AD LDAP backend conf

Moderator: crythias

balagab
Znuny newbie
Posts: 3
Joined: 09 May 2013, 10:24
Znuny Version: 3.2.6

AD LDAP backend conf

Post by balagab »

Hi,

I've modified the config.pm based on the below. In the agent/admin interface I can see the AD users in the customer menu. However, I cannot log in with a customer on the customer interface (wrong username/password). Something is missing for authentication. Could you please help me? Thanks.


# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '...';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = '...';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = '...';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'sAMAccountName';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrs_ldap,ou=...,dc=...,dc=hu';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '...';

# CustomerUser
# (customer user database backend and settings)
$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => '...',
        BaseDN => '...',
        SSCOPE => 'sub',
        UserDN => '...',
        UserPw => '...',
    },

    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
};

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

Mod note: Please don't hijack other threads for your questions. -- also added code tags
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: AD LDAP backend conf

Post by crythias »

The logs (var\log\otrs.log or System Log) will generally tell you what it used for the login username. If you're getting a problem, it could be that you're attempting to use Domain\username instead of simply "username".

The access failure could also be related to the otrs machine not allowed to authenticate or other issues not related to OTRS or this config.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
balagab
Znuny newbie
Posts: 3
Joined: 09 May 2013, 10:24
Znuny Version: 3.2.6

Re: AD LDAP backend conf

Post by balagab »

I've tried with domain\username and with the single username, but no success. Is the content of the config (except for our own company data: "...") right?
Is there anything which is missing from it?
Thanks
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: AD LDAP backend conf

Post by crythias »

balagab wrote:but no success
I don't know what this means. You must provide more diagnostic information -- the logs will tell you why it failed.
balagab
Znuny newbie
Posts: 3
Joined: 09 May 2013, 10:24
Znuny Version: 3.2.6

Re: AD LDAP backend conf

Post by balagab »

[Fri May 10 08:21:00 2013][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: balagab authentication failed, no LDAP group entry found GroupDN='cn=Domain Users,cn=Users,dc='...',dc=hu', Filter='(memberUid=balagab)'! (REMOTE_ADDR: 127.0.0.1).

If OTRS is not able to find this LDAP entry, how is it possible that I see all of the users (including balagab) in the customer menu in admin?
The only problem is the authentication.
Thanks
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: AD LDAP backend conf

Post by crythias »

balagab wrote:
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = '...';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';

viewtopic.php?f=60&t=16543

$Self->{'...::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com'; #directly assigned members of this group are allowed to authenticate

$Self->{'...::LDAP::AccessAttr'} = 'memberUid'; #only relevant if GroupDN is specified. This is an attribute that exists only to indicate group membership. (See also member, or memberOf for instance)

balagab wrote:
If OTRS is not able to find this LDAP entry, how is it possible that I see all of the users (including balagab) in the customer menu in admin?

You mean how is it that CustomerUser, which doesn't have a GroupDN filter, lists more than Customer authentication, which does and can't find it?

Or, tl;dr: try to change memberUid to "member" and see if it works.
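Added example, not code from this thread or from OTRS/Znuny: it models the `(AccessAttr=value)` group filter that the LDAP customer auth module sends with GroupDN as the search base (the log line above shows it as `(memberUid=balagab)`), and evaluates that filter against two constructed group entries, an RFC 2307 posixGroup and an Active Directory group. It is in Python because it only needs to reproduce the filter logic offline, not talk to a server. Every DN, the user entry, the hostname and the bind DN below are assumptions.

```python
"""Group-membership check as the OTRS/Znuny LDAP customer auth backend does it.

Added, constructed example: it models the '(AccessAttr=value)' filter the
auth module sends to the directory and evaluates it against hand-made group
entries. All DNs, the hostname and the bind DN are assumptions, not data
from the thread.
"""
import shlex

# Constructed user and group entries (not from any real directory).
USER_DN = "CN=balagab,CN=Users,DC=example,DC=hu"
USER_ENTRY = {"sAMAccountName": ["balagab"], "uid": ["balagab"]}

POSIX_GROUP = "cn=otrsallow,ou=posixGroups,dc=example,dc=hu"
AD_GROUP = "CN=otrsallow,CN=Users,DC=example,DC=hu"

GROUPS = {
    # RFC 2307 posixGroup: members are bare login names in memberUid.
    POSIX_GROUP: {"objectClass": ["posixGroup"],
                  "memberUid": ["balagab", "alice"]},
    # Active Directory group: members are full DNs in 'member'.
    AD_GROUP: {"objectClass": ["group"],
               "member": [USER_DN, "CN=alice,CN=Users,DC=example,DC=hu"]},
}

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPE = str.maketrans({"\\": r"\5c", "*": r"\2a",
                                "(": r"\28", ")": r"\29", "\0": r"\00"})


def user_value(user_attr, user_dn, user_entry):
    """Value substituted into the group filter.

    UserAttr => 'DN' means the user's full DN; any other name is read as an
    attribute of the user's entry (e.g. sAMAccountName -> 'balagab').
    """
    if user_attr.upper() == "DN":
        return user_dn
    values = user_entry.get(user_attr) or []
    if not values:
        raise KeyError(f"user entry has no attribute {user_attr!r}")
    return values[0]


def ldap_filter(access_attr, value):
    """The equality filter sent with GroupDN as the search base."""
    return f"({access_attr}={value.translate(_FILTER_ESCAPE)})"


def group_allows(group_entry, access_attr, value):
    """Exact-match evaluation of '(access_attr=value)' against one entry.

    A real server applies the attribute's matching rule (DN values compare
    case-insensitively); exact comparison is enough to show the mismatch.
    """
    return value in group_entry.get(access_attr, [])


def check(group_dn, access_attr, user_attr):
    """Return the filter that would be sent and whether the group matches."""
    value = user_value(user_attr, USER_DN, USER_ENTRY)
    return {
        "filter": ldap_filter(access_attr, value),
        "allowed": group_allows(GROUPS[group_dn], access_attr, value),
    }


def ldapsearch_command(host, bind_dn, group_dn, access_attr, user_attr):
    """ldapsearch invocation reproducing the same query against a real server
    (base scope on GroupDN; -W prompts for the password so it stays out of
    shell history). Host and bind DN are caller-supplied assumptions."""
    filt = ldap_filter(access_attr, user_value(user_attr, USER_DN, USER_ENTRY))
    return shlex.join(["ldapsearch", "-x", "-H", f"ldap://{host}",
                       "-D", bind_dn, "-W", "-b", group_dn, "-s", "base",
                       filt, "dn"])


if __name__ == "__main__":
    cases = [
        (AD_GROUP, "memberUid", "sAMAccountName"),     # the thread's config
        (AD_GROUP, "member", "sAMAccountName"),        # AccessAttr changed only
        (AD_GROUP, "member", "DN"),                    # what an AD group needs
        (POSIX_GROUP, "memberUid", "sAMAccountName"),  # posixGroup case
    ]
    for group_dn, access_attr, user_attr in cases:
        r = check(group_dn, access_attr, user_attr)
        print(f"{group_dn:48} {r['filter']:52} allowed={r['allowed']}")
    print(ldapsearch_command("dc01.example.hu",
                             "cn=otrs_ldap,ou=svc,dc=example,dc=hu",
                             AD_GROUP, "member", "DN"))
```

Running it shows why the thread's config fails: an AD group carries no memberUid attribute, so `(memberUid=balagab)` matches nothing, and changing AccessAttr to `member` alone still sends `(member=balagab)`, which matches nothing either, because AD stores full DNs in `member`. Both settings have to change together for AD: `AccessAttr => 'member'` and `UserAttr => 'DN'`. One further caveat for the GroupDN in the log line: Active Directory does not list a user in the `member` attribute of the user's primary group (by default Domain Users), that membership lives only in the user's `primaryGroupID`, so a group check against Domain Users keeps failing even with the corrected attributes; use a group the user is directly assigned to, as the quoted thread's comment says. The `ldapsearch_command` output is the query to run by hand with the bind account before touching the config.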