How to configure SSO correctly in Config.pm

sommer106
Znuny newbie
Posts: 2
Joined: 04 Mar 2020, 10:33
Znuny Version: 6.026
Real Name: Angela Sommer
Company: RWTH-Aachen
Contact:

How to configure SSO correctly in Config.pm

Post by sommer106 »

Hi all,
I'd like to implement a configuration for otrs6 that authenticates against AD and synchronizes the agents from AD.
So far the LDAP login works. The next step is to log in via Kerberos (single sign-on):
But it does not work like this. Background: we have a Debian 10.3 system with apache2 as base; kinit works on the console.
So the Config.pm must be wrong!? Any ideas would be great:

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
    $Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@WIN.IEHK.RWTH-AACHEN.DE';

    $Self->{'AuthModule1'}                     = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'}         = '[redacted]';
    $Self->{'AuthModule::LDAP::BaseDN1'}       = 'ou=xx,ou=xx,dc=win,dc=xx,dc=xxx,dc=xx';
    $Self->{'AuthModule::LDAP::UID1'}          = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'iehk-ad\xxx';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = '';
    $Self->{'AuthModule::LDAP::Params1'}       = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    ##
    ## Kerberos auth = single sign-on for the agent DB via LDAP ##

    $Self->{'AuthModule'}                           = 'Kernel::System::Auth::HTTPBasicAuth';
    $Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@xyz.xyz.DE';

    $Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';

    $Self->{'AuthSyncModule1'}                     = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'}         = 'x.x.rwth-xxx.de';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'}       = 'ou=x,ou=x,dc=win,dc=iehk,dc=rwth-xxx,dc=de';
    $Self->{'AuthSyncModule::LDAP::UID1'}          = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'xxx-ad\xxx';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'xx';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'}  = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync the following group with rw permission after the initial creation of an agent at first login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
        'Users',
    ];

    ## Define the agent DB as a customer source

    # Second auth backend: the OTRS DB
    $Self->{'Customer::AuthModule0'}                       = 'Kernel::System::CustomerAuth::DB';
    $Self->{'Customer::AuthModule::DB::Table0'}            = 'customer_user';
    $Self->{'Customer::AuthModule::DB::CustomerKey0'}      = 'x';
    $Self->{'Customer::AuthModule::DB::CustomerPassword0'} = 'xx';

    $Self->{CustomerUser0} = {
        Name   => 'Database Datasource',
        Module => 'Kernel::System::CustomerUser::DB',
        Params => {
            Table => 'customer_user',
        },
        # customer unique id
        CustomerKey => 'login',

        # customer #
        CustomerID                         => 'customer_id',
        CustomerValid                      => 'valid_id',
        CustomerUserListFields             => [ 'first_name', 'last_name', 'email' ],
        CustomerUserSearchFields           => [ 'login', 'last_name', 'customer_id' ],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 250,
        CustomerUserPostMasterSearchFields => ['email'],
        CustomerUserNameFields             => [ 'title', 'first_name', 'last_name' ],
        CustomerUserEmailUniqCheck         => 1,
        Map => [
            [ 'UserTitle',      'Title',      'title',                      1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',                  1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',                         1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'sAMAccountName',             1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',                       1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',                       0, 1, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber',            1, 0, 'var', '', 0 ],
            [ 'UserOffice',     'Office',     'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
        ],
    };

    #### Customer Auth

    $Self->{'Customer::AuthModule1'}                     = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host1'}         = 'x.xrwth-aachen.de';
    # note: this line originally used '=>' instead of '=', which is a syntax error in Config.pm
    $Self->{'Customer::AuthModule::LDAP::BaseDN1'}       = 'ou=x,ou=x,dc=win,dc=iehk,dc=rwth-aachen,dc=de';
    $Self->{'Customer::AuthModule::LDAP::UID1'}          = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'iehk-ad\xxxx';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'x';

    $Self->{CustomerUser1} = {
        Name   => 'LDAP Data Source',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host         => 'x.x.rwth-aachen.de',
            BaseDN       => 'ou=Users,ou=x,dc=x,dc=iehk,dc=rwth-aachen,dc=de',
            SSCOPE       => 'sub',
            UserDN       => 'xx',
            UserPw       => 'xx',
            AlwaysFilter => '(&)',
        },
        CustomerKey                        => 'sAMAccountName',
        CustomerID                         => 'mail',
        CustomerUserListFields             => [ 'cn', 'mail' ],
        CustomerUserSearchFields           => [ 'sAMAccountName', 'cn', 'mail' ],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => [ 'givenname', 'sn' ],
        # show tickets that are not the customer's own in the customer panel (CompanyTickets)
        CustomerUserExcludePrimaryCustomerID => 0,
        AdminSetPreferences                  => 0,

        # CustomerUserValidFilter => '(!(description=gesperrt))',
        CacheTTL => 0,
        Map => [
            [ 'UserTitle',      'Title',      'title',                      1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',                  1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',                         1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'sAMAccountName',             1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',                       1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',                       0, 1, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber',            1, 0, 'var', '', 0 ],
            [ 'UserOffice',     'Office',     'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
        ],
    };
root
Administrator
Posts: 3976
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: How to configure SSO correctly in Config.pm

Post by root »

Hi,

Do you have the Apache configured? mod_auth_kerb or mod_auth_gssapi?

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
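The piece Roy is asking about: OTRS's HTTPBasicAuth module only reads the REMOTE_USER variable that the web server sets, so Apache itself has to perform the Kerberos handshake. An added example of such a mod_auth_gssapi block for the agent login script (not from the original post or the Znuny project; the keytab path, the /otrs/index.pl alias and Debian's www-data user are assumptions):

```apache
# Hypothetical Apache 2.4 vhost fragment (Debian paths assumed).
# Requires: a2enmod auth_gssapi, and a keytab holding HTTP/<server-fqdn>@REALM
# that is readable only by www-data. Serve this over HTTPS only.
<Location "/otrs/index.pl">
    AuthType  GSSAPI
    AuthName  "OTRS agent login"

    # Service key used to accept the client's Negotiate token.
    GssapiCredStore keytab:/etc/apache2/otrs-http.keytab

    # Kerberos only: no NTLM/SPNEGO-fallback mechanisms and no Basic-auth
    # fallback, so passwords never travel to this vhost.
    GssapiAllowedMech krb5
    GssapiBasicAuth   Off

    # Map user@REALM to the local name via krb5.conf auth_to_local, so
    # REMOTE_USER arrives as the bare sAMAccountName. If you leave this Off,
    # the AuthModule::HTTPBasicAuth::ReplaceRegExp in Config.pm must strip
    # the realm suffix instead (it is '@xyz.xyz.DE' in the post above).
    GssapiLocalName On

    Require valid-user
</Location>
```

A quick server-side check from a host with a valid ticket: `curl -k --negotiate -u : https://<server>/otrs/index.pl -I` should return 200 after a 401 Negotiate challenge; if it stays at 401, fix Apache before touching Config.pm.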
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: How to configure SSO correctly in Config.pm

Post by crythias »

Note also that the site has to be in Internet Options, Local Intranet in order to pass credentials to the site.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
sommer106
Znuny newbie
Posts: 2
Joined: 04 Mar 2020, 10:33
Znuny Version: 6.026
Real Name: Angela Sommer
Company: RWTH-Aachen
Contact:

Re: How to configure SSO correctly in Config.pm

Post by sommer106 »

root wrote: 30 Apr 2020, 20:12 Hi,

Do you have the Apache configured? mod_auth_kerb or mod_auth_gssapi?

- Roy
Hello Roy, thanks for the fast reply! Yes, I can start "kinit@Domäne" and prove the Kerberos ticket with klist:
Standard-Principal: sommer@DOMAIN.RWTH-AACHEN.DE

Valid starting Expires Service principal
04.05.2020 09:19:14 04.05.2020 19:19:14 krbtgt/DOMAIN.RWTH-AACHEN.DE@DOMAIN.RWTH-AACHEN.DE
erneuern bis 05.05.2020 09:19:06
root
Administrator
Posts: 3976
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: How to configure SSO correctly in Config.pm

Post by root »

Hi,

Checking kinit is the first step. You have to configure the Apache httpd, that's what I asked for. If not, do this first.

- Roy