OTRS SSO from Windows AD users

[stratus66]

Hello all.
I have installed the latest otrs and trying to achieve users from Windows 2008 R2 AD to be able to login using SSO to customer.pl.
I have read bits and pieces from articles around but I have not a complete article to test on.

My otrs server is on ubuntu 14.04.3 LTS and is placed yesterday in a AD Domain. I have now in Virtualbox the same systems as in fabric..and try to do that. Please help me at least with bullets of how to start.
Thanks in advance

[crythias]

You might browse viewtopic.php?t=15422 for some insights.

[stratus66]

Well I made some progress.
1. Edited Config.pm replaced bits and pieces to suit my environment...
2. I think this is works but need fine tuning. If otrsuser or otrs2 users trying to connect it logs them in but there is a message error:

Error: Need CustomerID!!!

Comment:

Traceback:
ERROR: OTRS-CGI-51 Perl: 5.18.2 OS: linux Time: Tue Nov 3 23:34:50 2015

Message: Need CustomerID!!!

RemoteAddress: 192.168.1.4
RequestURI: /otrs/customer.pl?Action=CustomerTicketOverview;Subaction=MyTickets

Traceback (1471):
Module: Kernel::Output::HTML::Layout::CustomerError Line: 3982
Module: Kernel::Modules::CustomerTicketOverview::Run Line: 52
Module: Kernel::System::Web::InterfaceCustomer::Run Line: 1201
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_customer_2epl::handler Line: 40
Module: (eval) (v1.99) Line: 206
Module: ModPerl::RegistryCooker::run (v1.99) Line: 206
Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 172
Module: ModPerl::Registry::handler (v1.99) Line: 31

If anyone else trying to login simply they DO NOT...because there are not in the group.
Help and corrections are welcomed please

///////////////////////////////////////////////////////////////////////////////////////////////////

Code: Select all

# --
# Copyright (C) 2001-2015 xxx, http://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
#  Note:
#
#  -->> Most OTRS configuration should be done via the OTRS web interface
#       and the SysConfig. Only for some configuration, such as database
#       credentials and customer data source changes, you should edit this
#       file. For changes do customer data sources you can copy the definitions
#       from Kernel/Config/Defaults.pm and paste them in this file.
#       Config.pm will not be overwritten when updating OTRS.
# --

package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # The database host
    $Self->{'DatabaseHost'} = '127.0.0.1';

    # The database name
    $Self->{'Database'} = "otrs";

    # The database user
    $Self->{'DatabaseUser'} = "otrs";

    # The password of database user. You also can use bin/otrs.Console.pl Maint::Database::PasswordCrypt
    # for crypted passwords
    $Self->{'DatabasePw'} = '@@@@@@@@@@@@@@@@';

    # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
    $Self->{'DatabaseDSN'} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost}";

    # The database DSN for PostgreSQL ==> more: "perldoc DBD::Pg"
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a TCP/IP connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # The database DSN for Microsoft SQL Server - only supported if OTRS is
    # installed on Windows as well
#    $Self->{DatabaseDSN} = "DBI:ODBC:driver={SQL Server};Database=$Self->{Database};Server=$Self->{DatabaseHost},1433";

    # The database DSN for Oracle ==> more: "perldoc DBD::oracle"
#    $Self->{DatabaseDSN} = "DBI:Oracle://$Self->{DatabaseHost}:1521/$Self->{Database}";
#
#    $ENV{ORACLE_HOME}     = '/path/to/your/oracle';
#    $ENV{NLS_DATE_FORMAT} = 'YYYY-MM-DD HH24:MI:SS';
#    $ENV{NLS_LANG}        = 'AMERICAN_AMERICA.AL32UTF8';
# ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$

  # This is an example configuration for using an MS AD backend
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'win-p4fqb4l61v8.otrs.pliot.gr';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=otrs,dc=pliot,dc=gr';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
 
    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    #$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=posixGroups,dc=otrs,dc=pliot,dc=gr';
    #$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    #$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
 
    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'otrsuser@otrs.pliot.gr';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password1@';
 
    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
 
    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '';
 
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
		sscope => 'sub'
    };
 
    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'win-p4fqb4l61v8.otrs.pliot.gr';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=otrs,dc=pliot,dc=gr';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'otrsuser@otrs.pliot.gr';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password1@';
 
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
 
    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'customer_user',
    ];
	
