Ubuntu apache2 SSO

Moderator: crythias

jhag
Znuny newbie
Posts: 23
Joined: 10 Oct 2013, 12:05
Znuny Version: 4.0.11
Real Name: Joakim

Ubuntu apache2 SSO

Post by jhag »

Hi,

I am trying to configure SSO on my OTRS system.

From what I have read, I need to make changes to my /etc/apache2/conf.d/otrs.conf and /opt/otrs/Kernel/Config.pm files.

This is what I have right now in otrs.conf


# --
# added for OTRS (http://otrs.org/)
# --

ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"

# activate this if you are using an Oracle database
#SetEnv ORACLE_HOME /path/to/your/oracle/
#SetEnv ORACLE_SID YOUR_SID
#SetEnv NLS_LANG AMERICAN_AMERICA.UTF8
#SetEnv NLS_DATE_FORMAT 'YYYY-MM-DD HH24:MI:SS'

<IfModule mod_perl.c>

    # Setup environment and preload modules
    Perlrequire /opt/otrs/scripts/apache2-perl-startup.pl

    # Reload Perl modules when changed on disk
    PerlModule Apache2::Reload
    PerlInitHandler Apache2::Reload

    # general mod_perl2 options
    <Location /otrs>
        # NTLM SSO through Apache2::AuthenNTLM; "ntlm,basic" lets clients that
        # cannot do NTLM fall back to Basic auth against the same domain
        #  ErrorDocument 403 /otrs/customer.pl
        PerlAuthenHandler Apache2::AuthenNTLM
        AuthType ntlm,basic
        AuthName Basic
        require valid-user
        # ntdomain: domain name followed by the domain controllers to query
        PerlAddVar ntdomain "domain.LOCAL SRV2 SRV3"
        PerlSetVar defaultdomain domain.LOCAL
        # 1 = hand OTRS the bare user name instead of DOMAIN\user
        PerlSetVar splitdomainprefix 1
        #  Require group otrs_allow_c
        ErrorDocument 403 /otrs/index.pl
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv
        Order allow,deny
        Allow from all
    </Location>

    # mod_perl2 options for GenericInterface
    <Location /otrs/nph-genericinterface.pl>
        PerlOptions -ParseHeaders
    </Location>

</IfModule>

<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    Options +ExecCGI -Includes
    Order allow,deny
    Allow from all

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/javascript text/css text/xml application/json text/json
    </IfModule>
</Directory>

<Directory "/opt/otrs/var/httpd/htdocs/">
    AllowOverride None
    Order allow,deny
    Allow from all

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/javascript text/css text/xml application/json text/json
    </IfModule>
</Directory>

<IfModule mod_headers.c>
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css-cache">
        <FilesMatch "\.(css|CSS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>

    <Directory "/opt/otrs/var/httpd/htdocs/js/js-cache">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>
</IfModule>

# Limit the number of requests per child to avoid excessive memory usage
MaxRequestsPerChild 4000

/opt/otrs/Kernel/Config.pm


# Agent login (index.pl): trust the user Apache has already authenticated,
# taken from $ENV{REMOTE_USER}.
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';

# Regexp removed from REMOTE_USER before the login lookup. '@YOURDOMAIN' is
# the template placeholder and only strips a trailing "@YOURDOMAIN"; adjust it
# to the form Apache actually delivers (for example "DOMAIN\user" from
# AuthenNTLM when splitdomainprefix is not set).
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@YOURDOMAIN';

# Note:
#
# If you use this module, you should use the following config settings
# as a fallback for the case where the user isn't logged in through
# apache ($ENV{REMOTE_USER}). "your_webserver_fqdn" is a template placeholder.

$Self->{LoginURL}  = 'http://your_webserver_fqdn/otrs-web/not-authorised-for-otrs.html';
$Self->{LogoutURL} = 'http://your_webserver_fqdn/otrs-web/thanks-for-using-otrs.html';

# Customer login (customer.pl): same mechanism, same placeholder regexp.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@YOURDOMAIN';

# Customer user backend: look customers up in Active Directory over LDAP.
$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => '192.168.x.xxx',    # AD server (address redacted in the post)
        BaseDN => 'dc=domain,dc=local',
        SSCOPE => 'sub',
        # Bind account used for the searches. The password is stored in clear
        # text here, so keep Config.pm readable by the otrs user only.
        UserDN => 'CN=otrs_ldap,CN=Users,DC=domain,DC=local',
        UserPw => 'password',
    },
    # The attribute that REMOTE_USER (after ReplaceRegExp) must match.
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        #[ 'UserSalutation', 'Title',      'title',           1, 0, 'var' ],
        [ 'UserFirstname',   'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',    'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',       'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',       'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID',  'CustomerID', 'mail',            0, 1, 'var' ],
        #[ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
        #[ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var' ],
        #[ 'UserComment',    'Comment',    'description',     1, 0, 'var' ],
    ],
};
It's not working. What have I done wrong?
I have another conf which works with LDAP.

Thanks in advance /Joakim
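The login rewriting that ReplaceRegExp performs on REMOTE_USER, as an added example in Python that is not part of the original post or of OTRS itself. It mirrors what Kernel::System::Auth::HTTPBasicAuth does with the header value (assumption taken from that module's source: the Replace setting is stripped as a literal prefix, then ReplaceRegExp is applied once as s/regexp//), runs the placeholder '@YOURDOMAIN' from the posted Config.pm against constructed REMOTE_USER forms for NTLM and Kerberos, and spells a fitting regexp as the single-quoted Perl literal Config.pm needs. The sample users, the domain names and the REPLACE_REGEXP_FOR table are assumptions, not values taken from the poster's server.

```python
import re

# Constructed sample values of REMOTE_USER as Apache hands them to OTRS under
# the SSO set-ups discussed in this thread (assumption: typical forms, not
# values captured from the poster's server).
SAMPLE_REMOTE_USERS = {
    "AuthenNTLM, splitdomainprefix 0": "DOMAIN\\joakim",
    "AuthenNTLM, splitdomainprefix 1": "joakim",
    "Kerberos/SPNEGO (UPN)": "joakim@DOMAIN.LOCAL",
}

# A ReplaceRegExp that fits each form (Python regex syntax; see
# perl_single_quoted() for the Config.pm spelling). Assumed mapping.
REPLACE_REGEXP_FOR = {
    "AuthenNTLM, splitdomainprefix 0": r"^[^\\]+\\",  # drop the "DOMAIN\" prefix
    "AuthenNTLM, splitdomainprefix 1": None,          # already a bare login
    "Kerberos/SPNEGO (UPN)": r"@DOMAIN\.LOCAL$",      # drop the realm suffix
}


def otrs_login_from_remote_user(remote_user, replace=None, replace_regexp=None):
    """Apply OTRS's HTTPBasicAuth login rewriting to a REMOTE_USER value.

    Assumption (from the Kernel::System::Auth::HTTPBasicAuth source): the
    'Replace' setting is stripped as a literal prefix, then 'ReplaceRegExp'
    is applied once as Perl s/$ReplaceRegExp// (first match, unanchored).
    """
    user = remote_user
    if replace and user.startswith(replace):
        user = user[len(replace):]
    if replace_regexp:
        user = re.sub(replace_regexp, "", user, count=1)
    return user


def is_bare_login(login):
    """True when no domain part is left. A login that still carries a
    backslash-separated domain or an @realm suffix will not match the
    sAMAccountName values the CustomerKey lookup compares against."""
    return "\\" not in login and "@" not in login


def check_replace_regexp(replace_regexp, samples=SAMPLE_REMOTE_USERS):
    """Run one ReplaceRegExp against every sample REMOTE_USER form.

    Returns {label: (resulting_login, is_bare_login)} so a misfit such as the
    template placeholder '@YOURDOMAIN' shows up as a non-bare login.
    """
    results = {}
    for label, remote_user in samples.items():
        login = otrs_login_from_remote_user(remote_user, replace_regexp=replace_regexp)
        results[label] = (login, is_bare_login(login))
    return results


def perl_single_quoted(regexp):
    """Spell a regexp as a single-quoted Perl literal for Config.pm.

    Inside '...' Perl only unescapes \\\\ and \\', so every backslash the
    regex needs must be doubled.
    """
    return "'" + regexp.replace("\\", "\\\\").replace("'", "\\'") + "'"


if __name__ == "__main__":
    # The poster's setting, left at the template placeholder:
    for label, (login, ok) in check_replace_regexp("@YOURDOMAIN").items():
        print(f"{label:32} -> {login!r:22} {'ok' if ok else 'NOT a bare login'}")
    print()
    # A fitting regexp per form, and how to write it in Config.pm:
    for label, remote_user in SAMPLE_REMOTE_USERS.items():
        rx = REPLACE_REGEXP_FOR[label]
        login = otrs_login_from_remote_user(remote_user, replace_regexp=rx)
        spelled = perl_single_quoted(rx) if rx else "(not needed)"
        print(f"{label:32} -> {login!r:10} ReplaceRegExp = {spelled}")
```

Running it shows that '@YOURDOMAIN' leaves "DOMAIN\joakim" untouched, so OTRS would look up a login that no sAMAccountName in AD has. Whether AuthenNTLM delivers "DOMAIN\user" or the bare user depends on splitdomainprefix, so check what REMOTE_USER really contains on the server (a one-line CGI printing $ENV{REMOTE_USER} is enough) before choosing the regexp, and remember that in Config.pm every backslash inside the single quotes has to be doubled.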
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: Ubuntu apache2 SSO

Post by jojo »

Check your Apache and OTRS log files.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
jhag
Znuny newbie
Posts: 23
Joined: 10 Oct 2013, 12:05
Znuny Version: 4.0.11
Real Name: Joakim

Re: Ubuntu apache2 SSO

Post by jhag »

jojo wrote:check your apache and otrs logfiles
apache log file


[Thu Oct 10 13:43:24 2013] [error] Bad/Missing NTLM/Basic Authorization Header for /otrs/index.pl
[Thu Oct 10 13:43:25 2013] [error] Wrong password/user (rc=3/1/327681): DOMAIN.LOCAL\\joakim for /otrs/index.pl
[Thu Oct 10 13:43:34 2013] [error] Wrong password/user (rc=3/1/327681): DOMAIN\\joakim for /otrs/index.pl
[Thu Oct 10 13:44:05 2013] [error] Wrong password/user (rc=3/1/327681): DOMAIN.local\\joakim for /otrs/index.pl
[Thu Oct 10 13:44:07 2013] [error] [client 192.168.26.12] File does not exist: /var/www/favicon.ico
[Thu Oct 10 13:44:13 2013] [error] Bad/Missing NTLM/Basic Authorization Header for /otrs/customer.pl
[Thu Oct 10 13:44:27 2013] [error] Wrong password/user (rc=3/1/327681): DOMAIN.local\\joakim for /otrs/customer.pl
"Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."

But I have the correct username and password.

I have no OTRS log file under /opt/otrs/var/log

Thanks /Joakim
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: Ubuntu apache2 SSO

Post by jojo »

So this is an Apache issue right now...
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
jhag
Znuny newbie
Posts: 23
Joined: 10 Oct 2013, 12:05
Znuny Version: 4.0.11
Real Name: Joakim

Re: Ubuntu apache2 SSO

Post by jhag »

jojo wrote:so this is an apache issue right now...
Okay, thanks. Do you know where to begin?
jhag
Znuny newbie
Posts: 23
Joined: 10 Oct 2013, 12:05
Znuny Version: 4.0.11
Real Name: Joakim

Re: Ubuntu apache2 SSO

Post by jhag »

Hi, I found the solution. Not a good one.

You have to turn on "Send LM & NTLM - use NTLMv2 session security if negotiated" on win7 machines.
jhag
Znuny newbie
Posts: 23
Joined: 10 Oct 2013, 12:05
Znuny Version: 4.0.11
Real Name: Joakim

Re: Ubuntu apache2 SSO

Post by jhag »

As it is now, everyone with an AD account can log on to customer.pl and index.pl. How do I restrict access to index.pl with an AD group?

Many thanks /Joakim
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Ubuntu apache2 SSO

Post by crythias »

jhag wrote: everyone with an AD account can log on to customer.pl and index.pl. How do I restrict access to index.pl with an AD group?
LDAP group membership for otrsadmins in Config.pm
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask