Agent LDAP auth

atetz
Znuny newbie
Posts: 11
Joined: 22 Aug 2011, 14:33
Znuny Version: otrs-3.0.10
Real Name: Adam Tetz
Company: Gemeente Maasgouw

Agent LDAP auth

Post by atetz »

Hi all!

At the moment I've got a test environment running to check out OTRS: a standard Server 2008 with AD, a local hMailServer and a clean install of otrs-3.0.10-win-installer-2.4.
All is good, except that I can't get the agent LDAP auth running. The LDAP customer database is running, though!

AD looks like this (all names are fictional):

Parent OU: Servicedesk.
Applications Organizational Unit - Contains: APP_OTRS_AGENT Security Group - Global
Management Organizational Unit
HumanResources Organizational Unit
FrontOffice Organizational Unit

BackOffice Organizational Unit
contains:

Name             Type                           Description
Jack Salvatore   User                           3rd level
Deanna Lehmann   User                           3rd level
Cody Beckerman   User                           2nd level
BackOffice_GG    Security Group - Global        (all users in OU are member)
BackOffice_DL    Security Group - Domain Local  (department GG is member)
Ann Wozniak      User                           2nd level

I want all BackOffice users to have LDAP access to OTRS, so I made BackOffice_GG a member of APP_OTRS_AGENT. I also made sure that one of these users already existed in OTRS (in this situation a.wozniak).

So this is what I put in config.pm:

#Enable LDAP authentication for Customers / Users
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '192.168.150.128';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=servicedesk,dc=test';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

#The following is valid but would only be necessary if the
#anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Service_ldap,cn=users,dc=servicedesk,dc=test';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxx';

# UserSyncLDAPMap
# (map if agent should create/synced from LDAP to DB after login)
$Self->{UserSyncLDAPMap} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# UserSyncLDAPGroups
# (If "LDAP" was selected for AuthModule, you can specify
# initial user groups for first login.)
$Self->{UserSyncLDAPGroups} = [
'users',
];

# UserTable
$Self->{DatabaseUserTable} = 'users';
$Self->{DatabaseUserTableUserID} = 'id';
$Self->{DatabaseUserTableUserPW} = 'pw';
$Self->{DatabaseUserTableUser} = 'login';

#Add the following lines when users are only allowed to log in if they reside in the specified security group
#Remove these lines if you want to allow login to all users under the User Base DN
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=APP_OTRS_AGENT,OU=Applications,OU=Servicedesk,DC=servicedesk,DC=test';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

But OTRS does not let me in, not even with the credentials that I entered manually. There are also no error messages in OTRS\Apache\logs\error.txt.

Does anyone have a suggestion?
atetz

Re: Agent LDAP auth

Post by atetz »

Anybody?
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Agent LDAP auth

Post by crythias »

OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
atetz

Re: Agent LDAP auth

Post by atetz »

Now I got this:

# This is an example configuration for using an MS AD backend
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '192.168.150.128';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=servicedesk,dc=test';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=APP_OTRS_AGENT,ou=Applications,ou=Servicedesk,DC=servicedesk,DC=test';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Service_ldap,cn=users,dc=servicedesk,dc=test';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxx';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '192.168.150.128';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=servicedesk,dc=test';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=Service_ldap,cn=users,dc=servicedesk,dc=test';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxx';

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];

but still the same issue :(
Last edited by atetz on 01 Sep 2011, 16:01, edited 2 times in total.
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: Agent LDAP auth

Post by ferrosti »

WHICH issue?
What exactly is the problem? What does your log say?
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
atetz

Re: Agent LDAP auth

Post by atetz »

OTRS does not let me in, not even with the credentials that I entered manually. There are also no error messages in OTRS\Apache\logs\error.txt.
ferrosti

Re: Agent LDAP auth

Post by ferrosti »

What does your OTRS log say?
crythias

Re: Agent LDAP auth

Post by crythias »

yes, you should check
otrs\var\log\otrs.log
atetz

Re: Agent LDAP auth

Post by atetz »

Thanks all for your replies. My issue is solved.

I checked the log and it stated that there was no user "xx" found in the "LDAP" group. (The department group was a member of the app group.) It works now that I have made the users direct members of the app group.
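As an added illustration (not code from this thread or from OTRS), the following Python model of the group layout in the first post shows why the original config failed and why the final fix works: GroupDN with AccessAttr 'member' and UserAttr 'DN' amounts to a direct lookup in the group's member attribute, so a user who is only in APP_OTRS_AGENT through BackOffice_GG does not match. The DNs and the "Someone Else" entry are constructed for the example.

```python
"""Constructed in-memory model of the AD layout from the thread (not OTRS code)."""
from typing import Dict, List, Optional, Set

BASE = "OU=Servicedesk,DC=servicedesk,DC=test"
APP_GROUP = f"CN=APP_OTRS_AGENT,OU=Applications,{BASE}"
DEPT_GROUP = f"CN=BackOffice_GG,OU=BackOffice,{BASE}"
ANN = f"CN=Ann Wozniak,OU=BackOffice,{BASE}"
CODY = f"CN=Cody Beckerman,OU=BackOffice,{BASE}"
OUTSIDER = f"CN=Someone Else,OU=FrontOffice,{BASE}"  # constructed, not in the thread

# Constructed directory: group DN -> values of its 'member' attribute.
DIRECTORY: Dict[str, List[str]] = {
    APP_GROUP: [DEPT_GROUP],   # the department group is nested in the app group
    DEPT_GROUP: [ANN, CODY],   # BackOffice users are members of BackOffice_GG
}

def _norm(dn: str) -> str:
    # DN matching is case-insensitive; ignore whitespace around the commas too.
    return ",".join(p.strip().lower() for p in dn.split(","))

def members(group_dn: str) -> List[str]:
    for key, vals in DIRECTORY.items():
        if _norm(key) == _norm(group_dn):
            return vals
    return []

def direct_member(group_dn: str, user_dn: str) -> bool:
    """What the GroupDN/AccessAttr/UserAttr settings effectively test:
    search base=GroupDN, filter (member=<user DN>). Nesting is not expanded."""
    return _norm(user_dn) in {_norm(m) for m in members(group_dn)}

def transitive_member(group_dn: str, user_dn: str, seen: Optional[Set[str]] = None) -> bool:
    """Membership through nested groups, i.e. what the poster expected.
    'seen' protects against membership cycles between groups."""
    if seen is None:
        seen = set()
    if _norm(group_dn) in seen:
        return False
    seen.add(_norm(group_dn))
    for m in members(group_dn):
        if _norm(m) == _norm(user_dn) or transitive_member(m, user_dn, seen):
            return True
    return False

def add_member(group_dn: str, dn: str) -> None:
    """The fix from the last post: make the agent a direct member of APP_OTRS_AGENT."""
    DIRECTORY.setdefault(group_dn, []).append(dn)

def in_chain_filter(user_dn: str) -> str:
    """AD's server-side alternative: matching rule LDAP_MATCHING_RULE_IN_CHAIN
    (OID 1.2.840.113556.1.4.1941) makes the DC expand nested membership itself.
    The thread does not say whether the OTRS 3.0 module can be made to use it."""
    return f"(member:1.2.840.113556.1.4.1941:={user_dn})"
```

Checking the OTRS log, as the replies suggest, is what exposes the mismatch: the log line about no user found in the group is exactly the failed direct lookup.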