	#Enable LDAP authentication for Customers / Users
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'win-p4fqb4l61v8.otrs.pliot.gr';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=otrs,dc=pliot,dc=gr';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrsuser@otrs.pliot.gr';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password1@';

    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
       Module => 'Kernel::System::CustomerUser::LDAP',
       Params => {
          Host => 'win-p4fqb4l61v8.otrs.pliot.gr',
          BaseDN => 'DC=otrs,DC=pliot,DC=gr',
          SSCOPE => 'sub',
          UserDN =>'otrsuser@otrs.pliot.gr',
          UserPw => 'password1@',
       },

	   # customer unique id
       CustomerKey => 'sAMAccountName',
       # customer #
       CustomerID => 'mail',
       CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
       CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
       CustomerUserSearchPrefix => '',
       CustomerUserSearchSuffix => '*',
       CustomerUserSearchListLimit => 250,
       CustomerUserPostMasterSearchFields => ['mail'],
       CustomerUserNameFields => ['givenname', 'sn'],
       Map => [
          # note: Login, Email and CustomerID needed!
          # var, frontend, storage, shown, required, storage-type
          #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
          [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
          [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
          [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
          [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
          [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
          [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
          #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
          #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
       ],
    };
	
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    # end of your own config options!!!                    #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    # end of your own config options!!!                    #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #

use base qw(Kernel::Config::Defaults);

# -----------------------------------------------------#

1;

//////////////////////////////////////////////////////////////////////////////////////////////////////

[stratus66]

I also tried to login with full email otrs2@otrs.pliot.gr but that had not login at all.
Finally all OU's from my pilot AD have come inside to Customer Users.
Changes in my pilot AD reflected in Customer User Management thus I am convinced that both otrs & AD talk to each other. It is a matter of fine tuning further on.
Any help would appreciated.

[coolmf]

Error: Need CustomerID!!!
and
CustomerID => 'mail'

So im guessing that otrsuser and otrs2 is missing email setting in AD

We get the same some times when users forget to update their profile with a valid email address

[stratus66]

I figure out that when I change settings in Config.pm trying to authenticate via LDAP that my admin user is locked out. Thus I have to include authentication for agents in LDAP?

[stratus66]

Furthemore to my problems I found out using LDAP query from my terminal that my connection is good
ldapsearch -x -LLL -h win-p4fqb4l61v8.otrs.pliot.gr -D otrs_ldap -w qwaszxQWASZX1 -b"dc=otrs,dc=pliot,dc=gr" -s sub "(objectClass=user)" givenName

I have these below problems:
0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
Wed Nov 4 18:41:19 2015 error OTRS-CGI-51 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:

What am I missing?

[stratus66]

This would become a blog in my case...
Now I manage to read groups ans users only in a specific OU. The user does not be able to login though.

[murdo]

My guess is the base DN your using as root of your search should be a level higher?

My top tip here is to use SysInternals AD Explorer https://technet.microsoft.com/en-us/sys ... 63907.aspx
With this you can navigate your AD tree and gather the following credentials

The DN of the top level domain
The DN of the username you're using to authenticate with AD

Does the base DN for your search contain any users? Try changing the BaseDN to top domain object class, e.g. you might want to do sub search from

-b "dc=pliot,dc=gr"

I found that our AD needed authentication to search you have use the DN for a user account with the '-D' switch

e.g. -D "cn=otrs_ldap,dc=otrs,dc=pliot,dc=gr"

the default search is sub so you don't need to specify this.

You can use -d9 to enabled debugging, this should tell you if LdapSearch is connecting and authenticating with AD

So something like the following works for me:

Code: Select all

ldapsearch -h win-p4fqb4l61v8.otrs.pliot.gr -D "cn=otrs_ldap,dc=otrs,dc=pliot,dc=gr" -w qwaszxQWASZX1 -b"dc=otrs,dc=pliot,dc=gr-W  -LLL '(&(objectclass=user)(mail=*)(givenname=*)(sn=*))' -d1 sAMAccountNAme givenName mail

The above example filter works better for OTRS as it only returns users that have email address, and full names

I use actually use this as my LDAP filter for AD

Code: Select all

'(&(objectclass=user)(mail=*)(givenname=*)(sn=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

The userAccountControl entry filters out disabled accounts in AD, see http://social.technet.microsoft.com/wik ... ageIndex=1

[stratus66]

After 4 days of trying end up with results...of a customer not being able to login over and over again no matter what type of config use.

