[SOLVED] Customer Authentication

Moderator: crythias

niki
Znuny newbie
Posts: 4
Joined: 08 Oct 2012, 09:38
Znuny Version: 3.1.10
Real Name: Nikita Orlov
Company: ETNA

[SOLVED] Customer Authentication

Post by niki »

Hi there!

I have 4 Domain Controllers with Active Directory on Windows Server 2003. I need to set up user authentication with LDAP. For the configuration we used the OTRS Admin Manual.
Agent synchronization works successfully, but when a client tries to authenticate, we receive an error:
[Tue Oct 2 14:14:57 2012][Notice][Kernel::System::CustomerAuth::DB::Auth] CustomerUser: No auth record in 'customer_user' for 'LDAP.USER' (REMOTE_ADDR: OUR_IP)

I can't find the reason for the error, so could you please help us with this problem?

Configuration file "Kernel/Config.pm":

Code:

    # authentication settings
    $Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';

    $Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'host.host.host';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'DC=host,DC=host,DC=host';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=it,OU=groups,DC=host,DC=host,DC=host';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';

    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=someone,OU=Users,DC=host,DC=host,DC=host';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # authentication sync settings
    $Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'host.host.host';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=host,DC=host,DC=host';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';

    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=someone,OU=Users,DC=host,DC=host,DC=host';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    $Self->{'AuthSyncModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';

    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';

    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

    # customer authentication settings
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'host.host.host';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=host,DC=host,DC=host';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=etnapeople,OU=groups,DC=host,DC=host,DC=host';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';

    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=someone,OU=Users,DC=host,DC=host,DC=host';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # CustomerUser
    # (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
        Name => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host => 'host.host.host',
            BaseDN => 'DC=host,DC=host,DC=host',
            SSCOPE => 'sub',
            UserDN => 'CN=someone,OU=Users,DC=host,DC=host,DC=host',
            UserPw => 'someone',
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        CustomerUserExcludePrimaryCustomerID => 0,
        AdminSetPreferences => 0,
        CacheTTL => 0,
        Map => [
            [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'mailNickname',    1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
        ],
    };
I replaced usernames, hostnames and IPs for security reasons.

I hope for your help!
Last edited by niki on 10 Oct 2012, 15:15, edited 2 times in total.
OTRS 3.1.10 on Amazon Linux with MySQL database connected to an Active Directory for Agents and Customers.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customer Authentication

Post by crythias »

viewtopic.php?f=60&t=16543

Do not change Defaults.pm. Copy it to Config.pm and make your changes there.

It's not fair to us to wade through 85KB of comments and irrelevant data to get to your config.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
niki
Znuny newbie
Posts: 4
Joined: 08 Oct 2012, 09:38
Znuny Version: 3.1.10
Real Name: Nikita Orlov
Company: ETNA

Re: Customer Authentication

Post by niki »

crythias wrote: It's not fair to us to wade through 85KB of comments and irrelevant data to get to your config.
You are absolutely right! I'm sorry. I corrected my mistake.
crythias wrote: Do not change Defaults.pm. Copy it to Config.pm and make your changes there.
Thank you very much! It works, but there is another problem. How do I allow customer users from two or more groups to authenticate?

I would like something like:

Code:

$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=etnagroup1,OU=groups,DC=host,DC=host,DC=host; CN=etnagroup2,OU=groups,DC=host,DC=host,DC=host';
instead of:

Code:

$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=etnapeople,OU=groups,DC=host,DC=host,DC=host';
Is it possible?

I would be very grateful for your help!
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customer Authentication

Post by crythias »

You might search a popular search engine for LDAP filter queries, but this should get you where you want. (Note: leave the group BLANK and use this as a FILTER.)

Code:

(|(&(objectCategory=user)(memberOf=CN=etnagroup1,OU=groups,DC=host,DC=host,DC=host))(&(objectCategory=user)(memberOf=CN=etnagroup2,OU=groups,DC=host,DC=host,DC=host)))
A breakdown:

Code:

(#start Query
  | #Logical OR (of the next entries in parentheses)
    ( #start OR1
     & #Logical AND (of the next entries)
     (objectCategory=user) #AND1
     (memberOf=CN=etnagroup1,OU=groups,DC=host,DC=host,DC=host) #AND2
    ) #end OR1
    ( #start OR2
     & #Logical AND (of the next entries)
     (objectCategory=user) #AND1
     (memberOf=CN=etnagroup2,OU=groups,DC=host,DC=host,DC=host) #AND2
    ) #end OR2
) #end Query
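The filter above, as an added example that is not part of the thread: a small Python evaluator for the operators it uses (`&`, `|`, `!` and `attr=value`), run against constructed directory entries to show which accounts the filter admits, and a check that the shorter equivalent form `(&(objectCategory=user)(|(memberOf=group1)(memberOf=group2)))` admits the same set. The setting the reply refers to is OTRS's `Customer::AuthModule::LDAP::AlwaysFilter`, used with `GroupDN` left empty; the entries and the simplified `objectCategory` value are assumptions made for the example.

```python
# Added example (not from the thread): evaluate the reply's LDAP filter against
# constructed entries. Handles only the operators it uses: &, |, ! and attr=value.
GROUP1 = "CN=etnagroup1,OU=groups,DC=host,DC=host,DC=host"
GROUP2 = "CN=etnagroup2,OU=groups,DC=host,DC=host,DC=host"
IT_GROUP = "CN=it,OU=groups,DC=host,DC=host,DC=host"
POSTED = (f"(|(&(objectCategory=user)(memberOf={GROUP1}))"      # the reply's filter
          f"(&(objectCategory=user)(memberOf={GROUP2})))")
SIMPLER = f"(&(objectCategory=user)(|(memberOf={GROUP1})(memberOf={GROUP2})))"  # equivalent
# Constructed entries (attr -> values); real AD stores objectCategory as a DN but
# accepts the short name "user" in filters, so that simplification is used here.
DIRECTORY = {
    "alice": {"objectCategory": ["user"], "memberOf": [GROUP1]},
    "bob":   {"objectCategory": ["user"], "memberOf": [GROUP2, IT_GROUP]},
    "carol": {"objectCategory": ["user"], "memberOf": [IT_GROUP]},
    "ws01$": {"objectCategory": ["computer"], "memberOf": [GROUP1]},
}

def parse(s, i=0):
    """Parse the filter at s[i]; return (node, index just past it)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|!":                      # compound: operator, then children
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        assert s[i] == ")", f"unclosed {op} at offset {i}"
        return (op, kids), i + 1
    end = s.index(")", i)                  # leaf attr=value; DNs here contain no ')'
    attr, value = s[i:end].split("=", 1)   # split once: DN values contain '='
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Attribute names and AD DN values compare case-insensitively."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for a, vs in entry.items() if a.lower() == attr.lower() for v in vs]
    return value.lower() in values

def allowed_logins(filter_text=POSTED, directory=DIRECTORY):
    """Sorted account names the filter admits from the constructed directory."""
    tree, end = parse(filter_text)
    assert end == len(filter_text), "trailing characters after filter"
    return sorted(name for name, e in directory.items() if matches(tree, e))
```

Note that `memberOf` (like a group's `member` attribute) reflects direct membership only: an account whose only link to a group is its primary group (Domain Users by default) or a nested group will not match this filter.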
niki
Znuny newbie
Posts: 4
Joined: 08 Oct 2012, 09:38
Znuny Version: 3.1.10
Real Name: Nikita Orlov
Company: ETNA

Re: Customer Authentication

Post by niki »

Thanks for your reply!

I want any Active Directory user to be able to log in as a customer.
Unfortunately the attribute 'member' of the group 'Domain Users' does not contain all the users. That does not allow me to use this group.
There are two groups, say, 'etnagroup1' and 'etnagroup2', together they include all users.

Is there an easier way to do what I want?
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customer Authentication

Post by crythias »

niki wrote: I want any Active Directory user to be able to log in as a customer.
Then don't bother with a group.
niki wrote: There are two groups, say, 'etnagroup1' and 'etnagroup2', together they include all users.
Then use my filter.
niki
Znuny newbie
Posts: 4
Joined: 08 Oct 2012, 09:38
Znuny Version: 3.1.10
Real Name: Nikita Orlov
Company: ETNA

Re: Customer Authentication

Post by niki »

crythias wrote: Then don't bother with a group.
Excellent! I got exactly what I wanted by removing the following lines:

Code:

    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=etnapeople,OU=groups,DC=host,DC=host,DC=host';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
Thanks for the good advice! I think this topic can be closed.