I apologize for my English; this is a machine translation.
I ran into a problem after switching from HTTPBasic to LDAP authentication.
Initially, customers logged in with this configuration:
# Customer authentication: HTTP Basic (the web server authenticates the user);
# the domain suffix is stripped from the supplied login before the lookup.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@DOMEN.COM';

# Customer user data backend: Active Directory over LDAP.
$Self->{CustomerUser} = {
    Name   => 'LDAP ALEX AD',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host   => 'ldap://dc01-dc1.domen.com/',
        # ldap base dn
        BaseDN => 'DC=domen,DC=com',
        SSCOPE => 'sub',
        # bind account used for lookups (its password sits in the clear in Config.pm)
        UserDN => 'CN=SVC-OTRSQuery,OU=OTRS,OU=ServiceAccounts,DC=domen,DC=com',
        UserPw => 'zaq1@WSX',
        # only person objects that have a mail attribute and are not disabled
        # (userAccountControl bit 0x2, tested with the AD bitwise-AND rule 1.2.840.113556.1.4.803)
        AlwaysFilter  => '(&(objectCategory=organizationalPerson)(objectClass=User)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
        Params => {
            port    => 389,
            timeout => 120,
            async   => 0,
            version => 3,
        },
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields               => ['cn', 'mail'],
    CustomerUserSearchFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix             => '',
    CustomerUserSearchSuffix             => '*',
    CustomerUserSearchListLimit          => 250,
    CustomerUserPostMasterSearchFields   => ['mail'],
    CustomerUserNameFields               => ['givenname', 'sn'],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences => 0,
    CacheTTL            => 30,
    Map => [
        # [ var, frontend label, LDAP attribute, shown, required, storage type, http link, readonly ]
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserDepartment', 'Department', 'department',      1, 0, 'var', '', 0 ],
        [ 'UserOffice',     'Office',     'office',          1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};
Now it looks like this:
# ---------------------------------------------------- #
# User Configurations - Domain 1 #
# ---------------------------------------------------- #
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'dc01-dc1.domen.com';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=domen,dc=com';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserAttr1'} = 'DN';
$Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';
# Note: this key belongs to the agent AuthModule family and carries suffix 3,
# while the sync module above is number 1; no AuthModule1 or AuthModule3
# declaration appears in this excerpt.
$Self->{'AuthModule::LDAP::GroupDN3'} = 'CN=OTRS Users,OU=OTRS,OU=Groups,DC=domen,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=SVC-OTRSQuery,OU=OTRS,OU=ServiceAccounts,DC=domen,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'pass';
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# Note: no backend suffix on this key although the sync modules are numbered;
# the same key is assigned again in the Domain 2 block and overwrites this one.
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
# ---------------------------------------------------- #
# User Configurations - Domain 2 #
# ---------------------------------------------------- #
$Self->{'AuthSyncModule2'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host2'} = 'ad-dc1.domen2.com';
$Self->{'AuthSyncModule::LDAP::BaseDN2'} = 'dc=domen2,dc=com';
$Self->{'AuthSyncModule::LDAP::UID2'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserAttr2'} = 'DN';
$Self->{'AuthSyncModule::LDAP::AccessAttr2'} = 'member';
$Self->{'AuthSyncModule::LDAP::SearchUserDN2'} = 'CN=Moodle Service,OU=Service Accounts,DC=domen2,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw2'} = 'pass2';
$Self->{'AuthSyncModule::LDAP::UserSyncMap2'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# Note: same unsuffixed key as in the Domain 1 block (second assignment wins).
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
# ---------------------------------------------------- #
# LDAP Configuration Settings for Domain 1 Customers #
# ---------------------------------------------------- #
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'ldap://dc01-dc1.domen.com/';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=domen,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'DN';
# Note: AccessAttr1 is set, but no Customer::AuthModule::LDAP::GroupDN1 appears in this excerpt.
$Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'CN=SVC-OTRSQuery,OU=OTRS,OU=ServiceAccounts,DC=domen,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'pass';
# Note: no backend suffix on this key (the Domain 2 block uses Params2).
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
$Self->{CustomerUser1} = {
    Name   => 'LDAP Backend1',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'dc01-dc1.domen.com',
        BaseDN => 'DC=domen,DC=com',
        SSCOPE => 'sub',
        UserDN => 'CN=SVC-OTRSQuery,OU=OTRS,OU=ServiceAccounts,DC=domen,DC=com',
        UserPw => 'pass',
        # Note: '(objectclass=user)' also matches disabled accounts and, in AD,
        # computer objects; the original filter above excluded both.
        AlwaysFilter  => '(objectclass=user)',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields               => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields             => ['sAMAccountName', 'cn', 'givenname', 'mail'],
    CustomerUserSearchPrefix             => '',
    CustomerUserSearchSuffix             => '*',
    CustomerUserSearchListLimit          => 250,
    CustomerUserPostMasterSearchFields   => ['mail'],
    CustomerUserNameFields               => ['givenname', 'sn'],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences => 0,
    CacheTTL            => 0,
    Map => [
        # [ var, frontend label, LDAP attribute, shown, required, storage type, http link, readonly ]
        [ 'UserTitle',      'Title',      'title',                      1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',                  1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',                         1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',             1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',                       1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',                       0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber',            1, 0, 'var', '', 0 ],
        [ 'UserDepartment', 'Department', 'department',                 1, 0, 'var', '', 0 ],
        [ 'UserOffice',     'Office',     'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',              1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',                1, 0, 'var', '', 0 ],
    ],
};
# ---------------------------------------------------- #
# LDAP Configuration Settings for Domain 2 Customers #
# ---------------------------------------------------- #
$Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host2'} = 'ldap://ad-dc1.domen2.com/';
$Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'dc=domen2,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::UserAttr2'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::AccessAttr2'} = 'member';
# Note: this key belongs to the agent AuthModule family and carries suffix 4,
# inside the customer backend 2 block; no AuthModule4 is declared in this excerpt.
$Self->{'AuthModule::LDAP::GroupDN4'} = 'CN=OTRS Users,OU=OTRS,OU=Groups,DC=domen2,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'CN=Moodle Service,OU=Service Accounts,DC=domen2,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = 'pass2';
$Self->{'Customer::AuthModule::LDAP::Params2'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
$Self->{CustomerUser2} = {
    Name   => 'LDAP Backend2',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'ad-dc1.domen2.com',
        BaseDN => 'DC=domen2,DC=com',
        SSCOPE => 'sub',
        UserDN => 'CN=Moodle Service,OU=Service Accounts,DC=domen2,DC=com',
        UserPw => 'pass2',
        # Note: same broad filter as backend 1 (disabled accounts and computer objects match).
        AlwaysFilter  => '(objectclass=user)',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields               => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields             => ['sAMAccountName', 'cn', 'givenname', 'mail'],
    CustomerUserSearchPrefix             => '',
    CustomerUserSearchSuffix             => '*',
    CustomerUserSearchListLimit          => 250,
    CustomerUserPostMasterSearchFields   => ['mail'],
    CustomerUserNameFields               => ['givenname', 'sn'],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences => 0,
    CacheTTL            => 0,
    Map => [
        # [ var, frontend label, LDAP attribute, shown, required, storage type, http link, readonly ]
        [ 'UserTitle',      'Title',      'title',                      1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',                  1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',                         1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',             1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',                       1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',                       0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber',            1, 0, 'var', '', 0 ],
        [ 'UserDepartment', 'Department', 'department',                 1, 0, 'var', '', 0 ],
        [ 'UserOffice',     'Office',     'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',              1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',                1, 0, 'var', '', 0 ],
    ],
};
A Kerberos authorization window pops up, and it accepts only accounts from the old domain; it does not accept accounts from the new domain.
If you pass authorization in this window, the portal window appears, and accounts from both domains work there.
What could it be?
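The original customer backend's AlwaysFilter and the replacement '(objectclass=user)' admit different sets of directory objects. The following is an added example, not code from the post above or from OTRS: a small evaluator for the RFC 4515 filter subset those two filters use, run against constructed AD-style entries (an enabled user, a disabled user, a user without a mail attribute, and a computer account). The entry names and attribute values are made up; the bitwise-AND matching rule OID and the userAccountControl disable bit are Active Directory definitions. Python is used because the point is the filter semantics rather than the Perl configuration.

```python
"""Added example (not from the original post or from OTRS): evaluate the two
AlwaysFilter strings from the post against constructed AD-style entries and
report which accounts each filter admits as customer users."""
import re

OLD_FILTER = ('(&(objectCategory=organizationalPerson)(objectClass=User)(mail=*)'
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))')
NEW_FILTER = '(objectclass=user)'

# Constructed sample entries (not real directory data). objectCategory is
# modelled as a plain string here; real AD stores a DN and matches on its RDN.
# userAccountControl: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE (0x2),
# 4096 = WORKSTATION_TRUST_ACCOUNT. AD computer objects carry objectClass "user".
SAMPLE_ENTRIES = {
    "alice":        {"objectCategory": "organizationalPerson",
                     "objectClass": ["top", "person", "organizationalPerson", "user"],
                     "mail": "alice@domen.com", "userAccountControl": "512"},
    "bob.disabled": {"objectCategory": "organizationalPerson",
                     "objectClass": ["top", "person", "organizationalPerson", "user"],
                     "mail": "bob@domen.com", "userAccountControl": "514"},
    "svc-no-mail":  {"objectCategory": "organizationalPerson",
                     "objectClass": ["top", "person", "organizationalPerson", "user"],
                     "userAccountControl": "512"},
    "WS01$":        {"objectCategory": "computer",
                     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
                     "userAccountControl": "4096"},
}

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ITEM_RE = re.compile(r"([A-Za-z0-9.-]+)(?::([0-9.]+):)?=(.*)")


def parse_filter(s, i=0):
    """Recursive-descent parser for the subset used here:
    (&...), (|...), (!...), (attr=value), (attr=*), (attr:rule:=value).
    Returns (node, index just past the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        node = (op, kids)
    elif s[i] == "!":
        inner, i = parse_filter(s, i + 1)
        node = ("!", inner)
    else:
        j = s.index(")", i)
        m = ITEM_RE.fullmatch(s[i:j])
        if m is None:
            raise ValueError(f"unsupported filter item {s[i:j]!r}")
        node, i = ("cmp",) + m.groups(), j
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> str or list)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    # LDAP attribute names are case-insensitive.
    vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    if vals is None:
        return False
    vals = vals if isinstance(vals, list) else [vals]
    if rule == BIT_AND_RULE:           # true when every bit of value is set
        mask = int(value)
        return any(int(v) & mask == mask for v in vals)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":                   # presence test
        return True
    return any(v.lower() == value.lower() for v in vals)


def admitted(filter_str, entries):
    """Sorted names of the entries the filter admits."""
    tree, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return sorted(name for name, e in entries.items() if matches(tree, e))


if __name__ == "__main__":
    print("old filter admits:", admitted(OLD_FILTER, SAMPLE_ENTRIES))
    print("new filter admits:", admitted(NEW_FILTER, SAMPLE_ENTRIES))
```

Run stand-alone, it lists only the enabled, mail-bearing person for the old filter and all four objects, including the disabled account and the computer account, for '(objectclass=user)'.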
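The multi-backend blocks above mix key suffixes: GroupDN3 and GroupDN4 sit under a different module family from the blocks they appear in, and Params and UserSyncInitialGroups carry no suffix at all. The following added check is not from the post or from OTRS; it assumes the OTRS convention that every setting of backend N ends in the same digit as its AuthModuleN / AuthSyncModuleN / Customer::AuthModuleN declaration, and it runs over a constructed excerpt that reproduces the key names from the post with shortened values.

```python
"""Added example (not from the original post or from OTRS): a consistency check
for numbered multi-backend keys in an OTRS Kernel/Config.pm excerpt.
Assumption: every setting of backend N carries the same suffix N as the
declaring key (AuthModuleN, AuthSyncModuleN, Customer::AuthModuleN)."""
import re
from collections import defaultdict

# Constructed excerpt reproducing the key names from the post (values shortened).
CONFIG = """
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'dc01-dc1.domen.com';
$Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::GroupDN3'} = 'CN=OTRS Users,OU=OTRS,OU=Groups,DC=domen,DC=com';
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [ 'users' ];
$Self->{'AuthSyncModule2'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host2'} = 'ad-dc1.domen2.com';
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [ 'users' ];
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'ldap://dc01-dc1.domen.com/';
$Self->{'Customer::AuthModule::LDAP::Params'} = { port => 389 };
$Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host2'} = 'ldap://ad-dc1.domen2.com/';
$Self->{'AuthModule::LDAP::GroupDN4'} = 'CN=OTRS Users,OU=OTRS,OU=Groups,DC=domen2,DC=com';
$Self->{'Customer::AuthModule::LDAP::Params2'} = { port => 389 };
"""

KEY_RE = re.compile(r"\$Self->\{'([^']+)'\}")

# Backend families: declaring key -> prefix of that family's LDAP settings.
FAMILIES = {
    "AuthModule": "AuthModule::LDAP::",
    "AuthSyncModule": "AuthSyncModule::LDAP::",
    "Customer::AuthModule": "Customer::AuthModule::LDAP::",
}


def check_backend_keys(config_text):
    """Return sorted (kind, key) findings:
    'unknown-backend'  a setting's suffix has no matching declaration,
    'missing-suffix'   a setting has no suffix although its family is numbered,
    'duplicate'        a key is assigned more than once (the last assignment wins)."""
    keys = KEY_RE.findall(config_text)

    # Which backend numbers each family declares (AuthSyncModule1 -> {"1"}, ...).
    declared = defaultdict(set)
    for key in keys:
        for family in FAMILIES:
            m = re.fullmatch(re.escape(family) + r"(\d+)", key)
            if m:
                declared[family].add(m.group(1))

    findings, seen = set(), set()
    for key in keys:
        if key in seen:
            findings.add(("duplicate", key))
        seen.add(key)
        for family, prefix in FAMILIES.items():
            if not key.startswith(prefix):
                continue
            suffix = re.fullmatch(r".*?(\d*)", key).group(1)   # trailing digits
            if suffix and suffix not in declared[family]:
                findings.add(("unknown-backend", key))
            elif not suffix and declared[family]:
                findings.add(("missing-suffix", key))
    return sorted(findings)


if __name__ == "__main__":
    for kind, key in check_backend_keys(CONFIG):
        print(f"{kind:16} {key}")
```

The check is deliberately syntactic: it does not know what each setting means, only that a setting whose number matches no declared backend, or that lacks a number while the family is numbered, cannot be attached to the backend it sits next to.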