Single sign on with Active Directory for customers

Moderator: crythias

jeffman1
Znuny newbie
Posts: 36
Joined: 06 Jul 2011, 21:10
Znuny Version: 3.0
Real Name: jeff
Company: Garrard BOE

Single sign on with Active Directory for customers

Post by jeffman1 »

How do I activate single sign on with Active Directory for customers? I do not want to add all the customers manually (not an option). I work at a school and want the customers to be staff already in Active Directory, in a specific group called Staff which has other groups under it for each district location. Any ideas as to how to do this?

Re: Single sign on with Active Directory for customers

Post by jeffman1 »

Oh, could anyone please explain, or put comments in the code every three to five lines explaining it, as I am new and it will help me. Otherwise, your help will be like talking to the wind and I will understand nothing.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Single sign on with Active Directory for customers

Post by crythias »

OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
jeffman1
Znuny newbie
Posts: 36
Joined: 06 Jul 2011, 21:10
Znuny Version: 3.0
Real Name: jeff
Company: Garrard BOE

Re: Single sign on with acitve directory for customers

Post by jeffman1 »

What about this part in the docs: "you should also change some settings in the SysConfig under Frontend::Customer::Auth"
What settings? No links, no explanation, nothing.
Last edited by jeffman1 on 12 Jul 2011, 15:57, edited 1 time in total.

Re: Single sign on with Active Directory for customers

Post by crythias »

They're similar to what you just added for the agents.
So, looking at the sample above this, there's something that indicates for Agents/Users...
Now you should make sure OTRS is configured to use HTTPBasicAuth to authenticate the agents. Add the following lines to your Kernel/Config.pm file:


    $Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
    $Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'mydomain\\';
    # If you use this module, you should use as fallback
    # the following configuration settings if the user is not authorized
    # apache ($ENV{REMOTE_USER})
    $Self->{LoginURL} = 'http://example.com/Im_sorry_youre_not_authenticated';
    # or a youtube vid of Rick Astley?
    $Self->{LogoutURL} = 'http://example.com/portal';
(instead of AuthModule, it'd be CustomerAuthModule)

Re: Single sign on with Active Directory for customers

Post by jeffman1 »

Still can't get Active Directory working either way. I think this doesn't work; I've tried everything you said and nothing works to log on to Active Directory, either in my last post or now. I think you should post all files, sample code and explanations, not point to documentation, because the documentation has flaws and doesn't show the big picture. Overall picture -> details -> points, tell it in that order please (preferably/required in steps as to what to do, like: step 1. code in files, step 2. place files here, step 3. restart Apache); even if the steps are in overall configuration I won't mind.

Re: Single sign on with Active Directory for customers

Post by jeffman1 »

Undefined subroutine &Kernel::Config::Load called at C:/PROGRA~1/OTRS/OTRS//Kernel/Config/Defaults.pm line 2040.
In the log file: I put the code for Active Directory in there and it gave me the error above in index.pl and wouldn't continue on.

This is the error I get a lot when working on my Active Directory authentication; it happens a portion of the time when I place the code for Active Directory in the Config.pm file.
Note: I am using Windows 7 32-bit for my test above. I haven't copied it to the server yet.
This is the log file below:
[Tue Jul 12 08:57:43 2011][Notice][Kernel::System::Package::RepositoryGet] No such package Support-1.2.6!
[Tue Jul 12 08:57:51 2011][Notice][Kernel::System::Package::RepositoryGet] No such package iPhoneHandle-1.0.3!
[Tue Jul 12 08:59:16 2011][Error][Kernel::Modules::AgentTicketSearch::new][41] Got no DBObject!
[Tue Jul 12 08:59:16 2011][Error][Kernel::Modules::AgentTicketSearch::new][41] Got no DBObject!
[Tue Jul 12 09:15:12 2011][Error][Kernel::Output::HTML::Layout::Error][1131] SecureMode active!
[Tue Jul 12 09:15:12 2011][Error][Kernel::Output::HTML::Layout::Error][1131] SecureMode active!
[Tue Jul 12 09:15:23 2011][Notice][Kernel::System::Auth::DB::Auth] User: root@localhost authentication ok (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 09:15:38 2011][Error][Kernel::System::WebUserAgent::Request][135] Can't get file from http://otrs.org/product.xml?Product=OTRS-3.0.9: 500 Can't connect to otrs.org:80 (connect: timeout)
[Tue Jul 12 09:40:33 2011][Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 1050a76ba82f5768c09b04e6b33ce4509e.
[Tue Jul 12 10:35:30 2011][Notice][Kernel::System::Auth::DB::Auth] User: asdf doesn't exist or is invalid!!! (REMOTE_ADDR: 127.0.0.1)
[Tue Jul 12 10:35:30 2011][Error][Kernel::System::User::UserLookup][746] No UserID found for 'asdf'!
[Tue Jul 12 10:35:39 2011][Notice][Kernel::System::Auth::DB::Auth] User: asdf@garrard.kyschools.us doesn't exist or is invalid!!! (REMOTE_ADDR: 127.0.0.1)
[Tue Jul 12 10:35:39 2011][Error][Kernel::System::User::UserLookup][746] No UserID found for 'asdf@garrard.kyschools.us'!
[Tue Jul 12 10:35:50 2011][Notice][Kernel::System::Auth::DB::Auth] User: GARRARD\\asdf doesn't exist or is invalid!!! (REMOTE_ADDR: 127.0.0.1)
[Tue Jul 12 10:35:50 2011][Error][Kernel::System::User::UserLookup][746] No UserID found for 'GARRARD\\asdf'!
[Tue Jul 12 10:35:59 2011][Notice][Kernel::System::Auth::DB::Auth] User: otrs doesn't exist or is invalid!!! (REMOTE_ADDR: 127.0.0.1)
[Tue Jul 12 10:35:59 2011][Error][Kernel::System::User::UserLookup][746] No UserID found for 'otrs'!
[Tue Jul 12 10:36:05 2011][Notice][Kernel::System::Auth::DB::Auth] User: otrs doesn't exist or is invalid!!! (REMOTE_ADDR: 127.0.0.1)
[Tue Jul 12 10:36:05 2011][Error][Kernel::System::User::UserLookup][746] No UserID found for 'otrs'!
[Tue Jul 12 10:36:09 2011][Notice][Kernel::System::Auth::DB::Auth] User: root@localhost authentication ok (REMOTE_ADDR: 127.0.0.1).
Last edited by jeffman1 on 12 Jul 2011, 18:56, edited 1 time in total.

Re: Single sign on with Active Directory for customers

Post by crythias »

Please post your current Config.pm.

Re: Single sign on with Active Directory for customers

Post by jeffman1 »

Note: I want to sync all the staff users except the technology staff as customers. I'd prefer to have the technology staff under agents. Okay, there is a "_Groups" OU which has groups of staff for all our locations under the "Staff" OU. Example: Staff OU -> _Groups OU -> Location Name Staff User Group

# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2010 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.23 2010/01/13 22:25:00 martin Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# -->> OTRS does have a lot of config settings. For more settings
# (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
# LDAP, PostMaster, Session, Preferences, ...) see
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --

package Kernel::Config;

sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #

# ---------------------------------------------------- #
# database settings #
# ---------------------------------------------------- #
# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'localhost';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/otrs.CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = 'hot';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
#__________________________________________________________________
# Self->{'CustomerAuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
# $Self->{'CustomerAuthModule::HTTPBasicAuth::Replace'} = 'GARRARD\\';
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENV{REMOTE_USER})
# $Self->{LoginURL} = 'http://localhost/';
# or a youtube vid of Rick Astley?
# $Self->{LogoutURL} = 'http://www.garrard.kyschools.us/';
#__________________________________________________________________
# This is an example configuration for an LDAP auth sync. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'garrard.ketsds.net';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=garrard, dc=ketsds,dc=net';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'GARRARD\';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';

# AuthSyncModule::LDAP::UserSyncMap
# (map if agent should create/synced from LDAP to DB after successful login)
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# In case you need to use OTRS in iso-charset, you can define this
# by using this option (converts utf-8 data from LDAP to iso).
# $Self->{'AuthSyncModule::LDAP::Charset'} = 'iso-8859-1';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthSyncModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

# Die if backend can't work, e. g. can't connect to server.
$Self->{'AuthSyncModule::LDAP::Die'} = 1;

# Attributes needed for group syncs
# (attribute name for group value key)
# $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
# (attribute for type of group content UID/DN for full ldap name)
# $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'UID';
# $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
# $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
# 'users',
# ];

# AuthSyncModule::LDAP::UserSyncGroupsDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# groups to otrs groups, define the following.)
# $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
# # ldap group
# 'cn=agent,o=otrs' => {
# # otrs group
# 'admin' => {
# # permission
# rw => 1,
# ro => 1,
# },
# 'faq' => {
# rw => 0,
# ro => 1,
# },
# },
# 'cn=agent2,o=otrs' => {
# 'users' => {
# rw => 1,
# ro => 1,
# },
# }
# };

# AuthSyncModule::LDAP::UserSyncRolesDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# groups to otrs roles, define the following.)
# $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
# # ldap group
# 'cn=agent,o=otrs' => {
# # otrs role
# 'role1' => 1,
# 'role2' => 0,
# },
# 'cn=agent2,o=otrs' => {
# 'role3' => 1,
# }
# };

# AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# attributes to otrs groups, define the following.)
# $Self->{'AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition'} = {
# # ldap attribute
# 'LDAPAttribute' => {
# # ldap attribute value
# 'LDAPAttributeValue1' => {
# # otrs group
# 'admin' => {
# # permission
# rw => 1,
# ro => 1,
# },
# 'faq' => {
# rw => 0,
# ro => 1,
# },
# },
# },
# 'LDAPAttribute2' => {
# 'LDAPAttributeValue' => {
# 'users' => {
# rw => 1,
# ro => 1,
# },
# },
# }
# };

# AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# attributes to otrs roles, define the following.)
# $Self->{'AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition'} = {
# # ldap attribute
# 'LDAPAttribute' => {
# # ldap attribute value
# 'LDAPAttributeValue1' => {
# # otrs role
# 'role1' => 1,
# 'role2' => 1,
# },
# },
# 'LDAPAttribute2' => {
# 'LDAPAttributeValue1' => {
# 'role3' => 1,
# },
# },
# };




# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = 'C:/PROGRA~1/OTRS/OTRS';

# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;

# ---------------------------------------------------- #

# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #

$Self->{LogModule} = 'Kernel::System::Log::File';
$Self->{LogModule::LogFile} = 'C:/PROGRA~1/OTRS/OTRS/var/log/otrs.log';
# $DIBI$
$Self->{'DefaultCharset'} = 'utf-8';


# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this) #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.23 $)[1];

use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

# -----------------------------------------------------#

1;
Last edited by jeffman1 on 12 Jul 2011, 21:58, edited 1 time in total.

Re: Single sign on with Active Directory for customers

Post by jeffman1 »

Installed the Net::LDAP module and then it activated the LDAP option in the newest OTRS version, which I'm using, and now I'm getting this error in the log file:
Also, I can set all the same settings like in the Config.pm file for the customer auth part.
[Tue Jul 12 10:21:13 2011][Notice][Kernel::System::Package::RepositoryGet] No such package Support-1.2.6!
[Tue Jul 12 10:21:17 2011][Notice][Kernel::System::Package::RepositoryGet] No such package iPhoneHandle-1.0.3!
[Tue Jul 12 10:29:05 2011][Notice][Kernel::System::AuthSession::DB::CheckSessionID] SessionID: '10d406ad259e3cbb2c2b6976a3bde89837' is invalid!!!
[Tue Jul 12 10:29:20 2011][Notice][Kernel::System::Auth::DB::Auth] User: root@localhost authentication ok (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 10:29:35 2011][Error][Kernel::System::WebUserAgent::Request][135] Can't get file from http://otrs.org/product.xml?Product=OTRS-3.0.9: 500 Can't connect to otrs.org:80 (connect: timeout)
[Tue Jul 12 10:33:27 2011][Error][Kernel::System::MailAccount::IMAP::_Fetch][127] IMAP: Can't connect to pod51004.outlook.com
[Tue Jul 12 10:36:07 2011][Notice][Kernel::System::Auth::DB::Auth] User: root@localhost authentication ok (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 10:49:14 2011][Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 10cb4a7ab0e0fe22e977254add89bbe75b.
[Tue Jul 12 10:49:51 2011][Error][Kernel::System::CustomerAuth::LDAP::Auth][193] First bind failed! 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
[Tue Jul 12 10:49:58 2011][Error][Kernel::System::CustomerAuth::LDAP::Auth][193] First bind failed! 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
[Tue Jul 12 10:50:10 2011][Error][Kernel::System::CustomerAuth::LDAP::Auth][193] First bind failed! 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
[Tue Jul 12 10:50:33 2011][Notice][Kernel::System::Auth::DB::Auth] User: asdf@garrard.kyschools.us doesn't exist or is invalid!!! (REMOTE_ADDR: 127.0.0.1)
[Tue Jul 12 10:50:33 2011][Error][Kernel::System::User::UserLookup][746] No UserID found for 'asdf@garrard.kyschools.us'!
[Tue Jul 12 10:50:43 2011][Notice][Kernel::System::Auth::DB::Auth] User: root@localhost authentication ok (REMOTE_ADDR: 127.0.0.1).
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: Single sign on with Active Directory for customers

Post by jojo »

Your logfile shows loads of errors, which shows that your system is not set up properly

[Tue Jul 12 10:49:51 2011][Error][Kernel::System::CustomerAuth::LDAP::Auth][193] First bind failed! 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772

-> your Bind User credentials (Username or password) are wrong
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com

Re: Single sign on with Active Directory for customers

Post by jeffman1 »

Maybe it's the schema, but the username and password are not wrong.

Re: Single sign on with Active Directory for customers

Post by crythias »

Removing all comments:



package Kernel::Config;

sub Load {
my $Self = shift;
$Self->{'DatabaseHost'} = 'localhost';
$Self->{'DatabaseUser'} = 'otrs';
$Self->{'DatabasePw'} = 'hot';
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";
$Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'garrard.ketsds.net';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=garrard, dc=ketsds,dc=net';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'GARRARD\';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
	DB -> LDAP 
	UserFirstname => 'givenName',
	UserLastname => 'sn',
	UserEmail => 'mail',
};
$Self->{'AuthSyncModule::LDAP::Params'} = {
	port => 389,
	timeout => 120,
	async => 0,
	version => 3,
};

$Self->{'AuthSyncModule::LDAP::Die'} = 1;

$Self->{Home} = 'C:/PROGRA~1/OTRS/OTRS';

$Self->{LogModule} = 'Kernel::System::Log::File';
$Self->{LogModule::LogFile} = 'C:/PROGRA~1/OTRS/OTRS/var/log/otrs.log';
$Self->{'DefaultCharset'} = 'utf-8';
use strict;
use warnings;

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.23 $)[1];

use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

# -----------------------------------------------------#

1;
This looks nothing at all like any of the wiki or documentation.
Start with the documentation or wiki, ignore sync, because it has nothing to do with customers.

Re: Single sign on with Active Directory for customers

Post by jeffman1 »

I have copied this from the admin manual you posted.
Would this work for me?
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'garrard.ketsds.net';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=garrard,dc=ketsds,dc=net';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
# $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

#Please explain format for below search user DN and if its needed if i want to allow customer logins using ldap.
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

Re: Single sign on with Active Directory for customers

Post by jeffman1 »

This is the error I got by trying the code above:
[Wed Jul 13 05:48:41 2011][Error][Kernel::System::CustomerAuth::LDAP::Auth][221] Search failed! Bad filter
What does this mean? I think my base DN is correct. Do I need to just put the domain name in the base DN and not the specific user search OU?
Does creating my first agent and customer help?

Re: Single sign on with Active Directory for customers

Post by crythias »

What you've provided isn't for single sign on.

CONCEPTS:
  • Agents (who log onto /index.pl)
  • Customer (who logs onto /customer.pl)
  • Authentication: permission to log on
  • Customer or User database: demographics of the customer or agent
For each and every way you want to list and authenticate customers and users, you need to have an appropriate connection to a method to do both things. You have up to 10 different simultaneous connection possibilities, but the most common are database and ldap.

If you want to have a user list from an ldap connection, you must establish the connection and use a Map to connect. That doesn't provide authentication, that just provides a list of user demographics. If you want to use ldap for user demographics and use the database for passwords, you can do that. If you want to use ldap for the demographics and ldap for authentication, you must connect to the ldap using the Auth, and provide some field (in the config) that links the authentication to the demographics (login, email address, UID?)

Single sign on is just another authentication method. (so far, db, ldap, and sso). If you want to use single sign on, it's just a few lines of code, but you need to have a demographics database that the authentication makes sense to use. READ: Yes, we know you're authorized/who you say you are (sso) -- you have a valid driver's license -- but you're not on the guest list. Actually, we don't have a guest list, so we're not letting anyone in.



Besides having no Customer Demographics, you need to uncomment one of:
# for ldap posixGroups objectclass (just uid)
# $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID'; <-- uncomment this one?
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com'; <-- uncomment this if you want to allow only a specific group of people to authenticate

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'DN'; <-- Distinguished name to log in. Maybe cn=username, ou=users, dc=garrard, dc=ketsds,dc=net
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = ''; <-- password
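As an added example of the concepts in the post above (my own, not code from this thread nor from the OTRS documentation), here is the customer-side Config.pm fragment those concepts map to against Active Directory: the LDAP authentication block restricted to one AD group, the CustomerUser demographics backend that the authentication needs, and the single sign-on swap. The host, base DN, service account, password and group name are placeholders to replace with your own.

```perl
# Added example for Kernel/Config.pm (placeholders: host dc01.example.local,
# base DN DC=example,DC=local, read-only service account svc-otrs, customer
# group CN=otrs-customers,OU=_Groups,OU=Staff,DC=example,DC=local).
# Everything below belongs inside sub Load { ... } of Kernel/Config.pm.

# --- 1. Authentication: who may log on to customer.pl -------------------
$Self->{'Customer::AuthModule'}               = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'}   = 'dc01.example.local';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=example,DC=local';

# Active Directory keeps the login name in sAMAccountName. The 'uid' attribute
# from the Defaults.pm example is a POSIX attribute, so a filter such as
# (uid=asdf) matches nothing in AD and the login fails "no LDAP entry found".
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# Allow only members of one group. AD group membership is the 'member'
# attribute holding full user DNs, so UserAttr must be 'DN' (set it once).
$Self->{'Customer::AuthModule::LDAP::GroupDN'}    = 'CN=otrs-customers,OU=_Groups,OU=Staff,DC=example,DC=local';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'}   = 'DN';

# AD refuses anonymous searches, so bind with a least-privilege read-only
# account. A UPN is accepted as the bind name; a full DN works as well.
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'svc-otrs@example.local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'CHANGE-ME';

# Either leave AlwaysFilter commented out or give it a complete filter;
# an empty string is what produces "Search failed! Bad filter".
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(&(objectClass=user)(!(objectClass=computer)))';

$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# --- 2. Demographics: the "guest list" the authentication needs -----------
# A successful bind proves identity only; this backend supplies the customer
# record (name, e-mail, CustomerID) that customer.pl looks up afterwards.
$Self->{CustomerUser} = {
    Name   => 'Active Directory',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host          => 'dc01.example.local',
        BaseDN        => 'OU=Staff,DC=example,DC=local',
        SSCOPE        => 'sub',
        UserDN        => 'svc-otrs@example.local',
        UserPw        => 'CHANGE-ME',
        AlwaysFilter  => '(&(objectClass=user)(!(objectClass=computer)))',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
        Die           => 0,
        Params        => { port => 389, timeout => 120, async => 0, version => 3 },
    },
    # CustomerKey must be the attribute the auth module matched on, otherwise
    # a user who authenticated fine still has no customer record.
    CustomerKey                        => 'sAMAccountName',
    CustomerID                         => 'mail',
    CustomerUserListFields             => [ 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserSearchFields           => [ 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserSearchPrefix           => '',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => [ 'givenName', 'sn' ],
    # var, frontend label, LDAP attribute, shown (1=always), required, storage-type, http-link, readonly
    Map => [
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenName',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephoneNumber', 1, 0, 'var', '', 0 ],
    ],
};

# --- 3. Single sign-on: swap only the authentication block ----------------
# Once Apache authenticates the browser itself and sets REMOTE_USER, replace
# block 1 with these four lines. Block 2 stays: SSO proves who the visitor
# is, but the guest list is still what turns that name into a customer.
# $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
# # strips the "EXAMPLE\" prefix so the login matches sAMAccountName
# $Self->{'Customer::AuthModule::HTTPBasicAuth::Replace'} = 'EXAMPLE\\';
# $Self->{CustomerPanelLoginURL}  = 'http://otrs.example.local/not-authorised.html';
# $Self->{CustomerPanelLogoutURL} = 'http://otrs.example.local/portal.html';
```

After editing, confirm the file still compiles with `perl -c Kernel/Config.pm` before restarting Apache; a syntax error in Config.pm is what makes OTRS report that `Kernel::Config::Load` is undefined.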
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: Single sign on with Active Directory for customers

Post by ferrosti »

Your error log says: 'bad filter'.

Adjust


$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';
to your needs or disable it.
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems

Re: Single sign on with Active Directory for customers

Post by crythias »

Also, if you don't have a filter, comment out the always filter.

Re: Single sign on with Active Directory for customers

Post by jeffman1 »

I will try the filter but I don't think that's it. It might be that, though; maybe I'm not removing the default filter in the Frontend::Customer::Auth module inside the admin GUI interface. I want to get Active Directory working first, then implement single sign on. I warn you, a school system is a ahole to set up sometimes and it may sound like I'm frustrated. So sometimes getting a basic working version and then going up is best.

Re: Single sign on with Active Directory for customers

Post by jeffman1 »

I'm getting this now from the log file (after removing the always filter part):
[Tue Jul 12 18:32:02 2011][Error][Kernel::System::DB::new][181] Access denied for user 'otrs'@'localhost' (using password: YES)
[Tue Jul 12 18:33:14 2011][Notice][Kernel::System::Package::RepositoryGet] No such package Support-1.2.6!
[Tue Jul 12 18:33:18 2011][Notice][Kernel::System::Package::RepositoryGet] No such package iPhoneHandle-1.0.3!
[Tue Jul 12 18:38:34 2011][Notice][Kernel::System::Auth::DB::Auth] User: root@localhost authentication ok (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 18:40:50 2011][Error][Kernel::System::SysConfig::ConfigSubGroupList][1063] Need Name!
[Tue Jul 12 18:46:17 2011][Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 10fd459721d2795dc9c644c97787440f2b.
[Tue Jul 12 18:47:35 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: root@localhost authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=root@localhost)', (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 18:47:52 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: asdf authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=asdf)', (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 18:49:00 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: asdf@garrard.kyschools.us authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=asdf@garrard.kyschools.us)', (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 18:49:18 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: GARRARD\asdf authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=GARRARD\\asdf)', (REMOTE_ADDR: 127.0.0.1).

asdf is in 000_Garrard Co BOE, which is under the plus sign under Staff in Active Directory Users and Computers.

Re: Single sign on with Active Directory for customers

Post by jeffman1 »

Am I setting a setting wrong? I saw someone else who got their program working by changing some DN settings and checking to make sure they're correct; did I miss anything? Here's my current config file with the relevant parts:
# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'garrard.ketsds.net';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=garrard,dc=ketsds,dc=net';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
# $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=asdf,OU=000_Garrard Co BOE,OU=Staff,DC=garrard,DC=ketsds,DC=net';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(!objectclass=computer)';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

Question: I have the suffix commented out and disabled in config.pm and in the Frontend::Customer::Auth module inside the admin GUI interface, but do I need to put it back in, or did I set a setting wrong?
jeffman1
Znuny newbie
Posts: 36
Joined: 06 Jul 2011, 21:10
Znuny Version: 3.0
Real Name: jeff
Company: Garrard BOE

Re: Single sign on with acitve directory for customers

Post by jeffman1 »

I tried looking up information on this, but I am still stuck with the correct settings for the config.pm and in the Frontend::Customer::Auth GUI interface.
The picture shows some of my settings inside of Frontend::Customer::Auth in the GUI interface. All the same as config.pm, except I chose DN instead of UID on one combo box.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Single sign on with acitve directory for customers

Post by crythias »

[Tue Jul 12 18:32:02 2011][Error][Kernel::System::DB::new][181] Access denied for user 'otrs'@'localhost' (using password: YES) <-- YOUR PASSWORD IS WRONG
[Tue Jul 12 18:33:14 2011][Notice][Kernel::System::Package::RepositoryGet] No such package Support-1.2.6!
[Tue Jul 12 18:33:18 2011][Notice][Kernel::System::Package::RepositoryGet] No such package iPhoneHandle-1.0.3!
[Tue Jul 12 18:38:34 2011][Notice][Kernel::System::Auth::DB::Auth] User: root@localhost authentication ok (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 18:40:50 2011][Error][Kernel::System::SysConfig::ConfigSubGroupList][1063] Need Name! <-- ????? ERROR
[Tue Jul 12 18:46:17 2011][Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 10fd459721d2795dc9c644c97787440f2b.
[Tue Jul 12 18:47:35 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: root@localhost authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=root@localhost)', (REMOTE_ADDR: 127.0.0.1). <-- ROOT@LOCALHOST IS NOT IN YOUR AUTHENTICATION DATABASE (LDAP)
[Tue Jul 12 18:47:52 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: asdf authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=asdf)', (REMOTE_ADDR: 127.0.0.1). <-- ASDF ISN'T IN LDAP
[Tue Jul 12 18:49:00 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: asdf@garrard.kyschools.us authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=asdf@garrard.kyschools.us)', (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 18:49:18 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: GARRARD\asdf authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=GARRARD\\asdf)', (REMOTE_ADDR: 127.0.0.1).

SYSCONFIG DOESN'T CHANGE CONFIG.PM PARAMETERS.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
jeffman1
Znuny newbie
Posts: 36
Joined: 06 Jul 2011, 21:10
Znuny Version: 3.0
Real Name: jeff
Company: Garrard BOE

Re: Single sign on with acitve directory for customers

Post by jeffman1 »

I know. Do I need it, though, for AD authentication? I have the same or mostly the same settings in SysConfig.
jeffman1
Znuny newbie
Posts: 36
Joined: 06 Jul 2011, 21:10
Znuny Version: 3.0
Real Name: jeff
Company: Garrard BOE

Re: Single sign on with acitve directory for customers

Post by jeffman1 »

Anything I can do? I've been working on this for days and my boss wants it done. Please help me figure this out. I'd prefer not to give up soon, but since I'm so close I don't want to quit unless it's going to take a few more days to get it to work.
asdf is in LDAP. asdf is a legitimate user; I don't know what you're talking about.

We use asdf to install programs, but it has an email address.
jeffman1
Znuny newbie
Posts: 36
Joined: 06 Jul 2011, 21:10
Znuny Version: 3.0
Real Name: jeff
Company: Garrard BOE

Re: Single sign on with acitve directory for customers

Post by jeffman1 »

Anyone who can help with the Active Directory part, please post here.
Here's my last log file:
Do I need to modify my base DN to narrow it down to where asdf is located?
[Tue Jul 12 20:09:32 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: GARRARD\asdf authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=GARRARD\\asdf)', (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 20:09:47 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: GARRARD\ASDF authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=GARRARD\\ASDF)', (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 20:12:39 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: asdf@garrard.kyschools.us authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=asdf@garrard.kyschools.us)', (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 20:12:55 2011][Notice][Kernel::System::Auth::DB::Auth] User: root@localhost authentication ok (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 20:17:10 2011][Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 107ffd41181d01581df444aafdf4e884b3.
[Tue Jul 12 20:17:40 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: asdf@garrard.kyschools.us authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=asdf@garrard.kyschools.us)', (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 20:17:46 2011][Error][Kernel::System::CustomerAuth::LDAP::Auth][137] Need Pw! <- What happened here? Why does it need my password? Is there something wrong?
[Tue Jul 12 20:17:59 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: GARRARD\asdf authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=GARRARD\\asdf)', (REMOTE_ADDR: 127.0.0.1).
Last edited by jeffman1 on 13 Jul 2011, 17:38, edited 1 time in total.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Single sign on with acitve directory for customers

Post by crythias »

"I don't know what you're talking about?" Neither does otrs know what you're talking about. That's what the error messages say.
jeffman1
Znuny newbie
Posts: 36
Joined: 06 Jul 2011, 21:10
Znuny Version: 3.0
Real Name: jeff
Company: Garrard BOE

Re: Single sign on with acitve directory for customers

Post by jeffman1 »

Makes no sense. What am I supposed to do to fix the problem? :(
Tell me, is my Active Directory DN or anything else incorrect?
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Single sign on with acitve directory for customers

Post by crythias »

Every level of the error message is important:
CustomerUser: asdf@garrard.kyschools.us authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=asdf@garrard.kyschools.us)', (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 20:17:40 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: asdf@garrard.kyschools.us authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=asdf@garrard.kyschools.us)', (REMOTE_ADDR: 127.0.0.1).
[Tue Jul 12 20:17:46 2011][Error][Kernel::System::CustomerAuth::LDAP::Auth][137] Need Pw! <- What happened here? Why does it need my password? Is there something wrong?
[Tue Jul 12 20:17:59 2011][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: GARRARD\asdf authentication failed, no LDAP entry found!BaseDN='dc=garrard,dc=ketsds,dc=net', Filter='(uid=GARRARD\\asdf)', (REMOTE_ADDR: 127.0.0.1).

Let's take the first line

CustomerUser: asdf@garrard.kyschools.us authentication failed, <--error message
no LDAP entry found! <-- can't find it in ldap. You can argue the point, but the computer says tell me how to find it.
BaseDN='dc=garrard,dc=ketsds,dc=net', <-- somehow something like (I don't know) uid=asdf@garrard.kyschools.us, dc=garrard, dc=ketsds, dc=net doesn't work
Filter='(uid=asdf@garrard.kyschools.us)' <-- what it tried
, (REMOTE_ADDR: 127.0.0.1).

Why does it need a password? BECAUSE YOU'RE NOT USING SINGLE SIGN ON. You're using LDAP, and you have to ask LDAP to authenticate.
jeffman1
Znuny newbie
Posts: 36
Joined: 06 Jul 2011, 21:10
Znuny Version: 3.0
Real Name: jeff
Company: Garrard BOE

Re: Single sign on with acitve directory for customers

Post by jeffman1 »

I tried everything; it won't accept it. The only thing I can think of is changing the base DN to match asdf. But how should it look?
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Single sign on with acitve directory for customers

Post by crythias »

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'garrard.ketsds.net';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=garrard,dc=ketsds,dc=net'; # (maybe, but try also dc=ketsds, dc=net. This usually assumes you're going to check things against ketsds.net; maybe you're not, maybe you're checking things against garrard.ketsds.net. I don't know your schema layout, but your lookups are completely different from this!)
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid'; # I don't know why this was commented, but I'm uncommenting it.
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN'; # no need to uncomment both. just the one!

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=asdf,OU=000_Garrard Co BOE,OU=Staff,DC=garrard,DC=ketsds,DC=net';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = ''; # the password for asdf, to allow it to search for the person who enters his own login.

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(!objectclass=computer)'; # commented, so useless. If you agree, don't worry about it.

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com'; # if you're expecting people to put in asdf and the user lookup is asdf@somedomain.com, put the domain here and uncomment it.

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
jeffman1
Znuny newbie
Posts: 36
Joined: 06 Jul 2011, 21:10
Znuny Version: 3.0
Real Name: jeff
Company: Garrard BOE

Re: Single sign on with acitve directory for customers

Post by jeffman1 »

This is what happened when I tried changing it to ketsds.net instead of garrard.ketsds.net:
[Tue Jul 12 21:37:26 2011][Error][Kernel::System::CustomerAuth::LDAP::Auth][221] Search failed! 0000202B: RefErr: DSID-031006BB, data 0, 1 access points
ref 1: 'ketsds.net'
The log file reported this.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Single sign on with acitve directory for customers

Post by crythias »

Then don't do that...
jeffman1
Znuny newbie
Posts: 36
Joined: 06 Jul 2011, 21:10
Znuny Version: 3.0
Real Name: jeff
Company: Garrard BOE

Re: Single sign on with acitve directory for customers

Post by jeffman1 »

[Tue Jul 12 21:48:21 2011][Error][Kernel::System::CustomerAuth::LDAP::Auth][221] Search failed! Timelimit exceeded
What does this mean? My guess is something caused it to time out, or my Active Directory is slow. It's really slow now, and it keeps taking too long using AD. Did I set a setting wrong, or should I change Frontend::Customer::Auth back to the DB backend, or what's your suggestion?
Should I try to do authentication anonymously, or is that a bad idea? Server 2008 R2, running the default package with Perl and Apache.
jeffman1
Znuny newbie
Posts: 36
Joined: 06 Jul 2011, 21:10
Znuny Version: 3.0
Real Name: jeff
Company: Garrard BOE

Re: Single sign on with acitve directory for customers

Post by jeffman1 »

Any more? Come on :) don't give up on me.
Never mind, authentication failed again. I tried your suggestions above; nothing has worked yet.
Could it be my search user schema, or should I try turning off something?
I had an idea: would putting asdf@garrard.kyschools.us in my config.pm file help? That's the email address that's linked to everyone's account and it's what they use to log on to the system. I recommend install scripts to install Active Directory in the future for manual installs or installs of OTRS without it built in. FOG is a great open source ghost system; I ran one installer script and it could link with Active Directory too, but besides the fact that AD didn't work well, good product.
The first one to answer my problem correctly I will thank and invite to a secret gaming project.
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: Single sign on with acitve directory for customers

Post by ferrosti »

Well, some research should be done yourself at least.

It would be nice if you gave some details about your LDAP (Windows AD or openLDAP or whatever), User Login names as they login to windows, etc.

In Windows AD


$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
needs to be


$Self->{'Customer::AuthModule::LDAP::UID'} = 'samaccountname';
I recommend install scripts to install Active Directory in the future for manual installs or installs of OTRS without it built in.
The install scripts would need exactly the same parameters as you need to insert in here.
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
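Added example, not OTRS code and not from any post in this thread: a Python model of the search-then-bind flow that Kernel::System::CustomerAuth::LDAP performs, run against a constructed in-memory stand-in for the AD tree. It shows the three points the thread turns on: an AD user carries sAMAccountName rather than uid (ferrosti's fix), a SearchUserDN combined with an empty SearchUserPw is an unauthenticated bind that a default AD treats as anonymous (so the search finds nothing, as in crythias's annotated config), and the login is escaped before it goes into the filter. The fake directory, its password and all helper names are assumptions.

```python
"""Constructed model of the search-then-bind flow that OTRS'
Kernel::System::CustomerAuth::LDAP performs, run against an in-memory
stand-in for the AD tree. Not OTRS code; entries and passwords are made up."""
from typing import Optional

# Stand-in for one AD user under the thread's BaseDN. AD user objects carry
# sAMAccountName / userPrincipalName; there is no 'uid' attribute at all.
FAKE_DIRECTORY = {
    "CN=asdf,OU=000_Garrard Co BOE,OU=Staff,DC=garrard,DC=ketsds,DC=net": {
        "objectClass": ["user"],
        "sAMAccountName": ["asdf"],
        "userPrincipalName": ["asdf@garrard.kyschools.us"],
        "_password": "constructed-secret",  # only the fake bind reads this
    },
}

# Config as posted in the thread (uid, search user with empty password) and
# the corrected variant (sAMAccountName, search user with its password).
THREAD_CONFIG = {"BaseDN": "dc=garrard,dc=ketsds,dc=net", "UID": "uid",
                 "SearchUserDN": "CN=asdf,OU=000_Garrard Co BOE,OU=Staff,DC=garrard,DC=ketsds,DC=net",
                 "SearchUserPw": ""}
FIXED_CONFIG = dict(THREAD_CONFIG, UID="sAMAccountName", SearchUserPw="constructed-secret")

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login like GARRARD\\asdf or a*) stays a literal value
    and cannot change the filter's structure (defensive step, assumed here)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def fake_bind(dn: Optional[str], password: str) -> str:
    """Simple bind with AD's default semantics: a DN plus an empty password is
    an 'unauthenticated' bind (RFC 4513 5.1.2) and yields anonymous access."""
    if not dn or password == "":
        return "anonymous"
    entry = FAKE_DIRECTORY.get(dn)
    return "authenticated" if entry and entry["_password"] == password else "invalid"

def fake_search(bind_state: str, base_dn: str, attr: str, value: str) -> Optional[str]:
    """Subtree search; anonymous callers see no user entries, as on a default AD."""
    if bind_state != "authenticated":
        return None
    for dn, entry in FAKE_DIRECTORY.items():
        if dn.lower().endswith(base_dn.lower()) and value in entry.get(attr, []):
            return dn
    return None

def customer_auth(cfg: dict, login: str, password: str) -> str:
    """Return the outcome OTRS would log for this customer login attempt."""
    if password == "":
        return "Need Pw!"                       # OTRS refuses an empty password up front
    login = login + cfg.get("UserSuffix", "")   # UserSuffix is appended before the search
    filt = f"({cfg['UID']}={escape_filter_value(login)})"
    state = fake_bind(cfg.get("SearchUserDN"), cfg.get("SearchUserPw", ""))
    user_dn = fake_search(state, cfg["BaseDN"], cfg["UID"], login)
    if user_dn is None:
        return f"no LDAP entry found! BaseDN='{cfg['BaseDN']}', Filter='{filt}'"
    # Second bind as the entry that was found, with the customer's own password.
    return "ok" if fake_bind(user_dn, password) == "authenticated" else "wrong password"
```

Against a real domain controller the same two steps can be reproduced with ldapsearch (bind as SearchUserDN, search BaseDN for sAMAccountName=login) before touching Config.pm, which separates a directory or permission problem from an OTRS setting.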