Agent LDAP Authentication config

Moderator: crythias

Locked
iztok
Znuny newbie
Posts: 83
Joined: 06 Jan 2011, 14:28
Znuny Version: 3

Agent LDAP Authentication config

Post by iztok »

I'm using this config for Agent authentication, however it doesn't work, nor is any error seen in the log files. Please advise :-)

Code:

    #OK now lets have our agents use LDAP
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrs,OU=Users,OU=Express,OU=Companies,DC=extra,DC=local';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRSGroup,OU=TT,OU=Security,OU=Global,OU=Groups,OU=Express,OU=Companies,DC=extra,DC=local';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

    # UserSyncLDAPMap
    # (map if agent should create/synced from LDAP to DB after login must match your AD)
    $Self->{UserSyncLDAPMap} = {
        # DB -> LDAP
        Firstname => 'givenName',
        Lastname  => 'sn',
        Email     => 'userPrincipalName',
    };

    # UserSyncLDAPGroups
    # (If "LDAP" was selected for AuthModule, you can specify
    # initial user groups for first login.)
    $Self->{UserSyncLDAPGroups} = [
        'users',
    ];
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: Agent LDAP Authentication config

Post by jojo »

please use search in the forum, have a look in the wiki and copy the needed parts to your Config.pm from Defaults.pm

At least the hostname for the Auth and Sync parts is missing
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
iztok
Znuny newbie
Posts: 83
Joined: 06 Jan 2011, 14:28
Znuny Version: 3

Re: Agent LDAP Authentication config

Post by iztok »

If I use the search function (which I already did), searching for keywords "agent ldap" or similar, it won't provide any results since it's a commonly used search pattern. That's why I've asked for help here :-)
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: Agent LDAP Authentication config

Post by jojo »

you are also mixing up Agent Auth and Customer Auth

Have a look on this: http://forums.otrs.org/viewtopic.php?f= ... 26&p=25756
iztok
Znuny newbie
Posts: 83
Joined: 06 Jan 2011, 14:28
Znuny Version: 3

Re: Agent LDAP Authentication config

Post by iztok »

Alright, sorry for the first confusion. I've only snipped some part of the config from Config.pm. Here is the full config ... While the customer part works, the agent auth does not work - I can't even login as root anymore...

Values in the config were modified for obvious reasons :-) I also made 2 comments on 2 variables where I'm not sure what to change.

Code:

    #we want to use LDAP for Auth
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'dc02.domain.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
    $Self->{'AuthModule::LDAP::UID'} = 'otrs';
    #The username and password of the user you setup to access LDAP information in AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs,OU=Users,OU=Company,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

    #We want our Customer/users to Auth using LDAP
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'dc02.domain.local';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=local';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'otrs';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs,OU=Users,OU=Company,DC=domain,DC=local';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

    $Self->{CustomerUser} = {
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => 'dc02.domain.local',
            BaseDN => 'DC=domain,DC=local',
            SSCOPE => 'sub',
            UserDN => 'CN=otrs,OU=Users,OU=Company,DC=domain,DC=local',
            UserPw => 'password',
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'userPrincipalName',
        CustomerUserListFields => ['displayName', 'userPrincipalName'],
        CustomerUserSearchFields => ['displayName', 'userPrincipalName'],
        # must be an array ref of quoted attribute names; an unquoted bareword is a syntax error under "use strict"
        CustomerUserPostMasterSearchFields => ['userPrincipalName'],
        CustomerUserNameFields => ['givenName', 'sn'],
        #the following must map to valid fields in your AD (givenname,sn,sAMAccountName,...)
        Map => [
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
            [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail', 'Email', 'userPrincipalName', 1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'userPrincipalName', 0, 1, 'var' ],
        ],
    };

    #OK now lets have our agents use LDAP
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=SA,OU=Groups,OU=Company,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';    # do I need to change this to something?
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';          # do I need to change this to something?
    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=SA,OU=Groups,OU=Company,DC=domain,DC=local';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

    # UserSyncLDAPMap
    # (map if agent should create/synced from LDAP to DB after login must match your AD)
    $Self->{UserSyncLDAPMap} = {
        # DB -> LDAP
        Firstname => 'givenName',
        Lastname  => 'sn',
        Email     => 'userPrincipalName',
    };

    # UserSyncLDAPGroups
    # (If "LDAP" was selected for AuthModule, you can specify
    # initial user groups for first login.)
    $Self->{UserSyncLDAPGroups} = [
        'users',
    ];

iztok
Znuny newbie
Posts: 83
Joined: 06 Jan 2011, 14:28
Znuny Version: 3

Re: Agent LDAP Authentication config

Post by iztok »

bump? :D
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: Agent LDAP Authentication config

Post by jojo »

$Self->{'AuthModule::LDAP::UID'} = 'otrs'; is wrong!

$Self->{'AuthModule::LDAP::UID'} = 'samaccountname'; for Active Directory
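The reason the wrong UID setting fails silently, and what the GroupDN / AccessAttr / UserAttr keys actually test, can be seen without a directory server. The following is an added example written for this thread, not OTRS or Znuny code: a small in-memory model of the agent LDAP login flow those Config.pm keys control (search for the login name under BaseDN using the UID attribute, bind as the found entry, then check membership in GroupDN). The directory entries, DNs and passwords are constructed sample data mirroring the thread; the initial bind as SearchUserDN and the real network calls are not modelled.

```python
"""Added example (not OTRS/Znuny code): in-memory model of the OTRS agent
LDAP login flow driven by the AuthModule::LDAP::* keys discussed above.

Flow modelled:
  1. search BaseDN for an entry whose <AuthModule::LDAP::UID> attribute equals the login name
  2. "bind" as that entry with the supplied password (simulated with a stored value)
  3. if GroupDN is set, require that the group's <AccessAttr> values contain the
     user's DN (UserAttr = 'DN') or the login name (UserAttr = 'UID')
"""
from typing import Dict, List, Optional

# Constructed sample directory: DN -> {attribute name (lowercase) -> values}.
# "_password" exists only so the bind step can be simulated offline.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=iztok,OU=Users,OU=Company,DC=domain,DC=local": {
        "samaccountname": ["iztok"],
        "userprincipalname": ["iztok@domain.local"],
        "givenname": ["Iztok"],
        "sn": ["Example"],
        "_password": ["agent-secret"],
    },
    "CN=otrs,OU=Users,OU=Company,DC=domain,DC=local": {
        "samaccountname": ["otrs"],
        "_password": ["password"],
    },
    "CN=SA,OU=Groups,OU=Company,DC=domain,DC=local": {
        # AccessAttr 'member' holds full DNs, so UserAttr must be 'DN' to match
        "member": ["CN=iztok,OU=Users,OU=Company,DC=domain,DC=local"],
    },
}

# Constructed configs mirroring the thread: the first attempt and jojo's correction.
BROKEN_CONFIG = {
    "AuthModule::LDAP::BaseDN": "dc=domain,dc=local",
    "AuthModule::LDAP::UID": "otrs",  # attribute name no AD entry has -> search finds nothing
    "AuthModule::LDAP::GroupDN": "CN=SA,OU=Groups,OU=Company,DC=domain,DC=local",
    "AuthModule::LDAP::AccessAttr": "member",
    "AuthModule::LDAP::UserAttr": "DN",
}
FIXED_CONFIG = {**BROKEN_CONFIG, "AuthModule::LDAP::UID": "sAMAccountName"}


def get_entry(dn: str) -> Dict[str, List[str]]:
    """DN lookup; LDAP DNs and attribute names compare case-insensitively."""
    for entry_dn, attrs in DIRECTORY.items():
        if entry_dn.lower() == dn.lower():
            return attrs
    return {}


def find_user_dn(config: dict, login: str) -> Optional[str]:
    """Step 1: the search OTRS issues as (<UID attr>=<login>) under BaseDN."""
    attr = config["AuthModule::LDAP::UID"].lower()
    base = config["AuthModule::LDAP::BaseDN"].lower()
    for dn, attrs in DIRECTORY.items():
        values = [v.lower() for v in attrs.get(attr, [])]
        if dn.lower().endswith(base) and login.lower() in values:
            return dn
    return None


def bind(dn: str, password: str) -> bool:
    """Step 2: simulated simple bind; a real deployment sends this to the server."""
    return password in get_entry(dn).get("_password", [])


def group_allows(config: dict, user_dn: str, login: str) -> bool:
    """Step 3: membership test controlled by GroupDN / AccessAttr / UserAttr."""
    group_dn = config.get("AuthModule::LDAP::GroupDN")
    if not group_dn:
        return True  # no group restriction configured
    members = get_entry(group_dn).get(config["AuthModule::LDAP::AccessAttr"].lower(), [])
    wanted = user_dn if config["AuthModule::LDAP::UserAttr"].upper() == "DN" else login
    return wanted.lower() in [m.lower() for m in members]


def authenticate(config: dict, login: str, password: str) -> Optional[str]:
    """Return the agent's DN on success, None on any failure (as a silent login denial)."""
    user_dn = find_user_dn(config, login)
    if user_dn is None or not bind(user_dn, password) or not group_allows(config, user_dn, login):
        return None
    return user_dn


if __name__ == "__main__":
    print("UID='otrs':          ", authenticate(BROKEN_CONFIG, "iztok", "agent-secret"))
    print("UID='sAMAccountName':", authenticate(FIXED_CONFIG, "iztok", "agent-secret"))
    print("UserAttr='UID':      ", authenticate({**FIXED_CONFIG, "AuthModule::LDAP::UserAttr": "UID"}, "iztok", "agent-secret"))
```

With UID set to 'otrs' the search returns no entry, so the login is refused before any bind happens and nothing is logged as an error, which matches the symptom in the first post. Switching UserAttr to 'UID' while the group's member attribute holds DNs also denies every login, which is why the 'member' / 'DN' pair in the posted config is the right combination for Active Directory groups.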
iztok
Znuny newbie
Posts: 83
Joined: 06 Jan 2011, 14:28
Znuny Version: 3

Re: Agent LDAP Authentication config

Post by iztok »

Ok, now everything works. I also had some issues with syncing LDAP to the DB, but managed to fix it on my own.

Next question is, how do I escalate myself to have admin rights on OTRS? I cannot login anymore with "root@localhost", and when I login with my domain account, I do not have those permissions?
iztok
Znuny newbie
Posts: 83
Joined: 06 Jan 2011, 14:28
Znuny Version: 3

Re: Agent LDAP Authentication config

Post by iztok »

Fixed that myself as well. Disabled LDAP auth in Config, logged in as root, applied permissions to my LDAP username, restored the config and now I'm admin :-) Thanks for your help jojo!