Hello everyone,
Over the last few days I have read up on LDAP integration here in the forum and in the wiki, and by now the LDAP integration for agents and customers works nicely. Unfortunately I can no longer log in as root@localhost, and the agents do not have access to the Admin area. How can I keep using root@localhost despite the LDAP integration, or does an agent have to take on the admin role? That would apparently work with this command: /otrs.AddUser2Group.pl -g admin -u username -p rw
Best regards,
Stephan
root@localhost no longer works after LDAP integration
Re: root@localhost no longer works after LDAP integration
You have probably overwritten the internal auth backend with your LDAP one...
My English is better than your German
"Production": OTRS: 5.0.x, OTRS::ITSM 5.0.x
"Testing": OTRS 6 git
OS: Debian 8.0 (Jessie)
Apache2.4.10/MySQL 5.5.41
Re: root@localhost no longer works after LDAP integration
That is quite possible, could you please take a look at my config?
#------------------------------------------------------------------------------------------------------------------------------#
# LDAP integration (company) #
#------------------------------------------------------------------------------------------------------------------------------#
#------------------------------------------------------------------------------------------------------------------------------#
# Agents #
#------------------------------------------------------------------------------------------------------------------------------#
#
# # This is an example configuration for using an MS AD backend
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'dc01.firma.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=firma,DC=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=ROLE-OTRS-Agent,OU=OTRS,OU=Delegation,OU=Groups,OU=Standort,OU=Germany,DC=firma,DC=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=SVC-LDAP-OTRS,OU=Service Accounts,OU=Users,OU=Standort,OU=Germany,DC=firma,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '0tr$ReadPWD';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'dc01.firma.de';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=firma,DC=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=SVC-LDAP-OTRS,OU=Service Accounts,OU=Users,OU=Standort,OU=Germany,DC=firma,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '0tr$ReadPWD';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
#------------------------------------------------------------------------------------------------------------------------------#
# Customer #
#------------------------------------------------------------------------------------------------------------------------------#
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc01.firma.de';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} ='DC=firma,DC=com'; # here the DN
# under which your users live; it depends on how your AD is structured
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=ROLE-OTRS-User,OU=OTRS,OU=Delegation,OU=Groups,OU=Standort,OU=Germany,DC=firma,DC=com'; # the same as for the agents
# only members of the group 'otrscustomer' may log in
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member'; # see above
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=SVC-LDAP-OTRS,OU=Service Accounts,OU=Users,OU=Standort,OU=Germany,DC=firma,DC=com'; # see above; this would then be the userPrincipalName
# whether there are any drawbacks to using the userPrincipalName instead of the DN, I don't know...
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '0tr$ReadPWD';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
#------------------------------------------------------------------------------------------------------------------------------#
# LDAP System Users #
#------------------------------------------------------------------------------------------------------------------------------#
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'dc01.firma.de';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=firma,DC=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=SVC-LDAP-OTRS,OU=Service Accounts,OU=Users,OU=Standort,OU=Germany,DC=firma,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '0tr$ReadPWD';
$Self->{'AuthModule::LDAP::Params'} = {
'async' => '0',
'timeout' => '120',
'version' => '3',
'port' => '389'
};
$Self->{'AuthModule::LDAP::Die'} = 1;
#------------------------------------------------------------------------------------------------------------------------------#
# UserSyncLDAPMap #
#------------------------------------------------------------------------------------------------------------------------------#
$Self->{'UserSyncLDAPMap'} = {
'UserEmail' => 'mail',
'UserFirstname' => 'givenName',
'UserLastname' => 'sn',
'UserLogin' => 'sAMAccountName'
};
$Self->{CustomerUser} = {
Name => 'Plastic Logic',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'dc01.firma.de',
BaseDN => 'DC=firma,DC=com',
SSCOPE => 'sub',
UserDN => 'CN=SVC-LDAP-OTRS,OU=Service Accounts,OU=Users,OU=Standort,OU=Germany,DC=firma,DC=com', # again DN or userPrincipalName
UserPw => '0tr$ReadPWD',
AlwaysFilter => '(&(objectclass=user)(mail=*.*@firma.com..))',
# if you want to exclude something:
# AlwaysFilter => '(&(objectclass=user)(mail=*.*@Firma.de..)(!((whatever)))',
},
CustomerKey => 'sAMAccountName',
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
CustomerUserSearchListLimit => 1000, # the maximum number of users shown in your customer overview.
# this line is not required, but it makes sense for us here.
Map => [
[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
],
};
#------------------------------------------------------------------------------------------------------------------------------#
# Company end #
#------------------------------------------------------------------------------------------------------------------------------#
################################################################################################################################
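The reply above points at the mechanism behind the symptom: Kernel/Config.pm is evaluated top to bottom as Perl, so every `$Self->{...}` assignment replaces the value set earlier, and setting `AuthModule` to the LDAP backend replaces the DB backend that Defaults.pm configures, which is the only place root@localhost exists. The posted config also assigns `AuthModule` and `AuthModule::LDAP::Host` twice (the "Agents" block and the "LDAP System Users" block), with only the last assignment taking effect. The following is an added example, not code from the OTRS project or from either poster: a small Python linter that reports such overridden keys, computes the effective value of a key, and checks whether any agent auth backend is still `Kernel::System::Auth::DB`. It relies on two OTRS facts: Defaults.pm sets `AuthModule` to `Kernel::System::Auth::DB`, and OTRS consults numbered backends `AuthModule1` .. `AuthModule10` whose parameter keys carry the same suffix (e.g. `AuthModule::LDAP::Host2`). The two config excerpts are constructed, with placeholder hosts and DNs rather than the poster's values.

```python
"""Linter for OTRS Kernel/Config.pm-style settings (added example, not OTRS code)."""
import re

# Matches the start of a $Self->{...} assignment, with a quoted or bare key:
#   $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
#   $Self->{CustomerUser} = {
ASSIGN_RE = re.compile(r"^\s*\$Self->\{'?([A-Za-z0-9_:]+)'?\}\s*=\s*(.*)$")

# Constructed excerpt modelled on the posted config: agents authenticate only
# against LDAP, and 'AuthModule' / 'AuthModule::LDAP::Host' are assigned twice.
LDAP_ONLY = """\
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'dc01.example.com';
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=ROLE-OTRS-Agent,OU=Groups,DC=example,DC=com';
# ... LDAP System Users ...
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'dc01.example.net';
$Self->{'AuthModule::LDAP::Die'} = 1;
"""

# Constructed alternative: the internal DB backend stays as backend 1 and LDAP
# becomes backend 2, so its parameter keys carry the suffix 2.
WITH_DB_FALLBACK = """\
$Self->{'AuthModule1'} = 'Kernel::System::Auth::DB';
$Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host2'} = 'dc01.example.com';
$Self->{'AuthModule::LDAP::GroupDN2'} = 'CN=ROLE-OTRS-Agent,OU=Groups,DC=example,DC=com';
"""

DB_BACKEND = "Kernel::System::Auth::DB"  # what Defaults.pm sets for 'AuthModule'


def parse_assignments(config_text):
    """Return (line_no, key, raw_value) for every $Self->{...} assignment,
    skipping comment lines. raw_value is the text after '=' on that line."""
    found = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            found.append((line_no, m.group(1), m.group(2).strip()))
    return found


def find_overrides(config_text):
    """Keys assigned more than once -> the line numbers involved.
    Perl evaluates the file top to bottom, so only the last one counts."""
    lines_by_key = {}
    for line_no, key, _ in parse_assignments(config_text):
        lines_by_key.setdefault(key, []).append(line_no)
    return {k: v for k, v in lines_by_key.items() if len(v) > 1}


def effective_value(config_text, key):
    """Value of `key` once the whole file has been evaluated (last wins),
    with quotes and the trailing ';' stripped. None if the key is never set."""
    value = None
    for _, k, raw in parse_assignments(config_text):
        if k == key:
            value = raw.rstrip(";").strip().strip("'\"")
    return value


def agent_auth_backends(config_text):
    """Every agent auth backend set in this file: the unsuffixed 'AuthModule'
    plus the numbered 'AuthModule1' .. 'AuthModule10' that OTRS also consults."""
    backends = {}
    for suffix in [""] + [str(n) for n in range(1, 11)]:
        value = effective_value(config_text, "AuthModule" + suffix)
        if value:
            backends["AuthModule" + suffix] = value
    return backends


def local_accounts_can_log_in(config_text):
    """True if accounts that exist only in the OTRS database (root@localhost)
    still have a backend. With nothing set, the Defaults.pm DB backend applies."""
    backends = agent_auth_backends(config_text)
    return not backends or DB_BACKEND in backends.values()


def report(config_text):
    """Findings for one Config.pm as a list of strings (empty = nothing found)."""
    findings = []
    for key, lines in sorted(find_overrides(config_text).items()):
        findings.append(f"{key} assigned on lines {lines}; only line {lines[-1]} takes effect")
    if not local_accounts_can_log_in(config_text):
        findings.append(f"no {DB_BACKEND} agent backend: DB-only accounts such as root@localhost cannot log in")
    return findings


if __name__ == "__main__":
    for name, cfg in (("ldap-only", LDAP_ONLY), ("with-db-fallback", WITH_DB_FALLBACK)):
        print(name)
        for finding in report(cfg) or ["no findings"]:
            print("  -", finding)
```

Running it against a real Config.pm means reading the file into `report()`; the parser only looks at the first line of each assignment, which is enough for the scalar auth settings but deliberately does not evaluate Perl. Note that reassigning `AuthModule` does not clear the other `AuthModule::LDAP::*` keys set earlier (they live in the same hash), so in the posted config the `GroupDN` restriction survives the second block; what changes is the host and, more importantly, the absence of any DB backend for local accounts.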