how would you go about configuring a Backend that would authenticate against an AD over LDAPS, is it even possible? I have been looking for days for a solution to this problem. i find plenty of documentation on how to connect with LDAP but can only find LDAPS mentioned in a few posts.
I am pretty new to OTRS and im currently just testing if its a viable tool for my company.
LDAPS authentication
Moderator: crythias
-
- Znuny newbie
- Posts: 14
- Joined: 12 Nov 2018, 16:54
- Znuny Version: 6.0.12
- Real Name: Tommy Ballo
Re: LDAPS authentication
this is my config.pm
otrs doesnt crash or anything but if i try to load the customer administration panel, it only shows the default DatabaseBackend
when i check the system log all it says is: Can't connect to ldaps://activedirectory.host.com:
otrs doesnt crash or anything but if i try to load the customer administration panel, it only shows the default DatabaseBackend
when i check the system log all it says is: Can't connect to ldaps://activedirectory.host.com:
Code: Select all
$Self->{CustomerUser2} = {
Name => 'LDAP Data Source',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
# ldap host
Host => 'ldaps://activedirectory.host.com',
# ldap base dn
BaseDN => 'base..dn..goes..here',
# search scope (one|sub)
SSCOPE => 'sub',
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
UserDN => 'user..dn..goes..here',
UserPw => 'password',
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
AlwaysFilter => '',
# if the charset of your ldap server is iso-8859-1, use this:
# SourceCharset => 'iso-8859-1',
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
Params => {
verify => 'require',
port => 636,
timeout => 30,
async => 0,
version => 3,
cafile => '/usr/local/cacerts/certificate.pem',
},
},
# customer unique id
CustomerKey => 'uid',
# customer #
CustomerID => 'mail',
CustomerUserListFields => ['cn', 'mail'],
CustomerUserSearchFields => ['uid', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
# show not own tickets in customer panel, CompanyTickets
CustomerUserExcludePrimaryCustomerID => 0,
# add an ldap filter for valid users (expert setting)
# CustomerUserValidFilter => '(!(description=locked))',
# administrator can't change customer preferences
AdminSetPreferences => 0,
# # cache time to live in sec. - cache any database queries
# CacheTTL => 0,
Map => [
# note: Login, Email and CustomerID are mandatory!
# var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly, http-link-target, link class(es)
[ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'uid', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
# [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};
-
- Administrator
- Posts: 3963
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: LDAPS authentication
Hi,
Did you tried to connect to the ldap server by using telnet/openssl s_client to the server?
- Roy
Did you tried to connect to the ldap server by using telnet/openssl s_client to the server?
- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
-
- Znuny newbie
- Posts: 14
- Joined: 12 Nov 2018, 16:54
- Znuny Version: 6.0.12
- Real Name: Tommy Ballo
Re: LDAPS authentication
i have tried connecting to the server with apache directory studio with all the same credentials and it works with no flaw.
-
- Administrator
- Posts: 3963
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: LDAPS authentication
Hi,
Please replace the last to in my post with an from.
TLDR; Did you checked if the LDAP server is reachable from the OTRS server?
- Roy
Please replace the last to in my post with an from.
TLDR; Did you checked if the LDAP server is reachable from the OTRS server?
- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
-
- Znuny newbie
- Posts: 14
- Joined: 12 Nov 2018, 16:54
- Znuny Version: 6.0.12
- Real Name: Tommy Ballo
Re: LDAPS authentication
HI there, thanks for the help, it seems to be that i was blocked by a firewall and i can finally establish a connection.
Now im getting 2 errors when i try to connect.
First bind failed! I/O Error Connection reset by peer
Search failed! Can't contact LDAP server
Now im getting 2 errors when i try to connect.
First bind failed! I/O Error Connection reset by peer
Search failed! Can't contact LDAP server
Last edited by Ballzer0 on 19 Nov 2018, 14:23, edited 1 time in total.
-
- Administrator
- Posts: 3963
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: LDAPS authentication
Hi,
"First bind failed" is always a hint that the UserDN/UserPw combination is wrong. If it's an Active Directory I always recommend using the userPrincipalName of the bind user instead of the DN.
- Roy
"First bind failed" is always a hint that the UserDN/UserPw combination is wrong. If it's an Active Directory I always recommend using the userPrincipalName of the bind user instead of the DN.
- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
-
- Znuny newbie
- Posts: 14
- Joined: 12 Nov 2018, 16:54
- Znuny Version: 6.0.12
- Real Name: Tommy Ballo
Re: LDAPS authentication
should it work to fill in the user principal name directly in the userDN line or should i create a separate line for it?