OTRS AD Auth

Andi0r
Znuny newbie
Posts: 5
Joined: 16 Dec 2014, 18:05
Znuny Version: 4.0.3
Real Name: Andreas Lechner

OTRS AD Auth

Post by Andi0r »

Hi,

I am currently installing OTRS locally here and would like to handle user authentication via AD.
There are plenty of scripts for that, but I cannot get it to work.
I am using the following script:

  # Enable LDAP authentication for Customers / Users
  $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
  $Self->{'Customer::AuthModule::LDAP::Host'} = 'xxx.xxx.xxx.xxx';
  $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=xx,dc=xx,dc=xx';
  $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

  # The following is valid but would only be necessary if the
  # anonymous user does NOT have permission to read from the LDAP tree
  $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=LDAP.OTRS,OU=xx,DC=xx,DC=xx,DC=xx';
  $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xx';

  # CustomerUser
  # (customer user database backend and settings)
  $Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
      Host   => 'xxx.xxx.xxx.xxx',
      BaseDN => 'dc=xx,dc=xx,dc=xx',
      SSCOPE => 'sub',
      UserDN => 'otrsldap.at',
      UserPw => 'XXX',
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 1000,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
      #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
      [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
      #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
      #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
  };

  # Add the following lines when users are only allowed to log in if they reside in the specified security group
  # Remove these lines if you want to provide login to all users specified in the User Base DN
  # example: $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=BaseOU, dc=example, dc=com';
  $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRS_allow_C,CN=Users,DC=at,DC=chiesigroup,DC=lan';
  $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
  $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
  
The user I am testing with is also in the OTRS_allow_C group, and on login I get the following error message:
Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator.

Does anyone have an idea?
In the message log on the server I find the following entry:
Dec 17 08:20:50 localhost OTRS-CGI-78[17060]: [Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: XXX (CN=XXX Andreas,OU=OU Test User,OU=OU User,OU=XX,DC=XX,DC=XX,DC=XX) authentication ok (REMOTE_ADDR: xxx.xxx.xxx.xxx).

Unfortunately I am somewhat at a loss :(
I am using the following OTRS version: 4.0.1

Many thanks for your help and kind regards
Andreas
Rooobaaat
Znuny wizard
Posts: 432
Joined: 11 Sep 2014, 16:28
Znuny Version: OTRS 5.0.x

Re: OTRS AD Auth

Post by Rooobaaat »

Try the following config:

  $Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
  $Self->{'Customer::AuthModule::LDAP::Host2'} = 'dc.Firma2.local';
  $Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'DC=Firma2, DC=local';
  $Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';
  $Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'binduser2@Firma2.local';
  $Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = 'Password2';

  $Self->{CustomerUser2} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
      Host   => 'dc.Firma2.local',
      BaseDN => 'DC=Firma2, DC=local',
      SSCOPE => 'sub',
      UserDN => 'binduser2@Firma2.local',
      UserPw => 'Password2',
      AlwaysFilter => '(&(objectclass=user)(mail=*.*@Firma2.de..))',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
      # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
      [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
      [ 'UserComment', 'Comment', 'facsimileTelephoneNumber', 1, 1, 'var' ],
      # [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
      # [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
  };

If that does not help, then change
  $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
to
  $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
My english is better than your german :P

"Production": OTRS: 5.0.x, OTRS::ITSM 5.0.x
"Testing": OTRS 6 git
OS: Debian 8.0 (Jessie)
Apache2.4.10/MySQL 5.5.41
Andi0r
Znuny newbie
Posts: 5
Joined: 16 Dec 2014, 18:05
Znuny Version: 4.0.3
Real Name: Andreas Lechner

Re: OTRS AD Auth

Post by Andi0r »

Hi,

Many thanks for your reply.
With your script I unfortunately get an Internal Server Error right away.

When I change member to memberUid I get the following error message in the interface:
Login failed! Your user name or password was entered incorrectly.

and in the logs:
Dec 17 17:32:10 localhost OTRS-CGI-78[3121]: [Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: a.XXX authentication failed, no LDAP group entry foundGroupDN='CN=OTRS_allow_C,CN=XX,DC=XX,DC=XX,DC=XX', Filter='(memberUid=CN=XXX,OU=OU Test User,OU=XX,OU=XX,DC=XX,DC=XX,DC=lan)'! (REMOTE_ADDR: 10.72.10.129).

The test user is in the group OTRS_allow_C :(

The group thing is not that important to me at the moment; as far as I am concerned anyone from AD may log in, but even when I comment it out I get the error message again: Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator.

Kind regards
Andreas
Rooobaaat
Znuny wizard
Posts: 432
Joined: 11 Sep 2014, 16:28
Znuny Version: OTRS 5.0.x

Re: OTRS AD Auth

Post by Rooobaaat »

Okay... To speed up the solution process a bit... Have a look here: viewtopic.php?t=26432

A user there had the same problem.
You have a Windows domain, right? Then AccessAttr must of course be member :)
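The two-stage flow this thread circles around, as an added example that is not part of the thread or of OTRS itself: a small in-memory model of CustomerAuth::LDAP (find by UID, bind, GroupDN check with AccessAttr/UserAttr) followed by CustomerUser::LDAP (backend bind, lookup by CustomerKey). The directory entries, the service account CN=LDAP.OTRS,OU=Service,DC=example,DC=lan and the assumption that the second stage fails because its own bind is rejected are constructed for illustration; the thread never names the actual cause of the "no customer record" message.

```python
# Added example (not from the thread): models the two independent stages of an
# OTRS customer login, CustomerAuth::LDAP (find by UID, bind, GroupDN check) and
# CustomerUser::LDAP (bind with UserDN/UserPw, fetch by CustomerKey), in memory.
DIRECTORY = {  # constructed: DN -> attributes; AD groups list member DNs in 'member'
    "CN=Andreas,OU=Users,DC=example,DC=lan": {
        "sAMAccountName": ["andreas"], "mail": ["andreas@example.lan"],
        "givenname": ["Andreas"], "sn": ["Lechner"], "userPassword": ["s3cret"],
    },
    "CN=LDAP.OTRS,OU=Service,DC=example,DC=lan": {"userPassword": ["bindpw"]},
    "CN=OTRS_allow_C,CN=Users,DC=example,DC=lan": {
        "member": ["CN=Andreas,OU=Users,DC=example,DC=lan"],
    },
}

def bind(dn, password):
    """Simple bind: the DN must exist and the password must match."""
    return password in DIRECTORY.get(dn, {}).get("userPassword", [])

def search(attr, value):
    """Subtree search with an equality filter; returns the matching DNs."""
    return [dn for dn, attrs in DIRECTORY.items() if value in attrs.get(attr, [])]

def customer_auth(login, password, uid="sAMAccountName", group_dn=None,
                  access_attr="member", user_attr="DN"):
    """Stage 1: returns the status CustomerAuth::LDAP logs."""
    hits = search(uid, login)
    if not hits or not bind(hits[0], password):
        return "authentication failed"
    if group_dn:
        # UserAttr=DN puts the full user DN into the group filter. AD groups carry
        # 'member', not the POSIX 'memberUid', so only AccessAttr=member matches.
        needle = hits[0] if user_attr == "DN" else login
        if needle not in DIRECTORY.get(group_dn, {}).get(access_attr, []):
            return f"no LDAP group entry found, Filter='({access_attr}={needle})'"
    return "authentication ok"

def customer_record(login, user_dn, user_pw, customer_key="sAMAccountName"):
    """Stage 2: bind with the backend's own credentials, then look up the login."""
    if not bind(user_dn, user_pw):  # assumed cause: UserDN not accepted by server
        return None
    hits = search(customer_key, login)
    return DIRECTORY[hits[0]] if hits else None

def customer_login(login, password, auth_cfg, backend_cfg):
    """Both stages combined into the message the customer frontend shows."""
    if customer_auth(login, password, **auth_cfg) != "authentication ok":
        return "Login failed! Your user name or password was entered incorrectly."
    if customer_record(login, **backend_cfg) is None:
        return "Authentication succeeded, but no customer record is found."
    return "login ok"
```

Switching `access_attr` to `memberUid` reproduces the "no LDAP group entry found" log line from the thread, while a rejected backend bind reproduces the "Authentication succeeded, but no customer record" message even though stage 1 passed.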