[otrs] Kerberos and LDAP Authentication


Juan Manuel Clavero Almirón

Nov 9, 2012, 5:46:31 AM
to ot...@otrs.org
Hi all,
our company network offers Domain (Kerberos) and LDAP authentication. Since the beginning of the OTRS project, we've been using LDAP Auth, but people in Domain would like to enable Kerberos Auth in OTRS.

I've successfully enabled Kerberos in Apache and AuthModule = 'Kernel::System::Auth::HTTPBasicAuth', but now people not in domain are not able to login.

I've tried with 2 AuthModules ($Self->{AuthModule1} = 'Kernel::System::Auth::HTTPBasicAuth' and $Self->{AuthModule2} = 'Kernel::System::Auth::LDAP'), but OTRS never gets to the LDAP Auth.

Has anyone tried such a configuration? Does anyone have a hint?


Kind regards,
Juan Clavero

---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

Roy Kaldung

Nov 9, 2012, 11:42:09 AM
to User questions and discussions about OTRS.
On Nov 9, 2012, at 11:46 AM, Juan Manuel Clavero Almirón <juanm....@ibsalut.es> wrote:
> Hi all,
> our company network offers Domain (Kerberos) and LDAP authentication. Since the beginning of the OTRS project, we've been using LDAP Auth, but people in Domain would like to enable Kerberos Auth in OTRS.
>
> I've successfully enabled Kerberos in Apache and AuthModule = 'Kernel::System::Auth::HTTPBasicAuth', but now people not in domain are not able to login.
>
> I've tried with 2 AuthModules ($Self->{AuthModule1} = 'Kernel::System::Auth::HTTPBasicAuth' and $Self->{AuthModule2} = 'Kernel::System::Auth::LDAP'), but OTRS never gets to the LDAP Auth.
>
> Has anyone tried such a configuration? Does anyone have a hint?


Do you have any errors in your log?
Did you configure the Auth::Sync::Module, or are the agents already created?

-Roy

--
Roy Kaldung
e-mail: r...@kaldung.com

Juan Manuel Clavero Almirón

Nov 12, 2012, 2:06:54 AM
to User questions and discussions about OTRS.
Hi Roy,
before changing the config, auth and sync were LDAP. I changed auth to Kerberos, but sync was still LDAP.


Kind regards,
Juan Clavero Almirón
Gestiò d’Identitats, Firma i Custòdia
Oficina de Tecnologies, Informació i Comunicacions (OTIC)
Servei de Salut de les Illes Balears
 
C/ de les Escoles, s/n - 07181 Bendinat - Mallorca
Telf. +34 971.42.65.30

-----Original Message-----
From: Roy Kaldung [mailto:r...@kaldung.com]
Sent: Friday, 09 November 2012 17:42
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Kerberos and LDAP Authentication

Roy Kaldung

Nov 13, 2012, 12:47:21 PM
to User questions and discussions about OTRS.
On Nov 12, 2012, at 8:06 AM, Juan Manuel Clavero Almirón <juanm....@ibsalut.es> wrote:
> Hi Roy,
> before changing the config, auth and sync were LDAP. I changed auth to Kerberos, but sync was still LDAP.
>


Check your sync parameter. With mod_auth_kerb you'll get the samaccountname with or without - depends on your configuration - the domain in uppercase.
Do you sync against the samaccountname?

Juan Manuel Clavero Almirón

Nov 14, 2012, 7:33:26 AM
to User questions and discussions about OTRS.
Hi Roy,
yes, I do sync against the samaccountname. I capture it from the kerb login using HTTPBasicAuth::ReplaceRegExp.

But that's not the problem: the problem is for the users that cannot do kerberos authentication. I need them to be able to do LDAP auth using OTRS login page, as they did before. Instead, they just get a 'forbidden' error and don't get any login page.


Kind regards,
Juan Clavero
-----Original Message-----
From: Roy Kaldung [mailto:r...@kaldung.com]
Sent: Tuesday, 13 November 2012 18:47
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Kerberos and LDAP Authentication

Steven Carr

Nov 14, 2012, 10:58:24 AM
to User questions and discussions about OTRS.
It's not really an OTRS issue as Apache is the one handling the actual
authentication. The problem is you can't have a fallback when using
Apache Kerberos authentication (many people have tried [and failed];
google "apache kerberos ldap fallback"). If you fail Kerberos
authentication then Apache will deny you access to any resources.

Steve


On 14 November 2012 12:33, Juan Manuel Clavero Almirón
<juanm....@ibsalut.es> wrote:
> Hi Roy,
> yes, I do sync against the samaccountname. I capture it from the kerb login using HTTPBasicAuth::ReplaceRegExp.
>
> But that's not the problem: the problem is for the users that cannot do kerberos authentication. I need them to be able to do LDAP auth using OTRS login page, as they did before. Instead, they just get a 'forbidden' error and don't get any login page.
>
>
> Kind regards,
> Juan Clavero
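The pieces discussed above (Roy's and Juan's exchange about syncing on the samaccountname after stripping the realm that mod_auth_kerb hands over, and Steven's point that the second auth module can never be reached once Apache has refused the request) collected into one Kernel/Config.pm excerpt. This is an added example, not configuration posted in this thread or shipped by the OTRS project; the host names, DNs, bind account and the "user@REALM" shape of REMOTE_USER are placeholders or assumptions, and the pairing of numbered Auth and Sync modules by suffix is an assumption to confirm against your release's Kernel/System/Auth.pm.

```perl
# Kernel/Config.pm excerpt -- added example, not from this thread or from OTRS.
# All host names, DNs, passwords and the realm are placeholders.

# --- Module 1: trust the user that Apache/mod_auth_kerb already authenticated ---
# OTRS only reads $ENV{REMOTE_USER} here; it never handles a Kerberos ticket itself.
$Self->{AuthModule1} = 'Kernel::System::Auth::HTTPBasicAuth';

# mod_auth_kerb may deliver "jdoe@EXAMPLE.COM" (realm in uppercase) or a bare
# "jdoe", depending on its configuration (assumption: your realm looks like
# this). Keep only the part before '@' so the login equals the AD
# sAMAccountName; a bare "jdoe" is left untouched because the pattern does
# not match.
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp1'} = '^(.+?)@.+?$';

# --- Module 2: the OTRS login form backed by LDAP ---
# Auth.pm consults this only when module 1 returns no user. For a browser that
# Apache has already answered with 401/403 on the Kerberos-protected location,
# the request never reaches OTRS at all, so this block cannot act as a
# fallback for those users (the point made in the reply above).
$Self->{AuthModule2}                       = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host2'}         = 'dc1.example.com';                        # placeholder
$Self->{'AuthModule::LDAP::BaseDN2'}       = 'dc=example,dc=com';                      # placeholder
$Self->{'AuthModule::LDAP::UID2'}          = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN2'} = 'cn=otrs-bind,ou=svc,dc=example,dc=com'; # placeholder, read-only bind account
$Self->{'AuthModule::LDAP::SearchUserPw2'} = 'CHANGE-ME';                              # placeholder
$Self->{'AuthModule::LDAP::Params2'}       = { port => 389, timeout => 120, async => 0, version => 3 };

# --- Agent sync: key on the same attribute both login paths hand over ---
# Because module 1 strips the realm, both paths produce "jdoe", so the same
# directory lookup serves both. Assumption: the sync module with the same
# numeric suffix as the succeeding auth module is the one that runs, hence
# one identical definition per module.
for my $N ( 1, 2 ) {
    $Self->{"AuthSyncModule$N"}                    = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{"AuthSyncModule::LDAP::Host$N"}        = 'dc1.example.com';                        # placeholder
    $Self->{"AuthSyncModule::LDAP::BaseDN$N"}      = 'dc=example,dc=com';                      # placeholder
    $Self->{"AuthSyncModule::LDAP::UID$N"}         = 'sAMAccountName';
    $Self->{"AuthSyncModule::LDAP::SearchUserDN$N"} = 'cn=otrs-bind,ou=svc,dc=example,dc=com'; # placeholder
    $Self->{"AuthSyncModule::LDAP::SearchUserPw$N"} = 'CHANGE-ME';                              # placeholder
    $Self->{"AuthSyncModule::LDAP::UserSyncMap$N"}  = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
}
```

Two things worth checking when using a layout like this: the bind account used for SearchUserDN should be a read-only directory account with its own password rather than an administrator's, and after changing ReplaceRegExp the OTRS log should show the stripped login (for example "jdoe", not "jdoe@EXAMPLE.COM") on the first Kerberos login, otherwise the sync will create a second agent with the realm attached.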

Juan Manuel Clavero Almirón

Nov 14, 2012, 12:58:03 PM
to User questions and discussions about OTRS.
Hi Steven,
I was afraid this would be the answer: either Kerberos or OTRS auth...
well, we can't have it all, can we?

Kind regards,
Juan Clavero


-----Original Message-----
From: Steven Carr [mailto:sjc...@gmail.com]
Sent: Wednesday, 14 November 2012 16:58
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Kerberos and LDAP Authentication
