User synchronization via Active Directory

Sv3n
Znuny newbie
Posts: 5
Joined: 03 Aug 2009, 14:38
Znuny Version: 2.4.2

Post by Sv3n »

Hey hey..

Yes, I'm a new user of OTRS..
so there will surely be one or two questions coming up in the near future..

Here's my first one..

So, I have just installed OTRS version 2.4.2.. So far, so good..
How can I now synchronize OTRS with my Active Directory?
The point is, I don't feel like hammering 90 users into OTRS by hand.. ;)

I hope someone can help me..

Regards, Sven
heindl
Znuny newbie
Posts: 6
Joined: 03 Aug 2009, 15:35
Znuny Version: 2.4.2

Post by heindl »

Hi!

I'm new too, and I found an answer to your question in the admin documentation under <OTRSHOME>/OTRS/doc/manual/de/pdf, in chapter 11.2.2 LDAP. Note: cut & paste didn't work for me - you have to replace the ´ with '.

Regards

Charly
garwen
Znuny expert
Posts: 260
Joined: 03 Feb 2009, 16:51
Znuny Version: 2.4.7

Post by garwen »

First you have to set up LDAP in the AD, if you haven't already done so.

Then read chapter 11.2.2 in the docs
http://doc.otrs.org/2.4/de/html/x1907.h ... ckend-ldap

Everything about how to connect OTRS to the AD via LDAP is there.
Best regards
~Fredy

Production: OTRS 3.0.11/ openSUSE 11.4 / Apache2, MySQL5 / Exchange 2010
Sv3n
Znuny newbie
Posts: 5
Joined: 03 Aug 2009, 14:38
Znuny Version: 2.4.2

Post by Sv3n »

So, I followed the instructions, but somehow the whole thing still won't work..
As soon as I have edited the file and start OTRS in the browser again, I get the following error message:

Software error:

Not a code reference at C:/PROGRA~1/OTRS/OTRS//Kernel/Config/Defaults.pm line 2224
For help, please send mail to the webmaster (webmaster@somenet.com), giving this error message and the time and date of the error.


Yet all I did was add the following to the file:

Code:

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = 'C:/PROGRA~1/OTRS/OTRS';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # CustomerUser
    # (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
        Name => 'LDAP-Datenquelle',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'server1.domain.de',
            # ldap base dn
            BaseDN => 'cn=xxxxxxxxxxxxxxxxxxx',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => '',
            UserPw => '',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass
            AlwaysFilter => '',
            # if your frontend is e. g. iso-8859-1 and the charset of your
            # ldap server is utf-8, use this options (if not, ignore it)
            # SourceCharset => 'utf-8',
            # DestCharset => 'iso-8859-1',
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port => 389,
                timeout => 120,
                async => 0,
                version => 3,
            },
        },
        # customer uniq id
        CustomerKey => 'uid',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['uid', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        # show now own tickets in customer panel, CompanyTickets
        CustomerUserExcludePrimaryCustomerID => 0,
        # add a ldap filter for valid users (expert setting)
        # CustomerUserValidFilter => '(!(description=gesperrt))',
        # admin can't change customer preferences
        AdminSetPreferences => 0,
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-
            [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
            [ 'UserLogin', 'Username', 'uid', 1, 1, 'var', '', 0 ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
            # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
            [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
            [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
        ],
    };

    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{'CheckMXRecord'} = 1;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
hmmmmmmmmmmmm.... now what?
garwen
Znuny expert
Posts: 260
Joined: 03 Feb 2009, 16:51
Znuny Version: 2.4.7

Post by garwen »

I think you're missing the AuthModule.

Code:

#-------------------------------------#
#  LDAP configuration / customer auth #
#-------------------------------------#
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'pdc.firma.ch';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=firma,dc=ch';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=username,cn=user,dc=firma,dc=ch';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'passwort';

The rest is then reading the customer data from the AD, which you already have in there.
I'm assuming you have filled in the parameters Host, BaseDN, UserDN and UserPW in the live config.pm. UserDN and UserPW are of course the credentials of your LDAP user.

Code:

#--------------------------------------#
#   LDAP configuration / customer data #
#--------------------------------------#
$Self->{CustomerUser1} = {
  Name => 'LDAP Datenquelle',
  Module => 'Kernel::System::CustomerUser::LDAP',
  Params => {
    Host => 'pdc.firma.ch',
    BaseDN => 'dc=firma,dc=ch',
    SSCOPE => 'sub',
    UserDN => 'cn=username,cn=user,dc=firma,dc=ch',
    UserPw => 'passwort',
  },
  CustomerKey => 'sAMAccountName',
  CustomerID => 'mail',
  CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
  CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
  CustomerUserPostMasterSearchFields => ['mail'],
  CustomerUserNameFields => ['givenname', 'sn'],
  Map => [
    # note: Login, Email and CustomerID needed!
    # var, frontend, storage, shown, required, storage-type
    [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
    [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
    [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
    [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
    [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
    [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
    [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#     [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#     [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
  ],
};
Best regards
~Fredy

Production: OTRS 3.0.11/ openSUSE 11.4 / Apache2, MySQL5 / Exchange 2010
Sv3n
Znuny newbie
Posts: 5
Joined: 03 Aug 2009, 14:38
Znuny Version: 2.4.2

Post by Sv3n »

lol, that's exactly what was missing.. thank you..

yes of course, in the real .pm the data has been adjusted..
Sv3n
Znuny newbie
Posts: 5
Joined: 03 Aug 2009, 14:38
Znuny Version: 2.4.2

Post by Sv3n »

Hm, it still doesn't work..

Does the attribute sAMAccountName also have to be changed?
garwen
Znuny expert
Posts: 260
Joined: 03 Feb 2009, 16:51
Znuny Version: 2.4.7

Post by garwen »

No, sAMAccountName has to stay as it is.

In what way does it not work? What happens, and what does the log file say?
Best regards
~Fredy

Production: OTRS 3.0.11/ openSUSE 11.4 / Apache2, MySQL5 / Exchange 2010
Sv3n
Znuny newbie
Posts: 5
Joined: 03 Aug 2009, 14:38
Znuny Version: 2.4.2

Post by Sv3n »

Well, I can log in as root, but I can't log in any users from LDAP, let alone search for them.
The LDAP database is shown under "Kunden-Benutzer" (Customer Users), though.

The error messages in the log show the following:


Code:

[Wed Aug 12 14:51:04 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Wed Aug 12 14:51:18 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Wed Aug 12 14:51:18 2009][Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 1041097d2fce35ff3b25b6bbb9b0022d02.
[Wed Aug 12 14:51:20 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Wed Aug 12 14:51:20 2009][Error][Kernel::System::AuthSession::DB::CheckSessionID][60] Got no SessionID!!
[Wed Aug 12 14:51:21 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Wed Aug 12 14:51:21 2009][Error][Kernel::System::AuthSession::DB::CheckSessionID][60] Got no SessionID!!
[Wed Aug 12 14:51:22 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Wed Aug 12 14:51:22 2009][Error][Kernel::System::AuthSession::DB::CheckSessionID][60] Got no SessionID!!
[Wed Aug 12 14:51:22 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Wed Aug 12 14:51:22 2009][Error][Kernel::System::AuthSession::DB::CheckSessionID][60] Got no SessionID!!
[Wed Aug 12 14:53:53 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Wed Aug 12 14:53:59 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Wed Aug 12 14:53:59 2009][Notice][Kernel::System::Auth::DB::Auth] User: root@localhost authentication ok (REMOTE_ADDR: 127.0.0.1).
[Wed Aug 12 14:53:59 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Wed Aug 12 14:55:40 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Wed Aug 12 14:55:44 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Wed Aug 12 14:55:44 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Wed Aug 12 14:56:00 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Wed Aug 12 14:56:00 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
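
Added example, not part of the thread and not OTRS code: a small Python parser for the log format above that decodes the Active Directory sub-status code in the `data 525` field. Code 525 means the directory did not find the account used for the bind, which for "First bind failed!" is the `UserDN` of the customer backend. The function names and the last sample line are constructed for this example.

```python
import re
from collections import Counter

# Active Directory sub-status codes that appear as "data <hex>" in a failed LDAP bind.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# [timestamp][level][module][optional source line] message
LINE_RE = re.compile(r"^\[([^\]]+)\]\[(\w+)\]\[([\w:]+)\](?:\[(\d+)\])?\s*(.*)$")
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def parse_line(line):
    """Split one OTRS log line into fields and decode the AD sub-code, if any."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, module, src_line, msg = m.groups()
    d = DATA_RE.search(msg)
    code = d.group(1).lower() if d else None
    reason = AD_SUBCODES.get(code, "unknown sub-code") if code else None
    return {"ts": ts, "level": level, "module": module, "subcode": code, "reason": reason}

def summarize_bind_failures(lines):
    """Count failed binds per (module, sub-code, reason)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["subcode"]:
            counts[(rec["module"], rec["subcode"], rec["reason"])] += 1
    return counts

# The first three lines are from the log in the thread; the last one is constructed.
SAMPLE = [
    "[Wed Aug 12 14:51:04 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece",
    "[Wed Aug 12 14:51:18 2009][Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 1041097d2fce35ff3b25b6bbb9b0022d02.",
    "[Wed Aug 12 14:53:59 2009][Notice][Kernel::System::Auth::DB::Auth] User: root@localhost authentication ok (REMOTE_ADDR: 127.0.0.1).",
    "[Wed Aug 12 15:02:11 2009][Error][Kernel::System::CustomerUser::LDAP::new][151] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece",
]

if __name__ == "__main__":
    for (module, code, reason), n in summarize_bind_failures(SAMPLE).items():
        print(f"{n}x {module}: data {code} = {reason}")
```

A change from 525 to 52e after editing the bind DN indicates the account is now found and only the password is rejected.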