SSO implementation

Moderator: crythias

Locked
Pranali
Znuny newbie
Posts: 18
Joined: 24 Feb 2014, 06:44
Znuny Version: 3.3.4

SSO implementation

Post by Pranali »

Hi,

I am able to authenticate agents with AD, but when I enable this code
$Self->{'AuthModule1'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::Replace1'} = 'DOMAIN\\';

in Config.pm

I get this error:

User: No $ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: 192.168.1.90).
User: username authentication with wrong Pw!!! (Method: sha256, REMOTE_ADDR: 192.168.1.90)

Please help me.
Thanks in advance
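To see what the two log lines above mean, here is an added example (written for this thread, not code from OTRS or from the poster) that stands in for what Kernel::System::Auth::HTTPBasicAuth does with the identity Apache hands over. The module itself contacts no directory: it reads REMOTE_USER (set by Apache's authentication handler) or HTTP_REMOTE_USER (the CGI form of a Remote-User request header), strips the configured Replace prefix, and passes the rest on as the agent login. So the first error line simply means Apache never authenticated the request, and whatever ends up in REMOTE_USER is trusted, which is why the Apache-side `require valid-user` has to actually be in force before this module is enabled. The %Config hash, the login_from_env function and the sample environments are constructed for the example; the ReplaceRegExp key is an assumption modelled on the Replace setting, not something the post shows.

```perl
#!/usr/bin/perl
# Added example (not OTRS code): minimal stand-in for the REMOTE_USER handling
# of Kernel::System::Auth::HTTPBasicAuth, runnable without a web server.
use strict;
use warnings;

# Mirror of the Config.pm setting from the post: strip this prefix from REMOTE_USER.
my %Config = (
    'AuthModule::HTTPBasicAuth::Replace1'       => 'DOMAIN\\',
    # Assumed optional setting: a regex whose first capture group becomes the login.
    'AuthModule::HTTPBasicAuth::ReplaceRegExp1' => undef,
);

# Resolve the login the way the module does. REMOTE_USER is what Apache's
# authentication handler set; HTTP_REMOTE_USER comes from a request header and
# is only as trustworthy as the Apache/proxy configuration in front of OTRS.
sub login_from_env {
    my ($env, $remote_addr) = @_;
    my $user = $env->{REMOTE_USER} || $env->{HTTP_REMOTE_USER};
    if (!defined $user || $user eq '') {
        # Same situation as the first error line in the post: Apache did not
        # authenticate the request, so the module has nothing to work with.
        warn "User: No \$ENV{REMOTE_USER} or \$ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: $remote_addr).\n";
        return;
    }
    if (my $prefix = $Config{'AuthModule::HTTPBasicAuth::Replace1'}) {
        $user =~ s/^\Q$prefix\E//;    # 'DOMAIN\jdoe' -> 'jdoe'
    }
    if (my $re = $Config{'AuthModule::HTTPBasicAuth::ReplaceRegExp1'}) {
        $user =~ s/$re/$1/;
    }
    return $user;
}

# Constructed sample environments (not captured from a real server).
my @cases = (
    { REMOTE_USER      => 'DOMAIN\\jdoe' },    # NTLM/Basic auth succeeded
    { REMOTE_USER      => 'jdoe' },            # no domain prefix supplied
    { HTTP_REMOTE_USER => 'DOMAIN\\jdoe' },    # header-derived variant
    {},                                        # Apache did not authenticate
);
for my $env (@cases) {
    my $login = login_from_env($env, '192.168.1.90');
    my $desc  = join(',', map { "$_=$env->{$_}" } sort keys %$env) || '(empty env)';
    printf "%-32s => %s\n", $desc, defined $login ? "login '$login'" : 'no login (module passes)';
}
```

The last case is the one from the post: with no REMOTE_USER the HTTPBasicAuth module returns nothing and OTRS falls through to the next configured backend, which is where the "wrong Pw" line for the LDAP module comes from.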
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: SSO implementation

Post by jojo »

You have to configure Apache also to do the SSO.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
Pranali
Znuny newbie
Posts: 18
Joined: 24 Feb 2014, 06:44
Znuny Version: 3.3.4

Re: SSO implementation

Post by Pranali »

What are PDC and BDC, and where do I find them in AD or Ubuntu?

Please help.

It's already configured:

PerlAuthenHandler Apache2::AuthenNTLM
AuthType ntlm
AuthName basic
require valid-user
PerlAddVar ntdomain "Domain pdc bdc"
PerlSetVar defaultdomain estomi
PerlSetVar splitdomainprefix 1
PerlSetVar ntlmdebug 10
PerlSetVar ntlmauthoritative off
Now I'm getting an error:
[7337] AuthenNTLM: Got: 78 84 76 77 83 83 80 0 1 0 0 0 7 130 8 162 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 6 0 113 23 0 0 0 15
[7337] AuthenNTLM: protocol=NTLMSSP, type=1, flags1=7(NEGOTIATE_UNICODE,NEGOTIATE_OEM,REQUEST_TARGET), flags2=130(NEGOTIATE_ALWAYS_SIGN,NEGOTIATE_NTLM), domain length=0, domain offset=0, host length=0, host offset=0, host=, domain=
[7337] handler type == 1
[7337] AuthenNTLM: Connect to pdc = WIN-HGF9I4YYFWQ bdc = domain = Domain
[7337] AuthenNTLM: enter lock
[7337] AuthenNTLM: verify handle smbhandle == 0
[Fri Feb 28 15:51:23 2014] [error] Connect to SMB Server failed (pdc = WIN-HGF9I4YYFWQ bdc = domain = Domain error = -11/0) for /otrs/index.pl
[7337] AuthenNTLM: leave lock
[Fri Feb 28 15:51:23 2014] [error] Cannot get nonce
[Fri Feb 28 15:51:23 2014] [crit] [client 192.168.1.90] configuration error: couldn't check user. Check your authn provider!: /otrs/index.pl

What am I missing here?
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: SSO implementation

Post by crythias »

PDC = primary domain controller
BDC = backup domain controller

These are servers that provide authentication for your domain.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Pranali
Znuny newbie
Posts: 18
Joined: 24 Feb 2014, 06:44
Znuny Version: 3.3.4

Re: SSO implementation

Post by Pranali »

Hi,

Where can I find this in AD or Ubuntu?

I'm getting an error:
connect to smb server failed
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: SSO implementation

Post by jojo »

Where did you get the code from? It points to IPs which seem not to exist in your network.
Pranali
Znuny newbie
Posts: 18
Joined: 24 Feb 2014, 06:44
Znuny Version: 3.3.4

Re: SSO implementation

Post by Pranali »

I got this code in the OTRS forum only.

Please, anyone help me:
how to set up this PDC and BDC in AD.

Now I'm working in a local domain.

Thanks in advance
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: SSO implementation

Post by crythias »

Don't thank in advance. That's just lazy.
http://catb.org/~esr/faqs/smart-questions.html#before
viewtopic.php?f=60&t=16543
http://wiki.otterhub.org/index.php?titl ... ith_Apache

Domain = YOUR ACTIVE DIRECTORY DOMAIN NAME. IN ALL CAPS.
pdc = YOUR Active directory domain controller. As I said, you should know. The server name or ip address that authenticates your domain.

PerlAddVar ntdomain "ESTOMI ServerAd1 ServerAd2"

It might be "Server" or "ESTOMIAD01" or ... if you don't know, ask your domain admin.
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: SSO implementation

Post by jojo »

Also read the troubleshooting section of the wiki link you posted.
Pranali
Znuny newbie
Posts: 18
Joined: 24 Feb 2014, 06:44
Znuny Version: 3.3.4

Re: SSO implementation

Post by Pranali »

Hi,

Thanks for the suggestions, Crythias and jojo.

I'm getting an SSO credential window.

When I try to log in it shows a 500 Internal Server Error.

In the log files:
[Sun Mar 02 10:41:34 2014] [error] Bad/Missing NTLM/Basic Authorization Header for /otrs/index.pl
[Sun Mar 02 10:42:50 2014] [error] Connect to SMB Server failed (pdc = bdc = domain = error = -11/0) for /otrs/index.pl
[Sun Mar 02 10:42:50 2014] [error] Cannot get nonce
[Sun Mar 02 10:42:51 2014] [error] [client 192.168.2.3] File does not exist: /var/www/favicon.ico

This is my Config.pm file:


# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2013 xxx, http://otrs.org/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
#  Note:
#
#  -->> Most OTRS configuration should be done via the OTRS web interface
#       and the SysConfig. Only for some configuration, such as database
#       credentials and customer data source changes, you should edit this
#       file. For changes do customer data sources you can copy the definitions
#       from Kernel/Config/Defaults.pm and paste them in this file.
#       Config.pm will not be overwritten when updating OTRS.
# --

package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # The database host
    $Self->{'DatabaseHost'} = 'localhost';

    # The database name
    $Self->{'Database'} = "otrs";

    # The database user
    $Self->{'DatabaseUser'} = "otrs";

    # The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords
    $Self->{'DatabasePw'} = 't61bApTAkfkxARcF';

    # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
    $Self->{'DatabaseDSN'} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost}";

    # The database DSN for PostgreSQL ==> more: "perldoc DBD::Pg"
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a TCP/IP connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
    # if you have PostgresSQL 8.1 or earlier, activate the legacy driver with this line:
#    $Self->{DatabasePostgresqlBefore82} = 1;

    # The database DSN for Microsoft SQL Server - only supported if OTRS is
    # installed on Windows as well
#    $Self->{DatabaseDSN} = "DBI:ODBC:driver={SQL Server};Database=$Self->{Database};Server=$Self->{DatabaseHost},1433";

    # The database DSN for Oracle ==> more: "perldoc DBD::oracle"
#    $ENV{ORACLE_HOME} = '/u01/app/oracle/product/10.2.0/client_1';
#    $ENV{NLS_DATE_FORMAT} = 'YYYY-MM-DD HH24:MI:SS';
#    $ENV{NLS_LANG} = "american_america.utf8";

#    $Self->{DatabaseDSN} = "DBI:Oracle:sid=OTRS;host=$Self->{DatabaseHost};port=1522;";

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs/';
##########################################

    # $DIBI$

    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = '192.168.1.90';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=domain,dc=com';
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'nikhil.patil@domain.com';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'otrs@12345';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params1'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };
    # Die if backend can't work, e. g. can't connect to server.
#    $Self->{'AuthModule::LDAP::Die'} = 1;

    # --------------------------------------------------- #
    # authentication sync settings                        #
    # (enable agent data sync. after successful           #
    # authentication)                                     #
    # --------------------------------------------------- #
    # This is an example configuration for an LDAP auth sync. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = '192.168.1.90';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=domain,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'nikhil.patil@domain.com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'otrs@12345';

    # AuthSyncModule::LDAP::UserSyncMap
    # (map if agent should create/synced from LDAP to DB after successful login)
    # you may specify LDAP-Fields as either
    #  * list, which will check each field. first existing will be picked ( ["givenName","cn","_empty"] )
    #  * name of an LDAP-Field (may return empty strings) ("givenName")
    #  * fixed strings, prefixed with an underscore: "_test", which will always return this fixed string
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # Die if backend can't work, e. g. can't connect to server.
#    $Self->{'AuthSyncModule::LDAP::Die'} = 1;

    $Self->{'AuthModule2'} = 'Kernel::System::Auth::HTTPBasicAuth';
    $Self->{'AuthModule::HTTPBasicAuth::Replace2'} = 'DOMAINNAME\\';
    # If you use this module, you should use as fallback
    # the following configuration settings if the user is not authorized
    #apache ($ENV{REMOTE_USER})
    $Self->{LoginURL} = 'http://192.168.2.60/otrs/index.pl';
    # or a youtube vid of Rick Astley?
    #$Self->{LogoutURL} = 'http://192.168.2.60/otrs/index.pl';
####################################
My otrs.conf file, where I made the changes for authentication:


    <Location /otrs>
        ErrorDocument 403 /otrs/customer.pl
        ErrorDocument 403 /otrs/index.pl
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv
        PerlAuthenHandler Apache2::AuthenNTLM
        AuthType ntlm,basic
        AuthName Basic
        require valid-user
        PerlAddVar ntdomain "DOMAIN PDC BDC"
        PerlSetVar defaultdomain DOMAIM
        PerlSetVar splitdomainprefix 1
        <IfModule mod_version.c>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
        </IfModule>
        <IfModule !mod_version.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Location>
Am I missing something here?
Currently I'm working in a local internet.
Please help.
Last edited by crythias on 03 Mar 2014, 04:04, edited 1 time in total.
Reason: [code] tags
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: SSO implementation

Post by jojo »

As the error log says:
Sun Mar 02 10:42:50 2014] [error] Connect to SMB Server failed (pdc = bdc = domain = error = -11/0)
you don't have a server named pdc nor one named bdc.
Pranali
Znuny newbie
Posts: 18
Joined: 24 Feb 2014, 06:44
Znuny Version: 3.3.4

Re: SSO implementation

Post by Pranali »

Hi jojo,

Will you please tell me how to find the pdc and bdc in AD? I'm presently working in a local internet.

I referred to this link
http://support.microsoft.com/kb/816587

but it still doesn't work for me.
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: SSO implementation

Post by jojo »

Ask your Microsoft admin for assistance and get the IPs of your domain controllers.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: SSO implementation

Post by crythias »

Do not ask us for these numbers again. We told you that you should know them.

What does "local Internet" mean?
Pranali
Znuny newbie
Posts: 18
Joined: 24 Feb 2014, 06:44
Znuny Version: 3.3.4

Re: SSO implementation

Post by Pranali »

It's a local domain.

I tried to connect the way that you explained, crythias, but it's not connecting and displays the same error, so I asked again.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: SSO implementation

Post by crythias »

What does local domain mean (to you)? And, to you does this mean that it's on a computer that isn't domain connected?
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: SSO implementation

Post by crythias »


        PerlAddVar ntdomain "DOMAIN PDC BDC"
        PerlSetVar defaultdomain DOMAIM
Try this:
open a command prompt and type:
set userdomain
USERDOMAIN=somevalue

Replace DOMAIN in the above with whatever shows in "USERDOMAIN".
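The two replies above (the ntdomain line "DOMAIN PDC BDC" with the domain in capitals and real controller names, and defaultdomain matching it) describe exactly the checks an admin can run over the otrs.conf block before restarting Apache. Here is an added example, written for this thread and not part of Apache2::AuthenNTLM, OTRS or the posted configuration, that lints those directives. It reads the posted Location block as a constructed sample, so the placeholder hosts and the defaultdomain typo are still in it for the checks to find; the lint_authen_ntlm function and its rules are assumptions of this example, not behaviour documented by the module.

```perl
#!/usr/bin/perl
# Added example (not part of Apache2::AuthenNTLM or OTRS): lint the AuthenNTLM
# directives of an otrs.conf <Location> block for the mistakes this thread hits.
use strict;
use warnings;

# Constructed sample: the block as posted, placeholders and typo included.
my $conf = <<'CONF';
<Location /otrs>
    PerlAuthenHandler Apache2::AuthenNTLM
    AuthType ntlm,basic
    AuthName Basic
    require valid-user
    PerlAddVar ntdomain "DOMAIN PDC BDC"
    PerlSetVar defaultdomain DOMAIM
    PerlSetVar splitdomainprefix 1
</Location>
CONF

# Returns a list of human-readable problems; an empty list means the
# directives are at least internally consistent (reachability of the
# controllers still has to be tested on the network).
sub lint_authen_ntlm {
    my ($text) = @_;
    my @problems;
    my (%ntdomain, $default);

    for my $line (split /\n/, $text) {
        if ($line =~ /^\s*PerlAddVar\s+ntdomain\s+"([^"]*)"/i) {
            my $spec = $1;
            my ($domain, $pdc, $bdc) = split ' ', $spec;
            if (!defined $pdc) {
                push @problems, "ntdomain \"$spec\": needs at least DOMAIN and PDC";
                next;
            }
            # crythias's rule from the thread: the AD domain name in all caps.
            push @problems, "ntdomain domain '$domain' should be upper case"
                if $domain ne uc $domain;
            for my $host (grep { defined } $pdc, $bdc) {
                # "PDC"/"BDC" are the wiki's placeholders, not server names; the
                # "Connect to SMB Server failed" lines come from leaving them in.
                push @problems, "ntdomain host '$host' is a placeholder, not a domain controller"
                    if $host =~ /^(?:pdc|bdc)$/i;
            }
            $ntdomain{ uc $domain } = 1;
        }
        elsif ($line =~ /^\s*PerlSetVar\s+defaultdomain\s+(\S+)/i) {
            $default = $1;
        }
    }

    push @problems, 'no PerlAddVar ntdomain line found' if !%ntdomain;
    # Catches the DOMAIN/DOMAIM mismatch between the two directives.
    if (defined $default && %ntdomain && !$ntdomain{ uc $default }) {
        push @problems, "defaultdomain '$default' does not match any ntdomain domain ("
            . join(', ', sort keys %ntdomain) . ')';
    }
    return @problems;
}

my @found = lint_authen_ntlm($conf);
print @found ? join("\n", map { "problem: $_" } @found) . "\n" : "no problems found\n";
```

Run against the posted block it reports the two placeholder hosts and the defaultdomain mismatch; once the real controller names from the domain admin (and the value `set userdomain` prints) are filled in, the remaining failure mode is the SMB connection itself, which the Apache error log shows directly.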
Pranali
Znuny newbie
Posts: 18
Joined: 24 Feb 2014, 06:44
Znuny Version: 3.3.4

Re: SSO implementation

Post by Pranali »

Yes, Crythias, it's on a computer; the domain is not connected.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: SSO implementation

Post by crythias »

You can't do this.
Pranali
Znuny newbie
Posts: 18
Joined: 24 Feb 2014, 06:44
Znuny Version: 3.3.4

Re: SSO implementation

Post by Pranali »

It means I should connect it to the valid domain? (Network admin.)
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: SSO implementation

Post by crythias »

Buy support
Pranali
Znuny newbie
Posts: 18
Joined: 24 Feb 2014, 06:44
Znuny Version: 3.3.4

Re: SSO implementation

Post by Pranali »

Thank You Crythias.