LDAP agent authentication Windows 2008 R2

hinttitiikeri
Znuny newbie
Posts: 8
Joined: 28 Jul 2011, 12:42
Znuny Version: 3.0.9

LDAP agent authentication Windows 2008 R2

Post by hinttitiikeri »

Hi

I can't get LDAP to work for agent authentication. I'm using OTRS 3.0.9, which is installed on Windows Server 2008 R2.

Here's my config.pm

Code:

package Kernel::Config;

sub Load {
    my $Self = shift;
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #         Start of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #
    # DatabaseHost
    # (The database host.)
    $Self->{'DatabaseHost'} = 'localhost';
    # Database
    # (The database name.)
    $Self->{'Database'} = 'otrs';
    # DatabaseUser
    # (The database user.)
    $Self->{'DatabaseUser'} = 'user';
    # DatabasePw
    # (The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords.)
    $Self->{'DatabasePw'} = 'password';
    # DatabaseDSN
    # (The database DSN for MySQL ==> more: "man DBD::mysql")
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

    # (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a tcpip connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = 'C:/PROGRA~2/OTRS_3~1/OTRS';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'server.domain.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local';
    $Self->{'AuthModule::LDAP::UID'} = 'uid';
    $Self->{'AuthModule::LDAP::GroupDN'} = 'OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'ldapuser';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://server.domain.local/';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'UID';
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'ldapuser';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];


    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #           End of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.23 $)[1];

use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

# -----------------------------------------------------#

1;

And here is what I get in the log when trying to log in:
[Thu Jul 28 16:14:03 2011][Notice][Kernel::System::Auth::DB::Auth] User: test doesn't exist or is invalid!!! (REMOTE_ADDR: 127.0.0.1)
[Thu Jul 28 16:14:03 2011][Error][Kernel::System::User::UserLookup][746] No UserID found for 'test'!
Could anyone please help me find what I'm doing wrong? I'm an absolute beginner with these things so please be gentle.
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: LDAP agent authentication Windows 2008 R2

Post by ferrosti »

Code:

$Self->{'AuthModule::LDAP::UID'} = 'uid';
actually is 'samaccountname' on Windows AD

Code:

$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
is 'member'
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
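
The two corrections from the post above, applied to the LDAP part of the posted Config.pm (an added example, not part of the thread). The `CN=OTRSAgents` group and the full DN of `ldapuser` are hypothetical placeholders, and `UserAttr` is switched to `'DN'` on the assumption that the group lists its members by full DN, as AD's `member` attribute does.

```perl
# Added example, not from the thread. Lines marked "hypothetical" are placeholders.
$Self->{'AuthModule'}               = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}   = 'server.domain.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local';

# Login name attribute on Active Directory (was 'uid').
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Optional group restriction. GroupDN is the DN of one group object, not an OU;
# leave all three settings out to admit every user found under BaseDN.
$Self->{'AuthModule::LDAP::GroupDN'} =
    'CN=OTRSAgents,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local';    # hypothetical
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';    # was 'memberUid'
$Self->{'AuthModule::LDAP::UserAttr'}   = 'DN';        # was 'UID'; 'member' holds full DNs

# Account used for the user lookup, written as a full DN so the bind name is unambiguous.
$Self->{'AuthModule::LDAP::SearchUserDN'} =
    'CN=ldapuser,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local';      # hypothetical
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

# Port 389 is plain LDAP: SearchUserPw and every agent password cross the
# network unencrypted on each login.
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# The sync module looks the user up by the same attribute.
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
```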
hinttitiikeri
Znuny newbie
Posts: 8
Joined: 28 Jul 2011, 12:42
Znuny Version: 3.0.9

Re: LDAP agent authentication Windows 2008 R2

Post by hinttitiikeri »

Thanks for the reply. I changed the parameters but I still get the same error. Shouldn't there be some kind of LDAP error message also? All I get is a notice from DB::Auth.
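
One way to get the directory's own error messages is to repeat the lookups outside OTRS with Net::LDAP. This is an added example, not part of the thread and not OTRS code; it approximates the search, group check and user bind of an LDAP login. Host and BaseDN come from the posted Config.pm, while both `CN=` values and the `LDAP_TEST_PW` variable name are hypothetical.

```perl
# Added example, not from the thread and not OTRS code.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Host and BaseDN are from the posted Config.pm; both CN= values are hypothetical.
my $Host    = 'server.domain.local';
my $Port    = 389;    # plain LDAP as in the thread: bind passwords travel unencrypted
my $BaseDN  = 'OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local';
my $BindDN  = "CN=ldapuser,$BaseDN";
my $BindPw  = 'password';
my $GroupDN = "CN=OTRSAgents,$BaseDN";
my $Login   = @ARGV ? $ARGV[0] : 'test';

# Stop at the first failing step and print the server's own result code and text.
sub Check {
    my ( $Step, $Mesg ) = @_;
    die sprintf( "%s FAILED: LDAP code %d, %s\n", $Step, $Mesg->code, $Mesg->error ) if $Mesg->code;
    print "$Step: ok\n";
    return $Mesg;
}

my $LDAP = Net::LDAP->new( $Host, port => $Port, timeout => 120, version => 3 )
    or die "connect to $Host:$Port FAILED: $@\n";
Check( 'bind as search user', $LDAP->bind( $BindDN, password => $BindPw ) );

# Step 1: resolve the login name to exactly one entry.
my $Users = Check( 'user search', $LDAP->search(
    base   => $BaseDN,
    filter => '(sAMAccountName=' . escape_filter_value($Login) . ')',
    attrs  => [ 'givenName', 'sn', 'mail' ],
) );
die 'user search matched ' . $Users->count . " entries for '$Login'\n" if $Users->count != 1;
my $UserDN = $Users->entry(0)->dn;
print "user DN: $UserDN\n";

# Step 2: group check, matching the user's full DN against the group's member values.
my $Group = Check( 'group search', $LDAP->search(
    base   => $GroupDN, scope => 'base', attrs => ['1.1'],
    filter => '(member=' . escape_filter_value($UserDN) . ')',
) );
print $Group->count ? "group check: member\n" : "group check: NOT a member of $GroupDN\n";

# Step 3: the authentication itself, a bind as the user. An empty password is skipped:
# RFC 4513 treats it as an unauthenticated bind, which a server may answer with success.
my $UserPw = $ENV{LDAP_TEST_PW};
Check( 'bind as user', $LDAP->bind( $UserDN, password => $UserPw ) )
    if defined $UserPw && length $UserPw;
$LDAP->unbind;
```

Pass the login name to test as the first argument; without one the script looks up `test`, the name from the posted log.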
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: LDAP agent authentication Windows 2008 R2

Post by ferrosti »

Hard to say what, but something got screwed.
Authentication does not need agent data in local DB, only data needs to.
Do you have something like this enabled in sysconfig? Have you ever been able to log in anyway?
hinttitiikeri
Znuny newbie
Posts: 8
Joined: 28 Jul 2011, 12:42
Znuny Version: 3.0.9

Re: LDAP agent authentication Windows 2008 R2

Post by hinttitiikeri »

This is still pretty much a clean install, so I haven't touched the sysconfig. I am able to log in with the credentials I manually create in the DB. Also, the default root credentials do work.
renee
Znuny expert
Posts: 241
Joined: 06 Feb 2009, 11:15
Znuny Version: 3.0.x
Company: Perl-Services.de

Re: LDAP agent authentication Windows 2008 R2

Post by renee »

I'm confused that your Config.pm asks to use the LDAP module, but the log says it still uses the DB backend module for authentication. So, you've edited the correct Config.pm? Is there anything else in the log?
Need a Perl/OTRS developer? You can contact me at info@perl-services.de
hinttitiikeri
Znuny newbie
Posts: 8
Joined: 28 Jul 2011, 12:42
Znuny Version: 3.0.9

Re: LDAP agent authentication Windows 2008 R2

Post by hinttitiikeri »

renee wrote: I'm confused that your Config.pm asks to use the LDAP module, but the log says it still uses the DB backend module for authentication. So, you've edited the correct Config.pm? Is there anything else in the log?
I'm confused about this also. There is nothing related to LDAP in the log.
The Config.pm I've edited is installdir\OTRS\Kernel\Config.pm. I don't know if this is the correct one (Are there even multiple Config.pm's?)
renee
Znuny expert
Posts: 241
Joined: 06 Feb 2009, 11:15
Znuny Version: 3.0.x
Company: Perl-Services.de

Re: LDAP agent authentication Windows 2008 R2

Post by renee »

hinttitiikeri wrote: I've edited is the installdir\OTRS\Kernel\Config.pm. I don't know if this is the correct one (Is there even multiple config.pm's?)
There might be multiple Config.pm's - when you copied it somewhere to play with it or when you have more than one instance of OTRS running... In a single OTRS instance there is only one Config.pm.
hinttitiikeri
Znuny newbie
Posts: 8
Joined: 28 Jul 2011, 12:42
Znuny Version: 3.0.9

Re: LDAP agent authentication Windows 2008 R2

Post by hinttitiikeri »

There is only one instance so I presume this is the correct file I've edited.
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: LDAP agent authentication Windows 2008 R2

Post by ferrosti »

This is the correct file.
Please rename it to Config.pm.bck and see what happens. ATM I believe that this file is not taken for some reason.

BTW, did you run ~/bin/otrs.SetPermissions.pl using your parameters?
hinttitiikeri
Znuny newbie
Posts: 8
Joined: 28 Jul 2011, 12:42
Znuny Version: 3.0.9

Re: LDAP agent authentication Windows 2008 R2

Post by hinttitiikeri »

OTRS doesn't start when I rename the config file. So I take it that it really is reading the Config.pm.

I haven't run ~/bin/otrs.SetPermissions.pl. I don't even know what it does. None of the guides for setting up LDAP with OTRS suggested that I should run the script.
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: LDAP agent authentication Windows 2008 R2

Post by ferrosti »

otrs.SetPermissions.pl is not a matter of LDAP, but of your whole OTRS installation.
Please run it with the parameters that are required by your setup.
hinttitiikeri
Znuny newbie
Posts: 8
Joined: 28 Jul 2011, 12:42
Znuny Version: 3.0.9

Re: LDAP agent authentication Windows 2008 R2

Post by hinttitiikeri »

Well I thought that the web installer would do all required stuff, but sure I can run that script. I'll come back with the results later.
hinttitiikeri
Znuny newbie
Posts: 8
Joined: 28 Jul 2011, 12:42
Znuny Version: 3.0.9

Re: LDAP agent authentication Windows 2008 R2

Post by hinttitiikeri »

hinttitiikeri wrote:Well I thought that the web installer would do all required stuff, but sure I can run that script. I'll come back with the results later.
Is this SetPermissions script really necessary on Windows systems? Everyone has "Full Control" permissions to the OTRS folder.
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: LDAP agent authentication Windows 2008 R2

Post by ferrosti »

Nope, this is not needed on Windows servers.
Please fill in this information in your signature!
juliom
Znuny newbie
Posts: 11
Joined: 11 Jul 2011, 18:00
Znuny Version: 3.0
Real Name: Julio
Company: Reply.com

Re: LDAP agent authentication Windows 2008 R2

Post by juliom »

I'll tell you from experience: the instructions in the admin manual for this are no good, and it's not just a matter of changing the Config.pm. I also had to modify other config files to get LDAP to work. I also had to make changes to my apache2-httpd.include.conf file to get it to work, and no manual I found specified that. There is one set of instructions out there that is really good; just do a Google search for OTRS LDAP for Windows.

This site helped me out, but there is more info on this site with more detailed instructions; I just couldn't locate them for you:
http://trinityhome.org/Home/index.php?w ... ront_id=18