I'd like to implement a configuration for OTRS 6 that authenticates against AD and synchronizes the agents from AD.
So far the LDAP login works. The next step is to log in via Kerberos (single sign-on):
But it does not work with the configuration below. Background: we have a Debian 10.3 system with apache2 as the base; kinit works on the console.
So the Config.pm must be wrong!? Any ideas would be great:
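# ---------------------------------------------------------------------------
# OTRS 6 Config.pm excerpt: agent + customer authentication against Active
# Directory (LDAP bind), Kerberos single sign-on via the web server
# (HTTPBasicAuth), and agent synchronisation from AD.
#
# Backend numbering: OTRS keeps one backend per key suffix ('' = unsuffixed,
# then 1, 2, ...). Every key belonging to one backend must carry the same
# suffix, including the sync backend a login module points to.
# ---------------------------------------------------------------------------

# --- Customer auth, backend '': Kerberos SSO handed over by Apache -----------
# HTTPBasicAuth performs no credential check of its own: it takes the user
# name the web server already authenticated (REMOTE_USER). It is therefore
# exactly as strong as the Apache Kerberos configuration in front of OTRS --
# every location served with this module must require a valid Kerberos user,
# otherwise OTRS has nothing trustworthy to go on.
$Self->{'Customer::AuthModule'} =
    'Kernel::System::CustomerAuth::HTTPBasicAuth';
# Kerberos delivers "user@REALM"; this regexp strips the realm so the
# remainder can be looked up as the customer login.
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} =
    '@WIN.IEHK.RWTH-AACHEN.DE';

# --- Agent auth, backend 1: LDAP (Active Directory) bind --------------------
$Self->{'AuthModule1'}             = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = '[redacted]';
$Self->{'AuthModule::LDAP::BaseDN1'} =
    'ou=xx,ou=xx,dc=win,dc=xx,dc=xxx,dc=xx';
$Self->{'AuthModule::LDAP::UID1'}          = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'iehk-ad\xxx';
# NOTE(review): an empty bind password turns the search bind into an
# unauthenticated bind; if this is not merely a redaction, the search user
# adds nothing -- confirm.
$Self->{'AuthModule::LDAP::SearchUserPw1'} = '';
# Connection options handed to Net::LDAP. Plain port 389 without TLS means
# simple binds (search user and agent passwords) travel in cleartext.
# NOTE(review): consider LDAPS/StartTLS if the AD side offers it -- confirm
# what this OTRS version's LDAP module supports before changing.
$Self->{'AuthModule::LDAP::Params1'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

##
## Kerberos auth = single sign-on for the agent DB via LDAP ##
# --- Agent auth, backend '': Kerberos SSO handed over by Apache -------------
# Same caveat as for the customer HTTPBasicAuth above: no password is checked
# here, OTRS trusts whichever user Apache has authenticated.
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
# NOTE(review): this realm differs from the customer ReplaceRegExp above --
# presumably a redaction artifact; both must match the realm that ends up in
# REMOTE_USER.
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@xyz.xyz.DE';

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent # login)
# Fixed: the sync module below is registered as backend 1 (AuthSyncModule1),
# so the backend name here must carry the same suffix. The original pointed
# the unsuffixed (Kerberos) auth module at 'AuthSyncBackend', which no
# AuthSyncModule defines, so a successful Kerberos login had no usable sync
# backend to call.
# NOTE(review): if agents logging in through LDAP backend 1 should be synced
# as well, an equivalent 'AuthModule::UseSyncBackend1' entry is needed.
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend1';
$Self->{'AuthSyncModule1'}               = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'}   = 'x.x.rwth-xxx.de';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'ou=x,ou=x,dc=win,dc=iehk,dc=rwth-xxx,dc=de';
$Self->{'AuthSyncModule::LDAP::UID1'}    = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'xxx-ad\xxx';
# NOTE(review): value starts with a space -- probably a paste artifact; confirm.
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = ' xx';
# Which AD attributes populate the agent record on login.
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [ 'Users', ];

## Define the agent DB as a customer source
# Second auth-backend: The OTRS DB
# NOTE(review): OTRS iterates backend suffixes '' and 1..10; a '0' suffix
# (Customer::AuthModule0, CustomerUser0) is most likely never read -- confirm
# against Kernel/System/CustomerAuth.pm and CustomerUser.pm and renumber if so.
$Self->{'Customer::AuthModule0'} =
    'Kernel::System::CustomerAuth::DB';
$Self->{'Customer::AuthModule::DB::Table0'} =
    'customer_user';
$Self->{'Customer::AuthModule::DB::CustomerKey0'}      = 'x';
$Self->{'Customer::AuthModule::DB::CustomerPassword0'} = 'xx';
$Self->{CustomerUser0} = {
    Name   => 'Database Datasource',
    Module => 'Kernel::System::CustomerUser::DB',
    Params => {
        Table => 'customer_user',
    },
    # customer unique id
    CustomerKey => 'login',
    # customer #
    CustomerID    => 'customer_id',
    CustomerValid => 'valid_id',
    CustomerUserListFields             => [ 'first_name', 'last_name', 'email' ],
    CustomerUserSearchFields           => [ 'login', 'last_name', 'customer_id' ],
    CustomerUserSearchPrefix           => '',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => ['email'],
    CustomerUserNameFields             => [ 'title', 'first_name', 'last_name' ],
    CustomerUserEmailUniqCheck         => 1,
    # NOTE(review): this Map names LDAP attributes (givenname, sn,
    # sAMAccountName, mail, ...) as columns of customer_user, while
    # CustomerKey/CustomerID and the *Fields lists above use the table's own
    # column names (login, customer_id, first_name, ...). For a DB source the
    # third element of each row must be a real column of the configured table;
    # this looks copied from the LDAP source below -- confirm and align.
    Map => [
        [ 'UserTitle',      'Title',      'title',                      1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',                  1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',                         1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',             1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',                       1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',                       0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber',            1, 0, 'var', '', 0 ],
        [ 'UserOffice',     'Office',     'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
    ],
};

#### Customer Auth
# --- Customer auth, backend 1: LDAP (Active Directory) bind -----------------
$Self->{'Customer::AuthModule1'} =
    'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'x.xrwth-aachen.de';
# Fixed: the original used the fat comma (=>) on this line, which makes it a
# discarded list expression instead of an assignment -- BaseDN1 was never set,
# so the LDAP customer backend had no search base.
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'ou=x,ou=x,dc=win,dc=iehk,dc=rwth-aachen,dc=de';
$Self->{'Customer::AuthModule::LDAP::UID1'}          = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'iehk-ad\xxxx';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'x';
$Self->{CustomerUser1} = {
    Name   => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'x.x.rwth-aachen.de',
        BaseDN => 'ou=Users,ou=x,dc=x,dc=iehk,dc=rwth-aachen,dc=de',
        SSCOPE => 'sub',
        UserDN => 'xx',
        UserPw => 'xx',
        # '(&)' is the LDAP "match everything" filter: no restriction on
        # which objects under BaseDN are exposed as customers.
        AlwaysFilter => '(&)',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields             => [ 'cn', 'mail' ],
    CustomerUserSearchFields           => [ 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserSearchPrefix           => '',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => [ 'givenname', 'sn' ],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences                  => 0,
    # CustomerUserValidFilter => '(!(description=gesperrt))',
    # presumably disables caching of LDAP lookups, i.e. every request hits AD
    CacheTTL => 0,
    Map => [
        [ 'UserTitle',      'Title',      'title',                      1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',                  1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',                         1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',             1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',                       1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',                       0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber',            1, 0, 'var', '', 0 ],
        [ 'UserOffice',     'Office',     'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
    ],
};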