My latest brings all AD inside but customer cannot login. What am I missing? Using latest otrs 5 in ubuntu and trying to authenticate via otrs to AD...
PLEASE HELP

Code: Select all

# ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$

  # This is an example configuration for using an MS AD backend
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'servername.domain.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
 
    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    #$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=OTRS_Groups,dc=companyname,dc=local';
    #$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    #$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
 
    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'username@domain.local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
 
    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
 
    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '';
 
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
		sscope => 'sub'
    };
 
    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'servername.domain.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'username@domain.local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
 
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
 
    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'customer_user',
    ];
	
	#Enable LDAP authentication for Customers / Users
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'servername.domain.local';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'username@domain.local';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
       Module => 'Kernel::System::CustomerUser::LDAP',
       Params => {
          Host => 'servername.domain.local',
          BaseDN => 'DC=domain,DC=local',
          SSCOPE => 'sub',
          UserDN =>'username@domain.local',
          UserPw => 'password',
       },

	   # customer unique id
       CustomerKey => 'sAMAccountName',
       # customer #
       CustomerID => 'mail',
       CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
       CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
       CustomerUserSearchPrefix => '',
       CustomerUserSearchSuffix => '*',
       CustomerUserSearchListLimit => 250,
       CustomerUserPostMasterSearchFields => ['mail'],
       CustomerUserNameFields => ['givenname', 'sn'],
       Map => [
          # note: Login, Email and CustomerID needed!
          # var, frontend, storage, shown, required, storage-type
          #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
          [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
          [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
          [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
          [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
          [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
          [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
          #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
          #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
       ],
    };

[stratus66]

And all of this sudden works YEAH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[robcar]

And all of this sudden works YEAH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Does SSO work too?
It should authenticate users to customer portal without asking them username or password.
AFAIS in the forum this feature cannot be achieved.

[stratus66]

Dear robcar...this is in our next step goal. I will keep the progress in this topic so stay tuned. Finally I think that the think that made the thing work it was at the user search description....When used mail as you see in config.pm the whole thing worked.
The ldap is dynamic thus when ad is down noone can work so think a solution to this and posted as well to help each other.

[stratus66]

The problem needs to be solved in this project is that when an LDAP is taken into account the admin of the otrs is locked out...and using the same credentials in AD managed to login.

[crythias]

It should authenticate users to customer portal without asking them username or password.
AFAIS in the forum this feature cannot be achieved.

I've done this multiple times. It certainly works. see this thread

[crythias]

The problem needs to be solved in this project is that when an LDAP is taken into account the admin of the otrs is locked out...and using the same credentials in AD managed to login.

Note that you can use multiple back ends to handle this issue. One can be database and one can be LDAP. Or you can also add an authorized LDAP user to the admin group through command line.

in version 5, commands are handled through bin/otrs.Console.pl

[stratus66]

Thanks for the answer. I just saw .otrs.Console.pl and is very helpful. However since I am not yet a guru of otrs please give me a hint in how to use both LDAP & DB DDB's? You said: (One can be database and one can be LDAP.)
Thanks in advance

[crythias]

Here's some old threads:
viewtopic.php?t=10605
viewtopic.php?t=26902
viewtopic.php?t=6619

and current docs:
http://otrs.github.io/doc/manual/admin/ ... kends.html

[stratus66]

Trying to add DB authentication I notice that Customers can login to index.pl as well. There is nothing to do in there since there is no queue assigned into them but would be more convenience customers not be able to login to index.pl.
Is that feasible?

[stratus66]

Here's some old threads:
viewtopic.php?t=10605
viewtopic.php?t=26902
viewtopic.php?t=6619

and current docs:
http://otrs.github.io/doc/manual/admin/ ... kends.html

Could not find something that satisfies me complete, however I got the idea behind it. Taking a piece from here ( http://itsm-demo.otrs.com/otrs/public.p ... ItemID=219 ) using this bits

# Second backend, internal OTRS DB
$Self->{'AuthModule2'} = 'Kernel::System::Auth::DB';
$Self->{'AuthModule2::DB::CryptType2'} = 'SHA-2';

Ending with bit in my config:

# This is an example configuration for using an MS AD backend
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'win-p4fqb4l61v8.otrs.pliot.gr';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=otrs,dc=pliot,dc=gr';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Second backend, internal OTRS DB
$Self->{'AuthModule2'} = 'Kernel::System::Auth::DB';
$Self->{'AuthModule2::DB::CryptType2'} = 'SHA-2';

Now create an agent, login in with the details, freeze the AD login logout with no problem even with AD absent.

