Customer AD Authentication

[IT84]

I can't get customer authentication to work, I was able to get OTRS to populate the customer list from Active Directory, but I've had no success in getting users to be able to login to the customer facing side of OTRS with their AD credentials. When I go to the customer login page and try to login with the AD user “test” I get the follow error: “Login failed! Your username or password was entered incorrectly.”
Below is my config.pm, any help would be greatly appreciated. Thank you.

Code: Select all

# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2009 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.21 2009/02/16 12:01:43 tr Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
#  Note:
#
#  -->> OTRS does have a lot of config settings. For more settings
#       (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
#       LDAP, PostMaster, Session, Preferences, ...) see
#       Kernel/Config/Defaults.pm and copy your wanted lines into "this"
#       config file. This file will not be changed on update!
#
# --

package Kernel::Config;

sub Load {
    my $Self = shift;
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #         Start of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #
    # DatabaseHost
    # (The database host.)
    $Self->{'DatabaseHost'} = 'localhost';
    # Database
    # (The database name.)
    $Self->{'Database'} = 'otrs';
    # DatabaseUser
    # (The database user.)
    $Self->{'DatabaseUser'} = 'otrs';
    # DatabasePw
    # (The password of database user. You also can use bin/CryptPassword.pl
    # for crypted passwords.)
    $Self->{'DatabasePw'} = 'hot';
    # DatabaseDSN
    # (The database DSN for MySQL ==> more: "man DBD::mysql")
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

    # (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a tcpip connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = 'C:/PROGRA~1/OTRS/OTRS';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{'CheckMXRecord'} = 1;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #

    $Self->{LogModule}          = 'Kernel::System::Log::File';
    $Self->{'LogModule::LogFile'} = 'C:/PROGRA~1/OTRS/OTRS/var/log/otrs.log';
    $Self->{SpellChecker}       = '0';
    # $DIBI$
    $Self->{'SystemID'} = 10;
    $Self->{'SecureMode'} = 1;
    $Self->{'Organization'} = 'xxx';
    $Self->{'LogModule'} = 'Kernel::System::Log::File';
    $Self->{'FQDN'} = 'otrsserver.domain.com';
    $Self->{'DefaultLanguage'} = 'en';
    $Self->{'AdminEmail'} = 'admin@domain.com';
    $Self->{'DefaultCharset'} = 'utf-8';


    # ---------------------------------------------------- #
    # Use LDAP for Customer Source                         #
    # ---------------------------------------------------- #


    # CustomerUser
    # (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
        Name => 'LDAP Data Source',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'ldapserver.domain.com',
            # ldap base dn
            BaseDN => 'dc=domain, dc=com',
            # search scope (one|sub)
            SSCOPE => 'sub',
#            # The following is valid but would only be necessary if the
#            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'CN=administrator, CN=users, DC=domain, DC=com',
            UserPw => 'xxxxxxxx',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#            AlwaysFilter => '',
            # if your frontend is e. g. iso-8859-1 and the charset of your
            # ldap server is utf-8, use these options.
#            SourceCharset => 'utf-8',
#            DestCharset => 'iso-8859-1',
            # if both your frontend and your LDAP are unicode, use this:
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',

            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
#                port => 389,
                port => 3268,
                timeout => 120,
                async => 0,
                version => 3,
            },
        },
		ReadOnly => 1,
		# customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['cn', 'givenname', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        # show not own tickets in customer panel, CompanyTickets
        CustomerUserExcludePrimaryCustomerID => 0,
        # add an ldap filter for valid users (expert setting)
#       CustomerUserValidFilter => '(!(description=locked))',
        # administrator can't change customer preferences
        AdminSetPreferences => 0,
#        # cache time to live in sec. - cache any database queries
        CacheTTL => 120,
        Map => [
            # note: Login, Email and CustomerID are mandatory!
            # if you need additional attributes from AD, just map them here.
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
#            [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',   'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',    'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',    'sAMAccountName',             1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',       'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID',  'mail',            0, 1, 'var', '', 0 ],
#            [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephoneNumber', 1, 0, 'var', '', 0 ],
#            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
#            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
            [ 'UserMobile',     'Mobile',      'mobile', 1, 0, 'var', '', 0 ],
            [ 'UserRoom',       'Room',        'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
        ],
    };

##########################################################



# This is an example configuration for an LDAP auth. backend.
    # (make sure Net::LDAP is installed!)
     $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
     $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldapserver.domain.com';
     $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';
     $Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRSAllow,CN=users,DC=domain,DC=com';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
    # for ldap posixGroups objectclass (just uid)
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
    # for non ldap posixGroups objectclass (full user dn)
#    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=administrator, CN=users, DC=domain, DC=com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxx';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each customer login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
#    $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };


    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #           End of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.21 $)[1];

# -----------------------------------------------------#

1;

[fbobraga]

I guess the issue is related to this entries, in your Config.pm:

Code: Select all

    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRSAllow,CN=users,DC=domain,DC=com';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';

... try to comment them out - found the cause, play with it

...and see the the OTRS logs to try to figure out what is going on (with syslog, try something like tail -f /var/log/messages). This must show something like it:

Code: Select all

<date> <host> OTRS-CGI-10[7701]: [Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: <user_mail> (<user_DN>) authentication ok (REMOTE_ADDR: <user_IP>).

this may help: http://forums.otrs.org/viewtopic.php?f= ... 62&start=0

[crythias]

Briefly, it appears your LDAP port is different from database to auth.
database:

Code: Select all

            Params => {
#                port => 389,
                port => 3268,
                timeout => 120,
                async => 0,
                version => 3,
            },

Auth:

Code: Select all

    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

But your logs could probably tell you more.