LDAP SSO problems with umlauts

SL-Cux
Znuny newbie
Posts: 1
Joined: 12 Jan 2011, 17:27
Znuny Version: 3.0.4

Post by SL-Cux »

Hello OTRS community,

I'm at my wits' end and can't get any further.
I have been trying for days to set up single sign-on via an AD. It partly works. As long as the users have no umlauts in their names, everything works wonderfully.
But as soon as a customer has an umlaut, it no longer works (see log). If I set up the login without SSO, it works with umlauts too. I have attached the config so that perhaps someone can help me and take a look at it. The header of the web page tells me that it is UTF-8, which is correct so far. So the web server should be configured correctly.

Log file:

Code:

[Fri Jan 14 12:30:18 2011][Notice][Kernel::System::CustomerAuth::HTTPBasicAuth::Auth] User: Vorname.Lüngen Authentication ok (REMOTE_ADDR: 172.20.4.15).
[Fri Jan 14 12:30:18 2011][Error][Kernel::System::CustomerUser::SetPreferences][493] No such user 'Vorname.Lüngen'!

httpd.conf:

Code:

<Directory "D:/OTRS/Apache/cgi-bin">
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain stadtcuxhaven.intern
#    SSPIUsernameCase lower
    SSPIOfferBasic On
    Require valid-user
    Options +ExecCGI -Includes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Location /OTRS/>
    AuthName "My OTRS"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain stadtcuxhaven.intern
    SSPIOmitDomain off
#    SSPIUsernameCase lower
#    SSPIOfferBasic on
    Require valid-user
</Location>

<Directory /OTRS>
    Options FollowSymLinks
    AllowOverride None
    AuthName "---!"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain stadtcuxhaven.intern
    SSPIOmitDomain off
#    SSPIUsernameCase lower
#    SSPIOfferBasic on
    Require valid-user
</Directory>

<Location /otrs/>
    AuthName "My OTRS"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain stadtcuxhaven.intern
    SSPIOmitDomain off
#    SSPIUsernameCase lower
#    SSPIOfferBasic on
    Require valid-user
</Location>

<Directory /otrs>
    Options FollowSymLinks
    AllowOverride None
    AuthName "---!"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain stadtcuxhaven.intern
    SSPIOmitDomain off
#    SSPIUsernameCase lower
#    SSPIOfferBasic on
    Require valid-user
</Directory>

Code:

    # ---------------------------------------------------- #
    # INTEGRATION ACTIVE DIRECTORY
    # ---------------------------------------------------- #

    #$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
    #$Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'DOMAIN\\';
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'xxx.xx.x.x:3268';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'DC=Domain,DC=intern';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
	
    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    #$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS-Gruppe,CN=Users,DC=Domain,DC=intern';
    #$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    # for ldap posixGroups objectclass (just uid)
    #$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
    # for non ldap posixGroups objectclass (with full user dn)
    #$Self->{'AuthModule::LDAP::UserAttr'} = 'OU=Test,OU=Users,OU=Abteilung,DC=Domain,DC=intern';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=Benutzer,CN=Users,DC=Domain,DC=intern';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'Passwort';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

    # Die if backend can't work, e. g. can't connect to server.
    $Self->{'AuthModule::LDAP::Die'} = 1;

    # UserSyncLDAPMap
    # (map if agent should create/synced from LDAP to DB after login)
    # --------------------------------------------------- #
    # authentication sync settings                        #
    # (enable agent data sync. after successful           #
    # authentication)                                     #
    # --------------------------------------------------- #
    # This is an example configuration for an LDAP auth sync. backend.
    # (take care that Net::LDAP is installed!)
	
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    #$Self->{'AuthSyncModule::LDAP::Charset'} = 'UTF-8';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'xxx.xx.x.x:3268';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=Domain,DC=intern';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
	

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=Benutzer,CN=Users,DC=stadtcuxhaven,DC=intern';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'Passwort';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    #$Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';

    # AuthSyncModule::LDAP::UserSyncMap
    # (map if agent should create/synced from LDAP to DB after successful login)
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
    #    UserEmail     => 'mail',
    };
	
	
	

    # Customer login

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
    #$Self->{'Customer::AuthModule::HTTPBasicAuth::Replace'} = '@Domain.intern';
    $Self->{'Customer::AuthModule::HTTPBasicAuth::Replace'} = 'DOMAIN\\';
    #$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'xxx.xx.x.x:3268';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=Domain,DC=intern';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=Benutzer,CN=Users,DC=Domain,DC=intern';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Passwort';
	 
	 

    $Self->{CustomerUser} = {
        Module => 'Kernel::System::CustomerUser::LDAP',
        Name => 'LDAP Datenquelle',
        Params => {
            Host => 'xxx.xx.x.x:3268',
            BaseDN => 'DC=Domain,DC=intern',
            SSCOPE => 'sub',
            UserDN => 'CN=Benutzer,CN=Users,DC=Domain,DC=intern',
            UserPw => 'Passwort',
            AlwaysFilter => '(&(!(objectclass=computer))(objectclass=user))',
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        #CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        #CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        #CustomerUserPostMasterSearchFields => ['sAMAccountName', 'cn',  'mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        CustomerUserExcludePrimaryCustomerID => 1,
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
            [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail', 0,  1, 'var' ],
            [ 'UserCustomerIDs', 'CustomerIDs', 'customer_ids', 1,  0, 'var', '', 0 ],
            [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
            [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
            [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
        ],
    };
    # UserSyncLDAPMap
    $Self->{'UserSyncLDAPMap'} = {
        Firstname => 'givenName',
        Lastname => 'sn',
        Email => 'mail',
    };

Thank you in advance for your efforts.

Greetings from the north.
OTRS: 3.0.4 Windows-Installer-Pack
OS: Windows Server 2008 32 Bit