single signon with active directory
Moderator: crythias
guys
I modified the config.pm file so I can have my users authenticate using their AD accounts, but it's not working.
See the logs below.
Oct 5 11:55:00 Snakeeyes OTRS-CGI-10[2215]: [Error][Kernel::System::Auth::LDAP::Auth][Line:187]: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece#000
Oct 5 11:55:00 Snakeeyes OTRS-CGI-10[2215]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'mritorto@sumitrustusa.ad'!
Oct 5 11:55:20 Snakeeyes OTRS-CGI-10[2218]: [Error][Kernel::System::Auth::LDAP::Auth][Line:187]: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece#000
Oct 5 11:55:20 Snakeeyes OTRS-CGI-10[2218]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman@sumitrustusa.ad'!
[root@Snakeeyes log]#
Below are my settings in the config.pm file - the password is not shown here for security purposes.
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
# $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=Hawkman123,OU=Service Accounts,DC=Sumitrustusa,DC=AD';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '######';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';
Any ideas as to what I am doing wrong here? I have the LDAP module installed.
marc
Re: single signon with active directory
please note I am running otrs on fedora 13
-
- Moderator
- Posts: 10169
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: single signon with active directory
Comments are irrelevant, so your Config simplifies to:
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=Hawkman123,OU=Service Accounts,DC=Sumitrustusa,DC=AD';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '######';
You're missing quite a bit of other code here. Check the http://doc.otrs.org/2.4/en/html/x1872.html or wiki for more information and an example. Don't forget that you'll need to handle authentication as well as user lists.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Re: single signon with active directory
guys
Okay, I made the following modifications to the config.pm file, see below (some things were changed for security reasons).
I now get this message
Oct 6 15:24:53 Snakeeyes OTRS-CGI-10[3132]: [Notice][Kernel::System::Auth::HTTPBasicAuth::Auth] User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: 10.10.5.6).
Oct 6 15:24:53 Snakeeyes OTRS-CGI-10[3132]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman@sumitrustusa.ad'!
I know I did not finish configuring the single sign-on stuff yet, but I figured the LDAP stuff would work.
any ideas
# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2009 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.21 2009/02/16 12:01:43 tr Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# -->> OTRS does have a lot of config settings. For more settings
# (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
# LDAP, PostMaster, Session, Preferences, ...) see
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --
package Kernel::Config;
sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
#Customized LDAP Settings #
##---------------------------------------------------------#
##----------------------------------------------------------#
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.x.x';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusaxx,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,ou=security groups,dc=sumitrustusax,dc=ad';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hadddd,ou=Service Accounts,dc=sumitrustusax,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'MeanGreenxx!';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
$Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusax.ad';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldap.sumitrustusax.ad/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=Hawxxx,ou=Service Accounts,dc=sumitrustusax,dc=ad';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'MeanGreenxxx!';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
########################################################################################
####single sign on" solution for all your agents, you can use HTTP basic authentication
####(for all your systems) and the HTTPBasicAuth module for OTRS. ##########################
# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a single login through
# apache http-basic-auth
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENV{REMOTE_USER})
# $Self->{LoginURL} = 'http://10.10.2.14/not-authorised-for-otrs.html';
#$Self->{LogoutURL} = 'http://10.10.2.14/thanks-for-using-otrs.html';
Re: single signon with active directory
I commented out the single logon info in the config.pm and now I get this message in the messages.log
authentication failed, no LDAP entry found!BaseDN='dc=sumitrustusa,dc=ad', Filter='(sAMAccountName=root@localhost@sumitrustusa.ad)', (REMOTE_ADDR: 10.10.5.6).
Oct 6 15:44:10 Snakeeyes OTRS-CGI-10[3173]: [Notice][Kernel::System::Auth::LDAP::Auth] User: hawkman@sumitrustusa.ad@sumitrustusa.ad authentication failed, no LDAP entry found!BaseDN='dc=sumitrustusa,dc=ad', Filter='(sAMAccountName=hawkman@sumitrustusa.ad@sumitrustusa.ad)', (REMOTE_ADDR: 10.10.5.6).
Oct 6 15:44:10 Snakeeyes OTRS-CGI-10[3173]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman@sumitrustusa.ad'!
Re: single signon with active directory
it might be because of this:
$Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusax.ad';
and an attempt to log on with full email address.
Re: single signon with active directory
I was wondering if OTRS would recognize a space in the names of the AD OU structure, see below
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,ou=security groups,dc=sumitrustusax,dc=ad';
This account exists in the OU named security groups - would OTRS understand that there is a space between the words security and groups?
I know in Perl you usually have to put a // or a ' ' in order for the program to know that there is a space.
do I really need a posix group in AD also?
marc
Re: single signon with active directory
mritorto wrote:
i thought that had to be in there to logon using username@domainname.com
am i wrong?
marc
Yes, because directly above it says:
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
Kernel::System::Auth::LDAP::Auth] User: hawkman@sumitrustusa.ad@sumitrustusa.ad authentication failed, no LDAP entry found!
It makes sense that *something* is appending the domain name again.
-
- Znuny superhero
- Posts: 723
- Joined: 10 Oct 2007, 14:30
- Znuny Version: 3.0
- Location: Hamburg, Germany
Re: single signon with active directory
Since you are authenticating against samaccountname, you should not append a suffix.
You configured your login to search your AD for the username@domain.tld.
E.g.: User 'bofh' logs in at OTRS, the login script will look for 'bofh@domain.tld' in the samaccountname field of your ad. This does not make sense, since samaccountname usually does not contain your domain name.
In case your users login with 'bofh' (without domain) in windows and OTRS,
1) configure it to search the username in samaccountname without suffix!
2) configure it to search the username in userprincipalname adding the suffix!
In case your users login with 'bofh@domain.tld' (with domain) in windows and OTRS, configure it to search the username in userprincipalname without suffix!
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
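bofh's point, and marc's earlier question about the space in ou=security groups, can both be made concrete by building the filters by hand. The following is an added Python example, not OTRS's code: it models how the UID, UserSuffix, AlwaysFilter and GroupDN/AccessAttr/UserAttr settings turn a typed login into an LDAP search filter. It reproduces the double-suffix filter from the thread's log, shows bofh's working combinations, shows that a space or comma inside a DN value needs no quoting while '*', '(' and ')' in a typed login must be escaped per RFC 4515 before they reach the filter, and places the thread's memberUid-with-full-DN group filter beside the member-attribute form that AD group objects hold (a fact about AD, not from the thread). The function names and the rule in ad_login_filter are my own approximations.

```python
# RFC 4515 escaping for values interpolated into an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape the characters that carry meaning inside a filter; spaces,
    commas and '@' are plain data and pass through unchanged."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(uid_attr, login, user_suffix="", always_filter=""):
    """Model of the user-lookup filter built from the AuthModule::LDAP settings
    UID (uid_attr), UserSuffix (appended to every typed login) and AlwaysFilter
    (AND-ed onto every query). Hypothetical helper, not OTRS's own code."""
    base = f"({uid_attr}={escape_filter_value(login + user_suffix)})"
    return f"(&{base}{always_filter})" if always_filter else base


def build_group_filter(access_attr, user_attr, login, user_dn):
    """Model of the membership check run against GroupDN. UserAttr 'UID' puts the
    bare login into the filter (posixGroup, memberUid); 'DN' puts the user's full
    DN in, which is what the 'member' attribute of an AD group holds."""
    value = login if user_attr.upper() == "UID" else user_dn
    return f"({access_attr}={escape_filter_value(value)})"


def ad_login_filter(login):
    """bofh's advice applied (my reading, not an OTRS option): a login that
    already carries '@domain' is matched on userPrincipalName without a suffix;
    a bare login is matched on sAMAccountName without a suffix."""
    if "@" in login:
        return build_login_filter("userPrincipalName", login)
    return build_login_filter("sAMAccountName", login)


if __name__ == "__main__":
    # Constructed inputs taken from the thread; the failing combination first.
    print(build_login_filter("sAMAccountName", "hawkman@sumitrustusa.ad", "@sumitrustusa.ad"))
    print(build_login_filter("sAMAccountName", "bofh"))                      # bofh's option 1
    print(build_login_filter("userPrincipalName", "bofh", "@domain.tld"))    # bofh's option 2
    print(build_login_filter("userPrincipalName", "bofh@domain.tld"))        # login with domain
    dn = "CN=Hawkman,OU=Service Accounts,DC=sumitrustusa,DC=ad"
    print(build_group_filter("memberUid", "DN", "hawkman", dn))  # what the thread's log shows
    print(build_group_filter("member", "DN", "hawkman", dn))     # AD group membership form
    print(build_login_filter("sAMAccountName", "*)(objectClass=*"))  # escaped, not injected
```

Note that the space in "OU=Service Accounts" survives untouched: the DN is just a string value inside the filter, and only the five filter metacharacters are rewritten.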
-
- Znuny newbie
- Posts: 20
- Joined: 12 Oct 2010, 15:44
- Znuny Version: 3.0.5
Re: single signon with active directory
here is my config and it is working like a charm:
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'pdc.mydomain.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=mydomain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
And the usernames in OTRS are defined as firstname.lastname, identical with their AD logon username.
George
OTRS 3.0.5 on Gentoo Linux, LDAP authentication for users and customers.
Re: single signon with active directory
are you saying I should comment the following lines like this:
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusax.ad';
marc
Re: single signon with active directory
I commented the suffix section out and now I get this message in the logs
Oct 10 03:43:01 Snakeeyes kernel: imklog 4.4.2, log source = /proc/kmsg started.
Oct 10 03:43:01 Snakeeyes rsyslogd: [origin software="rsyslogd" swVersion="4.4.2 " x-pid="923" x-info="http://www.rsyslog.com"] (re)start
Oct 13 11:50:52 Snakeeyes OTRS-CGI-10[7554]: [Notice][Kernel::System::Auth::LDAP ::Auth] User: hawkman authentication failed, no LDAP group entry foundGroupDN='c n=otrs,ou=security groups,dc=sumitrustusa,dc=ad', Filter='(memberUid=CN=Hawkman, OU=Service Accounts,DC=sumitrustusa,DC=ad)'! (REMOTE_ADDR: 10.10.5.6).
Oct 13 11:50:52 Snakeeyes OTRS-CGI-10[7554]: [Error][Kernel::System::User::UserL ookup][Line:696]: No UserID found for 'hawkman'!
Oct 13 11:51:05 Snakeeyes OTRS-CGI-10[7557]: [Notice][Kernel::System::Auth::LDAP ::Auth] User: hawkman authentication failed, no LDAP group entry foundGroupDN='c n=otrs,ou=security groups,dc=sumitrustusa,dc=ad', Filter='(memberUid=CN=Hawkman, OU=Service Accounts,DC=sumitrustusa,DC=ad)'! (REMOTE_ADDR: 10.10.5.6).
Oct 13 11:51:05 Snakeeyes OTRS-CGI-10[7557]: [Error][Kernel::System::User::UserL ookup][Line:696]: No UserID found for 'hawkman'!
[root@Snakeeyes log]#
Re: single signon with active directory
this particular error indicates a space between c and n ...
foundGroupDN='c n=ot
Re: single signon with active directory
hmm, I don't see a space in the config file
Re: single signon with active directory
Please post your current Config.pm (password redacted), and whether you are attempting to log in with username or email address.
It appears that you've both removed the domain suffix and attempted to log in with the username only.
Also, you seem to (if I'm reading this correctly) be filtering on a specific User, and that may even be case sensitive. At this time, I'm simply guessing because I don't have enough information.
Re: single signon with active directory
At first, with the suffix uncommented, I tried using the username hawkman@domainname.com.
I now commented the section 8 out so I am using just hawkman.
do I need this search option?
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hawkman,ou=Service Accounts,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'MeanGreen!';
I want to be able to use any acct on the domain. see my latest config below
# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2009 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.21 2009/02/16 12:01:43 tr Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# -->> OTRS does have a lot of config settings. For more settings
# (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
# LDAP, PostMaster, Session, Preferences, ...) see
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --
package Kernel::Config;
sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
#Customized LDAP Settings by Marc J. Ritorto MCSE#
##---------------------------------------------------------#
##----------------------------------------------------------#
#CN=Hawkman,OU=Service Accounts,DC=sumitrustusa,DC=ad
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,ou=security groups,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hawkman,ou=Service Accounts,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'MeanGreen!';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusa.ad';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldap.sumitrustusa.ad/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=Hawkman,ou=Service Accounts,dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'MeanGreen!';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
########################################################################################
####single sign on" solution for all your agents, you can use HTTP basic authentication
####(for all your systems) and the HTTPBasicAuth module for OTRS. ##########################
# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a singe login through
# apache http-basic-auth
# $Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENV{REMOTE_USER})
# $Self->{LoginURL} = 'http://10.10.2.14/not-authorised-for-otrs.html';
#$Self->{LogoutURL} = 'http://10.10.2.14/thanks-for-using-otrs.html';
# ---------------------------------------------------- #
# database settings #
# ---------------------------------------------------- #
# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'localhost';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = 'Lookatme!';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";
# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = '/opt/otrs';
# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #
# $DIBI$
$Self->{'SystemID'} = 10;
$Self->{'SecureMode'} = 1;
$Self->{'Organization'} = 'Sumitomo Trust & Banking CO. (USA)';
$Self->{'LogModule::LogFile'} = '/tmp/otrs.log';
$Self->{'LogModule'} = 'Kernel::System::Log::SysLog';
$Self->{'FQDN'} = 'Snakeeyes.sumitrustusa.ad';
$Self->{'DefaultLanguage'} = 'en';
$Self->{'AdminEmail'} = 'itadmin@stbusax.com';
$Self->{'DefaultCharset'} = 'utf-8';
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
}
# ---------------------------------------------------- #
# needed system stuff (don't edit this) #
# ---------------------------------------------------- #
use strict;
use warnings;
use vars qw(@ISA $VERSION);
use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');
use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.21 $)[1];
# -----------------------------------------------------#
1;
I now commented the section 8 out so I am using just hawkman.
Do I need this search option?
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hawkman,ou=Service Accounts,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'MeanGreen!';
I want to be able to use any account on the domain. See my latest config below.
# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2009 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.21 2009/02/16 12:01:43 tr Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# -->> OTRS does have a lot of config settings. For more settings
# (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
# LDAP, PostMaster, Session, Preferences, ...) see
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --
package Kernel::Config;
sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
#Customized LDAP Settings by Marc J. Ritorto MCSE#
##---------------------------------------------------------#
##----------------------------------------------------------#
#CN=Hawkman,OU=Service Accounts,DC=sumitrustusa,DC=ad
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,ou=security groups,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hawkman,ou=Service Accounts,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'MeanGreen!';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusa.ad';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldap.sumitrustusa.ad/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=Hawkman,ou=Service Accounts,dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'MeanGreen!';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
########################################################################################
####single sign on" solution for all your agents, you can use HTTP basic authentication
####(for all your systems) and the HTTPBasicAuth module for OTRS. ##########################
# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a singe login through
# apache http-basic-auth
# $Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENV{REMOTE_USER})
# $Self->{LoginURL} = 'http://10.10.2.14/not-authorised-for-otrs.html';
#$Self->{LogoutURL} = 'http://10.10.2.14/thanks-for-using-otrs.html';
# ---------------------------------------------------- #
# database settings #
# ---------------------------------------------------- #
# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'localhost';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = 'Lookatme!';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";
# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = '/opt/otrs';
# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #
# $DIBI$
$Self->{'SystemID'} = 10;
$Self->{'SecureMode'} = 1;
$Self->{'Organization'} = 'Sumitomo Trust & Banking CO. (USA)';
$Self->{'LogModule::LogFile'} = '/tmp/otrs.log';
$Self->{'LogModule'} = 'Kernel::System::Log::SysLog';
$Self->{'FQDN'} = 'Snakeeyes.sumitrustusa.ad';
$Self->{'DefaultLanguage'} = 'en';
$Self->{'AdminEmail'} = 'itadmin@stbusax.com';
$Self->{'DefaultCharset'} = 'utf-8';
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
}
# ---------------------------------------------------- #
# needed system stuff (don't edit this) #
# ---------------------------------------------------- #
use strict;
use warnings;
use vars qw(@ISA $VERSION);
use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');
use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.21 $)[1];
# -----------------------------------------------------#
1;
- Moderator
- Posts: 10169
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
Re: single signon with active directory
Maybe you should re-read the wiki page. http://wiki.otrs.org/index.php?title=Us ... for_agents
These should probably match:
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hawkman,ou=Service Accounts,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '##password##';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldap.sumitrustusa.ad/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=Hawkman,ou=Service Accounts,dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '##password##';
If you want to type username@sumitrustusa.ad as the logging in user, do not remove the comment.
If you want to type username as the logging in user, remove the comment.
In other words, this entry, if enabled, appends to the username provided at login before it tries to find out if it's a valid login.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusa.ad';
This "could be" member, but if you want memberUid, keep it.
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
You need to uncomment *one* of these (probably the DN line):
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
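The moderator's three points (UserSuffix, AccessAttr, UserAttr) come down to which two filters OTRS ends up sending: one under BaseDN to find the agent, one under GroupDN to check membership. The Python model below is an added example, not OTRS code and not from the OTRS wiki: the Settings fields mirror the Config.pm keys quoted above, the bind step is left out, and the in-memory directory (example.test entries, an AD-style group that lists members by DN in `member`, and a posixGroup that lists logins in `memberUid`) is constructed for the demo. It also goes one step beyond the thread by including a DN with an escaped comma, which has to be RFC 4515-escaped before it is placed in a filter.

```python
"""Model of the two lookups Kernel::System::Auth::LDAP performs: find the agent
under BaseDN, then look for the agent under GroupDN. Added example, not OTRS
code; the Settings fields mirror the Config.pm keys, the bind step is omitted,
and the directory entries are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]   # attribute -> values
Directory = Dict[str, Entry]   # DN -> entry (constructed sample data)

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape an assertion value before placing it in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    """What the server does before comparing: turn \\xx back into the character."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

@dataclass
class Settings:
    uid_attr: str = "sAMAccountName"  # AuthModule::LDAP::UID
    user_suffix: str = ""             # AuthModule::LDAP::UserSuffix ('' = line commented out)
    group_dn: str = ""                # AuthModule::LDAP::GroupDN ('' = no group check)
    access_attr: str = "memberUid"    # AuthModule::LDAP::AccessAttr
    user_attr: str = "UID"            # AuthModule::LDAP::UserAttr: 'UID' or 'DN'

def user_filter(s: Settings, login: str) -> str:
    """Filter sent with base=BaseDN to find the agent's entry."""
    return f"({s.uid_attr}={escape_filter_value(login + s.user_suffix)})"

def group_filter(s: Settings, login: str, user_dn: str) -> str:
    """Filter sent with base=GroupDN; the value is the DN or the login, per UserAttr."""
    value = user_dn if s.user_attr.upper() == "DN" else login + s.user_suffix
    return f"({s.access_attr}={escape_filter_value(value)})"

def search(directory: Directory, base: str, flt: str) -> List[str]:
    """Subtree search for a single equality filter; returns the matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    attr, wanted = m.group(1).lower(), unescape_filter_value(m.group(2)).lower()
    hits = []
    for dn, entry in directory.items():
        in_scope = dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())
        values = [v.lower() for a, vs in entry.items() if a.lower() == attr for v in vs]
        if in_scope and wanted in values:
            hits.append(dn)
    return hits

def authenticate(s: Settings, directory: Directory, base_dn: str, login: str) -> Tuple[bool, str]:
    """Entry lookup, then the optional group check, with the reasons OTRS logs."""
    uf = user_filter(s, login)
    found = search(directory, base_dn, uf)
    if not found:
        return False, f"no LDAP entry found, BaseDN='{base_dn}', Filter='{uf}'"
    user_dn = found[0]
    if s.group_dn:
        gf = group_filter(s, login, user_dn)
        if not search(directory, s.group_dn, gf):
            return False, f"no LDAP group entry found, GroupDN='{s.group_dn}', Filter='{gf}'"
    return True, user_dn

# Constructed directory: two AD-style users, an AD group (member = DNs) and a posixGroup.
BASE_DN = "dc=example,dc=test"
AD_GROUP = "CN=otrs,OU=Test,DC=example,DC=test"
POSIX_GROUP = "cn=otrs,ou=posixGroups,dc=example,dc=test"
DIRECTORY: Directory = {
    "CN=Hawkman,OU=Service Accounts,DC=example,DC=test": {
        "sAMAccountName": ["hawkman"], "userPrincipalName": ["hawkman@example.test"]},
    "CN=Ritorto\\,Marc,OU=User Accounts,DC=example,DC=test": {"sAMAccountName": ["mritorto"]},  # escaped comma in CN
    AD_GROUP: {"member": ["CN=Hawkman,OU=Service Accounts,DC=example,DC=test",
                          "CN=Ritorto\\,Marc,OU=User Accounts,DC=example,DC=test"]},
    POSIX_GROUP: {"memberUid": ["hawkman"]},
}

def demo() -> Dict[str, Tuple[bool, str]]:
    """The combinations discussed in the thread, run against the constructed directory."""
    ad_member_dn = Settings(group_dn=AD_GROUP, access_attr="member", user_attr="DN")
    return {
        # As posted: posixGroup attributes against an AD group -> the group check fails.
        "memberUid+UID vs AD group": authenticate(Settings(group_dn=AD_GROUP), DIRECTORY, BASE_DN, "hawkman"),
        # sAMAccountName never carries @domain, so a suffixed login finds no entry at all.
        "login with @domain": authenticate(Settings(group_dn=AD_GROUP), DIRECTORY, BASE_DN, "hawkman@example.test"),
        # The pairing an AD group needs: member + DN.
        "member+DN vs AD group": authenticate(ad_member_dn, DIRECTORY, BASE_DN, "hawkman"),
        # The backslash in the DN is filter-escaped as \5c and still matches the group's member value.
        "member+DN, comma in CN": authenticate(ad_member_dn, DIRECTORY, BASE_DN, "mritorto"),
        # memberUid + UID is right only when the group really is a posixGroup.
        "memberUid+UID vs posixGroup": authenticate(Settings(group_dn=POSIX_GROUP), DIRECTORY, BASE_DN, "hawkman"),
    }

if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {detail}")
```

Run as a script, the first two combinations fail with the same "no LDAP group entry found" and "no LDAP entry found" reasons the logs in this thread show, while member + DN succeeds against the AD group. The escape step is what keeps a DN containing a backslash, or a login typed with `*` or `)`, from changing the meaning of the filter OTRS sends.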
Re: single signon with active directory
Let me see.
Re: single signon with active directory
I still can't get it to work.
I tried uncommenting the DN, then UID, and then uncommenting both.
You need to uncomment *one* of these (probably the DN line):
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
Here are the logs:
[root@Snakeeyes Kernel]# tail /var/log/messages
Oct 14 16:32:10 Snakeeyes OTRS-CGI-10[8272]: [Notice][Kernel::System::Auth::LDAP::Auth] User: hawkman authentication failed, no LDAP group entry foundGroupDN='cn=otrs,ou=security groups,dc=sumitrustusa,dc=ad', Filter='(memberUid=hawkman)'! (REMOTE_ADDR: 10.10.5.6).
Oct 14 16:32:10 Snakeeyes OTRS-CGI-10[8272]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman'!
Oct 14 16:32:26 Snakeeyes OTRS-CGI-10[8274]: [Notice][Kernel::System::Auth::LDAP::Auth] User: Hawkman@sumitrustusa.ad authentication failed, no LDAP entry found!BaseDN='dc=sumitrustusa,dc=ad', Filter='(sAMAccountName=Hawkman@sumitrustusa.ad)', (REMOTE_ADDR: 10.10.5.6).
Oct 14 16:32:26 Snakeeyes OTRS-CGI-10[8274]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'Hawkman@sumitrustusa.ad'!
Oct 14 16:32:37 Snakeeyes OTRS-CGI-10[8276]: [Notice][Kernel::System::Auth::LDAP::Auth] User: hawkman@sumitrustusa.ad authentication failed, no LDAP entry found!BaseDN='dc=sumitrustusa,dc=ad', Filter='(sAMAccountName=hawkman@sumitrustusa.ad)', (REMOTE_ADDR: 10.10.5.6).
Oct 14 16:32:37 Snakeeyes OTRS-CGI-10[8276]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman@sumitrustusa.ad'!
Oct 14 16:33:09 Snakeeyes OTRS-CGI-10[8278]: [Notice][Kernel::System::Auth::LDAP::Auth] User: hawkman authentication failed, no LDAP group entry foundGroupDN='cn=otrs,ou=security groups,dc=sumitrustusa,dc=ad', Filter='(memberUid=CN=Hawkman,OU=Service Accounts,DC=sumitrustusa,DC=ad)'! (REMOTE_ADDR: 10.10.5.6).
Oct 14 16:33:09 Snakeeyes OTRS-CGI-10[8278]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman'!
Oct 14 16:35:23 Snakeeyes OTRS-CGI-10[8281]: [Notice][Kernel::System::Auth::LDAP::Auth] User: hawkman@sumitrustusa.ad authentication failed, no LDAP entry found!BaseDN='dc=sumitrustusa,dc=ad', Filter='(sAMAccountName=hawkman@sumitrustusa.ad)', (REMOTE_ADDR: 10.10.5.6).
Oct 14 16:35:23 Snakeeyes OTRS-CGI-10[8281]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'hawkman@sumitrustusa.ad'!
[root@Snakeeyes Kernel]#
I wonder if it's still a space issue in the OU's name, like "Service Accounts".
marc
Re: single signon with active directory
Hey, in that wiki link you gave me
they have 'member' and not memberUid. Which should be used?
It has this: $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
You have this:
# $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
Re: single signon with active directory
I am noticing that my Linux server is 5 mins behind my domain controller. Would that affect it?
Re: single signon with active directory
I now moved my OTRS group to another OU in AD without a space.
I now see these messages in the log:
Oct 15 17:36:52 Snakeeyes OTRS-CGI-10[8982]: [Error][Kernel::System::Auth::LDAP::Auth][Line:276]: Search failed! base='cn=otrs,ou=Test,dc=sumitrustusa,dc=ad', filter='(memberUid=CN=Ritorto\\,Marc,OU=User Accounts,DC=sumitrustusa,DC=ad)', Success
Oct 15 17:36:52 Snakeeyes OTRS-CGI-10[8982]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'mritorto'!
I have tried both mritorto and mritorto@domainname.ad.
Still can't get in.
See current config.pm:
# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2009 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.21 2009/02/16 12:01:43 tr Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# -->> OTRS does have a lot of config settings. For more settings
# (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
# LDAP, PostMaster, Session, Preferences, ...) see
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --
package Kernel::Config;
sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
#Customized LDAP Settings by Marc J. Ritorto MCSE#
##---------------------------------------------------------#
##----------------------------------------------------------#
#CN=Hawkman,OU=Service Accounts,DC=sumitrustusa,DC=ad
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,ou=Test,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hawkmanxx,ou=Service Accounts,dc=sumitrustusas,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'Meanpwd!';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusas.ad';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldap.sumitrustusas.ad/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=sumitrustusax,dc=ad';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=Hawkmanxx,ou=Service Accounts,dc=sumitrustusas,dc=ad';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'Meanpwd!';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
########################################################################################
####single sign on" solution for all your agents, you can use HTTP basic authentication
####(for all your systems) and the HTTPBasicAuth module for OTRS. ##########################
# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a singe login through
# apache http-basic-auth
# $Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENV{REMOTE_USER})
# $Self->{LoginURL} = 'http://10.10.2.14/not-authorised-for-otrs.html';
# $Self->{LogoutURL} = 'http://10.10.2.14/thanks-for-using-otrs.html';
# ---------------------------------------------------- #
# database settings #
# ---------------------------------------------------- #
# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'localhost';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = 'Lookatme!';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";
# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = '/opt/otrs';
# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #
# $DIBI$
$Self->{'SystemID'} = 10;
$Self->{'SecureMode'} = 1;
$Self->{'Organization'} = 'Sumitomo Trust & Banking CO. (USA)';
$Self->{'LogModule::LogFile'} = '/tmp/otrs.log';
$Self->{'LogModule'} = 'Kernel::System::Log::SysLog';
$Self->{'FQDN'} = 'Snakeeyes.sumitrustusa.ad';
$Self->{'DefaultLanguage'} = 'en';
$Self->{'AdminEmail'} = 'itadmin@stbusax.com';
$Self->{'DefaultCharset'} = 'utf-8';
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
}
# ---------------------------------------------------- #
# needed system stuff (don't edit this) #
# ---------------------------------------------------- #
use strict;
use warnings;
use vars qw(@ISA $VERSION);
use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');
use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.21 $)[1];
# -----------------------------------------------------#
1;
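The log lines quoted in this post and the earlier one already carry the base DN and the exact filter OTRS sent, which is enough to spot the mismatch without touching the directory. The script below is an added example, not part of OTRS: it parses the three Auth::LDAP message shapes quoted in this thread (the SAMPLE_LOG lines are copied from the thread as posted) and flags the general LDAP/AD facts each one reveals: a posixGroup attribute used against an AD group, an @domain suffix compared against sAMAccountName, a raw backslash (from the escaped comma in CN=Ritorto\,Marc) that RFC 4515 requires hex-escaped, and the question of spaces inside an OU name. The rule set and its wording are my own; Net::LDAP::Util::escape_filter_value is the Perl helper that performs that escaping.

```python
"""Triage of Kernel::System::Auth::LDAP log lines of the three shapes quoted in
this thread. Added example, not OTRS code; the sample lines are copied from the
thread, and the rules encode general LDAP/AD facts rather than OTRS internals."""
import re
from typing import Dict, List, Optional

# (kind, pattern) for the three message shapes; OTRS prints no space before GroupDN=/BaseDN=.
PATTERNS = [
    ("no_entry", re.compile(r"User: (?P<login>\S+) authentication failed, no LDAP entry found!"
                            r"BaseDN='(?P<base>[^']*)', Filter='(?P<filter>[^']*)'")),
    ("no_group_entry", re.compile(r"User: (?P<login>\S+) authentication failed, no LDAP group entry found"
                                  r"GroupDN='(?P<base>[^']*)', Filter='(?P<filter>[^']*)'")),
    ("search_failed", re.compile(r"Search failed! base='(?P<base>[^']*)', filter='(?P<filter>[^']*)'")),
]
FILTER_RE = re.compile(r"\((?P<attr>[\w-]+)=(?P<value>.*)\)$")   # single equality filter
POSIX_ATTRS = {"memberuid"}   # posixGroup membership attribute; AD groups use 'member' (DN-valued)

def unescaped_specials(value: str) -> List[str]:
    """Characters RFC 4515 requires to be hex-escaped (\\5c, \\2a, \\28, \\29) that appear raw."""
    bad = []
    for i, ch in enumerate(value):
        if ch == "\\" and not re.fullmatch(r"[0-9a-fA-F]{2}", value[i + 1:i + 3]):
            bad.append(ch)          # a backslash that does not introduce a hex escape
        elif ch in "*()":
            bad.append(ch)
    return bad

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a recognised Auth::LDAP line, or None for any other line."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if not m:
            continue
        rec = {"kind": kind, "login": "", **m.groupdict()}
        fm = FILTER_RE.search(rec["filter"])
        rec["attr"] = fm.group("attr") if fm else ""
        rec["value"] = fm.group("value") if fm else ""
        return rec
    return None

def diagnose(rec: Dict[str, str]) -> List[str]:
    """Configuration problems that the logged base/filter pair reveals."""
    findings = []
    attr, value = rec["attr"].lower(), rec["value"]
    looks_like_dn = "=" in value and "," in value
    if rec["kind"] == "no_entry" and attr == "samaccountname" and "@" in value:
        findings.append("sAMAccountName never contains '@domain': log in with the bare name, keep "
                        "UserSuffix commented out, or switch UID to userPrincipalName")
    if rec["kind"] != "no_entry" and attr in POSIX_ATTRS:
        what = "a full DN" if looks_like_dn else "a bare login"
        findings.append(f"'{rec['attr']}' is the posixGroup membership attribute and the filter compares "
                        f"{what} against it; an AD group lists members by DN in 'member', so use "
                        "AccessAttr='member' together with UserAttr='DN'")
    bad = unescaped_specials(value)
    if bad:
        findings.append(f"filter value contains unescaped {sorted(set(bad))}; RFC 4515 requires hex "
                        "escapes (\\ -> \\5c), which Net::LDAP::Util::escape_filter_value produces")
    if " " in rec["base"]:
        findings.append("spaces inside an RDN value (e.g. 'ou=security groups') are legal in a DN and "
                        "need no escaping; they are not the cause")
    return findings

# Sample lines copied from this thread (timestamps and process ids as logged).
SAMPLE_LOG = [
    "Oct 14 16:32:10 Snakeeyes OTRS-CGI-10[8272]: [Notice][Kernel::System::Auth::LDAP::Auth] User: hawkman authentication failed, no LDAP group entry foundGroupDN='cn=otrs,ou=security groups,dc=sumitrustusa,dc=ad', Filter='(memberUid=hawkman)'! (REMOTE_ADDR: 10.10.5.6).",
    "Oct 14 16:32:26 Snakeeyes OTRS-CGI-10[8274]: [Notice][Kernel::System::Auth::LDAP::Auth] User: Hawkman@sumitrustusa.ad authentication failed, no LDAP entry found!BaseDN='dc=sumitrustusa,dc=ad', Filter='(sAMAccountName=Hawkman@sumitrustusa.ad)', (REMOTE_ADDR: 10.10.5.6).",
    "Oct 14 16:33:09 Snakeeyes OTRS-CGI-10[8278]: [Notice][Kernel::System::Auth::LDAP::Auth] User: hawkman authentication failed, no LDAP group entry foundGroupDN='cn=otrs,ou=security groups,dc=sumitrustusa,dc=ad', Filter='(memberUid=CN=Hawkman,OU=Service Accounts,DC=sumitrustusa,DC=ad)'! (REMOTE_ADDR: 10.10.5.6).",
    r"Oct 15 17:36:52 Snakeeyes OTRS-CGI-10[8982]: [Error][Kernel::System::Auth::LDAP::Auth][Line:276]: Search failed! base='cn=otrs,ou=Test,dc=sumitrustusa,dc=ad', filter='(memberUid=CN=Ritorto\\,Marc,OU=User Accounts,DC=sumitrustusa,DC=ad)', Success",
    "Oct 15 17:36:52 Snakeeyes OTRS-CGI-10[8982]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'mritorto'!",
]

def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every recognised line and attach its findings."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            out.append({**rec, "findings": diagnose(rec)})
    return out

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"[{r['kind']}] login={r['login'] or '-'} filter={r['filter']}")
        for f in r["findings"]:
            print("   -", f)
```

Feed it the output of `tail /var/log/messages` and only the Auth::LDAP lines are reported; the UserLookup "No UserID found" lines that follow each failure carry no base or filter, so the parser skips them.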
I now see these messages in the log
Oct 15 17:36:52 Snakeeyes OTRS-CGI-10[8982]: [Error][Kernel::System::Auth::LDAP::Auth][Line:276]: Search failed! base='cn=otrs,ou=Test,dc=sumitrustusa,dc=ad', filter='(memberUid=CN=Ritorto\\,Marc,OU=User Accounts,DC=sumitrustusa,DC=ad)', Success
Oct 15 17:36:52 Snakeeyes OTRS-CGI-10[8982]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'mritorto'!
I have tried both mritorto and mritorto@domainname.ad
still can't get in
see current config.pm
# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2009 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.21 2009/02/16 12:01:43 tr Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# -->> OTRS does have a lot of config settings. For more settings
# (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
# LDAP, PostMaster, Session, Preferences, ...) see
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --
package Kernel::Config;
sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
#Customized LDAP Settings by Marc J. Ritorto MCSE#
##---------------------------------------------------------#
##----------------------------------------------------------#
#CN=Hawkman,OU=Service Accounts,DC=sumitrustusa,DC=ad
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,ou=Test,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hawkmanxx,ou=Service Accounts,dc=sumitrustusas,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'Meanpwd!';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@sumitrustusas.ad';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldap.sumitrustusas.ad/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=sumitrustusax,dc=ad';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=Hawkmanxx,ou=Service Accounts,dc=sumitrustusas,dc=ad';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'Meanpwd!';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
########################################################################################
####single sign on" solution for all your agents, you can use HTTP basic authentication
####(for all your systems) and the HTTPBasicAuth module for OTRS. ##########################
# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a single login through
# apache http-basic-auth
# $Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
# Note:
#
# If you use this module, you should use as fallback
# the following configuration settings if the user is not authorized
# apache ($ENV{REMOTE_USER})
# $Self->{LoginURL} = 'http://10.10.2.14/not-authorised-for-otrs.html';
# $Self->{LogoutURL} = 'http://10.10.2.14/thanks-for-using-otrs.html';
# ---------------------------------------------------- #
# database settings #
# ---------------------------------------------------- #
# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'localhost';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = 'Lookatme!';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";
# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = '/opt/otrs';
# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #
# $DIBI$
$Self->{'SystemID'} = 10;
$Self->{'SecureMode'} = 1;
$Self->{'Organization'} = 'Sumitomo Trust & Banking CO. (USA)';
$Self->{'LogModule::LogFile'} = '/tmp/otrs.log';
$Self->{'LogModule'} = 'Kernel::System::Log::SysLog';
$Self->{'FQDN'} = 'Snakeeyes.sumitrustusa.ad';
$Self->{'DefaultLanguage'} = 'en';
$Self->{'AdminEmail'} = 'itadmin@stbusax.com';
$Self->{'DefaultCharset'} = 'utf-8';
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
}
# ---------------------------------------------------- #
# needed system stuff (don't edit this) #
# ---------------------------------------------------- #
use strict;
use warnings;
use vars qw(@ISA $VERSION);
use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');
use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.21 $)[1];
# -----------------------------------------------------#
1;
Re: single signon with active directory
I noticed OTRS is putting // in my username:
memberUid=CN=Ritorto\\,Marc,OU=User Accounts,DC=sumitrustusax,DC=ad)'! (REMOTE_ADDR: 10.10.5.6).
Why is that?
- Znuny newbie
- Posts: 2
- Joined: 18 Oct 2010, 18:26
- Znuny Version: 2.4.7
Re: single signon with active directory
Try this configuration:
# Enable LDAP Authentication for Agent #
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = '10.0.0.80'; # your host
$Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=myserver,DC=com'; # your domain controllers
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# Code for DB Sync
# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://10.0.0.80';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=myserver,DC=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
Re: single signon with active directory
What's the difference here?
Re: single signon with active directory
My config came from the wiki site.
Re: single signon with active directory
What's the difference between member and memberUid?
This "could be" member, but if you want memberUid, keep it.
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
Re: single signon with active directory
guys
When I restart the OTRS service I get this message:
Starting OTRS..
Checking httpd ... done.
Checking MySQL ... failed.
--> Please start the database at first! (service mysqld start) <--
[root@Snakeeyes ~]#
Would that be the cause of why I can't log in with my AD account?
Re: single signon with active directory
guys
I got it to work with these settings:
# --
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --
# Enable LDAP Authentication for Agent #
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.10.2.15';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,ou=Test,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Hawkman,ou=Test,dc=sumitrustusa,dc=ad';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'MeanGreen!';
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# Enable LDAP Authentication Sync for Agent #
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://10.10.2.15:389';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=Hawkman,ou=Test,dc=sumitrustusa,dc=ad';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'MeanGreen!';
# Enable Agent Mapping from LDAP to DB #
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
Is there any way to have the accounts that need admin rights on OTRS be added to the right groups through this process?
If not, I assume I can use the old config.pm file to log on and add the users I want listed in the OTRS DB to the right admin groups, right?
Also, is there a way to have the config.pm look at the AD directory and the OTRS local DB for authentication, just in case the domain controller is down, or so I can still use the local root account to manage OTRS?
marc
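The member/memberUid question earlier in the thread and the working config in this post both come down to how the group check is built. The Perl script below is an added diagnostic, not code from OTRS or from anyone in this thread; it approximates the steps Kernel::System::Auth::LDAP takes (service-account bind, lookup by the UID attribute, group membership test with AccessAttr/UserAttr) using the values from the working config, with the service-account password replaced by a placeholder, so each step can be checked outside OTRS.

```perl
# Added diagnostic (not OTRS code): replays the steps Kernel::System::Auth::LDAP
# takes so each one can be checked on its own: bind as SearchUserDN, resolve the
# login via the UID attribute, then test group membership with AccessAttr/UserAttr.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
# Values taken from the working Config.pm above; the password is a placeholder.
my %Cfg = (
    Host         => '10.10.2.15',
    BaseDN       => 'dc=sumitrustusa,dc=ad',
    UID          => 'sAMAccountName',
    GroupDN      => 'cn=otrs,ou=Test,dc=sumitrustusa,dc=ad',
    AccessAttr   => 'member',   # AD groups list members by full DN in 'member'
    UserAttr     => 'DN',       # so the value compared must be the user's DN
    SearchUserDN => 'cn=Hawkman,ou=Test,dc=sumitrustusa,dc=ad',
    SearchUserPw => 'PLACEHOLDER_PASSWORD',
);
my $Login = shift @ARGV or die "usage: $0 <sAMAccountName>\n";
my $ldap = Net::LDAP->new( $Cfg{Host}, port => 389, version => 3, timeout => 120 )
    or die "connect to $Cfg{Host} failed: $@\n";

# Step 1: the "first bind" from the error log. Code 49 (invalid credentials,
# AD data 52e) means the service-account DN or password is wrong.
my $res = $ldap->bind( $Cfg{SearchUserDN}, password => $Cfg{SearchUserPw} );
die sprintf( "First bind failed (code %d): %s\n", $res->code, $res->error ) if $res->code;

# Step 2: resolve the login name to a DN via the UID attribute.
$res = $ldap->search(
    base   => $Cfg{BaseDN},
    filter => "($Cfg{UID}=" . escape_filter_value($Login) . ")",
    attrs  => ['1.1'],    # "1.1" asks for no attributes, only the DN
);
die "search failed: " . $res->error . "\n" if $res->code;
die "No user found for '$Login' under $Cfg{BaseDN}\n" unless $res->count;
my $UserDN = $res->entry(0)->dn;
print "User DN: $UserDN\n";

# Step 3: group check. With UserAttr 'DN' the whole DN becomes a filter value,
# so DN escapes such as the "\," in the log need filter escaping as well.
my $Value = $Cfg{UserAttr} eq 'DN' ? $UserDN : $Login;
$res = $ldap->search(
    base   => $Cfg{GroupDN},
    scope  => 'base',
    filter => "($Cfg{AccessAttr}=" . escape_filter_value($Value) . ")",
    attrs  => ['1.1'],
);
print $res->count ? "ACCESS GRANTED\n" : "ACCESS DENIED: not in $Cfg{GroupDN}\n";
$ldap->unbind;
```

Run it on the OTRS host as `perl ldapcheck.pl <login>`; if step 3 returns no entry while the user is in the group, the AccessAttr/UserAttr pair does not match how the directory stores membership.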
- Moderator
- Posts: 10169
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: single signon with active directory
If the active directory email matches the email address that's already assigned, no further action should be necessary. You'd have been able to test this...
As for backup auth, I believe the sync is supposed to handle that. On the other hand, if either OTRS or AD fails in communication, it would appear that bigger problems are likely in your network.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask