single signon with active directory

Moderator: crythias

mritorto
Znuny newbie
Posts: 52
Joined: 13 Sep 2010, 20:39
Znuny Version: 2.4.7

single signon with active directory

Post by mritorto »

guys

I modified the config.pm file so I can have my users authenticate using their AD account, but it's not working.

See the logs below.


Oct 5 11:55:00 Snakeeyes OTRS-CGI-10[2215]: [Error][Kernel::System::Auth::LDAP::Auth][Line:187]: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece#000
Oct 5 11:55:00 Snakeeyes OTRS-CGI-10[2215]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'mritorto@sumitrustusa.ad'!
Oct 5 11:55:20 Snakeeyes OTRS-CGI-10[2218]: [Error][Kernel::System::Auth::LDAP::Auth][Line:187]: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece#000
Oct 5 11:55:20 Snakeeyes OTRS-CGI-10[2218]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman@sumitrustusa.ad'!
[root@Snakeeyes log]#


Below are my settings in the config.pm file - the password is not shown here for security purposes.



# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
# $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=Hawkman123,OU=Service Accounts,DC=Sumitrustusa,DC=AD';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '######';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';


Any ideas as to what I am doing wrong here? I have the LDAP module installed.

marc
mritorto

Re: single signon with active directory

Post by mritorto »

Please note I am running OTRS on Fedora 13.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: single signon with active directory

Post by crythias »

Comments are irrelevant, so your Config simplifies to:


$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=Hawkman123,OU=Service Accounts,DC=Sumitrustusa,DC=AD';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '######';
You're missing quite a bit of other code here. Check the http://doc.otrs.org/2.4/en/html/x1872.html or wiki for more information and an example. Don't forget that you'll need to handle authentication as well as user lists.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
mritorto

Re: single signon with active directory

Post by mritorto »

guys



Okay, I made the following modifications to the config.pm file, see below (some things were changed for security reasons).

I now get this message

Oct 6 15:24:53 Snakeeyes OTRS-CGI-10[3132]: [Notice][Kernel::System::Auth::HTTPBasicAuth::Auth] User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: 10.10.5.6).
Oct 6 15:24:53 Snakeeyes OTRS-CGI-10[3132]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman@sumitrustusa.ad'!


I know I did not finish configuring the single sign-on stuff yet, but I figured the LDAP stuff would work.


any ideas :o

# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2009 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.21 2009/02/16 12:01:43 tr Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# -->> OTRS does have a lot of config settings. For more settings
# (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
# LDAP, PostMaster, Session, Preferences, ...) see
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --

package Kernel::Config;

sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
#Customized LDAP Settings #

##---------------------------------------------------------#
##----------------------------------------------------------#


# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.x.x';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusaxx,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,ou=security groups,dc=sumitrustusax,dc=ad';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hadddd,ou=Service Accounts,dc=sumitrustusax,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'MeanGreenxx!';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
$Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusax.ad';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldap.sumitrustusax.ad/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=Hawxxx,ou=Service Accounts,dc=sumitrustusax,dc=ad';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'MeanGreenxxx!';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};


# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
########################################################################################

####single sign on" solution for all your agents, you can use HTTP basic authentication
####(for all your systems) and the HTTPBasicAuth module for OTRS. ##########################

# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a single login through
# apache http-basic-auth
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';

# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENV{REMOTE_USER})
# $Self->{LoginURL} = 'http://10.10.2.14/not-authorised-for-otrs.html';
#$Self->{LogoutURL} = 'http://10.10.2.14/thanks-for-using-otrs.html';
mritorto

Re: single signon with active directory

Post by mritorto »

I commented out the single logon info in the config.pm and now I get this message in messages.log:


authentication failed, no LDAP entry found!BaseDN='dc=sumitrustusa,dc=ad', Filter='(sAMAccountName=root@localhost@sumitrustusa.ad)', (REMOTE_ADDR: 10.10.5.6).
Oct 6 15:44:10 Snakeeyes OTRS-CGI-10[3173]: [Notice][Kernel::System::Auth::LDAP::Auth] User: hawkman@sumitrustusa.ad@sumitrustusa.ad authentication failed, no LDAP entry found!BaseDN='dc=sumitrustusa,dc=ad', Filter='(sAMAccountName=hawkman@sumitrustusa.ad@sumitrustusa.ad)', (REMOTE_ADDR: 10.10.5.6).
Oct 6 15:44:10 Snakeeyes OTRS-CGI-10[3173]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman@sumitrustusa.ad'!
crythias

Re: single signon with active directory

Post by crythias »

it might be because of this:
$Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusax.ad';
and an attempt to log on with full email address.
mritorto

Re: single signon with active directory

Post by mritorto »

I thought that had to be in there to log on using username@domainname.com.


Am I wrong?

marc
mritorto

Re: single signon with active directory

Post by mritorto »

I was wondering if OTRS would recognize a space in the names of the AD OU structure; see below.


$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,ou=security groups,dc=sumitrustusax,dc=ad';

This account exists in the OU named "security groups" - would OTRS understand that there is a space between the words "security" and "groups"?

I know in Perl you usually have to put a // or a ' ' in order for the program to know that there is a space.

Do I really need a POSIX group in AD also?
marc
crythias

Re: single signon with active directory

Post by crythias »

mritorto wrote: I thought that had to be in there to log on using username@domainname.com.


Am I wrong?

marc
Yes, because directly above it says:


# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
If you think about what your log says,
Kernel::System::Auth::LDAP::Auth] User: hawkman@sumitrustusa.ad@sumitrustusa.ad authentication failed, no LDAP entry found!
It makes sense that *something* is appending the domain name again.
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: single signon with active directory

Post by ferrosti »

Since you are authenticating against sAMAccountName, you should not append a suffix.
You configured your login to search your AD for the username@domain.tld.
E.g.: User 'bofh' logs in at OTRS; the login script will look for 'bofh@domain.tld' in the sAMAccountName field of your AD. This does not make sense, since sAMAccountName usually does not contain your domain name.

In case your users login with 'bofh' (without domain) in windows and OTRS,
1) configure it to search the username in samaccountname without suffix!
2) configure it to search the username in userprincipalname adding the suffix!

In case your users login with 'bofh@domain.tld' (with domain) in windows and OTRS, configure it to search the username in userprincipalname without suffix!
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
georgelazar
Znuny newbie
Posts: 20
Joined: 12 Oct 2010, 15:44
Znuny Version: 3.0.5

Re: single signon with active directory

Post by georgelazar »

Here is my config, and it is working like a charm:

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'pdc.mydomain.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=mydomain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

And the usernames in OTRS are defined as firstname.lastname, identical with their AD logon username.

George
OTRS 3.0.5 on Gentoo Linux, LDAP authentication for users and customers.
mritorto

Re: single signon with active directory

Post by mritorto »

Are you saying I should comment the following lines like this:


# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusax.ad';


marc
mritorto

Re: single signon with active directory

Post by mritorto »

I commented the suffix section out and now I get this message in the logs:


Oct 10 03:43:01 Snakeeyes kernel: imklog 4.4.2, log source = /proc/kmsg started.
Oct 10 03:43:01 Snakeeyes rsyslogd: [origin software="rsyslogd" swVersion="4.4.2 " x-pid="923" x-info="http://www.rsyslog.com"] (re)start
Oct 13 11:50:52 Snakeeyes OTRS-CGI-10[7554]: [Notice][Kernel::System::Auth::LDAP ::Auth] User: hawkman authentication failed, no LDAP group entry foundGroupDN='c n=otrs,ou=security groups,dc=sumitrustusa,dc=ad', Filter='(memberUid=CN=Hawkman, OU=Service Accounts,DC=sumitrustusa,DC=ad)'! (REMOTE_ADDR: 10.10.5.6).
Oct 13 11:50:52 Snakeeyes OTRS-CGI-10[7554]: [Error][Kernel::System::User::UserL ookup][Line:696]: No UserID found for 'hawkman'!
Oct 13 11:51:05 Snakeeyes OTRS-CGI-10[7557]: [Notice][Kernel::System::Auth::LDAP ::Auth] User: hawkman authentication failed, no LDAP group entry foundGroupDN='c n=otrs,ou=security groups,dc=sumitrustusa,dc=ad', Filter='(memberUid=CN=Hawkman, OU=Service Accounts,DC=sumitrustusa,DC=ad)'! (REMOTE_ADDR: 10.10.5.6).
Oct 13 11:51:05 Snakeeyes OTRS-CGI-10[7557]: [Error][Kernel::System::User::UserL ookup][Line:696]: No UserID found for 'hawkman'!
[root@Snakeeyes log]#
crythias

Re: single signon with active directory

Post by crythias »

this particular error indicates a space between c and n ...
foundGroupDN='c n=ot
mritorto

Re: single signon with active directory

Post by mritorto »

Hmm, I don't see a space in the config file.
crythias

Re: single signon with active directory

Post by crythias »

Please post your current Config.pm (password redacted), and whether you are attempting to log in with username or email address.

It appears that you've both removed the domain suffix and attempted to log in with the username only.

Also, you seem to (if I'm reading this correctly) be filtering on a specific User, and that may even be case sensitive. At this time, I'm simply guessing because I don't have enough information.
mritorto

Re: single signon with active directory

Post by mritorto »

At first, with the suffix uncommented, I tried using the username hawkman@domainname.com.

I now commented the section 8 out, so I am using just hawkman.



Do I need this search option?


# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hawkman,ou=Service Accounts,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'MeanGreen!';



I want to be able to use any account on the domain. See my latest config below.


# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2009 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.21 2009/02/16 12:01:43 tr Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# -->> OTRS does have a lot of config settings. For more settings
# (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
# LDAP, PostMaster, Session, Preferences, ...) see
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --

package Kernel::Config;

sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
#Customized LDAP Settings by Marc J. Ritorto MCSE#

##---------------------------------------------------------#
##----------------------------------------------------------#

#CN=Hawkman,OU=Service Accounts,DC=sumitrustusa,DC=ad
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,ou=security groups,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hawkman,ou=Service Accounts,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'MeanGreen!';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusa.ad';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldap.sumitrustusa.ad/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=Hawkman,ou=Service Accounts,dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'MeanGreen!';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};


# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
########################################################################################

####single sign on" solution for all your agents, you can use HTTP basic authentication
####(for all your systems) and the HTTPBasicAuth module for OTRS. ##########################

# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a single login through
# apache http-basic-auth
# $Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';

# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENV{REMOTE_USER})
# $Self->{LoginURL} = 'http://10.10.2.14/not-authorised-for-otrs.html';
#$Self->{LogoutURL} = 'http://10.10.2.14/thanks-for-using-otrs.html';

# ---------------------------------------------------- #
# database settings #
# ---------------------------------------------------- #
# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'localhost';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = 'Lookatme!';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = '/opt/otrs';

# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;

# ---------------------------------------------------- #

# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #
# $DIBI$
$Self->{'SystemID'} = 10;
$Self->{'SecureMode'} = 1;
$Self->{'Organization'} = 'Sumitomo Trust & Banking CO. (USA)';
$Self->{'LogModule::LogFile'} = '/tmp/otrs.log';
$Self->{'LogModule'} = 'Kernel::System::Log::SysLog';
$Self->{'FQDN'} = 'Snakeeyes.sumitrustusa.ad';
$Self->{'DefaultLanguage'} = 'en';
$Self->{'AdminEmail'} = 'itadmin@stbusax.com';
$Self->{'DefaultCharset'} = 'utf-8';

# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this) #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.21 $)[1];

# -----------------------------------------------------#

1;
crythias

Re: single signon with active directory

Post by crythias »

Maybe you should re-read the wiki page. http://wiki.otrs.org/index.php?title=Us ... for_agents

These should probably match:
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hawkman,ou=Service Accounts,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '##password##';

$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldap.sumitrustusa.ad/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=Hawkman,ou=Service Accounts,dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '##password##';

If you want to type username@sumitrustusa.ad as the logging in user, do not remove the comment.
If you want to type username as the logging in user, remove the comment.
In other words, this entry, if enabled, appends to the username provided at login before it tries to find out if it's a valid login.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusa.ad';

This "could be" member, but if you want memberUid, keep it.
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';


You need to uncomment *one* of these (probably the DN line):
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
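The following is an added example, not OTRS/Znuny code and not from anyone in this thread. It rebuilds offline the two LDAP searches an agent login goes through as described above by ferrosti (sAMAccountName vs. userPrincipalName) and by crythias (UserSuffix, AccessAttr, UserAttr), so you can see how a suffix gets doubled and why memberUid never matches an AD group. The directory contents, the domain example.ad and the exact filter shape are constructed assumptions based only on the log lines quoted in this thread.

```python
"""Simulate the user lookup and group check of an OTRS-style LDAP agent
login from the AuthModule::LDAP::* keys in Config.pm (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 4515: characters that must be escaped when a value is placed in a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapAuthConfig:
    """The Config.pm keys that shape the two searches (assumed mapping)."""
    uid: str                          # AuthModule::LDAP::UID
    user_suffix: str = ""             # AuthModule::LDAP::UserSuffix ("" = commented out)
    always_filter: str = ""           # AuthModule::LDAP::AlwaysFilter
    group_dn: Optional[str] = None    # AuthModule::LDAP::GroupDN (None = no group check)
    access_attr: str = "memberUid"    # AuthModule::LDAP::AccessAttr
    user_attr: str = "UID"            # AuthModule::LDAP::UserAttr: "UID" or "DN"


# Constructed stand-in for the directory: DN -> attributes (values unescaped).
FAKE_AD: Dict[str, Dict[str, List[str]]] = {
    "CN=Hawkman,OU=Service Accounts,DC=example,DC=ad": {
        "sAMAccountName": ["hawkman"],
        "userPrincipalName": ["hawkman@example.ad"],
    },
    "CN=otrs,OU=Test,DC=example,DC=ad": {
        # AD stores group membership in 'member' as full DNs; memberUid only
        # exists if the posixGroup schema extension is in use.
        "member": ["CN=Hawkman,OU=Service Accounts,DC=example,DC=ad"],
    },
}


def _match(attr: str, value: str) -> List[str]:
    """Equality search over FAKE_AD; names and AD values compare case-insensitively."""
    return [
        dn for dn, attrs in FAKE_AD.items()
        for name, values in attrs.items()
        if name.lower() == attr.lower() and value.lower() in (v.lower() for v in values)
    ]


def user_search_filter(cfg: LdapAuthConfig, login: str) -> Tuple[str, str]:
    """Return (effective login, filter). The suffix is appended verbatim, which
    is how 'hawkman@domain' turns into 'hawkman@domain@domain' in the log."""
    effective = login + cfg.user_suffix
    flt = f"({cfg.uid}={escape_filter_value(effective)})"
    if cfg.always_filter:
        flt = f"(&{flt}{cfg.always_filter})"
    return effective, flt


def authenticate(cfg: LdapAuthConfig, login: str) -> Tuple[bool, str, Optional[str]]:
    """Run the user lookup and, if GroupDN is set, the group check.
    Returns (success, user filter, group filter or None)."""
    effective, user_flt = user_search_filter(cfg, login)
    hits = _match(cfg.uid, effective)
    if not hits:
        return False, user_flt, None           # "no LDAP entry found!"
    user_dn = hits[0]
    if cfg.group_dn is None:
        return True, user_flt, None
    # UserAttr decides what is compared against the group: the login or the DN.
    member_value = user_dn if cfg.user_attr.upper() == "DN" else login
    group_flt = f"({cfg.access_attr}={escape_filter_value(member_value)})"
    group_attrs = FAKE_AD.get(cfg.group_dn, {})
    in_group = any(
        name.lower() == cfg.access_attr.lower()
        and member_value.lower() in (v.lower() for v in values)
        for name, values in group_attrs.items()
    )
    return in_group, user_flt, group_flt      # False -> "no LDAP group entry found"


if __name__ == "__main__":
    group = "CN=otrs,OU=Test,DC=example,DC=ad"
    cases = {
        "suffix + full login": (LdapAuthConfig("sAMAccountName", user_suffix="@example.ad"), "hawkman@example.ad"),
        "memberUid vs AD group": (LdapAuthConfig("sAMAccountName", group_dn=group, user_attr="DN"), "hawkman"),
        "member + DN": (LdapAuthConfig("sAMAccountName", group_dn=group, access_attr="member", user_attr="DN"), "hawkman"),
        "UPN + suffix": (LdapAuthConfig("userPrincipalName", user_suffix="@example.ad"), "hawkman"),
    }
    for name, (cfg, login) in cases.items():
        ok, uf, gf = authenticate(cfg, login)
        print(f"{name:22} ok={ok!s:5} user={uf} group={gf}")
```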
mritorto

Re: single signon with active directory

Post by mritorto »

let me see
mritorto

Re: single signon with active directory

Post by mritorto »

I still can't get it to work.

I tried uncommenting the DN line, then the UID line, and then uncommenting both:


You need to uncomment *one* of these (probably the DN line):
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

here are the logs

[root@Snakeeyes Kernel]# tail /var/log/messages
Oct 14 16:32:10 Snakeeyes OTRS-CGI-10[8272]: [Notice][Kernel::System::Auth::LDAP::Auth] User: hawkman authentication failed, no LDAP group entry foundGroupDN='cn=otrs,ou=security groups,dc=sumitrustusa,dc=ad', Filter='(memberUid=hawkman)'! (REMOTE_ADDR: 10.10.5.6).
Oct 14 16:32:10 Snakeeyes OTRS-CGI-10[8272]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman'!
Oct 14 16:32:26 Snakeeyes OTRS-CGI-10[8274]: [Notice][Kernel::System::Auth::LDAP::Auth] User: Hawkman@sumitrustusa.ad authentication failed, no LDAP entry found!BaseDN='dc=sumitrustusa,dc=ad', Filter='(sAMAccountName=Hawkman@sumitrustusa.ad)', (REMOTE_ADDR: 10.10.5.6).
Oct 14 16:32:26 Snakeeyes OTRS-CGI-10[8274]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'Hawkman@sumitrustusa.ad'!
Oct 14 16:32:37 Snakeeyes OTRS-CGI-10[8276]: [Notice][Kernel::System::Auth::LDAP::Auth] User: hawkman@sumitrustusa.ad authentication failed, no LDAP entry found!BaseDN='dc=sumitrustusa,dc=ad', Filter='(sAMAccountName=hawkman@sumitrustusa.ad)', (REMOTE_ADDR: 10.10.5.6).
Oct 14 16:32:37 Snakeeyes OTRS-CGI-10[8276]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman@sumitrustusa.ad'!
Oct 14 16:33:09 Snakeeyes OTRS-CGI-10[8278]: [Notice][Kernel::System::Auth::LDAP::Auth] User: hawkman authentication failed, no LDAP group entry foundGroupDN='cn=otrs,ou=security groups,dc=sumitrustusa,dc=ad', Filter='(memberUid=CN=Hawkman,OU=Service Accounts,DC=sumitrustusa,DC=ad)'! (REMOTE_ADDR: 10.10.5.6).
Oct 14 16:33:09 Snakeeyes OTRS-CGI-10[8278]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman'!
Oct 14 16:35:23 Snakeeyes OTRS-CGI-10[8281]: [Notice][Kernel::System::Auth::LDAP::Auth] User: hawkman@sumitrustusa.ad authentication failed, no LDAP entry found!BaseDN='dc=sumitrustusa,dc=ad', Filter='(sAMAccountName=hawkman@sumitrustusa.ad)', (REMOTE_ADDR: 10.10.5.6).
Oct 14 16:35:23 Snakeeyes OTRS-CGI-10[8281]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman@sumitrustusa.ad'!
[root@Snakeeyes Kernel]#


I wonder if it's still a space issue in the OU names, like "Service Accounts".


marc
mritorto

Re: single signon with active directory

Post by mritorto »

Hey, in that wiki link you gave me, they have 'member' and not memberUid. Which should be used?


It has this: $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';




You have this

# $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
mritorto

Re: single signon with active directory

Post by mritorto »

I am noticing that my Linux server is 5 mins behind my domain controller. Would that affect it?
mritorto

Re: single signon with active directory

Post by mritorto »

I now moved my OTRS group to another OU in AD without a space.

I now see these messages in the log:


Oct 15 17:36:52 Snakeeyes OTRS-CGI-10[8982]: [Error][Kernel::System::Auth::LDAP::Auth][Line:276]: Search failed! base='cn=otrs,ou=Test,dc=sumitrustusa,dc=ad', filter='(memberUid=CN=Ritorto\\,Marc,OU=User Accounts,DC=sumitrustusa,DC=ad)', Success
Oct 15 17:36:52 Snakeeyes OTRS-CGI-10[8982]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'mritorto'!


I have tried both mritorto and mritorto@domainname.ad


Still can't get in.


See current config.pm:


# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2009 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.21 2009/02/16 12:01:43 tr Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# -->> OTRS does have a lot of config settings. For more settings
# (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
# LDAP, PostMaster, Session, Preferences, ...) see
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --

package Kernel::Config;

sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
#Customized LDAP Settings by Marc J. Ritorto MCSE#

##---------------------------------------------------------#
##----------------------------------------------------------#

#CN=Hawkman,OU=Service Accounts,DC=sumitrustusa,DC=ad
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,ou=Test,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# (only one UserAttr assignment can be in effect; a second one overrides the first)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hawkmanxx,ou=Service Accounts,dc=sumitrustusas,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'Meanpwd!';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusas.ad';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldap.sumitrustusas.ad/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=sumitrustusax,dc=ad';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=Hawkmanxx,ou=Service Accounts,dc=sumitrustusas,dc=ad';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'Meanpwd!';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};


# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
########################################################################################

####single sign on" solution for all your agents, you can use HTTP basic authentication
####(for all your systems) and the HTTPBasicAuth module for OTRS. ##########################

# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a singe login through
# apache http-basic-auth
# $Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';

# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENV{REMOTE_USER})
# $Self->{LoginURL} = 'http://10.10.2.14/not-authorised-for-otrs.html';
# $Self->{LogoutURL} = 'http://10.10.2.14/thanks-for-using-otrs.html';

# ---------------------------------------------------- #
# database settings #
# ---------------------------------------------------- #
# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'localhost';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = 'Lookatme!';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = '/opt/otrs';

# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;

# ---------------------------------------------------- #

# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #
# $DIBI$
$Self->{'SystemID'} = 10;
$Self->{'SecureMode'} = 1;
$Self->{'Organization'} = 'Sumitomo Trust & Banking CO. (USA)';
$Self->{'LogModule::LogFile'} = '/tmp/otrs.log';
$Self->{'LogModule'} = 'Kernel::System::Log::SysLog';
$Self->{'FQDN'} = 'Snakeeyes.sumitrustusa.ad';
$Self->{'DefaultLanguage'} = 'en';
$Self->{'AdminEmail'} = 'itadmin@stbusax.com';
$Self->{'DefaultCharset'} = 'utf-8';

# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this) #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.21 $)[1];

# -----------------------------------------------------#

1;
mritorto
Znuny newbie
Posts: 52
Joined: 13 Sep 2010, 20:39
Znuny Version: 2.4.7

Re: single signon with active directory

Post by mritorto »

I noticed OTRS is putting // in my username:

memberUid=CN=Ritorto\\,Marc,OU=User Accounts,DC=sumitrustusax,DC=ad)'! (REMOTE_ADDR: 10.10.5.6).

Why is that?
nagesh_vnr
Znuny newbie
Posts: 2
Joined: 18 Oct 2010, 18:26
Znuny Version: 2.4.7

Re: single signon with active directory

Post by nagesh_vnr »

Try this configuration:

# Enable LDAP Authentication for Agent #
# The trailing "1" on these keys selects the second auth backend slot (AuthModule1);
# keep the suffix on every key of that backend, Params included.

$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = '10.0.0.80';              # your host
$Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=myserver,DC=com';   # your domain

$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

$Self->{'AuthModule::LDAP::Params1'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};


# Code for DB sync

# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://10.0.0.80';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=myserver,DC=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
mritorto
Znuny newbie
Posts: 52
Joined: 13 Sep 2010, 20:39
Znuny Version: 2.4.7

Re: single signon with active directory

Post by mritorto »

What's the difference here?
mritorto
Znuny newbie
Posts: 52
Joined: 13 Sep 2010, 20:39
Znuny Version: 2.4.7

Re: single signon with active directory

Post by mritorto »

My config came from the wiki site.
mritorto
Znuny newbie
Posts: 52
Joined: 13 Sep 2010, 20:39
Znuny Version: 2.4.7

Re: single signon with active directory

Post by mritorto »

What's the difference between member and memberUid?



This "could be" member, but if you want memberUid, keep it.
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
mritorto
Znuny newbie
Posts: 52
Joined: 13 Sep 2010, 20:39
Znuny Version: 2.4.7

Re: single signon with active directory

Post by mritorto »

Guys,

when I restart the OTRS service I get this message:

Starting OTRS..
Checking httpd ... done.
Checking MySQL ... failed.
--> Please start the database at first! (service mysqld start) <--
[root@Snakeeyes ~]#


Would that be the cause of why I can't log in with my AD account?
mritorto
Znuny newbie
Posts: 52
Joined: 13 Sep 2010, 20:39
Znuny Version: 2.4.7

Re: single signon with active directory

Post by mritorto »

Guys,

I got it to work with these settings:

# --
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --

# Enable LDAP Authentication for Agent #
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,ou=Test,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hawkman,ou=Test,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'MeanGreen!';
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

# Enable LDAP Authentication Sync for Agent #
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://10.10.2.15:389';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=Hawkman,ou=Test,dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'MeanGreen!';

# Enable Agent Mapping from LDAP to DB #
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};




Is there any way to have the accounts that need admin rights on OTRS added to the right groups through this process?

If not, I assume I can use the old config.pm file to log on and add the users I want listed in the OTRS DB to the right admin groups, right?

Also, is there a way to have the config.pm look at the AD directory and the OTRS local DB for authentication, just in case the domain controller is down, or so I can still use the local root account to manage OTRS?

marc
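The memberUid-versus-member question earlier in this thread, and the `\\,` that showed up in the logged filter, both come down to how the OTRS group check builds its search. The script below is an added example written for this thread, not OTRS code: it replays the two Auth::LDAP lookups (find the user's DN by `AuthModule::LDAP::UID`, then search `GroupDN` for `(AccessAttr=<DN or login>)`, which of the two being chosen by `UserAttr`) against a constructed in-memory directory, so it runs with no LDAP server. The directory holds an AD-style group (full DNs in `member`), a posixGroup (bare logins in `memberUid`, as in the OTRS default comments), and the user, group and OU names from this thread. The RFC 4515 hex form of the escaped backslash (`\5c`) is my choice; the log in this thread shows the backslash doubled instead, which is the other common way to escape it.

```python
"""Replay of the OTRS Auth::LDAP group check against an AD group and a posixGroup.

Added example for this thread, not OTRS code: the lookups run against a
constructed in-memory directory, so no LDAP server is needed.
"""
import re

# Constructed directory. DN values are stored RFC 4514-escaped, as AD returns
# them: the comma inside the CN "Ritorto,Marc" becomes "\,".
USER_DN = r"CN=Ritorto\,Marc,OU=User Accounts,DC=sumitrustusa,DC=ad"
AD_GROUP = "cn=otrs,ou=Test,dc=sumitrustusa,dc=ad"
POSIX_GROUP = "cn=otrsallow,ou=posixGroups,dc=example,dc=com"  # OTRS default comment
DIRECTORY = {
    USER_DN: {"objectClass": ["user"], "sAMAccountName": ["mritorto"]},
    "CN=otrs,OU=Test,DC=sumitrustusa,DC=ad": {
        "objectClass": ["group"],
        "member": [USER_DN],            # AD group: members are full DNs
    },
    POSIX_GROUP: {
        "objectClass": ["posixGroup"],
        "memberUid": ["mritorto"],      # posixGroup: members are bare logins
    },
}
DN_SYNTAX_ATTRS = {"member", "distinguishedname"}  # compared as DNs, not strings

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter (backslash -> \\5c)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def normalize_dn(dn: str) -> str:
    """Minimal DN matching rule: case-insensitive, ignore blanks after commas."""
    return re.sub(r",\s+", ",", dn).lower()

def attr_values(entry: dict, attr: str) -> list:
    """Attribute names are case-insensitive in LDAP."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def matches(entry: dict, attr: str, wanted: str) -> bool:
    values = attr_values(entry, attr)
    if attr.lower() in DN_SYNTAX_ATTRS:
        return any(normalize_dn(v) == normalize_dn(wanted) for v in values)
    return wanted in values

def search(base_dn: str, filter_str: str, scope: str = "sub") -> list:
    """Evaluate a single '(attr=value)' equality filter, scope 'base' or 'sub'."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, wanted = m.group(1), unescape_filter_value(m.group(2))
    base = normalize_dn(base_dn)
    hits = []
    for dn, entry in DIRECTORY.items():
        ndn = normalize_dn(dn)
        in_scope = ndn == base if scope == "base" else ndn.endswith(base)
        if in_scope and matches(entry, attr, wanted):
            hits.append(dn)
    return hits

def find_user_dn(base_dn: str, uid_attr: str, login: str):
    """Step 1 of Auth::LDAP: locate the entry via AuthModule::LDAP::UID."""
    hits = search(base_dn, f"({uid_attr}={escape_filter_value(login)})")
    return hits[0] if hits else None

def group_check(login: str, user_dn: str, group_dn: str, access_attr: str, user_attr: str):
    """Step 2: search GroupDN for (AccessAttr=X), X being the user's DN or the
    bare login depending on AuthModule::LDAP::UserAttr. Returns (filter, allowed)."""
    value = user_dn if user_attr.upper() == "DN" else login
    flt = f"({access_attr}={escape_filter_value(value)})"
    return flt, bool(search(group_dn, flt, scope="base"))

def run_cases(login: str = "mritorto") -> dict:
    """Run the AccessAttr/UserAttr combinations discussed in the thread."""
    user_dn = find_user_dn("dc=sumitrustusa,dc=ad", "sAMAccountName", login)
    cases = {
        "AD group, memberUid/DN (first config)": (AD_GROUP, "memberUid", "DN"),
        "AD group, member/DN (working config)": (AD_GROUP, "member", "DN"),
        "AD group, member/UID": (AD_GROUP, "member", "UID"),
        "posixGroup, memberUid/UID (OTRS default)": (POSIX_GROUP, "memberUid", "UID"),
    }
    results = {"user_dn": user_dn}
    for name, (group, access_attr, user_attr) in cases.items():
        flt, ok = group_check(login, user_dn, group, access_attr, user_attr)
        results[name] = ok
        print(f"{'ALLOW' if ok else 'DENY '} {name}\n      filter={flt}")
    return results

if __name__ == "__main__":
    run_cases()
```

Running it prints one ALLOW/DENY line per combination with the filter that was sent. The failing filter from this thread, `(memberUid=CN=Ritorto\\,Marc,...)`, is the memberUid/DN row: an AD group object carries no memberUid attribute, so the search returns nothing no matter how the DN is escaped, while member/DN matches because AD compares DN-syntax attributes as DNs. The `\,` inside the CN is only RFC 4514 escaping of the comma in the name; the second backslash appears when that DN is escaped again for embedding in the filter. To run the same check from the OTRS host with OpenLDAP's client, bind as the search user and query the group at base scope: `ldapsearch -x -H ldap://10.10.2.15 -D 'cn=Hawkman,ou=Test,dc=sumitrustusa,dc=ad' -W -b 'cn=otrs,ou=Test,dc=sumitrustusa,dc=ad' -s base '(member=<user DN>)' dn`. As for the 5-minute clock offset asked about earlier, the simple bind this module performs does not depend on the client clock the way Kerberos does.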
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: single signon with active directory

Post by crythias »

If the active directory email matches the email address that's already assigned, no further action should be necessary. You'd have been able to test this...
As for backup auth, I believe the sync is supposed to handle that. On the other hand, if either OTRS or AD fails in communication, it would appear that bigger problems are likely in your network.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.