single signon with active directory

Moderator: crythias

Locked
valdoltra
Znuny newbie
Posts: 6
Joined: 10 Apr 2014, 13:43
Znuny Version: 3.3.5
Real Name: Vladimir Zelić
Company: Teknoxgroup d.o.o.

single signon with active directory

Post by valdoltra »

I am able to successfully configure LDAP auth with SSO with no problems. Works like a charm. But I stumbled upon a bigger problem which I cannot solve. If I want to access the OTRS page with my tablet/mobile phone or a computer that is not a member of AD I get a popup window asking for authentication. Is there a way to configure Apache to not ask for authentication if the machine is not in AD? I have tried multiple ways, but here is what I get if I have both modules enabled (HTTPBasicAuth and LDAP):
Agents
- I don't get the window but I still need to enter user/pass.
Customers
- Can't open customer.pl

Code:

    ##LDAP Config users
    # CustomerUser
    # (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
        Name => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => '2008segr.tg.corp',
            # ldap base dn
            BaseDN => 'dc=tg,dc=corp',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'CN=LDAP_BIND,CN=Users,DC=tg,DC=corp',
            UserPw => 'LDAP_BIND',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            AlwaysFilter => '(objectclass=user)',
            # if both your frontend and your LDAP are unicode, use this:
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
            # if your frontend is unicode and the charset of your
            # ldap server is iso-8859-1, use these options.
            # SourceCharset => 'iso-8859-1',
            # DestCharset => 'utf-8',
            # die if backend can't work, e. g. can't connect to server
            Die => 0,
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        # show now own tickets in customer panel, CompanyTickets
        CustomerUserExcludePrimaryCustomerID => 0,
        # add a ldap filter for valid users (expert setting)
        # CustomerUserValidFilter => '(!(description=gesperrt))',
        # admin can't change customer preferences
        AdminSetPreferences => 0,
        # cache time to live in sec. - cache any ldap queries
        CacheTTL => 0,
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
            [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
            # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
        ],
    };

    ##LDAP Auth Users
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
    $Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@TG.CORP';
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = '2008segr.tg.corp';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=tg,dc=corp';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=LDAP_BIND,CN=Users,DC=tg,DC=corp';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'LDAP_BIND';
    $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@tg.corp';
    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Domain Users,CN=Users,DC=tg,DC=corp';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

    #LDAP Auth Agents
    $Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';
    $Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@TG.CORP';
    $Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = '2008segr.tg.corp';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=TG,dc=corp';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrs admins,CN=Users,DC=tg,DC=corp';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=LDAP_BIND,CN=Users,DC=tg,DC=corp';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'LDAP_BIND';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = '2008segr.tg.corp';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=TG,dc=corp';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=LDAP_BIND,CN=Users,DC=tg,DC=corp';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'LDAP_BIND';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'admin',
    ];

    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
        # ldap group
        'CN=otrs admins,CN=Users,DC=tg,DC=corp' => {
            # otrs group
            'admin' => {
                # permission
                rw => 1,
                ro => 1,
            },
            'faq' => {
                rw => 1,
                ro => 1,
            },
        },
        # 'cn=agent2,o=otrs' => {
        #     'users' => {
        #         rw => 1,
        #         ro => 1,
        #     },
        # }
    };

    $Self->{'AuthModule::LDAP::Die'} = 1;

    };
My conf file is unchanged except for the addition of:

Code:

<Directory "/opt/otrs/bin/cgi-bin/">
  AllowOverride None
  AuthType Kerberos
  AuthName "OTRS"
  Krb5Keytab /etc/httpd/keytabs/otrsserver.keytab
  KrbAuthRealms TG.CORP
  KrbMethodNegotiate on
  KrbSaveCredentials Off
  KrbMethodK5Passwd on
  #Require valid-user
  Satisfy Any
  Order allow,deny
  Allow from all
</Directory>
Source: http://www.midwesternmac.com/blogs/jeff ... entication

If I comment out Satisfy Any and enable Require valid-user then SSO works fine, but I can't get to enter username and password on the starting site on my mobile/tablet.

geez I hope I was clear enough ;)
Last edited by crythias on 10 Apr 2014, 14:27, edited 1 time in total.
Reason: Topic split because not appropriate to hijack another thread for your topic.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: single signon with active directory

Post by crythias »

valdoltra wrote: If I want to access OTRS page with my tablet/mobile phone or a computer that is not member of AD I get a popup window asking for authentication
Of course you do. The device isn't trusted on the network as being authenticated against AD.
valdoltra wrote: Is there a way to configure Apache to not ask for authentication if machine is not in AD.
maybe...
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
valdoltra
Znuny newbie
Posts: 6
Joined: 10 Apr 2014, 13:43
Znuny Version: 3.3.5
Real Name: Vladimir Zelić
Company: Teknoxgroup d.o.o.

Re: single signon with active directory

Post by valdoltra »

crythias wrote: Of course you do. The device isn't trusted on the network as being authenticated against AD.
I know and this seems logical.

However, with the current configuration I have achieved that machines that are not in AD forward me to index.pl where I enter user/pass (which is what I wanted). But this works only for Agents. For customers, no luck. Maybe the problem itself doesn't lie in the conf file but in Config.pm or the customer module itself?

Btw, I'd rather stay away from certificates, but I do appreciate your suggestion :)
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: single signon with active directory

Post by crythias »

valdoltra wrote: I have achieved that machines that are not in AD forward me to index.pl where I enter user/pass (which is what I wanted).
The problem is more likely to be within Apache than OTRS, though you'll want an additional Customer Auth backend.

I think you may want to make sure that Apache has no fallback for Kerberos authentication so it doesn't ask for a password ever.
Then you'd have to set up multiple backends for CustomerAuth (concepts apply between Auth and Customer Auth).
valdoltra
Znuny newbie
Posts: 6
Joined: 10 Apr 2014, 13:43
Znuny Version: 3.3.5
Real Name: Vladimir Zelić
Company: Teknoxgroup d.o.o.

Re: single signon with active directory

Post by valdoltra »

crythias wrote:
valdoltra wrote: I have achieved that machines that are not in AD forward me to index.pl where I enter user/pass (which is what I wanted).
The problem is more likely to be within Apache than OTRS, though you'll want an additional Customer Auth backend.

I think you may want to make sure that Apache has no fallback for Kerberos authentication so it doesn't ask for a password ever.
Then you'd have to set up multiple backends for CustomerAuth (concepts apply between Auth and Customer Auth).
I believe we misunderstood each other. If I want to access the helpdesk from my mobile/tablet I want Apache to fall back and let me enter username and password. If I connect from a random Linux PC which is not in AD, Apache lets me through but doesn't pass my credentials to the OTRS AuthModule. Then I enter my AD username and password and I am logged in as an agent. But this works only for agents and I want it to work for customers too. Let's say my user's computer dies. He is then unable to log on to OTRS from any device. I hope this cleared the picture.

Also, if your statement about the problem being in Apache were true, then this wouldn't work for agents either?

I will try with multiple backends but I think that is more of a long shot.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: single signon with active directory

Post by crythias »

You can use multiple back ends. You'd use Kerberos/SSO via Apache and LDAP auth via OTRS.
valdoltra
Znuny newbie
Posts: 6
Joined: 10 Apr 2014, 13:43
Znuny Version: 3.3.5
Real Name: Vladimir Zelić
Company: Teknoxgroup d.o.o.

Re: single signon with active directory

Post by valdoltra »

So you suggest something like this:

Code:

    ##LDAP Auth Users
    $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
    $Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp1'} = '@TG.CORP';
    $Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host2'} = '2008segr.tg.corp';
    $Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'dc=tg,dc=corp';
    $Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'CN=LDAP_BIND,CN=Users,DC=tg,DC=corp';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = 'LDAP_BIND';
    #$Self->{'Customer::AuthModule::LDAP::UserSuffix2'} = '@tg.corp';
    $Self->{'Customer::AuthModule::LDAP::GroupDN2'} = 'CN=Domain Users,CN=Users,DC=tg,DC=corp';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr2'} = 'member';
    $Self->{'Customer::AuthModule::LDAP::UserAttr2'} = 'DN';
If yes then I still have no luck...
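As an added illustration (not code from OTRS/Znuny or from any poster in this thread), here is a small Perl model of the fall-through crythias describes: the first backend behaves like HTTPBasicAuth (trust the REMOTE_USER Apache set after a successful Kerberos negotiation, normalise it with the thread's ReplaceRegExp '@TG.CORP'), and a second backend stands in for the LDAP bind using a constructed credential table. The function names, the chain structure and the credential table are assumptions made for this example; the real OTRS backend interface is not reproduced here.

```perl
#!/usr/bin/perl
# Added illustration, not OTRS/Znuny code: a model of chained customer
# auth backends. Names and the credential table are constructed.
use strict;
use warnings;

# Backend 1, the HTTPBasicAuth idea: Apache already authenticated the
# browser (Kerberos) and left the identity in REMOTE_USER; this step only
# strips the configured ReplaceRegExp ('@TG.CORP' in the thread).
# With "Satisfy Any" and no "Require valid-user", Apache lets a non-domain
# tablet through with NO REMOTE_USER; that case must yield undef, never a
# login, so that the chain moves on to the next backend.
sub http_basic_auth {
    my ( $env, $replace_regexp ) = @_;
    my $remote_user = $env->{REMOTE_USER};
    return undef if !defined $remote_user || $remote_user eq '';
    my $login = $remote_user;
    $login =~ s/$replace_regexp//i if defined $replace_regexp;
    return $login;
}

# Backend 2 stands in for the LDAP bind check. A real backend would bind
# to the directory as the user; a constructed table plays that role here
# so the chain can be exercised offline.
my %CONSTRUCTED_DIRECTORY = ( 'vzelic' => 'correct horse battery' );

sub directory_auth {
    my ( $env, $param ) = @_;
    my ( $user, $pw ) = ( $param->{User}, $param->{Pw} );
    return undef if !defined $user || !defined $pw;
    return undef if !exists $CONSTRUCTED_DIRECTORY{$user};
    return $CONSTRUCTED_DIRECTORY{$user} eq $pw ? $user : undef;
}

# The chain: try the backends in configured order and return the first
# login. This is what numbered backends give you; assigning the single
# key Customer::AuthModule twice just keeps the last value, so there is
# nothing to fall back to.
sub authenticate {
    my ( $backends, $env, $param ) = @_;
    for my $backend (@$backends) {
        my $login = $backend->( $env, $param );
        return $login if defined $login && $login ne '';
    }
    return undef;
}

my @chain = (
    sub { http_basic_auth( $_[0], '@TG.CORP' ) },
    \&directory_auth,
);

# Domain-joined browser: Kerberos succeeded and Apache set REMOTE_USER.
print authenticate( \@chain, { REMOTE_USER => 'vzelic@TG.CORP' }, {} ), "\n";
# Tablet outside AD: no REMOTE_USER, so the login-form credentials decide.
print authenticate( \@chain, {}, { User => 'vzelic', Pw => 'correct horse battery' } ), "\n";
# No SSO and a wrong password: every backend declines, nobody is logged in.
print defined authenticate( \@chain, {}, { User => 'vzelic', Pw => 'nope' } ) ? 'auth' : 'denied', "\n";
```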
ksbuchanan
Znuny newbie
Posts: 16
Joined: 11 Dec 2010, 22:13
Znuny Version: 3.1.11

Re: single signon with active directory

Post by ksbuchanan »

Here is my config for customer AD SSO, and for the customer DB integration with AD.

...read carefully...you need to update with your specific domain settings.

Code:

# --------------------------------------------------------------------------------------------------------
#   Customer Database Integration with AD
# --------------------------------------------------------------------------------------------------------

    $Self->{CustomerUser} = {
        Name => 'Users',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host => 'YOUR_DC_SERVER_FQDN',
            BaseDN => 'dc=yourdomain,dc=yourdomain',
            SSCOPE => 'sub',

            UserDN => 'CN=IT Helpdesk Ticketing System,OU=Service Accounts,OU=Information Technology,DC=yourdomain,DC=yourdomain',
            UserPw => 'YOURPASSWORD',
            AlwaysFilter => '(&(objectclass=user) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        CustomerUserExcludePrimaryCustomerID => 0,
        AdminSetPreferences => 0,
        Map => [
            [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
        ],
    };


# --------------------------------------------------------------------------------------------------------
#   Customer Authentication - NOTE: Make sure Net::LDAP is installed!
# --------------------------------------------------------------------------------------------------------

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'YOUR_DC_SERVER_FQDN';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=yourdomain,dc=yourdomain';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=IT Helpdesk Ticketing System,OU=Service Accounts,DC=yourdomain,DC=yourdomain';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'yourpassword';
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

# --------------------------------------------------------------------------------------------------------
#   Customer Single Signon SSO
# --------------------------------------------------------------------------------------------------------
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';

ksbuchanan
v3.3.5 on Windows 2008r2 64-bit
Agent Auth: Windows LDAP
Customer Auth: Windows LDAP
Customer DB: Windows LDAP
Apache webserver
MYSql DB server
valdoltra
Znuny newbie
Posts: 6
Joined: 10 Apr 2014, 13:43
Znuny Version: 3.3.5
Real Name: Vladimir Zelić
Company: Teknoxgroup d.o.o.

Re: single signon with active directory

Post by valdoltra »

ksbuchanan wrote: Here is my config for customer AD SSO, and for the customer DB integration with AD.

...read carefully...you need to update with your specific domain settings.
I have read your code and mine, and as I said SSO works fine. Now let's say I want to connect from my mobile phone, tablet or another machine not in my domain. At that point Kerberos fails and should point me to customer.pl or index.pl and let me enter my username and password manually. (Up to here everything makes sense.) Now this works for Agents (index.pl) but not for customers. What I think is that the Auth Module isn't comfortable with that.
Kerberos auth protects only a Directory or Location, which in this case is cgi-bin. So if Kerberos fails but lets me through to index.pl, shouldn't it be the same for customer.pl?
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: single signon with active directory

Post by crythias »

My question is more along the lines of: both roads lead to Rome.

That is to say, the practical difference between the popup window requesting login and the full web page login is cosmetic.
valdoltra
Znuny newbie
Posts: 6
Joined: 10 Apr 2014, 13:43
Znuny Version: 3.3.5
Real Name: Vladimir Zelić
Company: Teknoxgroup d.o.o.

Re: single signon with active directory

Post by valdoltra »

crythias wrote: My question is more along the lines of: both roads lead to Rome.

That is to say, the practical difference between the popup window requesting login and the full web page login is cosmetic.
This is not entirely true. The pop-up window is Apache's authentication request, while the full web page login is OTRS's. The point is that when the first fails I should be able to get to the second one. As I found out with my digging, it's not Apache's fault but OTRS's (not the right word, but there's probably something in my configuration that I missed).
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: single signon with active directory

Post by crythias »

valdoltra wrote: The pop-up window is Apache's authentication request, while the full web page login is OTRS's.
This depends on whether OTRS relies on external authentication.

If both roads require LDAP connection to authenticate, it doesn't matter the provider of the front-end interface to use the [same] back-end method.

OTRS's reliance on HTTP Auth (where HTTP Auth uses ldap negotiate with kerberos, which falls back to popup window for apache when Krb/sso fails) effectively leaves the "next step" in the hands of Apache. If Apache says it's okay, then OTRS continues.

It's true that the front-end request is provided by different services, but the backend request is essentially the same (unless it's not, and you're using multiple backends for Customers and then you're asking for LDAP to fall back to database, for instance).