Typing all this they might help others as well.

Guess what...I really love this product...

[stratus66]

The last part of this is to read from only one group...and finish. Next is SSO.

[stratus66]

with a little help from an AD guy finish that as well.

[stratus66]

Hi all.
I have problem to read multiple OU's in a single AD directory...
Tried to do that below:

This is an example configuration for using an MS AD backend
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'dc2.kek.ine';
$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=users,DC=koko,DC=in;
$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=users2,DC=koko,DC=in;

But this is reaf only users from users and not from users2....

Please Help

[crythias]

Either filter or multiple backends.

[stratus66]

Hello. I am stuck. Currently I can read and authenticate any AD OU but I cannot read contents of an AD group such as domain users, or incorporate multiple ou's in my pm file.

What do I need to do to read multiple ou's or a single group name such as domain users?

Below is my .pm

Code: Select all

# --
# Copyright (C) 2001-2015 xxx, http://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
#  Note:
#
#  -->> Most OTRS configuration should be done via the OTRS web interface
#       and the SysConfig. Only for some configuration, such as database
#       credentials and customer data source changes, you should edit this
#       file. For changes do customer data sources you can copy the definitions
#       from Kernel/Config/Defaults.pm and paste them in this file.
#       Config.pm will not be overwritten when updating OTRS.
# --

package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # The database host
    $Self->{'DatabaseHost'} = '127.0.0.1';

    # The database name
    $Self->{'Database'} = "otrs";

    # The database user
    $Self->{'DatabaseUser'} = "otrs";

    # The password of database user. You also can use bin/otrs.Console.pl Maint::Database::PasswordCrypt
    # for crypted passwords
    $Self->{'DatabasePw'} = 'v2wPvtVzC3VtSn9l';

    # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
    $Self->{'DatabaseDSN'} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost}";

    # The database DSN for PostgreSQL ==> more: "perldoc DBD::Pg"
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a TCP/IP connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # The database DSN for Microsoft SQL Server - only supported if OTRS is
    # installed on Windows as well
#    $Self->{DatabaseDSN} = "DBI:ODBC:driver={SQL Server};Database=$Self->{Database};Server=$Self->{DatabaseHost},1433";

    # The database DSN for Oracle ==> more: "perldoc DBD::oracle"
#    $Self->{DatabaseDSN} = "DBI:Oracle://$Self->{DatabaseHost}:1521/$Self->{Database}";
#
#    $ENV{ORACLE_HOME}     = '/path/to/your/oracle';
#    $ENV{NLS_DATE_FORMAT} = 'YYYY-MM-DD HH24:MI:SS';
#    $ENV{NLS_LANG}        = 'AMERICAN_AMERICA.AL32UTF8';

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$
  # This is an example configuration for using an MS AD backend
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'win-p4fqb4l61v8.otrs.pliot.gr';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=otrs,dc=pliot,dc=gr';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
  # Second backend, internal OTRS DB
    $Self->{'AuthModule2'} = 'Kernel::System::Auth::DB';
    $Self->{'AuthModule2::DB::CryptType2'} = 'SHA-2';
 
    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    #$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=OTRS_Groups,dc=companyname,dc=local';
    #$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    #$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
 
    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'otrs_ldap@otrs.pliot.gr';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'qwaszxQWASZX1';
 
    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
 
    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '@otrs.pliot.gr';
 
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
		sscope => 'sub'
    };
 
    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'win-p4fqb4l61v8.otrs.pliot.gr';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=otrs,dc=pliot,dc=gr';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'otrs_ldap@otrs.pliot.gr';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'qwaszxQWASZX1';
 
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
 
    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'customer_user',
    ];
	
	#Enable LDAP authentication for Customers / Users
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'win-p4fqb4l61v8.otrs.pliot.gr';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=otrs,dc=pliot,dc=gr';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs_ldap@otrs.pliot.gr';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'qwaszxQWASZX1';

    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
       Module => 'Kernel::System::CustomerUser::LDAP',
       Params => {
          Host => 'win-p4fqb4l61v8.otrs.pliot.gr',
          BaseDN => 'dc=otrs,dc=pliot,dc=gr',
          SSCOPE => 'sub',
          UserDN =>'otrs_ldap@otrs.pliot.gr',
          UserPw => 'qwaszxQWASZX1',
       },

