Hello,
I know there are a lot of LDAP posts on here but I couldn't find this exact problem. Sorry in advance if this has already been resolved elsewhere.
I am using v3.2.8 on Ubuntu Server 10.04 LTS and am trying to pull my agent information from our Active Directory for my technicians' login. I would like to also use the local database, if for no other reason than to log in as the root user if I have any problems down the road. We are an internal Helpdesk, so my customers will be my user base, who will report problems mostly using our helpdesk email box. Voicemails left for the helpdesk will be forwarded to the helpdesk mailbox as a WAV file, so it is important that the attachments work correctly.
I made what I think are the appropriate changes in Config.pm, following the online documentation I found, other people's examples, and the video that is posted on YouTube by Shawn Beasley. The end result so far is that I'm not able to log in to OTRS using my LDAP credentials. Here's what I see in my /var/log/messages log:
Jul 23 08:50:20 HelpdeskSVR OTRS-CGI-10[4306]: [Notice][Kernel::System::Auth::DB::Auth] User: 5189 doesn't exist or is invalid!!! (REMOTE_ADDR: 10.0.1.76)
What I notice in this error is that it seems to be trying to use the DB::Auth module instead of the LDAP::Auth module. I have tried using both, and I have tried using just the LDAP module, but either way the error shows it is using the DB module.
Is there another error log I can check?
How do I force the system to use the LDAP module instead of the internal DB?
Any help is greatly appreciated.
My Config.pm follows. I have most of it commented out as I'm just trying to get the basics working before I get too fancy.
----------------------------------------
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthModule1'} = 'Kernel::System::Auth::DB';
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'server.COMPANY.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=COMPANY,DC=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# defines AuthSyncBackend (AuthSyncModule) for AuthModule
# if this key exists and is empty, there won't be a sync.
# example values: AuthSyncBackend, AuthSyncBackend2
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'server.COMPANY.com';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=COMPANY,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=otrs_ldap,OU=COMPANY_Users,DC=COMPANY,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
#$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS_Agents,OU=COMPANY_Users,DC=COMPANY,DC=com';
#$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
#$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_ldap,OU=COMPANY_Users,DC=COMPANY,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';
# In case you want to convert all given usernames to lowercase letters you
# should activate this option. It might be helpful if databases are
# in use that do not distinguish selects for upper and lower case letters
# (Oracle, PostgreSQL). Users might be synced twice if this option
# is not in use.
# $Self->{'AuthModule::LDAP::UserLowerCase'} = 0;
# In case you need to use OTRS in iso-charset, you can define this
# by using this option (converts utf-8 data from LDAP to iso).
# $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
    sscope  => 'sub'
};
# --------------------------------------------------- #
# authentication sync settings                        #
# (enable agent data sync. after successful           #
# authentication)                                     #
# --------------------------------------------------- #
# This is an example configuration for an LDAP auth sync. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'server.COMPANY.com';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=COMPANY,DC=com';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=otrs_ldap,OU=COMPANY_Users,DC=COMPANY,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';
# AuthSyncModule::LDAP::UserSyncMap
# (map if agent should be created/synced from LDAP to DB after successful login)
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
OTRS not using LDAP
Moderator: crythias
Last edited by warrenhk on 24 Jul 2013, 15:09, edited 1 time in total.
OTRS v3.2.8 on Ubuntu Server 10.04 LTS with MySQL database.
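The authentication flow the post above configures, as an added example that is not part of the original post and not OTRS/Znuny code: it models what the Config.pm keys mean (the AuthModule / AuthModule1 backend chain, UID, AlwaysFilter, UserSuffix, UserLowerCase, and the commented-out GroupDN / AccessAttr / UserAttr group check) against a constructed in-memory directory, so it runs offline. The class and function names, the fake directory entries, the passwords and the log wording are assumptions; only the DB::Auth notice text is taken from the post. The escaping helper is there because the login name ends up inside an LDAP search filter, and an unescaped value such as `*)(objectClass=*` changes the filter instead of being looked up.

```python
"""Model of the agent-auth flow configured in the post above.

Added example, not OTRS/Znuny code and not the poster's: it models the
AuthModule/AuthModule1 chain, UID, AlwaysFilter, UserSuffix, UserLowerCase
and GroupDN/AccessAttr/UserAttr against a constructed in-memory directory.
Names, fake entries and log wording are assumptions; only the DB::Auth
notice text is copied from the post.
"""

# RFC 4515 escaping for values placed inside a search filter (assumed helper).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def normalize_login(cfg: dict, login: str) -> str:
    """UserLowerCase and UserSuffix are applied before the directory lookup."""
    if cfg.get("UserLowerCase"):
        login = login.lower()
    return login + cfg.get("UserSuffix", "")

def user_search_filter(cfg: dict, login: str) -> str:
    """(UID=<login>), ANDed with AlwaysFilter when one is configured."""
    uid = f"({cfg['UID']}={escape_filter_value(normalize_login(cfg, login))})"
    always = cfg.get("AlwaysFilter", "")
    return f"(&{uid}{always})" if always else uid

def group_check_filter(cfg: dict, login: str, user_dn: str) -> str:
    """GroupDN check: memberUid holds logins (posixGroup); AD 'member' holds DNs."""
    value = user_dn if cfg.get("UserAttr", "UID").upper() == "DN" else login
    return f"({cfg['AccessAttr']}={escape_filter_value(value)})"

# Constructed stand-in for the AD the post binds to: DN -> attributes.
DIRECTORY = {
    "CN=Jane Doe,OU=COMPANY_Users,DC=COMPANY,DC=com": {
        "sAMAccountName": ["jdoe"], "userPassword": ["agent-pw"]},
    "CN=Bob Smith,OU=COMPANY_Users,DC=COMPANY,DC=com": {
        "sAMAccountName": ["bsmith"], "userPassword": ["bsmith-pw"]},
    "CN=OTRS_Agents,OU=COMPANY_Users,DC=COMPANY,DC=com": {
        "member": ["CN=Jane Doe,OU=COMPANY_Users,DC=COMPANY,DC=com"]},
}

CFG = {  # the AuthModule::LDAP::* keys from the post, with the group check on
    "UID": "sAMAccountName",
    "AlwaysFilter": "(objectclass=user)",
    "GroupDN": "CN=OTRS_Agents,OU=COMPANY_Users,DC=COMPANY,DC=com",
    "AccessAttr": "member",
    "UserAttr": "DN",
}

class LDAPBackend:
    """Search for the login, bind as the entry found, then apply GroupDN."""
    name = "Kernel::System::Auth::LDAP"

    def __init__(self, cfg: dict, directory: dict):
        self.cfg, self.directory = cfg, directory

    def auth(self, login: str, password: str, log: list):
        # The fake directory matches on the UID attribute only; AlwaysFilter
        # appears in the logged filter but is not evaluated here.
        log.append(f"[Debug][{self.name}] filter {user_search_filter(self.cfg, login)}")
        wanted = normalize_login(self.cfg, login)
        hits = [dn for dn, e in self.directory.items() if wanted in e.get(self.cfg["UID"], [])]
        if len(hits) != 1:  # none or ambiguous: never attempt the bind
            log.append(f"[Notice][{self.name}] User: {login} no LDAP entry found!")
            return None
        user_dn = hits[0]
        if password != self.directory[user_dn]["userPassword"][0]:  # the bind step
            log.append(f"[Notice][{self.name}] User: {login} bind failed")
            return None
        if self.cfg.get("GroupDN"):
            log.append(f"[Debug][{self.name}] group filter {group_check_filter(self.cfg, login, user_dn)}")
            members = self.directory.get(self.cfg["GroupDN"], {}).get(self.cfg["AccessAttr"], [])
            value = user_dn if self.cfg.get("UserAttr", "UID").upper() == "DN" else login
            if value not in members:
                log.append(f"[Notice][{self.name}] User: {login} not in GroupDN")
                return None
        return login

class DBBackend:
    """The local-database backend the poster keeps as AuthModule1."""
    name = "Kernel::System::Auth::DB"

    def __init__(self, users: dict):
        self.users = users

    def auth(self, login: str, password: str, log: list):
        if self.users.get(login) == password:
            return login
        log.append(f"[Notice][{self.name}::Auth] User: {login} doesn't exist or is invalid!!!")
        return None

BACKENDS = [LDAPBackend(CFG, DIRECTORY), DBBackend({"root@localhost": "root"})]

def authenticate(backends: list, login: str, password: str):
    """Try AuthModule, AuthModule1, ... in order; the first success wins.
    Every backend that fails logs, so a DB::Auth notice alone does not show
    LDAP was skipped: the LDAP backend's own notice sits just before it."""
    log = []
    for backend in backends:
        if backend.auth(login, password, log):
            return login, log
    return None, log
```

Running authenticate(BACKENDS, "nobody", "x") produces an LDAP "no LDAP entry found" line followed by the DB::Auth "doesn't exist or is invalid!!!" line, which is the pattern to look for in /var/log/messages when both backends are configured: the DB notice is the last backend in the chain reporting failure, not proof that LDAP was never consulted. Raising the OTRS log level to debug (or reading the OTRS log file configured in Config.pm rather than only syslog) is where the LDAP backend's own failure reason shows up.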
- Znuny newbie
- Posts: 34
- Joined: 03 Jul 2013, 19:56
- Znuny Version: 3.2.9
- Real Name: Nick Bacon
- Company: Datalink
Re: OTRS not using LDAP
The below configuration is what I'm using. I am not syncing users to OTRS though, as we want to control who can log in or not and have a very small base of users who have access.
# Enable LDAP Authentication for agent #
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'server.COMPANY.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=COMPANY,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
#$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=LDAP USER,ou=Utility Accounts,ou=Users,dc=COMPANY,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'mypassword';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
OTRS 3.2.9 / ITSM 3.2.7 on CentOS 6.4 with MySQL database.