Integration with AD by LDAP

Moderator: crythias

Ribravo
Znuny newbie
Posts: 36
Joined: 24 May 2012, 02:27
Znuny Version: 3.1.4
Location: São Paulo - Brasil

Integration with AD by LDAP

Post by Ribravo »

hi,

We already integrate OTRS with AD, but it brings all of the tree below the user domain. We need to bring information from the user only a group of AD.

Below is our current code. Could you help us?

$Self->{CustomerUser} = {
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'brspopl001.dedic-br.dedic.corp',
BaseDN => 'DC=dedic-br,DC=dedic,DC=corp',
SSCOPE => 'sub',
UserDN => 'CN=OTRS Homolog,OU=ger_eng,OU=services,OU=all_users,DC=dedic,DC=corp',
UserPw => '******',
},
CustomerKey => 'sAMAccountName',
CustomerID => 'sAMAccountName',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [

[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'sAMAccountName', 0, 1, 'var' ],
# [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
# [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],

],
};

Thank you
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Integration with AD by LDAP

Post by crythias »

You have no filter and no groupdn. Where did you get the documentation for this that ignored those parts?
viewtopic.php?f=60&t=16543
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: Integration with AD by LDAP

Post by Ribravo »

Hi,

I got this information somewhere on this forum, I do not remember where. Can you help me configure?

Re: Integration with AD by LDAP

Post by crythias »

Ribravo wrote: Can you help me configure?
Yes. I already did. I provided a hint, troubleshooting, and links to documentation.

http://doc.otrs.org/3.1/en/html/auth-ba ... ckend-ldap


# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
Also,
http://doc.otrs.org/3.1/en/html/custome ... ckend-ldap

But maybe I don't understand what you want.

Re: Integration with AD by LDAP

Post by crythias »

Ribravo wrote: We already integrate OTRS with AD, but it brings all of the tree below the user domain.
It brings all of the tree below your BaseDN.
Ribravo wrote: We need to bring information from the user only a group of AD.
Change your BaseDN or use GroupDN (see my previous post).
Ribravo wrote: Below is our current code
And the code is only about retrieving information based upon sAMAccountName.
It's not about authentication, but let's tackle your question:
"We need to bring information from the user only a group of AD"[sic]
  • You will *only* bring in information for a customer that matches the sAMAccountName, and
  • that is (should be) unique across your AD structure, and
  • you'd only bring in information for a user that has already been authenticated.
If you're having a problem restricting who can log in, the code you presented doesn't affect that at all.

Re: Integration with AD by LDAP

Post by Ribravo »

Hi,

I made the change to the code that you asked for, but now it is not finding any OTRS user. Do I need to add some more information to the code?

Here's the code below:

$Self->{CustomerUser} = {
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'brspopl003.dedic.corp',
BaseDN => 'DC=dedic,DC=corp',
SSCOPE => 'sub',
UserDN => 'CN=OTRS Homolog,OU=ger_eng,OU=services,OU=all_users,DC=dedic,DC=corp',
UserPw => 'Dedic@10',
GroupDN => 'CN=Processos TI,OU=tecnologia,OU=distribution_group,OU=all_groups,DC=dedic,DC=corp',
AccessAttr => 'memberUid',
},
CustomerKey => 'sAMAccountName',
CustomerID => 'sAMAccountName',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [

[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'sAMAccountName', 0, 1, 'var' ],
# [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
# [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};

Re: Integration with AD by LDAP

Post by crythias »

I don't think you understand what I said.
  • The code you're providing is based upon grabbing information after authentication
  • At that point, your restriction is too late, because you've already authenticated someone potentially outside the scope of your "get information" restriction.
Maybe this diagram might help.
[attached diagram: LDAP -OTRS.png]

When you show "CustomerUser", that's information.
When you (haven't shown) "CustomerAuth", that's authentication.

Re: Integration with AD by LDAP

Post by Ribravo »

Hi,

Do you have any sample code? I made the changes you asked for and it still is not working. I understand the diagram above, but I could not translate it into the code.

Thank you.

Re: Integration with AD by LDAP

Post by crythias »

Show me yours and I'll show you mine. So far, you haven't shown me one thing about CustomerAuth.

Re: Integration with AD by LDAP

Post by crythias »

I should also mention that you're probably using the database for Authentication and ldap for information, if you don't have any CustomerAuth in Config.pm.

If you need both, you need to add CustomerAuth LDAP as an additional backend, which has been discussed at the ldap link given above.

By default, authentication for Users and Customer Users comes from the DB.
When you added CustomerUser pointing to LDAP, you are grabbing information from a source that is authenticating via DB.

Then, you asked the question which pertains explicitly to this. You are authenticating to DB, then querying your AD which is a different scope than the DB authentication. Specifically, you can authenticate a user in DB that is outside the scope of information provided by Active Directory.

Once you've authenticated with DB, you are using Active Directory as the only source of information about customers. (CustomerUser)

If you want both DB and AD information, change CustomerUser to CustomerUser1.

However, that still allows authentication that is a different scope than information.

If you want both DB and AD authentication, add CustomerAuth (see documentation in previous linked information) as an additional backend (append 1). Again, check the link above for information on this.

Re: Integration with AD by LDAP

Post by Ribravo »

Hi,

I set up the code according to the document:

http://doc.otrs.org/3.1/en/html/auth-backends.html#customer-auth-backend-ldap

Now it does not bring any information from AD.

Let me explain what we need:

We have a group in AD called Users_OTRS, whose DN is:

CN=Users_OTRS,OU=tecnologia,OU=distribution_group,OU=all_groups,DC=dedic,DC=corp

We need only the users of this group to have permission to access OTRS.

The previous setup I made brings in all of our domain users.

Re: Integration with AD by LDAP

Post by crythias »

Please post your Config.pm. I cannot help you any more without it.

Re: Integration with AD by LDAP

Post by Ribravo »

package Kernel::Config;

use utf8;

sub Load {
my $Self = shift;

# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'brspopl003.br.dedic.corp';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=dedic,DC=corp';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Users_OTRS,OU=tecnologia,OU=distribution_group,OU=all_groups,DC=dedic,DC=corp';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Homolog,OU=ger_eng,OU=services,OU=all_users,DC=dedic,DC=corp';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '******';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

# ---------------------------------------------------- #
# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'brcasqc030.dedic.corp';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs_dev';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs_dev';
# DatabasePw
# (The password of database user. You also can use bin/otrs.CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = 'otrs_dev';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{'DatabaseDSN'} = "DBI:mysql:database=otrs_dev;host=brcasqc030";

# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
# if you have PostgresSQL 8.1 or earlier, activate the legacy driver with this line:
# $Self->{DatabasePostgresqlBefore82} = 1;

# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = '/opt/otrs';

# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;

# ---------------------------------------------------- #


# ---------------------------------------------------- #

# ---------------------------------------------------- #

# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #
# $DIBI$

# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this) #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.25 $)[1];

use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

# -----------------------------------------------------#

1;

Re: Integration with AD by LDAP

Post by crythias »


$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'brspopl003.br.dedic.corp';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=dedic,DC=corp';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Users_OTRS,OU=tecnologia,OU=distribution_group,OU=all_groups,DC=dedic,DC=corp';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Homolog,OU=ger_eng,OU=services,OU=all_users,DC=dedic,DC=corp';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '******';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
Ribravo wrote: Now it does not bring any information from AD.
If what you gave me is your complete Config.pm, you will not retrieve any information from AD, because you are not querying information from AD.

The first thing you posted was information, but not authentication. The last thing you posted was authentication, but not information.

If you want to authenticate against AD, keep this. If you want information from AD, add the CustomerUser entry you had before.

Note also that this only affects customers, people who log in to customer.pl. *most* of the time, you probably want customer.pl to be as available as possible, though you'll want to be restrictive on Users/agents/people who log in to index.pl
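An added example, not code from this thread or from the OTRS project, showing the two halves crythias describes side by side in one Config.pm fragment: CustomerAuth decides who may log in to customer.pl, and CustomerUser only supplies attributes for someone already authenticated. It reuses the host, DNs and group from the thread with a placeholder password, and assumes Active Directory group semantics (members are stored as full DNs in the 'member' attribute, so AccessAttr 'member' with UserAttr 'DN'; logins use sAMAccountName, since AD users have no 'uid') and that the CustomerUser LDAP backend accepts an AlwaysFilter parameter.

```perl
# --- Authentication: restricts customer.pl logins to one AD group ---------
# Every statement here is a separate assignment and ends with ';'.
$Self->{'Customer::AuthModule'}               = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'}   = 'brspopl003.br.dedic.corp';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=dedic,DC=corp';
# AD has no 'uid'; the login attribute is sAMAccountName and it must match
# CustomerKey below, otherwise an authenticated user has no customer record.
$Self->{'Customer::AuthModule::LDAP::UID'}    = 'sAMAccountName';

# Group check: only members of Users_OTRS may log in. AD groups list members
# as full DNs in 'member' (assumption: AD, not posixGroup/memberUid), so the
# user's DN is what gets compared.
$Self->{'Customer::AuthModule::LDAP::GroupDN'}    = 'CN=Users_OTRS,OU=tecnologia,OU=distribution_group,OU=all_groups,DC=dedic,DC=corp';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'}   = 'DN';

# Bind account used for the lookup (AD usually refuses anonymous reads).
# Placeholder password: keep the real one out of posts and version control.
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Homolog,OU=ger_eng,OU=services,OU=all_users,DC=dedic,DC=corp';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '<search-account-password>';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# --- Information: attributes shown for an already-authenticated customer --
# This hash does not restrict logins at all; it is its own statement, closed
# with '};', not a continuation of the assignments above.
$Self->{CustomerUser} = {
    Name   => 'AD customers',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'brspopl003.br.dedic.corp',
        BaseDN => 'DC=dedic,DC=corp',
        SSCOPE => 'sub',
        UserDN => 'CN=OTRS Homolog,OU=ger_eng,OU=services,OU=all_users,DC=dedic,DC=corp',
        UserPw => '<search-account-password>',
        # Assumed parameter: narrows every search so wildcard lookups from the
        # customer search screens stay below the server's result size limit.
        AlwaysFilter => '(objectclass=user)',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'sAMAccountName',
    CustomerUserListFields             => [ 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserSearchFields           => [ 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => [ 'givenname', 'sn' ],
    Map => [
        [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'sAMAccountName', 0, 1, 'var' ],
    ],
};
```

With only the CustomerUser block, anyone the DB backend accepts gets AD attributes looked up; the GroupDN restriction lives in the CustomerAuth block and nowhere else.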

Re: Integration with AD by LDAP

Post by Ribravo »

Hi,

Thanks for the help,

Can you verify whether the complete code is correct before I insert it on the server?

Here's the code below:

sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# CustomerUser1
# (customer user ldap backend and settings)
$Self->{CustomerUser} = {
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'brspopl003.dedic.corp',
BaseDN => 'DC=dedic,DC=corp',
SSCOPE => 'sub',
UserDN => 'CN=OTRS Homolog,OU=ger_eng,OU=services,OU=all_users,DC=dedic,DC=corp',
UserPw => '*******',
},
CustomerKey => 'sAMAccountName',
CustomerID => 'sAMAccountName',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [

[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'sAMAccountName', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP',
$Self->{'Customer::AuthModule::LDAP::Host'} = 'brspopl003.br.dedic.corp',
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=dedic,DC=corp',
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid',
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Users_OTRS,OU=tecnologia,OU=distribution_group,OU=all_groups,DC=dedic,DC=corp',
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid',
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID',
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Homolog,OU=ger_eng,OU=services,OU=all_users,DC=dedic,DC=corp',
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '*******',
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)',
$Self->{'Customer::AuthModule::LDAP::Params'} = [
port => 389,
timeout => 120,
async => 0,
version => 3,
],
};

Re: Integration with AD by LDAP

Post by crythias »


[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP',
probably needs to be


[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP',
I don't know if there are other issues, though. The logs and your experience should bear that out.
Oh, and I believe there are a lot of commas that need to be replaced by semicolons.

Re: Integration with AD by LDAP

Post by crythias »

Bad:


Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP',
$Self->{'Customer::AuthModule::LDAP::Host'} = 'brspopl003.br.dedic.corp',
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=dedic,DC=corp',
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid',
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Users_OTRS,OU=tecnologia,OU=distribution_group,OU=all_groups,DC=dedic,DC=corp',
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid',
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID',
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Homolog,OU=ger_eng,OU=services,OU=all_users,DC=dedic,DC=corp',
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '*******',
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)',
good:


$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'brspopl003.br.dedic.corp';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=dedic,DC=corp';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Users_OTRS,OU=tecnologia,OU=distribution_group,OU=all_groups,DC=dedic,DC=corp';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Homolog,OU=ger_eng,OU=services,OU=all_users,DC=dedic,DC=corp';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '*******';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

Re: Integration with AD by LDAP

Post by Ribravo »

I inserted the code in Config.pm on the server.

Now I get the following error in the log:

Wed Aug 15 18:28:27 2012 error OTRS-CGI-10 sizelimit exceeded

Is this error related to the code?

Re: Integration with AD by LDAP

Post by crythias »

Probably. I'll have to rebuild the config in a demo environment until it works. There's likely to be a configuration option or three that are misconfigured, not terminated properly, or something else.

At this point, I don't know what it is, and yet I figure you'd have an otrs.log or apache error.log telling you more of what's broken where.

Re: Integration with AD by LDAP

Post by Ribravo »

Hi,

Now I get this error message when the user tries to authenticate:

failed authentication, the LDAP group entry foundGroupDN
ciprianodf
Znuny newbie
Posts: 10
Joined: 29 Jun 2012, 16:58
Znuny Version: 3.1.6
Real Name: Rafael

Re: Integration with AD by LDAP

Post by ciprianodf »

Hello!

I'm having the same problem ...


[Thu Mar  7 07:54:06 2013][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: rafael.bastos@domain.local authentication failed, no LDAP entry found!BaseDN='OU=Usuarios XYZ,OU=hp,OU=NESA,DC=domain,DC=local', Filter='(&(sAMAccountName=rafael.bastos@domain.local)(mail=*))', (REMOTE_ADDR: ::1).


[Thu Mar  7 07:59:40 2013][Error][Kernel::System::CustomerUser::LDAP::CustomerSearch][363] Sizelimit exceeded
config.pm


########------------------------------------#######
########-------------CLIENTS----------------#######
########------------------------------------#######
# Configuration for a LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'host.domain.local';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'OU=Usuarios ,OU=hp,OU=xyz,DC=domain,DC=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
#------------

#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRS_customers,CN=Users,DC=domain,DC=local';
#$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_search,CN=Users,DC=domain,DC=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Nesa123';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
 port => 389,
 timeout => 120,
 async => 0,
 version => 3,
};

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
#-------------
#-------------


 $Self->{CustomerUser} = {
Name => 'LDAP Backend',
 Module => 'Kernel::System::CustomerUser::LDAP',
 Params => {
 Host => 'iriri1-10-2.norteenergia.local',
 BaseDN => 'OU=Usuarios,OU=NEPA,OU=xyz,DC=domain,DC=local',
 SSCOPE => 'sub',
 UserDN => 'CN=otrs_search,CN=Users,DC=domain,DC=local',
 UserPw => 'Nesa123',
 },
 CustomerKey => 'sAMAccountName',
 CustomerID => 'sAMAccountName',
 CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
 CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
 CustomerUserPostMasterSearchFields => ['mail'],
 CustomerUserNameFields => ['givenname', 'sn'],
 Map => [
 [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
 [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
 [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
 [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
 [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
 [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
 [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
 };
Can someone help me ...



Thanks!
OTRS 3.1.7 w2k8 x64 R2 IIS MSSQL AD
lexsys
Znuny newbie
Posts: 4
Joined: 11 Mar 2013, 15:12
Znuny Version: 3.2.2
Real Name: Alexsander
Company: HHIB

Re: Integration with AD by LDAP

Post by lexsys »

Can someone help?