	
	   # customer unique id
       CustomerKey => 'sAMAccountName',
       # customer #
       CustomerID => 'mail',
       CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
       CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
       CustomerUserSearchPrefix => '',
       CustomerUserSearchSuffix => '*',
       CustomerUserSearchListLimit => 250,
       CustomerUserPostMasterSearchFields => ['mail'],
       CustomerUserNameFields => ['givenname', 'sn'],
       Map => [
          # note: Login, Email and CustomerID needed!
          # var, frontend, storage, shown, required, storage-type
          #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
          [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
          [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
          [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
          [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
          [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
          [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
          #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
          #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
       ],
	      };
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    # end of your own config options!!!                    #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #

use base qw(Kernel::Config::Defaults);

# -----------------------------------------------------#

1;

[crythias]

Another link: viewtopic.php?f=60&t=16543

If you need multiple OUs, you may set them as BaseDNs of different backends.

[stratus66]

Hello Crythias..
Is it possible to have a sample copy of 2 or more backends in order to read from active directory two or more organizational units.? I really messed up when writing in config.pm.

Is there any problem with AlwaysFilter ? I tried as well to read cn=domain users,cn=users,dc=otrs,dc=pliot,dc=gr in order to read domain users and avoid to have multiple backends but seems not operational...I tried lots of things though...

[crythias]

OK. Let's start with Defaults.pm is already useful for DB backend, so we don't need to overwrite its setup to provide LDAP, so we'll increment the index for the first OU/BaseDN:

Per the documentation/my HowTO:

$Self->{'Customer::AuthModule'} (Customer::AuthModule::LDAP, etc) is for Customer authentication (permission) (customer.pl)
$Self->{CustomerUser} is for Data (information)
$Self->{AuthModule} is for Agent (User) authentication (index.pl)
$Self->{'AuthSyncModule'} is for Agent (User) Data

Current (v5) Defaults.pm:
https://github.com/OTRS/otrs/blob/rel-5 ... ts.pm#L392

Code: Select all

    $Self->{'AuthModule::UseSyncBackend1'} = '1';

    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = 'ldap.example.com';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'OU=MyOU1,dc=example,dc=com';
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    # This is optional unless you need to check against a single group membership
    # this works the same as if you searched for
    # memberUid = (fully displayed UID or DN) within cn=otrsallow,ou=posixGroups,dc=example,dc=com
#    $Self->{'AuthModule::LDAP::GroupDN1'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
#    $Self->{'AuthModule::LDAP::AccessAttr1'} = 'memberUid';
    # for ldap posixGroups objectclass (just uid)
#    $Self->{'AuthModule::LDAP::UserAttr1'} = 'UID';
    # for non ldap posixGroups objectclass (with full user dn)
#    $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    # Hint: In ActiveDirectory, you need this for permission to bind. It does NOT have to be a domain admin!
    # It can be a non-privileged authenticated user
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = '';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = '';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    # or if you want to filter with a logical OR-Expression, like AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
    # https://www.petri.com/ldap_search_samples_for_windows_2003_and_exchange as examples
    # below is an example. Change as you need.
    $Self->{'AuthModule::LDAP::AlwaysFilter1'} = '(|(mail=*abc.com)(objectclass=user))';

    # in case you want to add a suffix to each login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
#    $Self->{'AuthModule::LDAP::UserSuffix1'} = '@domain.com';

    # In case you want to convert all given usernames to lower letters you
    # should activate this option. It might be helpfull if databases are
    # in use that do not distinguish selects for upper and lower case letters
    # (Oracle, postgresql). User might be synched twice, if this option
    # is not in use.
#    $Self->{'AuthModule::LDAP::UserLowerCase1'} = 0;

    # In case you need to use OTRS in iso-charset, you can define this
    # by using this option (converts utf-8 data from LDAP to iso).
#    $Self->{'AuthModule::LDAP::Charset1'} = 'iso-8859-1';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
#    $Self->{'AuthModule::LDAP::Params1'} = {
#        port    => 389,
#        timeout => 120,
#        async   => 0,
#        version => 3,
#    };

    # Die if backend can't work, e. g. can't connect to server.
#    $Self->{'AuthModule::LDAP::Die1'} = 1;

    # This is an example configuration for an LDAP auth sync. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'ldap.example.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=example,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'uid';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = '';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = '';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    # or if you want to filter with a logical OR-Expression, like AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
#    $Self->{'AuthSyncModule::LDAP::AlwaysFilter1'} = '';

