[otrs] OTRS LDAP Agent Authentication


David Holder

Aug 3, 2009, 3:06:14 PM
to User questions and discussions about OTRS.
Hi Chaps,

I'm trying to authenticate agents on my OTRS implementation (OTRSforwin) by adopting the LDAP template like so: (Windows Server 2003 Active Directory domain controller)

   ########## Start of LDAP Config ##########


    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'myserver.domain.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=OTRS Admins,dc=domain,dc=local';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
   
    # for ldap posixGroups objectclass (just uid)
    #$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
    # for non ldap posixGroups objectclass (with full user dn)
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Searcher,ou=OTRS LDAP Searcher,dc=domain,dc=local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'myotrspassword';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each login name, use this
    # option, e. g. the user just wants to log in as "user" but the entry
    # in your ldap directory is user@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };


Output from Log File:

[Mon Aug  3 19:51:40 2009][Notice][Kernel::System::Auth::LDAP::Auth] User: David Holder (CN=David Holder,OU=IT,DC=domain,DC=local) authentication ok (REMOTE_ADDR: 127.0.0.1).
[Mon Aug  3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'David Holder'!
[Mon Aug  3 19:51:40 2009][Error][Kernel::System::User::UserLookup][680] No UserID found for 'David Holder'!
[Mon Aug  3 19:51:40 2009][Notice][Kernel::System::User::GetUserData] Panic! No UserData for user: 'David Holder'!!!


Does anyone have any ideas what is wrong with my config?

Your help is most appreciated.

David

Michiel Beijen

Aug 3, 2009, 3:25:24 PM
to User questions and discussions about OTRS.
You'd need to also configure LDAPSync (and map attributes from LDAP to OTRS) in order for the accounts to automatically synchronize. See the part under "AuthSyncModule" in the Manual:

http://doc.otrs.org/2.4/en/html/x1826.html

Kind regards,
--
Michiel Beijen
Software Consultant
+31 6 - 457 42 418
Bee Free IT + http://beefreeit.nl



David Holder

Aug 3, 2009, 4:13:01 PM
to User questions and discussions about OTRS.
Hi Michiel,

Thank you for your quick response. I thought the LDAP sync was a performance enhancement rather than a necessity; cheers for pointing that out.

Unfortunately I'm still having issues with it; it seems my OTRS installation is very sensitive to that extra bit of code. I just implemented the below and was unable to even get into the logon page, so to prevent any major damage I thought I would post it to see where I'm going wrong:


    # agent data sync against ldap
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://myserver.domain.local/';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'UID';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Searcher,OU=OTRS LDAP Searcher,DC=domain,DC=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'myotrspassword';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    [...]

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

Any thoughts as to what I'm doing wrong?

Thanks,

David

Michiel Beijen

Aug 3, 2009, 5:01:08 PM
to User questions and discussions about OTRS.
Try:
$Self->{'AuthSyncModule::LDAP::Host'} = 'myserver.domain.local';
(without the ldap:// bit)



--
Michiel Beijen
Software Consultant
+31 6 - 457 42 418
Bee Free IT + http://beefreeit.nl


David Holder

Aug 3, 2009, 5:08:38 PM
to User questions and discussions about OTRS.
Hi Michiel,

I have tried putting that in, but when I launch OTRS in Firefox I get:

Failed to Connect

The connection was refused when attempting to contact localhost.

It returns to normal if I remove it.

Any ideas?

David

David Holder

Aug 4, 2009, 3:12:45 AM
to User questions and discussions about OTRS.
Hi again,

Managed to sort this issue out; now I have all my agents authenticating
into OTRS via LDAP. Thanks for your help.

Just a quick thing: once an agent logs in they don't have access to the
Admin section of OTRS, nor can I log in as root@localhost.

Is there a way either to give them access to the admin section or log in
as root@localhost?

Thanks,


Rory

Aug 4, 2009, 4:27:45 AM
to User questions and discussions about OTRS.
Before you implement the LDAP Auth config you need to create a user
for doing LDAP lookups who is in both your AD and your DB.
You need to have this user (or another user who is in both the AD and
the DB) promoted to Admin before you implement the LDAP Auth config.
To get yourself an admin login, simply comment out all the LDAP Auth
config so that you are back to DB authentication, log in as
root@localhost and promote one of the users into the Admin group.
Re-apply the LDAP config and then log in as the user you have promoted,
and you should now have admin access with this user.

Let us know if that works,
Rory

Support my 365 Challenge in aid of the Irish Cancer Society

www.365challenge.ie

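To make the two-stage behaviour behind this thread concrete (the LDAP backend accepts the bind and the GroupDN check, then OTRS still has to find the agent in its own user table, which only AuthSyncModule populates), and to show Rory's point that an agent must exist in both the directory and the DB with admin rights before LDAP auth is switched on, here is an added Python simulation. It is not OTRS code and not from any poster in this thread; it models Kernel::System::Auth::LDAP and Kernel::System::Auth::Sync::LDAP against a constructed in-memory directory and user table. All logins, DNs, mail addresses and passwords are constructed; the config dictionaries mirror the keys posted above, with the sync module's UID attribute set to sAMAccountName so that it matches the auth module on Active Directory.

```python
"""Simulation of the OTRS 2.4 agent login path with the LDAP auth backend.

Added example for this thread, not OTRS code. It models LDAP search and
bind, the GroupDN/AccessAttr/UserAttr check, the lookup in the OTRS user
table, the optional AuthSyncModule and Rory's admin lock-out check against
a constructed directory and user table. All sample data is constructed.
"""

# Constructed stand-in for the Active Directory domain controller.
DIRECTORY = {
    "users": {
        "CN=David Holder,OU=IT,DC=domain,DC=local": {
            "sAMAccountName": "dholder", "givenName": "David", "sn": "Holder",
            "mail": "dholder@domain.local", "_password": "pw-constructed-1"},
        "CN=Eve Contractor,OU=External,DC=domain,DC=local": {
            "sAMAccountName": "econtr", "givenName": "Eve", "sn": "Contractor",
            "mail": "econtr@domain.local", "_password": "pw-constructed-2"},
    },
    "groups": {  # non-posixGroup: "member" holds full user DNs (UserAttr=DN)
        "CN=OTRS_Agents,OU=OTRS Admins,DC=domain,DC=local": {
            "member": ["CN=David Holder,OU=IT,DC=domain,DC=local"]},
    },
}

# Mirrors the AuthModule::LDAP::* keys from the first post.
AUTH_CFG = {"UID": "sAMAccountName", "AccessAttr": "member", "UserAttr": "DN",
            "GroupDN": "cn=OTRS_Agents,ou=OTRS Admins,dc=domain,dc=local"}
# Mirrors the AuthSyncModule::LDAP::* keys from the second post; UID is set to
# sAMAccountName so the sync module finds the same entry the auth module did.
SYNC_CFG = {"UID": "sAMAccountName", "UserSyncInitialGroups": ["users"],
            "UserSyncMap": {"UserFirstname": "givenName",
                            "UserLastname": "sn", "UserEmail": "mail"}}


def _norm_dn(dn):
    """DNs compare case-insensitively; AD and the posted config differ in case."""
    return dn.replace(", ", ",").lower()


def ldap_find(directory, cfg, login):
    """Return the DN whose UID attribute equals the login, or None."""
    for dn, attrs in directory["users"].items():
        if attrs.get(cfg["UID"]) == login:
            return dn
    return None


def group_allows(directory, cfg, login, dn):
    """The GroupDN / AccessAttr / UserAttr check of the auth backend."""
    if not cfg.get("GroupDN"):
        return True
    group = next((g for g_dn, g in directory["groups"].items()
                  if _norm_dn(g_dn) == _norm_dn(cfg["GroupDN"])), {})
    members = group.get(cfg["AccessAttr"], [])
    if cfg["UserAttr"] == "UID":            # posixGroup: memberUid holds logins
        return login in members
    return _norm_dn(dn) in map(_norm_dn, members)   # full DNs in "member"


def ldap_auth(directory, cfg, login, password):
    """Kernel::System::Auth::LDAP reduced to search, bind, group check."""
    dn = ldap_find(directory, cfg, login)
    if dn is None or directory["users"][dn]["_password"] != password:
        return None
    return dn if group_allows(directory, cfg, login, dn) else None


def sync_agent(directory, cfg, db, login):
    """Kernel::System::Auth::Sync::LDAP reduced: create or update the agent row
    from UserSyncMap; UserSyncInitialGroups apply only when the row is new."""
    dn = ldap_find(directory, cfg, login)
    if dn is None:            # sync UID attribute does not match: nothing synced
        return
    attrs = directory["users"][dn]
    row = {f: attrs.get(a, "") for f, a in cfg["UserSyncMap"].items()}
    if login in db:
        db[login].update(row)
    else:
        row["groups"] = {g: "rw" for g in cfg["UserSyncInitialGroups"]}
        db[login] = row


def login_agent(directory, db, login, password, auth_cfg, sync_cfg=None):
    """Outcome of an agent login; return values echo the posted log lines."""
    if ldap_auth(directory, auth_cfg, login, password) is None:
        return "login failed"
    if sync_cfg is not None:
        sync_agent(directory, sync_cfg, db, login)
    if login not in db:
        return "No UserID found"      # LDAP bind succeeded, DB row missing
    return "authentication ok"


def add_user_to_group(db, login, group, perm="rw"):
    """What otrs.addUser2Group -g GROUP -u LOGIN -p PERM changes in the table."""
    db[login].setdefault("groups", {})[group] = perm


def agents_keeping_admin(directory, db, auth_cfg):
    """Rory's pre-check before enabling LDAP auth: agents the LDAP backend would
    accept AND who already hold rw on the DB 'admin' group. An empty list means
    nobody reaches the Admin area afterwards (root@localhost is DB-only)."""
    ok = []
    for login, row in db.items():
        dn = ldap_find(directory, auth_cfg, login)
        if dn and row.get("groups", {}).get("admin") == "rw" \
                and group_allows(directory, auth_cfg, login, dn):
            ok.append(login)
    return sorted(ok)
```

Running `login_agent` without a sync config reproduces the posted log sequence (bind accepted, then "No UserID found"); passing `SYNC_CFG` creates the agent row with the mapped attributes and the initial `users` group. Passing a sync config whose UID attribute is `UID` rather than `sAMAccountName`, as in the second posted config, finds no entry to sync and lands on the same "No UserID found" outcome. `agents_keeping_admin` stays empty until `add_user_to_group` (or the DB-auth promotion Rory describes) has put an LDAP-accepted agent into the admin group.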

David Holder

Aug 4, 2009, 5:15:10 AM
to User questions and discussions about OTRS.
Hi Rory,

Thanks for your comments, that's exactly what I did and now it works fine.

I logged on as myself via the LDAP config, then re-applied the local config, promoted myself to full rights and then re-applied the LDAP config; therefore I now have access to the admin area and can promote other authenticated agents.

Thanks all for your help.

David

Michiel Beijen

Aug 4, 2009, 5:35:26 AM
to User questions and discussions about OTRS.
You could also have just run otrs/bin/otrs.addUser2Group -g admin -u username -p rw
... but maybe that's for the next time... ;-)

--
Michiel Beijen
Software Consultant
+31 6 - 457 42 418
Bee Free IT + http://beefreeit.nl


rajaa Jlil

Aug 4, 2009, 5:38:07 AM
to ot...@otrs.org
Hello,

Sorry, but I need help: my web installer didn't work.

Thanks for your help.

Kind regards

-JLIL Rajaa-
ESG-Casablanca

tel: 0665 78 86 49

David Holder

Aug 4, 2009, 7:19:19 AM
to User questions and discussions about OTRS.
Lol Michiel,

Thanks for that and all your previous help :)

David