=XYZ,DC=biz
uSNChanged: 40586821
name: DOMAIN-ADMINS
objectGUID:: RBXBJ2OdjkS244fdaqpdnc0jQ==
objectSid:: AQUAAAAAAAUaslkdjj523452356sfdks34rnoI3RQAAA==
adminCount: 1
sAMAccountName: DOMAIN-ADMINS
sAMAccountType: 268206416
groupType: -2148463646
objectCategory: CN=Group,CN=Schema,CN=Configuration,OU=XYZ,DC=biz
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: Cant get AD-Auth for Agents / Customers to work

Post by jojo »

So it should be:

$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
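The script below is an added example, not code from this thread or from OTRS. It reproduces the logic jojo's answer relies on: after the agent auth module finds the user's DN with `(UID=login)` below BaseDN, it issues a second search below GroupDN with the filter `(AccessAttr=value)`, where value is the user's DN when UserAttr is `DN` and otherwise the login name exactly as typed (not an attribute read from the user entry). Run against a constructed, sanitized copy of the AD entries posted above, it shows why `memberUid` plus `sAMAccountName` produces precisely the `(memberUid=MyUser)` filter from the log and matches nothing (an AD group has no `memberUid` at all), why `memberof` also fails (the group's `memberOf` lists its parent groups, not users), and why `member` plus `DN` succeeds. The HELPDESK group and OtherUser are invented to demonstrate the nested-group case; the filter-escaping mirrors what `Net::LDAP::Util::escape_filter_value` does for the Perl module.

```python
"""Simulation of the group check performed by Kernel::System::Auth::LDAP.

Added example (not OTRS code). The directory below is a constructed,
sanitized model of the group and user entries posted in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# --- constructed sample directory (DNs modelled on the posted LDIF, not real) ---
GROUP_DN = "CN=DOMAIN-ADMINS,OU=Global_Universell Groups,OU=Groups,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz"
USER_DN = "CN=MyUser,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz"
# The nested group and its member are assumptions made for this example.
NESTED_GROUP_DN = "CN=HELPDESK,OU=Groups,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz"
NESTED_USER_DN = "CN=OtherUser,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz"

DIRECTORY: Dict[str, Entry] = {
    GROUP_DN: {
        "objectClass": ["top", "group"],
        "cn": ["DOMAIN-ADMINS"],
        # AD stores direct members as full DNs in 'member'; there is no 'memberUid'.
        "member": [USER_DN, NESTED_GROUP_DN],
        # 'memberOf' on a group names the groups it belongs to, never its users.
        "memberOf": ["CN=ENTERPRISE-ADMINS,OU=Global,OU=_Admin_Groups,DC=tech,DC=emea,DC=XYZ,DC=biz"],
    },
    NESTED_GROUP_DN: {"objectClass": ["top", "group"], "cn": ["HELPDESK"], "member": [NESTED_USER_DN]},
    USER_DN: {"objectClass": ["top", "person", "user"], "sAMAccountName": ["MyUser"], "memberOf": [GROUP_DN]},
    NESTED_USER_DN: {"objectClass": ["top", "person", "user"], "sAMAccountName": ["OtherUser"], "memberOf": [NESTED_GROUP_DN]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of filter metacharacters (the Perl module uses
    Net::LDAP::Util::escape_filter_value). Prevents a login such as
    '*)(cn=*' from widening the group search."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def _attr_values(entry: Entry, attr: str) -> List[str]:
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def find_user_dn(login: str, uid_attr: str = "sAMAccountName") -> Optional[str]:
    """First search the module issues: (UID=login) below BaseDN -> user DN."""
    for dn, entry in DIRECTORY.items():
        if any(v.lower() == login.lower() for v in _attr_values(entry, uid_attr)):
            return dn
    return None


def build_group_filter(login: str, user_dn: str, access_attr: str, user_attr: str) -> str:
    """Filter of the second search: the bind DN when UserAttr is 'DN',
    otherwise the login name as typed."""
    value = user_dn if user_attr.upper() == "DN" else login
    return f"({access_attr}={escape_filter_value(value)})"


def matches_equality_filter(entry: Entry, flt: str) -> bool:
    """Evaluate one '(attr=value)' filter against an entry. Hex escapes are
    undone; values compare case-insensitively, as AD does for DNs and names."""
    attr, _, raw = flt[1:-1].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return any(v.lower() == value.lower() for v in _attr_values(entry, attr))


def group_check(login: str, group_dn: str, access_attr: str, user_attr: str) -> Tuple[bool, str]:
    """Mirror the GroupDN search. Returns (allowed, filter) so the filter can
    be compared with the 'no LDAP group entry found' line in the OTRS log."""
    user_dn = find_user_dn(login)
    if user_dn is None:
        return False, ""
    flt = build_group_filter(login, user_dn, access_attr, user_attr)
    group = DIRECTORY.get(group_dn)
    if group is None:
        return False, flt
    return matches_equality_filter(group, flt), flt


if __name__ == "__main__":
    for access_attr, user_attr in (("memberUid", "sAMAccountName"), ("memberUid", "DN"),
                                   ("memberof", "DN"), ("member", "DN")):
        ok, flt = group_check("MyUser", GROUP_DN, access_attr, user_attr)
        print(f"AccessAttr={access_attr:<9} UserAttr={user_attr:<14} -> {'allowed' if ok else 'denied'}  {flt}")
    ok, _ = group_check("OtherUser", GROUP_DN, "member", "DN")
    print("OtherUser (only via nested HELPDESK) ->", "allowed" if ok else "denied")
    print("escaped hostile login ->", build_group_filter("*)(cn=*", USER_DN, "member", "sAMAccountName"))
```

Three practical points follow from the model. A group's `member` attribute lists direct members only, so an account that sits in a group nested inside DOMAIN-ADMINS is denied (crythias's remark about inheritance); either pick a group the agents are direct members of or flatten the membership. The login is escaped before it reaches the filter, so a crafted username cannot turn the group check into `(member=*)`. Finally, both posted configs talk plain LDAP on 389/3268, which sends the OTRS-SEARCH password and every agent's password to the DC in the clear; LDAPS on 636 (3269 for the global catalog) or StartTLS belongs in the `Params` block before this goes near production.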
cherdeg
Znuny newbie
Posts: 15
Joined: 09 Sep 2011, 14:10
Znuny Version: 3.0.10
Real Name: Christoph Herdeg

Re: Cant get AD-Auth for Agents / Customers to work

Post by cherdeg »

AND BÄÄÄNG - works. Thank you very much, Jojo!

If somebody is skilled and really interested in helping and not only making big statements and faking to look pro, problems can be solved in seconds. Q.E.D.

Jojo, please PM me your contact data for eventual further use ($$$).
Post Reply