LDAP

Moderator: crythias

Locked
stevo300
Znuny newbie
Posts: 10
Joined: 01 May 2013, 12:55
Znuny Version: 3.2.6
Real Name: Steve

LDAP

Post by stevo300 »

Hello,

I have tried to follow many guides to achieve customer login via LDAP but to no avail.

If I configure the settings solely in from within sysConfig, I get the error message: 'Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator.'

So after googling this I found some more guides, but never got past this point.

I also found that you can configure more than one back-end authentication protocol (so I have attempted this as well, to also include the DB just in case).

Here is my zzzAuto.pm:

Code:

# OTRS config file (automatically generated)
# VERSION:1.1
package Kernel::Config::Files::ZZZAuto;
use strict;
use warnings;
use utf8;
sub Load {
    my ($File, $Self) = @_;
$Self->{'CustomerPanelBodyNewAccount'} =  'Hi <OTRS_USERFIRSTNAME>,

You or someone impersonating you has created a new OTRS account for
you.

Full name: <OTRS_USERFIRSTNAME> <OTRS_USERLASTNAME>
User name: <OTRS_USERLOGIN>
Password : <OTRS_USERPASSWORD>

You can log in via the following URL. We encourage you to change your password
via the Preferences button after logging in.

<OTRS_CONFIG_HttpType>://<OTRS_CONFIG_FQDN>/<OTRS_CONFIG_ScriptAlias>customer.pl';
$Self->{'CustomerPanelBodyLostPassword'} =  'Hi <OTRS_USERFIRSTNAME>,


New password: <OTRS_NEWPW>

<OTRS_CONFIG_HttpType>://<OTRS_CONFIG_FQDN>/<OTRS_CONFIG_ScriptAlias>customer.pl';
$Self->{'CustomerPanelBodyLostPasswordToken'} =  'Hi <OTRS_USERFIRSTNAME>,

You or someone impersonating you has requested to change your OTRS
password.

If you want to do this, click on this link. You will receive another email containing the password.

<OTRS_CONFIG_HttpType>://<OTRS_CONFIG_FQDN>/<OTRS_CONFIG_ScriptAlias>customer.pl?Action=CustomerLostPassword;Token=<OTRS_TOKEN>

If you did not request a new password, please ignore this email.';
delete $Self->{'PreferencesGroups'}->{'SpellDict'};
$Self->{'SendmailModule::Port'} =  '25';
$Self->{'SendmailModule::Host'} =  '192.168.16.241';
$Self->{'SendmailModule'} =  'Kernel::System::Email::SMTP';
$Self->{'LogModule::LogFile'} =  'C:/PROGRA~2/OTRS/OTRS/var/log/otrs.log';
$Self->{'LogModule'} =  'Kernel::System::Log::File';
$Self->{'CustomerHeadline'} =  'CME Medical Helpdesk';
$Self->{'DefaultLanguage'} =  'en_GB';
$Self->{'Organization'} =  'CME Medical';
$Self->{'AdminEmail'} =  'swatson@cmemedical.co.uk';
$Self->{'FQDN'} =  'cme-mckinley.local';
$Self->{'SecureMode'} =  1;
}
1;
This is the snippet from the config.pm for what I have edited... (below 'data inserted by installer' and above 'end of your own config options!!!')

Code:

# This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = '192.168.16.240';
   $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=domain,dc=local';
   $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccoutName';

    # # The following is valid but would only be necessary if the
    # # anonymous user do NOT have permission to read from the LDAP tree
   $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'cn=otrs_ldap,ou=service_accounts,ou=Users,ou=MyBusiness,dc=domain,dc=local';
   $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'password';

    # # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
   $Self->{'AuthModule::LDAP::Params1'} = {
       port    => 389,
       timeout => 120,
       async   => 0,
       version => 3,
   };

    # Die if backend can't work, e. g. can't connect to server.
    $Self->{'AuthModule::LDAP::Die'} = 1;

$Self->{'Customer::AuthModule1'} =  'Kernel::System::CustomerAuth::LDAP';
 # --------------------------------------------------- #
    # authentication sync settings                        #
    # (enable agent data sync. after succsessful          #
    # authentication)                                     #
    # --------------------------------------------------- #
    # This is an example configuration for an LDAP auth sync. backend.
    # (take care that Net::LDAP is installed!)
   $Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
   $Self->{'AuthSyncModule::LDAP::Host1'} = '192.168.16.240';
   $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=domain,dc=local';
   $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
   $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'cn=otrs_ldap,ou=service_accounts,ou=Users,ou=MyBusiness,dc=domain,dc=local';
   $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'password';



    # AuthSyncModule::LDAP::UserSyncMap
    # (map if agent should create/synced from LDAP to DB after successful login)
   $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
       # DB -> LDAP
       UserFirstname => 'givenName',
       UserLastname  => 'sn',
       UserEmail     => 'mail',
   };
   
   $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
    'users',
];

    # In case you need to use OTRS in iso-charset, you can define this
    # by using this option (converts utf-8 data from LDAP to iso).
#    $Self->{'AuthSyncModule::LDAP::Charset'} = 'iso-8859-1';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
#    $Self->{'AuthSyncModule::LDAP::Params'} = {
#        port    => 389,
#        timeout => 120,
#        async   => 0,
#        version => 3,
#    };

    # Die if backend can't work, e. g. can't connect to server.
#    $Self->{'AuthSyncModule::LDAP::Die'} = 1;
At the moment I am getting the errors '[Wed May 1 11:53:04 2013][Notice][Kernel::System::CustomerAuth::DB::Auth] CustomerUser: No auth record in 'customer_user' for .....'

If anyone can point me in the right direction I would appreciate it.
OTRS 3.2.6
Windows Server 2012
MYSQL
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: LDAP

Post by crythias »

OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
stevo300
Znuny newbie
Posts: 10
Joined: 01 May 2013, 12:55
Znuny Version: 3.2.6
Real Name: Steve

Re: LDAP

Post by stevo300 »

My apologies for being a noob with this. I have looked at the howto you gave me, and also some other threads, and this is what I have now...

config.pm

Code:


	# ---------------------------------------------------- #
	# ---------------------------------------------------- #
	#                                                      #
	# LDAP CONFIGURATION                                   #
	#                                                      #
	# ---------------------------------------------------- #
	# Globals                                              #
	  my $BaseDn = 'dc=cme-mckinley,dc=local';
	  my $Host = '192.168.16.240';
	  my $SearchUserDN = 'CN=otrs_ldap,OU=service_accounts,OU=Users,OU=MyBusiness,DC=domain,DC=local';
	  my $SearchUserPW = 'xxxx';
	  my $customerGroup = 'CN=otrs_allow_c,OU=Security Groups,OU=MyBusiness,DC=domain,DC=local';
	  my $agentGroup = 'CN=otrs_allow_a,OU=MyBusiness,DC=cme-mckinley,DC=local';
	# ---------------------------------------------------- #
	# ---------------------------------------------------- #
	#                                                      #
	# Agent LDAP                                           #
	#                                                      #
	# ---------------------------------------------------- #
	# ---------------------------------------------------- #
	
    # Enable LDAP Authentication for Agent #
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = '192.168.16.240';
$Self->{'AuthModule::LDAP::BaseDN1'} = $BaseDN;
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN1'} = $agentGroup;
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = $SearchUserDN;
$Self->{'AuthModule::LDAP::SearchUserPW1'} = $SearchUserPW;
$Self->{'AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

# Enable LDAP Authentication Sync for Agent #
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '192.168.16.240';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = $BaseDN;
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = $SearchUserDN;
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = $SearchUserPW;

# Enable Agent Mapping from LDAP to DB #
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

	# ---------------------------------------------------- #
	# ---------------------------------------------------- #
	#                                                      #
	# Customer LDAP                                        #
	#                                                      #
	# ---------------------------------------------------- #
	# ---------------------------------------------------- #
	
	#This is an example configuration for an LDAP auth. backend.
#(make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = $Host;
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = $BaseDN;
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN1'} = $customerGroup;
$Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = $SearchUserDN;
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = $SearchUserPW;

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter1'} = '';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params1'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
	
	# CustomerUser
# (customer ldap backend and settings)
$Self->{CustomerUser1} = {
    Name => 'Customer',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => $Host,
        # ldap base dn
        BaseDN => $BaseDN,
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => $SearchUserDN,
        UserPw => $SearchUserPW,
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '',
            # if both your frontend and your LDAP are unicode, use this:
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
            # if your frontend is unicode and the charset of your
            # ldap server is iso-8859-1, use these options.
            # SourceCharset => 'iso-8859-1',
            # DestCharset => 'utf-8',
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port => 389,
                timeout => 120,
                async => 0,
                version => 3,
            },
    },
    # customer unique id
    CustomerKey => 'uid',
    # customer #
    CustomerID => 'sAMAccountName',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['uid', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
#    CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
#    # cache time to live in sec. - cache any database queries
#    CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
#        [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};

	
	# ---------------------------------------------------- #
	# ---------------------------------------------------- #
	#                                                      #
	# End of LDAP CONFIGURATION                            #
	#                                                      #
	# ---------------------------------------------------- #
	# ---------------------------------------------------- #

ZZZAuto.pm

Code:

# OTRS config file (automatically generated)
# VERSION:1.1
package Kernel::Config::Files::ZZZAuto;
use strict;
use warnings;
use utf8;
sub Load {
    my ($File, $Self) = @_;
$Self->{'Customer::AuthModule::LDAP::Params'} =  {
  'async' => '0',
  'port' => '389',
  'timeout' => '120',
  'version' => '3'
};
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} =  'xxxxx';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} =  'cn=otrs_ldap,ou=service_accounts,ou=Users,ou=MyBusiness,dc=domain,dc=local';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} =  'DN';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} =  'member';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} =  'CN=otrs_allow_c,OU=Security Groups,ou=MyBusiness,dc=domain,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'} =  'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} =  'dc=cme-mckinley,dc=local';
$Self->{'Customer::AuthModule::LDAP::Host'} =  '192.168.16.240';
$Self->{'Customer::AuthModule'} =  'Kernel::System::CustomerAuth::LDAP';
$Self->{'CustomerPanelBodyNewAccount'} =  'Hi <OTRS_USERFIRSTNAME>,

You or someone impersonating you has created a new OTRS account for
you.

Full name: <OTRS_USERFIRSTNAME> <OTRS_USERLASTNAME>
User name: <OTRS_USERLOGIN>
Password : <OTRS_USERPASSWORD>

You can log in via the following URL. We encourage you to change your password
via the Preferences button after logging in.

<OTRS_CONFIG_HttpType>://<OTRS_CONFIG_FQDN>/<OTRS_CONFIG_ScriptAlias>customer.pl';
$Self->{'CustomerPanelBodyLostPassword'} =  'Hi <OTRS_USERFIRSTNAME>,


New password: <OTRS_NEWPW>

<OTRS_CONFIG_HttpType>://<OTRS_CONFIG_FQDN>/<OTRS_CONFIG_ScriptAlias>customer.pl';
$Self->{'CustomerPanelBodyLostPasswordToken'} =  'Hi <OTRS_USERFIRSTNAME>,

You or someone impersonating you has requested to change your OTRS
password.

If you want to do this, click on this link. You will receive another email containing the password.

<OTRS_CONFIG_HttpType>://<OTRS_CONFIG_FQDN>/<OTRS_CONFIG_ScriptAlias>customer.pl?Action=CustomerLostPassword;Token=<OTRS_TOKEN>

If you did not request a new password, please ignore this email.';
delete $Self->{'PreferencesGroups'}->{'SpellDict'};
$Self->{'SendmailModule::Port'} =  '25';
$Self->{'SendmailModule::Host'} =  '192.168.16.241';
$Self->{'SendmailModule'} =  'Kernel::System::Email::SMTP';
$Self->{'LogModule::LogFile'} =  'C:/PROGRA~2/OTRS/OTRS/var/log/otrs.log';
$Self->{'LogModule'} =  'Kernel::System::Log::File';
$Self->{'CustomerHeadline'} =  'CME Medical Helpdesk';
$Self->{'DefaultLanguage'} =  'en_GB';
$Self->{'Organization'} =  'CME Medical';
$Self->{'AdminEmail'} =  'swatson@cmemedical.co.uk';
$Self->{'FQDN'} =  'cme-mckinley.local';
$Self->{'SecureMode'} =  1;
}
1;
When I try and log on as an agent I get the error message:

[Wed May 1 16:00:27 2013][Notice][Kernel::System::Auth::DB::Auth] User: swatson doesn't exist or is invalid!!! (REMOTE_ADDR: 192.168.16.20)
[Wed May 1 16:00:27 2013][Error][Kernel::System::User::UserLookup][795] No UserID found for 'swatson'!

When I try and log on as a customer I get the error message:

[Wed May 1 16:09:55 2013][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: swatson (CN=Stephen Watson,OU=IT,OU=Users,OU=MyBusiness,DC=domainy,DC=local) authentication ok (REMOTE_ADDR: 192.168.16.20).
[Wed May 1 16:09:55 2013][Error][Kernel::System::CustomerUser::SetPreferences][546] No such user 'swatson'!

Any ideas?
OTRS 3.2.6
Windows Server 2012
MYSQL
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: LDAP

Post by crythias »

ZZZAuto.pm means you're trying to do this through SysConfig. I don't recommend this, but it's there, and is possibly going to conflict with Config.pm, which is the only place I recommend making connections to backends.

Read the post again.

Authentication is permission. CustomerUser is demographics.

Read the three links in the post. Copy the doc examples to Config.pm.

"No User found" means nothing for CustomerUser or AuthSync.

Note that you need to create at least one admin user with full access before switching to ldap, or use the bin/otrs.AddUser.pl script.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
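The point above, that authentication and CustomerUser are two separate lookups, can be checked outside OTRS before editing Config.pm. The script below is an added diagnostic written for this thread; it is not OTRS code and not something either poster ran, and every host, base DN, service-account DN, password and group DN in it is a placeholder to replace with your own. It assumes Net::LDAP is installed (the same module the config comments ask for) and mirrors the lookups the two backends make: bind as the search account, find the login by the auth backend's UID attribute, test group membership in both the member/DN and memberUid/UID styles, then look the same login up by the CustomerUser backend's CustomerKey attribute. When step 1 succeeds and step 3 finds nothing, the customer backend has no record for that login, which is the situation the 'Authentication succeeded, but no customer record is found' message reports.

```perl
#!/usr/bin/perl
# otrs_ldap_check.pl: an added diagnostic written for this thread, not
# OTRS code. It repeats, outside OTRS, the lookups the LDAP auth backend
# and the CustomerUser::LDAP backend make, so a failing step can be
# spotted before editing Config.pm. Every value marked PLACEHOLDER is an
# assumption; replace it with your own.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $Host         = 'ldap.example.local';                                  # PLACEHOLDER
my $BaseDN       = 'dc=example,dc=local';                                 # PLACEHOLDER
my $SearchUserDN = 'cn=svc_otrs,ou=service_accounts,dc=example,dc=local'; # PLACEHOLDER
my $SearchUserPW = 'changeme';                                            # PLACEHOLDER
my $GroupDN      = 'cn=otrs_allow_c,ou=groups,dc=example,dc=local';       # PLACEHOLDER
my $UIDAttr      = 'sAMAccountName';   # what AuthModule::LDAP::UID is set to
my $CustomerKey  = 'uid';              # what CustomerUser -> CustomerKey is set to

my $Login = shift @ARGV or die "usage: $0 <login>\n";
# Escape the login so filter metacharacters typed by a user cannot change the query.
my $SafeLogin = escape_filter_value($Login);

my $ldap = Net::LDAP->new($Host, port => 389, version => 3, timeout => 120)
    or die "cannot connect to $Host: $@\n";

# Step 0: the search account must be able to bind (SearchUserDN / SearchUserPw).
my $msg = $ldap->bind($SearchUserDN, password => $SearchUserPW);
die 'bind as search user failed: ' . $msg->error . "\n" if $msg->code;
print "bind as search user: ok\n";

# Step 1: the auth backend locates the login by the UID attribute.
$msg = $ldap->search(
    base   => $BaseDN,
    scope  => 'sub',
    filter => "($UIDAttr=$SafeLogin)",
    attrs  => [ $UIDAttr, $CustomerKey, 'mail' ],
);
die 'search failed: ' . $msg->error . "\n" if $msg->code;
my ($user) = $msg->entries;
die "no entry with $UIDAttr=$Login under $BaseDN: authentication cannot succeed\n"
    unless $user;
my $UserDN = $user->dn;
print "auth lookup by $UIDAttr: $UserDN\n";

# Step 2: group check in both styles. AccessAttr names the group attribute;
# UserAttr decides whether the user's DN or the login is matched against it.
# Only one style fits a given directory; the other is expected to say NOT.
my %GroupStyle = (
    'member/DN'     => '(member='    . escape_filter_value($UserDN) . ')',
    'memberUid/UID' => '(memberUid=' . $SafeLogin . ')',
);
for my $style (sort keys %GroupStyle) {
    my $g = $ldap->search(base => $GroupDN, scope => 'base', filter => $GroupStyle{$style});
    my $hit = (!$g->code && $g->count) ? 'member' : 'NOT a member';
    print "group check $style: $hit\n";
}

# Step 3: the CustomerUser backend looks the same login up by CustomerKey.
# An empty result here is what OTRS reports as "Authentication succeeded,
# but no customer record is found in the customer backend".
$msg = $ldap->search(
    base   => $BaseDN,
    scope  => 'sub',
    filter => "($CustomerKey=$SafeLogin)",
    attrs  => [ $CustomerKey, 'mail' ],
);
if ($msg->code || !$msg->count) {
    print "customer lookup by $CustomerKey: no record";
    print " (the entry found in step 1 has no '$CustomerKey' attribute)"
        unless $user->exists($CustomerKey);
    print "\n";
}
else {
    print "customer lookup by $CustomerKey: ok\n";
}

$ldap->unbind;
```

Run it as `perl otrs_ldap_check.pl <login>` from the OTRS host, so it uses the same network path and the same Net::LDAP installation that OTRS does. Each step prints a result on its own, so the first failing line tells you which setting to look at: the bind for SearchUserDN/SearchUserPw, step 1 for BaseDN and UID, step 2 for GroupDN/AccessAttr/UserAttr, and step 3 for CustomerKey and the Map entries that read the same attribute.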
stevo300
Znuny newbie
Posts: 10
Joined: 01 May 2013, 12:55
Znuny Version: 3.2.6
Real Name: Steve

Re: LDAP

Post by stevo300 »

Thanks again for your assistance,

I have uninstalled and reinstalled to clear all the files back to default so I can start afresh.

I have copied all the LDAP specific code from the 3 links as you have suggested.

I also created an admin agent with full permissions as you also suggested.

My question is, is there a specific order the code must go in, or a specific place?
Secondly, I can see in your post on the line $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'; you don't have the apostrophes around AuthModule, but the links do. Does it matter which I use?

The reason I ask these is because for both the customer and agent login, the log is still saying they are looking at the DB rather than LDAP:

[Thu May 2 10:06:42 2013][Notice][Kernel::System::Auth::DB::Auth] User: swatson doesn't exist or is invalid!!! (REMOTE_ADDR: 192.168.16.20)
[Thu May 2 10:06:42 2013][Error][Kernel::System::User::UserLookup][795] No UserID found for 'swatson'!
[Thu May 2 10:08:50 2013][Notice][Kernel::System::CustomerAuth::DB::Auth] CustomerUser: No auth record in 'customer_user' for 'swatson' (REMOTE_ADDR: 192.168.16.20)

I feel I am only missing something subtle.

My config.pm now has the following additions (right above the 'end of your own config options!!!' box):

Code:

# ---------------------------------------------------- #
	# ---------------------------------------------------- #
	#                                                      #
	# LDAP CONFIGURATION                                   #
	#                                                      #
	# ---------------------------------------------------- #
	# Globals                                              #
	  my $BaseDn = 'dc=domain,dc=local';
	  my $Host = '192.168.16.240';
	  my $SearchUserDN = 'CN=otrs_ldap,OU=service_accounts,OU=Users,OU=MyBusiness,DC=domain,DC=local';
	  my $SearchUserPW = 'xxxxx';
	  my $customerGroup = 'CN=otrs_allow_c,OU=Security Groups,OU=MyBusiness,DC=domain,DC=local';
	  my $agentGroup = 'CN=otrs_allow_a,OU=MyBusiness,DC=domain,DC=local';
	  
	# ---------------------------------------------------- #
	# ---------------------------------------------------- #
	#                                                      #
	# Customer LDAP                                        #
	#                                                      #
	# ---------------------------------------------------- #
	# ---------------------------------------------------- #

	# CustomerUser
# (customer ldap backend and settings)
$Self->{CustomerUser} = {
    Name => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => $Host,
        # ldap base dn
        BaseDN => $BaseDN,
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => $SearchUserDN,
        UserPw => $SearchUserPW,
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '',
            # if both your frontend and your LDAP are unicode, use this:
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
            # if your frontend is unicode and the charset of your
            # ldap server is iso-8859-1, use these options.
            # SourceCharset => 'iso-8859-1',
            # DestCharset => 'utf-8',
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port => 389,
                timeout => 120,
                async => 0,
                version => 3,
            },
    },
    # customer unique id
    CustomerKey => 'uid',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['uid', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
#    CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
#    # cache time to live in sec. - cache any database queries
#    CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
#        [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};


# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = $Host;
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = $BaseDN;
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccount';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = $customerGroup;
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = $SearchUserDN;
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = $SearchUserPW;

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};

	# ---------------------------------------------------- #
	# ---------------------------------------------------- #
	#                                                      #
	# Agent LDAP                                           #
	#                                                      #
	# ---------------------------------------------------- #
	# ---------------------------------------------------- #


# This is an example configuration for an LDAP auth. backend.
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = $Host;
$Self->{'AuthModule::LDAP::BaseDN'} = $BaseDN;
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = $agentGroup;
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
#  $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = $SearchUserDN;
$Self->{'AuthModule::LDAP::SearchUserPw'} = $SearchUserPW;

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#    $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};

# defines AuthSyncBackend (AuthSyncModule) for AuthModule
# if this key exists and is empty, there won't be a sync.
# example values: AuthSyncBackend, AuthSyncBackend2
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';

# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = $Host;# 'ldap://192.168.16.240/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = $BaseDN;
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = $SearchUserDN;
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = $SearchUserPW;
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
[...]

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
I have also run otrs.checkmodules and Net::LDAP is definitely installed.

I tried to view the German howto you posted; however, the script that was posted was not available for me.
OTRS 3.2.6
Windows Server 2012
MYSQL
stevo300
Znuny newbie
Posts: 10
Joined: 01 May 2013, 12:55
Znuny Version: 3.2.6
Real Name: Steve

Re: LDAP

Post by stevo300 »

OK, totally by accident I realised my two newbie mistakes.

1) I had a typo (declared a variable as $BaseDn but was using $BaseDN)
2) I wasn't restarting the otrs services.

I now have the agents' LDAP working well. I can log on either as a DB user (for the admin) or as an LDAP user.

I am getting the 'Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator' error now. I am going off now to find the answer to that.
OTRS 3.2.6
Windows Server 2012
MYSQL
stevo300
Znuny newbie
Posts: 10
Joined: 01 May 2013, 12:55
Znuny Version: 3.2.6
Real Name: Steve

Re: LDAP

Post by stevo300 »

I found this guide that completed the job perfectly.

http://deckerix.com/blog/configura-tu-o ... orte-ldap/

Thank you for all your help.
OTRS 3.2.6
Windows Server 2012
MYSQL