SSO AD OTRS 7

Moderator: crythias

maro584
OTRS newbie
Posts: 39
Joined: 04 Feb 2020, 17:36
OTRS Version?: 6.0.24
Real Name: Mark

SSO AD OTRS 7

Post by maro584 »

Hello all,

I am trying to implement SSO for OTRS. To do that, I have added the following lines to Config.pm:

Code:

     $Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
     $Self->{LoginURL} = 'https://<some url>/otrs/index.pl';
     $Self->{LogoutURL} = 'https://<some url>/otrs/index.pl';

After implementing this I got the following error in the logs:

Code:

Dec 11 10:23:57 otrs OTRS-CGI-92[15604]: [Notice][Kernel::System::Auth::HTTPBasicAuth::Auth] User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: <ip address>).
Dec 11 10:23:57 otrs OTRS-CGI-92[15604]: [Error][Kernel::System::Auth::LDAP::Auth][Line:123]: Need User!
Dec 11 10:23:57 otrs OTRS-CGI-92[15604]: [Error][Kernel::System::User::UserLookup][Line:937]: Need UserLogin or UserID!
Dec 11 10:23:58 otrs OTRS-CGI-92[15606]: [Notice][Kernel::System::Auth::HTTPBasicAuth::Auth] User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: <ip address>).
Dec 11 10:23:58 otrs OTRS-CGI-92[15606]: [Error][Kernel::System::Auth::LDAP::Auth][Line:123]: Need User!
Dec 11 10:23:58 otrs OTRS-CGI-92[15606]: [Error][Kernel::System::User::UserLookup][Line:937]: Need UserLogin or UserID!
Dec 11 10:23:58 otrs OTRS-CGI-92[15598]: [Notice][Kernel::System::Auth::HTTPBasicAuth::Auth] User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: <ip address>).
Dec 11 10:23:58 otrs OTRS-CGI-92[15598]: [Error][Kernel::System::Auth::LDAP::Auth][Line:123]: Need User!
Dec 11 10:23:58 otrs OTRS-CGI-92[15598]: [Error][Kernel::System::User::UserLookup][Line:937]: Need UserLogin or UserID!
Dec 11 10:23:59 otrs OTRS-CGI-92[15604]: [Notice][Kernel::System::Auth::HTTPBasicAuth::Auth] User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: <ip address>).
Dec 11 10:23:59 otrs OTRS-CGI-92[15604]: [Error][Kernel::System::Auth::LDAP::Auth][Line:123]: Need User!
Dec 11 10:23:59 otrs OTRS-CGI-92[15604]: [Error][Kernel::System::User::UserLookup][Line:937]: Need UserLogin or UserID!
Dec 11 10:24:00 otrs OTRS-CGI-92[15604]: [Notice][Kernel::System::Auth::HTTPBasicAuth::Auth] User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: <ip address>).

So I have checked a file:

Code:

/opt/otrs/scripts/apache2-httpd.include.conf

And found this:

Code:

# USING SSO
#

# You need to configure 'WebApp::SSO::RemoteUserSecret' in OTRS_HOME/Kernel/Config.pm:
#    $Self->{'WebApp::SSO::RemoteUserSecret'} = 'My-SSO-RemoteUser-Secret';
#
# Also, your Apache must forward the following two headers to OTRS (add this to the <Location /> section):
#
# # Add SSO username to the request.
# RequestHeader set REMOTE_USER %{REMOTE_USER}
#
# # Add SSO secret to the request.
# RequestHeader set REMOTE_USER_SECRET 'My-SSO-Remote-User-Secret'
#
# For more details about the RequestHeader directive, please consult the Apache documentation at
# https://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader

So I have added the mentioned lines to the <Location /> section of this file:

Code:

<Location />
    # Pass the HTTP protocol request header to the backend server if SSL is inactive.
    RequestHeader set "X-Forwarded-Proto" "http" env=!HTTPS
    ProxyPass http://localhost:8080/
    RequestHeader set REMOTE_USER %{REMOTE_USER}
    RequestHeader set REMOTE_USER_SECRET 'My-SSO-Remote-User-Secret'
    # Prevent apache incompatibility with web service clients
    #   that send a "100 Continue" header.
    # Variant for apache 2.4.40 and later.
    <IfVersion >= 2.4.40>
        Proxy100Continue Off
    </IfVersion>
</Location>

Also, I have added the mentioned line to Config.pm:

Code:

     $Self->{'WebApp::SSO::RemoteUserSecret'} = '<password for LDAP user used to integrate OTRS with Active Directory>';

Now when I restart Apache I get this:

Code:

-- The result is failed.
Dec 11 11:28:11 otrs systemd[1]: Unit httpd.service entered failed state.
Dec 11 11:28:11 otrs systemd[1]: httpd.service failed.
Dec 11 11:28:12 otrs otrs.Daemon.pl[10206]: No indexing needed! Skipping...
Dec 11 11:28:12 otrs otrs.Daemon.pl[10206]: Done.
Dec 11 11:28:12 otrs otrs.Daemon.pl[10206]: No messages available for sending.
Dec 11 11:28:12 otrs otrs.Daemon.pl[10206]: Done.
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Gathering unindexed documents for document type 'Appointment' ...
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Index is already up-to-date.
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Gathering unindexed documents for document type 'ArticleChat' ...
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Index is already up-to-date.
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Gathering unindexed documents for document type 'ArticleMIME' ...
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Index is already up-to-date.
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Gathering unindexed documents for document type 'ArticleSMS' ...
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Index is already up-to-date.
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Gathering unindexed documents for document type 'CustomPageContent' ...
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Index is already up-to-date.
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Gathering unindexed documents for document type 'FAQ' ...
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Index is already up-to-date.
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Gathering unindexed documents for document type 'ServiceCatalogueContent' ...
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Index is already up-to-date.
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Gathering unindexed documents for document type 'Ticket' ...
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Index is already up-to-date.
Dec 11 11:28:13 otrs otrs.Daemon.pl[10206]: Done
Dec 11 11:28:14 otrs polkitd[654]: Registered Authentication Agent for unix-process:21074:320185178 (system bus name :1.1979 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent,
Dec 11 11:28:14 otrs systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
Dec 11 11:28:14 otrs httpd[21090]: AH00526: Syntax error on line 23 of /etc/httpd/conf.d/zzz_otrs.conf:
Dec 11 11:28:14 otrs httpd[21090]: Unrecognized header format %
Dec 11 11:28:14 otrs systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Dec 11 11:28:14 otrs kill[21092]: kill: cannot find process ""
Dec 11 11:28:14 otrs systemd[1]: httpd.service: control process exited, code=exited status=1
Dec 11 11:28:14 otrs systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.
--
-- The result is failed.
Dec 11 11:28:14 otrs systemd[1]: Unit httpd.service entered failed state.
Dec 11 11:28:14 otrs systemd[1]: httpd.service failed.
Dec 11 11:28:14 otrs polkitd[654]: Unregistered Authentication Agent for unix-process:21074:320185178 (system bus name :1.1979, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
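
The `Unrecognized header format %` failure in the log above is what mod_headers reports for `%{REMOTE_USER}` written without a complete format specifier. The block below is an added example, not part of the original post or of the OTRS sample file, showing the same `<Location />` section with a valid `RequestHeader` value and an authentication module that fills `REMOTE_USER`; the choice of mod_auth_gssapi, the keytab path and the secret string are assumptions and placeholders.

```apache
<Location />
    # Something has to authenticate the request first; without it REMOTE_USER
    # is empty and OTRS logs "No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER}".
    # Assumption: Kerberos against Active Directory via mod_auth_gssapi.
    # A SAML module such as mod_auth_mellon fills the same variable.
    AuthType GSSAPI
    AuthName "OTRS SSO"
    # Placeholder path to the keytab of the HTTP service principal.
    GssapiCredStore keytab:/path/to/http.keytab
    Require valid-user

    # "set" replaces any REMOTE_USER header the client sent itself.
    # expr= (httpd 2.4.10 and later) reads the authenticated user name;
    # a bare %{REMOTE_USER} is not a valid mod_headers format.
    RequestHeader set REMOTE_USER expr=%{REMOTE_USER}

    # A hyphenated variant can map to the same HTTP_REMOTE_USER variable in
    # CGI-style backends, so remove it if a client supplied one.
    RequestHeader unset Remote-User

    # Assumption: OTRS compares this header with
    # $Self->{'WebApp::SSO::RemoteUserSecret'} in Kernel/Config.pm, so both
    # places must hold the same string. Placeholder value: use a long random
    # string that serves no other purpose.
    RequestHeader set REMOTE_USER_SECRET "REPLACE-WITH-LONG-RANDOM-STRING"

    # Unchanged lines from the original section.
    RequestHeader set "X-Forwarded-Proto" "http" env=!HTTPS
    ProxyPass http://localhost:8080/
    <IfVersion >= 2.4.40>
        Proxy100Continue Off
    </IfVersion>
</Location>
```

Running `apachectl configtest` before restarting httpd reports a syntax error like the one above without taking the service down.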

root
Administrator
Posts: 2563
Joined: 18 Dec 2007, 12:23
OTRS Version?: Znuny LTS and 4/5/6
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: SSO AD OTRS 7

Post by root »

Hi,

Please contact the vendor, you should have a support contract. The title mentions version 7 and this is, at the moment?, not a community edition and not available for the public.

The entry User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} says that the user is not populated in the environment, the web server is the place to go for this.

- Roy
Znuny LTS and ((OTRS) Community Edition CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know why ?

Re: SSO AD OTRS 7

Post by maro584 »

Many thanks for the clue. If OTRS version 7 is not a topic here on this forum you can move this thread to trash.

Re: SSO AD OTRS 7

Post by root »

maro584 wrote:
11 Dec 2020, 13:48
If OTRS version 7 is not a topic here on this forum you can move this thread to trash.

It will, as soon as the vendor stands to his statements.

- Roy

Re: SSO AD OTRS 7

Post by maro584 »

One more question before closing a topic. How to configure a webserver to retrieve and pass this header:

$ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER}

I think this is not a case for only OTRS version 7 ;)

In a few other topics on this forum I saw that forum users somehow found a solution for this problem but they did not share it.

Re: SSO AD OTRS 7

Post by root »

maro584 wrote:
14 Dec 2020, 11:37
One more question before closing a topic. How to configure a webserver to retrieve and pass this header:

$ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER}

A properly configured Apache module like mod_auth_kerb, mod_auth_gssapi, mod_auth_mellon, etc. populates this variable after successful authentication.
Because I have no clue what the line

Code:

$Self->{'WebApp::SSO::RemoteUserSecret'}

is related to, I'm not really able to help here. That might be version 7 related, it's not in the Community Edition 6.

maro584 wrote:
14 Dec 2020, 11:37
I think this is not a case for only OTRS version 7 ;)

As always: it depends 😉. But I recommend using existing support, or is a question like this not covered?

- Roy

Re: SSO AD OTRS 7

Post by maro584 »

Does anybody have a good guide on how to configure mod_auth_mellon for OTRS?

Re: SSO AD OTRS 7

Post by root »

Hi,

This one works fine: https://jdennis.fedorapeople.org/doc/me ... guide.html
Just the IdP is often something else.

Configure it in the beginning without keeping OTRS in mind, SAML has to work first.

- Roy

crythias
Moderator
Posts: 10147
Joined: 04 May 2010, 18:38
OTRS Version?: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: SSO AD OTRS 7

Post by crythias »

I should point out that Internet Explorer/Internet Options may need to "trust" the OTRS site in order to pass remote user.
OTRS 5.0.x (private/testing/public) on Linux with MySQL database. Also on github.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: SSO AD OTRS 7

Post by root »

crythias wrote:
15 Dec 2020, 06:09
I should point out that Internet Explorer/Internet Options may need to "trust" the OTRS site in order to pass remote user.

That's true for Kerberos, but not for SAML (mod_auth_mellon).