I'm slowly getting desperate.
I'm trying to get SSO working with the current OTRS 4.0.11 on a CentOS 7 box, but after various threads here in the forum and on the web I'm not really getting anywhere.
The installation and the LDAP authentication were no problem, only SSO refuses to work... :/
The scenario:
Windows 2012R2 domain controller, CentOS 7 with the OTRS installation. I have replaced the domain names with logically equivalent ones.
On the DC I created a keytab for Kerberos:
Code:
ktpass -princ HTTP/otrssrv.domain.local@DOMAIN.LOCAL -mapuser ldapread@DOMAIN.LOCAL -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set -pass password -out "C:\tmp\otrssrv.keytab"
Code:
[root@localhost conf.d]# kinit -VV -k -t /etc/httpd/keytabs/otrssrv.keytab HTTP/otrssrv.domain.local@DOMAIN.LOCAL
Using existing cache: persistent:0:0
Using principal: HTTP/otrssrv.domain.local@DOMAIN.LOCAL
Using keytab: /etc/httpd/keytabs/otrssrv.keytab
Authenticated to Kerberos v5
Code:
[root@localhost conf.d]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = DOMAIN.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.LOCAL = {
kdc = dc01.domain.local
kdc = dc02.domain.local
admin_server = dc01.domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
Code:
[root@localhost conf.d]# cat /etc/httpd/conf.d/zzz_otrs.conf
# --
# added for OTRS (http://otrs.org/)
# --
ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"
<IfModule mod_perl.c>
    # Setup environment and preload modules
    PerlRequire /opt/otrs/scripts/apache2-perl-startup.pl
    # Reload Perl modules when changed on disk
    PerlModule Apache2::Reload
    PerlInitHandler Apache2::Reload
    # general mod_perl2 options
    LoadModule auth_kerb_module /usr/lib/httpd/modules/mod_auth_kerb.so
    <Location /otrs>
        # ErrorDocument 403 /otrs/customer.pl
        ErrorDocument 403 /otrs/index.pl
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv
        AuthType Kerberos
        AuthName "OTRS"
        Krb5Keytab /etc/httpd/keytabs/otrssrv.keytab
        KrbAuthRealms DOMAIN.LOCAL
        KrbMethodNegotiate on
        KrbSaveCredentials on
        KrbMethodK5Passwd on
        Require valid-user
        KrbVerifyKDC Off
        KrbServiceName HTTP
        Order allow,deny
        Allow from all
        <IfModule mod_version.c>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
        </IfModule>
        <IfModule !mod_version.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Location>
    # mod_perl2 options for GenericInterface
    <Location /otrs/nph-genericinterface.pl>
        PerlOptions -ParseHeaders
    </Location>
</IfModule>
<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    Options +ExecCGI -Includes
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>
    <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
            AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
        </IfModule>
    </IfModule>
</Directory>
<Directory "/opt/otrs/var/httpd/htdocs/">
    AllowOverride None
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        Order allow,deny
        Allow from all
    </IfModule>
    <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
            AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
        </IfModule>
    </IfModule>
    # Make sure CSS and JS files are read as UTF8 by the browsers.
    AddCharset UTF-8 .css
    AddCharset UTF-8 .js
    # Set explicit mime type for woff fonts since it is relatively new and apache may not know about it.
    AddType application/font-woff .woff
</Directory>
<IfModule mod_headers.c>
    # Cache css-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css-cache">
        <FilesMatch "\.(css|CSS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>
    # Cache css thirdparty for 4 hours, including icon fonts
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css/thirdparty">
        <FilesMatch "\.(css|CSS|woff|svg)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>
    # Cache js-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/js/js-cache">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>
    # Cache js thirdparty for 4 hours
    <Directory "/opt/otrs/var/httpd/htdocs/js/thirdparty/">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>
</IfModule>
# Limit the number of requests per child to avoid excessive memory usage
MaxRequestsPerChild 4000
Code:
Aug 20 16:15:10 localhost OTRS-CGI-00[13091]: [Notice][Kernel::System::CustomerAuth::HTTPBasicAuth::Auth] User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: 172.20.8.71).
Code:
#--------------------------------------------------------------------------------------------
# Customer authentication SSO #
#--------------------------------------------------------------------------------------------
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@DOMAIN.LOCAL';
#--------------------------------------------------------------------------------------------
# Customer data #
#--------------------------------------------------------------------------------------------
$Self->{CustomerUser1} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => '172.20.101.81',
        BaseDN => 'OU=Benutzer,OU=OUs,DC=domain,DC=local',
        SSCOPE => 'sub',
        UserDN => 'ldapread@domain.local',
        UserPw => 'ldapread',
    },
    CustomerKey                        => 'sAMAccountName',
    CustomerID                         => 'mail',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        # var, frontend, storage, shown, required, storage-type
        # [ 'UserSalutation', 'Title',      'title',           1, 0, 'var' ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
        # [ 'UserAddress',  'Address',    'postaladdress',   1, 0, 'var' ],
        # [ 'UserComment',  'Comment',    'description',     1, 0, 'var' ],
    ],
};
Apparently it's somewhere in the Apache configuration, but at this point I'm completely at a loss and hope you can help me...
Many thanks in advance
Regards, Alex
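Not part of Alex's post: a small Python check, added here, that runs over an Apache snippet constructed in the style of the posted zzz_otrs.conf and flags the points to look at first when REMOTE_USER stays empty (a LoadModule path that is relative to ServerRoot; Require valid-user next to Require all granted, which Apache 2.4 combines with an implicit RequireAny so the request is granted before authentication runs; KrbVerifyKDC Off beside a password fallback). It also mirrors the ReplaceRegExp step of Kernel::System::CustomerAuth::HTTPBasicAuth as I read it (assumption: Perl s/$ReplaceRegExp/$1/ on REMOTE_USER); it is not OTRS code.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted zzz_otrs.conf (not the poster's file); CentOS 7 ships Apache 2.4.
SAMPLE_CONF = """
LoadModule auth_kerb_module usr/lib/httpd/modules/mod_auth_kerb.so
<Location /otrs>
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbVerifyKDC Off
    Require valid-user
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>
</Location>
"""

def parse_directives(conf_text):
    """Lowercase directive name -> list of lowercased argument strings; section tags and comments are skipped."""
    seen = defaultdict(list)
    for line in conf_text.splitlines():
        line = line.strip()
        if line and line[0] not in "#<":
            name, _, args = line.partition(" ")
            seen[name.lower()].append(args.strip().lower())
    return seen

def lint_sso_config(conf_text):
    """Findings a reviewer would raise on a mod_auth_kerb <Location> meant to hand REMOTE_USER to OTRS."""
    d, findings = parse_directives(conf_text), []
    for args in d["loadmodule"]:
        parts = args.split()
        if parts[:1] == ["auth_kerb_module"] and len(parts) > 1 and not parts[1].startswith(("/", "modules/")):
            findings.append("LoadModule: %r is resolved relative to ServerRoot; use an absolute path" % parts[1])
    if "valid-user" in d["require"] and "all granted" in d["require"]:
        findings.append("Require valid-user plus Require all granted: Apache 2.4 ORs them (RequireAny), so anonymous requests pass, Negotiate never runs and REMOTE_USER stays empty")
    if "off" in d["krbverifykdc"] and "on" in d["krbmethodk5passwd"]:
        findings.append("KrbVerifyKDC Off with KrbMethodK5Passwd on: the password fallback is not protected against a spoofed KDC")
    return findings

def otrs_login_from_remote_user(remote_user, replace_regexp):
    """ReplaceRegExp step as I read HTTPBasicAuth (assumption: s/$ReplaceRegExp/$1/); None models the logged 'No $ENV{REMOTE_USER}'."""
    if not remote_user:  # the case behind the posted log notice
        return None
    m = re.search(replace_regexp, remote_user)
    if not m:
        return remote_user
    # Perl replaces the first match with capture group 1, or with nothing when the pattern has no group
    return remote_user[:m.start()] + (m.group(1) if m.lastindex else "") + remote_user[m.end():]
```

Run lint_sso_config on the real /etc/httpd/conf.d/zzz_otrs.conf text; an empty list means none of the three patterns is present.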