    # AuthSyncModule::LDAP::UserSyncMap
    # (map if agent should create/synced from LDAP to DB after successful login)
    # you may specify LDAP-Fields as either
    #  * list, which will check each field. first existing will be picked ( ["givenName","cn","_empty"] )
    #  * name of an LDAP-Field (may return empty strings) ("givenName")
    #  * fixed strings, prefixed with an underscore: "_test", which will always return this fixed string
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # In case you need to use OTRS in iso-charset, you can define this
    # by using this option (converts utf-8 data from LDAP to iso).
#    $Self->{'AuthSyncModule::LDAP::Charset1'} = 'iso-8859-1';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
#    $Self->{'AuthSyncModule::LDAP::Params1'} = {
#        port    => 389,
#        timeout => 120,
#        async   => 0,
#        version => 3,
#    };

    # Die if backend can't work, e. g. can't connect to server.
#    $Self->{'AuthSyncModule::LDAP::Die1'} = 1;

    # Attributes needed for group syncs
    # (attribute name for group value key)
#    $Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'memberUid';
    # (attribute for type of group content UID/DN for full ldap name)
#    $Self->{'AuthSyncModule::LDAP::UserAttr1'} = 'UID';
#    $Self->{'AuthSyncModule::LDAP::UserAttr1'} = 'DN';

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
#    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
#        'users',
#    ];

    # AuthSyncModule::LDAP::UserSyncGroupsDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs groups, define the following.)
#    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition1'} = {
#        # ldap group
#        'cn=agent,o=otrs' => {
#            # otrs group
#            'admin' => {
#                # permission
#                rw => 1,
#                ro => 1,
#            },
#            'faq' => {
#                rw => 0,
#                ro => 1,
#            },
#        },
#        'cn=agent2,o=otrs' => {
#            'users' => {
#                rw => 1,
#                ro => 1,
#            },
#        }
#    };

    # AuthSyncModule::LDAP::UserSyncRolesDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs roles, define the following.)
#    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition1'} = {
#        # ldap group
#        'cn=agent,o=otrs' => {
#            # otrs role
#            'role1' => 1,
#            'role2' => 0,
#        },
#        'cn=agent2,o=otrs' => {
#            'role3' => 1,
#        }
#    };

    # AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # attributes to otrs groups, define the following.)
#    $Self->{'AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition1'} = {
#        # ldap attribute
#        'LDAPAttribute' => {
#            # ldap attribute value
#            'LDAPAttributeValue1' => {
#                # otrs group
#                'admin' => {
#                    # permission
#                    rw => 1,
#                    ro => 1,
#                },
#                'faq' => {
#                    rw => 0,
#                    ro => 1,
#                },
#            },
#        },
#        'LDAPAttribute2' => {
#            'LDAPAttributeValue' => {
#                'users' => {
#                    rw => 1,
#                    ro => 1,
#                },
#            },
#         }
#    };

    # AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # attributes to otrs roles, define the following.)
#    $Self->{'AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition1'} = {
#        # ldap attribute
#        'LDAPAttribute' => {
#            # ldap attribute value
#            'LDAPAttributeValue1' => {
#                # otrs role
#                'role1' => 1,
#                'role2' => 1,
#            },
#        },
#        'LDAPAttribute2' => {
#            'LDAPAttributeValue1' => {
#                'role3' => 1,
#            },
#        },
#    };

# Above generally optional

Again, check my HowTo.
Use what you need. To add another back end, copy and change the one to a 2 and change values.
Use variables if you want (check my HowTo) to hold repeating values.

[stratus66]

Dear users...
I finally quit trying to read members of a group and finally decided to read the root of the AD otrs.pliot.gr and filtered the users. It was trouble to use alwaysfilter, was not working until I placed in :

# CustomerUser
# (customer user database backend and settings)
$Self->{CustomerUser} = {
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'win-p4fqb4l61v8.otrs.pliot.gr',
BaseDN => 'dc=otrs,dc=pliot,dc=gr',
SSCOPE => 'sub',
AlwaysFilter => '(objectclass=user)',
UserDN =>'otrs_ldap@otrs.pliot.gr',
UserPw => 'qwaszxQWASZX1',

The rest of them are simple history.