AD mit Subdomains

oellae
Znuny newbie
Posts: 12
Joined: 18 Jun 2008, 09:51

AD with subdomains

Post by oellae »

Hello everyone,

I am having trouble connecting a subdomain for user login. While LDAP authentication against the main domain works without a hitch, users from the subdomain get the message "Login failed! Username or password incorrect." when they log in. Apache's error_log says the following about it:

Code:

[Fri Jul 11 21:06:32 2008] [error] [client 192.168.154.213] ERROR: OTRS-CGI-10 Perl: 5.8.8 OS: linux Time: Fri Jul 11 21:06:32 2008, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:32 2008] [error] [client 192.168.154.213] , referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:32 2008] [error] [client 192.168.154.213]  Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:32 2008] [error] [client 192.168.154.213] , referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:32 2008] [error] [client 192.168.154.213]  Traceback (7048): , referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:32 2008] [error] [client 192.168.154.213]    Module: Kernel::System::CustomerUser::LDAP::new (v1.34) Line: 136, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:32 2008] [error] [client 192.168.154.213]    Module: Kernel::System::CustomerUser::new (v1.32) Line: 86, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:32 2008] [error] [client 192.168.154.213]    Module: Kernel::System::Web::InterfaceCustomer::Run (v1.20.2.1) Line: 158, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:32 2008] [error] [client 192.168.154.213]    Module: /opt/otrs/bin/cgi-bin/customer.pl (v1.37) Line: 47, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:32 2008] [error] [client 192.168.154.213] , referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213] ERROR: OTRS-CGI-10 Perl: 5.8.8 OS: linux Time: Fri Jul 11 21:06:33 2008, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213] , referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]  Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213] , referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]  Traceback (7048): , referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]    Module: Kernel::System::CustomerUser::LDAP::new (v1.34) Line: 136, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]    Module: Kernel::System::CustomerUser::new (v1.32) Line: 86, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]    Module: Kernel::System::Ticket::new (v1.275.2.16) Line: 133, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]    Module: Kernel::System::Web::InterfaceCustomer::Run (v1.20.2.1) Line: 165, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]    Module: /opt/otrs/bin/cgi-bin/customer.pl (v1.37) Line: 47, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213] , referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213] ERROR: OTRS-CGI-10 Perl: 5.8.8 OS: linux Time: Fri Jul 11 21:06:33 2008, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213] , referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]  Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213] , referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]  Traceback (7048): , referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]    Module: Kernel::System::CustomerUser::LDAP::new (v1.34) Line: 136, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]    Module: Kernel::System::CustomerUser::new (v1.32) Line: 86, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]    Module: Kernel::System::CustomerAuth::new (v1.12) Line: 74, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]    Module: Kernel::System::Web::InterfaceCustomer::Run (v1.20.2.1) Line: 191, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]    Module: /opt/otrs/bin/cgi-bin/customer.pl (v1.37) Line: 47, referer: http://192.168.146.41/otrs/customer.pl
[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213] , referer: http://192.168.146.41/otrs/customer.pl


The relevant part of Config.pm looks like this:

Code:

# Active Directory connection: agents
# -----------------------------------

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'xxx.xxx.xxx.xxx';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain, dc=de';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agenten,ou=Groups,dc=domain,dc=de';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'otrs';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
$Self->{'AuthModule::LDAP::Params'} = {
         port => 389,
        version => 3,
        scope => 'sub',
    };



$Self->{UserSyncLDAPMap} = {

UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

$Self->{'CheckMXRecord'} = 0; 


# Active Directory connection: customer subdomain
# -----------------------------------------------

  $Self->{CustomerUser} = {

 Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
      Host => 'xxx.xxx.xxx.xxx',
      BaseDN => 'dc=subdomain, dc=domain, dc=de',
      SSCOPE => 'sub',
      UserDN => 'otrs1',
      UserPw => 'password',

    },

    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],

    Map => [

 
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],

    ],

  };


# Active Directory connection: customer domain
# --------------------------------------------


  $Self->{CustomerUser2} = {

    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
      Host => 'xxx.xxx.xxx.xxx',
      BaseDN => 'dc=domain, dc=de',
      SSCOPE => 'sub',
      UserDN => 'otrs2',
      UserPw => 'password',

    },

    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],

    Map => [

      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],

    ],

  };
I have checked the IP addresses and the AD credentials several times. Changing the order of {Agents}, {Customer} and {Customer2} in Config.pm did not have the desired effect either.

Unfortunately the web has little information on this topic, so it would help me a lot if someone could contribute something towards finding the problem. Thanks in advance!

Oellae

OSS 10.3
Apache 2.2.4
OTRS 2.2.7
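The log excerpt is the part worth decoding, so here is an added example that is not from the thread or from OTRS: a small Perl triage script for error_log lines of this shape. Two details matter. The traceback ends in Kernel::System::CustomerUser::LDAP::new, which is where OTRS binds with the configured search account (UserDN/UserPw) before it ever looks at a customer's password, so the failing bind is that account's, not the customer's. And the value after "data" is the actual reason AD gives: 525 is "user not found" (the bind name does not resolve to an account), whereas 52e would be a wrong password. The sample lines are constructed in the shape of the excerpt above; the script reads a real log from standard input when one is piped in.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from OTRS: decode the AD bind
# error codes in Apache error_log lines like the ones above.
use strict;
use warnings;

# AD reports *why* a simple bind was rejected in the "data NNN" field after
# "AcceptSecurityContext error"; 80090308 alone only means "bind rejected".
my %AD_BIND_ERROR = (
    '525' => 'user not found: the bind name does not resolve to an account',
    '52e' => 'invalid credentials: wrong password for an existing account',
    '530' => 'logon not permitted at this time',
    '531' => 'logon not permitted from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
);

# Extract client IP and the AD data code from one log line; returns nothing
# for lines that are not an AD bind failure (traceback lines, blanks, ...).
sub parse_line {
    my ($line) = @_;
    return unless $line =~ /AcceptSecurityContext error, data ([0-9a-f]+)/i;
    my $code = lc $1;
    my ($client) = $line =~ /\[client ([0-9.]+)\]/;
    return {
        client  => defined $client ? $client : 'unknown',
        code    => $code,
        meaning => exists $AD_BIND_ERROR{$code} ? $AD_BIND_ERROR{$code} : 'unknown code',
    };
}

# Count failures per client and reason, so a burst of 52e from one address
# (password guessing) stands out from a misconfigured search account (525).
sub triage {
    my (@lines) = @_;
    my %count;
    for my $line (@lines) {
        my $hit = parse_line($line) or next;
        $count{"$hit->{client}  data $hit->{code}  $hit->{meaning}"}++;
    }
    return \%count;
}

# Constructed sample lines in the shape of the error_log excerpt above.
my @sample = (
    '[Fri Jul 11 21:06:32 2008] [error] [client 192.168.154.213]  Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece, referer: http://192.168.146.41/otrs/customer.pl',
    '[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]  Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece, referer: http://192.168.146.41/otrs/customer.pl',
    '[Fri Jul 11 21:06:33 2008] [error] [client 192.168.154.213]    Module: Kernel::System::CustomerUser::LDAP::new (v1.34) Line: 136, referer: http://192.168.146.41/otrs/customer.pl',
    '[Fri Jul 11 21:09:10 2008] [error] [client 192.168.154.99]  Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece, referer: http://192.168.146.41/otrs/customer.pl',
);

# Use a piped-in log when there is one, otherwise the constructed sample.
my @lines   = -t STDIN ? @sample : <STDIN>;
my $summary = triage(@lines);
printf "%3d x %s\n", $summary->{$_}, $_ for sort keys %{$summary};
```

Run it as `perl ad_bind_triage.pl < /var/log/apache2/error_log` on a real log. On the sample it reports two 525 hits and one 52e hit; the 525 lines come from the OTRS search account and are a configuration problem, the 52e line is a real wrong-password attempt and belongs in your lockout monitoring.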

AD with subdomains

Post by oellae »

The problem is solved. I'll post the Config.pm again if anyone needs it.

Oellae
Andre Bauer
Znuny guru
Posts: 2189
Joined: 08 Dec 2005, 17:01
Znuny Version: 5.0.x
Real Name: André Bauer
Company: Magix Software GmbH
Location: Dresden

AD with subdomains

Post by Andre Bauer »

Go ahead and post it ;-)
Prod: Ubuntu Server 16.04 / Zammad 1.2

DO NOT PM ME WITH OTRS RELATED QUESTIONS! ASK IN THE FORUMS!

OtterHub.org

AD with subdomains

Post by oellae »

So, with these settings it runs flawlessly for me:

Code:

# ----------------------------------- #
# Active Directory connection: agents #
# ----------------------------------- #


$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'xxx.xxx.xxx.xxx';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain, dc=de';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agenten,ou=Groups,dc=domain,dc=de';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'user';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
$Self->{'AuthModule::LDAP::Params'} = {
    
        port => 389,
        version => 3,
        scope => 'sub',
    };

$Self->{UserSyncLDAPMap} = {

UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
$Self->{'CheckMXRecord'} = 0; 




# ----------------------------------------------- #
# Active Directory connection: customer subdomain #
# ----------------------------------------------- #


$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'xxx.xxx.xxx.xxx';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=Subdomain, dc=Domain, dc=de';
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'user';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'password';


  $Self->{CustomerUser1} = {

    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
      Host => 'xxx.xxx.xxx.xxx',
      BaseDN => 'dc=Subdomain, dc=Domain, dc=de',
      SSCOPE => 'sub',
      UserDN => 'user',
      UserPw => 'password',
   
    },

    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],

    Map => [

      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
      
    ],

  };




# -------------------------------------------- #
# Active Directory connection: customer domain #
# -------------------------------------------- #


$Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host2'} = 'xxx.xxx.xxx.xxx';
$Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'dc=Domain, dc=de';
$Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'user';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = 'password';


  $Self->{CustomerUser2} = {

    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
      Host => 'xxx.xxx.xxx.xxx',
      BaseDN => 'dc=Domain, dc=de',
      SSCOPE => 'sub',
      UserDN => 'user',
      UserPw => 'password',

    },

    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],

    Map => [

     [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
     [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
     [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
     [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
     [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],

    ],

  };


By the way, the search user has to be specified with its full name; the Windows login short name does not work here!

Best regards
Oellae
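What "full name" means in practice is a bind name that AD can resolve: the account's distinguished name or its userPrincipalName (user@subdomain.domain.de); the NetBIOS form DOMAIN\user is accepted for simple binds as well. Since every candidate Config.pm change costs an Apache restart and a login attempt, here is an added example (not from the thread or from OTRS) that checks the search account from the command line first, with the same Net::LDAP calls OTRS makes: it tries each name form, then uses the one that works to run the sAMAccountName lookup that Customer::AuthModule::LDAP performs before binding as the customer. Host, base DN, account names and the `jdoe` test user are placeholders; the password comes from the environment so it is left in neither the script nor the shell history. The ldaps:// URI is deliberate: a simple bind over plain port 389, as in the configurations above, sends the search account's password and every customer's password across the network in clear text.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from OTRS: pre-flight check of
# the LDAP search account before it goes into Config.pm. All host names, DNs
# and account names are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $Host     = 'ldaps://dc.subdomain.domain.de';    # placeholder; ldaps:// = TLS on 636
my $BaseDN   = 'dc=subdomain,dc=domain,dc=de';      # placeholder
my $Password = $ENV{OTRS_LDAP_PW};                  # keep it out of the script and shell history
die "set OTRS_LDAP_PW in the environment first\n" unless defined $Password;

# Name forms to try for the simple bind. AD resolves the first three; the bare
# short name is the one the thread found not to work.
my @Forms = (
    [ 'distinguished name',  'cn=otrs,ou=ServiceAccounts,dc=subdomain,dc=domain,dc=de' ],
    [ 'userPrincipalName',   'otrs@subdomain.domain.de' ],
    [ 'DOMAIN\\user',        'SUBDOMAIN\\otrs' ],
    [ 'bare sAMAccountName', 'otrs' ],
);

# One connect + bind; returns (1, 'ok') or (0, reason). The reason carries AD's
# "data NNN" code, e.g. data 525 = user not found, data 52e = wrong password.
sub try_bind {
    my ( $name, $pw ) = @_;
    my $ldap = Net::LDAP->new( $Host, version => 3, timeout => 10 )
        or return ( 0, "connect failed: $@" );
    my $mesg = $ldap->bind( $name, password => $pw );
    $ldap->unbind;
    return $mesg->code ? ( 0, $mesg->error ) : ( 1, 'ok' );
}

my $WorkingName;
for my $form (@Forms) {
    my ( $label, $name ) = @{$form};
    my ( $ok, $why ) = try_bind( $name, $Password );
    printf "%-20s %-60s %s\n", $label, $name, $ok ? 'BIND OK' : "FAILED: $why";
    $WorkingName = $name if $ok && !defined $WorkingName;
}
die "no name form worked: fix the account or Host before editing Config.pm\n"
    unless defined $WorkingName;

# Same lookup Customer::AuthModule::LDAP does next: find the customer by UID
# under BaseDN with the search account; OTRS then binds as the DN it found.
my $ldap = Net::LDAP->new( $Host, version => 3, timeout => 10 )
    or die "connect failed: $@\n";
my $mesg = $ldap->bind( $WorkingName, password => $Password );
die 'search account bind failed: ' . $mesg->error . "\n" if $mesg->code;

# Placeholder customer login. Escaped as any filter value built from user
# input must be, otherwise a login like "*)(objectClass=*" rewrites the filter.
my $TestUser = 'jdoe';
my $search   = $ldap->search(
    base   => $BaseDN,
    scope  => 'sub',
    filter => '(&(objectClass=user)(sAMAccountName=' . escape_filter_value($TestUser) . '))',
    attrs  => [ 'sAMAccountName', 'userPrincipalName', 'mail', 'givenName', 'sn' ],
);
die 'search failed: ' . $search->error . "\n" if $search->code;

# More than one hit means the login name is ambiguous under this BaseDN;
# OTRS would silently use the first entry returned.
printf "%d entries for sAMAccountName=%s under %s\n", $search->count, $TestUser, $BaseDN;
for my $entry ( $search->entries ) {
    printf "  %s\n    upn=%s mail=%s\n", $entry->dn,
        $entry->get_value('userPrincipalName') || '-',
        $entry->get_value('mail') || '-';
}
$ldap->unbind;
```

Run it as `OTRS_LDAP_PW='...' perl ldap_preflight.pl` on the OTRS host itself, so the check goes through the same firewall path and certificate trust store that Apache will use. Whichever name form reports BIND OK is the value to put into SearchUserDN and UserDN; the DN form is the least ambiguous one, and the search output tells you whether the Map attributes (mail, givenName, sn) are actually populated for the accounts in that subdomain.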
michael_maurer
Znuny advanced
Posts: 146
Joined: 07 Aug 2008, 09:20
Znuny Version: 2.4.9

AD with subdomains

Post by michael_maurer »

With 2 subdomains that is all well and good... But if I have to enable login for users from 12 subdomains this way, I get a massive performance problem, because every user has to be thrown against every DC...

Does anyone have an idea how to do this sensibly?

Thx!

Regards
Michael
Whoever sows German will reap understanding!

Prod & Test, each:
OTRS 2.4.9
OTRS ITSM 2.1.1
MySQL
Apache
SLES11 SP0
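One way to avoid trying every user against every domain controller, as an added example that is not from the thread or from OTRS: point a single customer backend and a single Customer::AuthModule at the Global Catalog instead of configuring one pair per subdomain. A GC-enabled DC answers on port 3268 (3269 with TLS) with objects from every domain in the forest, so one search under the forest root finds the user wherever the account lives, and the bind that OTRS makes afterwards with the DN it found goes to that same server. Two caveats decide the details below. The GC only replicates the partial attribute set; sAMAccountName, userPrincipalName, mail, givenName, sn and cn are in it, which covers the Map used in this thread, but any other attribute mapped later will come back empty. And sAMAccountName is only unique within one domain, so a forest-wide (sAMAccountName=jdoe) search can match two different people and OTRS would take the first hit; userPrincipalName is unique across the forest, so the example uses it as the login key, which means customers log in as user@subdomain.domain.de. Host name, DNs and the service account are placeholders; the configuration keys themselves are the OTRS 2.x ones from the posts above, plus AlwaysFilter and the nested Net::LDAP Params from the Defaults.pm of that version.

```perl
# Added example, not configuration from the thread or from OTRS itself:
# one customer authentication module and one customer backend against the
# Global Catalog of the forest. Host, DNs and the service account are placeholders.

# --------------------------------------------- #
# Customer authentication via the Global Catalog #
# --------------------------------------------- #

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
# A GC-enabled DC; the port in the URI is the TLS Global Catalog port (3268 would be plain).
$Self->{'Customer::AuthModule::LDAP::Host'}   = 'ldaps://gc.domain.de:3269';
# Forest root: the GC returns matches from every domain beneath it.
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=de';
# userPrincipalName is forest-unique; sAMAccountName is only unique per domain.
$Self->{'Customer::AuthModule::LDAP::UID'}    = 'userPrincipalName';
# Search account as a full DN (the bare short name fails, see above).
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,ou=ServiceAccounts,dc=domain,dc=de';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';
# Only user objects, and none whose userAccountControl has the ACCOUNTDISABLE bit (2) set;
# the OID is AD's bitwise-AND matching rule.
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'}
    = '(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    version => 3,
    timeout => 120,
    async   => 0,
};

# ------------------------------------------ #
# Customer data source via the Global Catalog #
# ------------------------------------------ #

$Self->{CustomerUser} = {
    Name   => 'AD forest (Global Catalog)',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host         => 'ldaps://gc.domain.de:3269',
        BaseDN       => 'dc=domain,dc=de',
        SSCOPE       => 'sub',
        UserDN       => 'cn=otrs,ou=ServiceAccounts,dc=domain,dc=de',
        UserPw       => 'password',
        AlwaysFilter => '(objectClass=user)',
        # Net::LDAP->new() options, same as for the auth module above.
        Params => { version => 3, timeout => 120, async => 0 },
    },
    # Every attribute used below is in the GC partial attribute set.
    CustomerKey => 'userPrincipalName',
    CustomerID  => 'mail',
    CustomerUserListFields             => [ 'userPrincipalName', 'cn', 'mail' ],
    CustomerUserSearchFields           => [ 'userPrincipalName', 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => [ 'givenName', 'sn' ],
    Map => [
        [ 'UserFirstname',  'Firstname',  'givenName',         1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',                1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'userPrincipalName', 1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',              1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',              0, 1, 'var' ],
    ],
};
```

With this in place a login is one search plus one bind against one server, regardless of how many domains the forest has. The service account only needs read access in the GC, so it should be an ordinary unprivileged user, and with TLS on 3269 neither its password nor the customers' passwords cross the network in the clear. If users must keep logging in with the short name, the UID can stay sAMAccountName, but then the ambiguity between domains has to be ruled out on the AD side, because OTRS will not detect it.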