[otrs] LDAP: Agent-Login works, but Customer-Login does not. Problem with AuthModule::LDAP::AlwaysFilter
895 views
Skip to first unread message
Stefan Michael Guenther
Aug 27, 2012, 5:42:51 PM8/27/12
to ot...@otrs.org
Hello,
I'm currently trying to setup the LDAP authentication for both agents and customers. While the agents can login without a problem, the customers can't. We checked the logfiles and found out, that OTRS uses "AuthModule::LDAP::AlwaysFilter" for agents and customers, although we have defined "Customer::AuthModule::LDAP::AlwaysFilter". Here are the relevant lines from the config file, did we make a type or misunderstood something in the configuration? BTW, we are using version 3.1.9
sub Load {
my $Self = shift;
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '192.168.10.5';
$Self->{'AuthModule::LDAP::BaseDN'} = 'o=in-put';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrsuser,o=in-put';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxx';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(memberOf=cn=OTRS,ou=Gruppen,o=IN-PUT)';
$Self->{'AuthModule::LDAP::Params'} = { port => 389,timeout => 120,async => 0, version => 3,};
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '192.168.10.5';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'o=in-put';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrsuser,o=in-put';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = { UserFirstname => 'givenName',UserLastname => 'sn',UserEmail => 'mail', };
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = ['users',];
$Self->{'Customer::AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '192.168.10.5';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=user,o=in-put';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrsuser,o=in-put';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxx';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(sn=*)';
$Self->{'Customer::AuthModule::LDAP::Params'} = {port => 389, timeout => 120, async => 0, version => 3,};
$Self->{'Customer::AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'Customer::AuthSyncModule::LDAP::Host'} = '192.168.10.5';
$Self->{'Customer::AuthSyncModule::LDAP::BaseDN'} = 'o=in-put';
$Self->{'Customer::AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'Customer::AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrsuser,o=in-put';
$Self->{'Customer::AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxx';
$Self->{'Customer::AuthSyncModule::LDAP::UserSyncMap'} = {UserFirstname => 'givenName', UserLastname => 'sn',UserEmail => 'mail', };
$Self->{'Customer::AuthSyncModule::LDAP::UserSyncInitialGroups'} = ['customers',];
Thanks for any hints or suggestions,
Stefan
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
I'm currently trying to setup the LDAP authentication for both agents and customers. While the agents can login without a problem, the customers can't. We checked the logfiles and found out, that OTRS uses "AuthModule::LDAP::AlwaysFilter" for agents and customers, although we have defined "Customer::AuthModule::LDAP::AlwaysFilter". Here are the relevant lines from the config file, did we make a type or misunderstood something in the configuration? BTW, we are using version 3.1.9
sub Load {
my $Self = shift;
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '192.168.10.5';
$Self->{'AuthModule::LDAP::BaseDN'} = 'o=in-put';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrsuser,o=in-put';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxx';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(memberOf=cn=OTRS,ou=Gruppen,o=IN-PUT)';
$Self->{'AuthModule::LDAP::Params'} = { port => 389,timeout => 120,async => 0, version => 3,};
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '192.168.10.5';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'o=in-put';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrsuser,o=in-put';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = { UserFirstname => 'givenName',UserLastname => 'sn',UserEmail => 'mail', };
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = ['users',];
$Self->{'Customer::AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '192.168.10.5';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=user,o=in-put';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrsuser,o=in-put';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxx';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(sn=*)';
$Self->{'Customer::AuthModule::LDAP::Params'} = {port => 389, timeout => 120, async => 0, version => 3,};
$Self->{'Customer::AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'Customer::AuthSyncModule::LDAP::Host'} = '192.168.10.5';
$Self->{'Customer::AuthSyncModule::LDAP::BaseDN'} = 'o=in-put';
$Self->{'Customer::AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'Customer::AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrsuser,o=in-put';
$Self->{'Customer::AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxx';
$Self->{'Customer::AuthSyncModule::LDAP::UserSyncMap'} = {UserFirstname => 'givenName', UserLastname => 'sn',UserEmail => 'mail', };
$Self->{'Customer::AuthSyncModule::LDAP::UserSyncInitialGroups'} = ['customers',];
Thanks for any hints or suggestions,
Stefan
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Gerald Young
Aug 27, 2012, 8:05:01 PM8/27/12
to s.gue...@in-put.de, User questions and discussions about OTRS.
$Self->{'Customer::AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
There is no CustomerAuthSync Module
You probably don't want this? $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(sn=*)';
You have no CustomerUser information.
3.1: http://doc.otrs.org/3.1/en/html/customer-user-backend.html#customer-backend-ldap
3.1: http://doc.otrs.org/3.1/en/html/auth-backends.html#customer-auth-backend-ldap
3.1: http://doc.otrs.org/3.1/en/html/auth-backends.html#agent-auth-backend-ldap
3.1: http://doc.otrs.org/3.1/en/html/auth-backends.html#customer-auth-backend-ldap
3.1: http://doc.otrs.org/3.1/en/html/auth-backends.html#agent-auth-backend-ldap
Timothy J. Deerinck
Aug 28, 2012, 12:11:03 AM8/28/12
to s.gue...@in-put.de, User questions and discussions about OTRS.
This is how I made mine work. You can adapt as needed.........
# Enable LDAP Authentication Sync for Agent #
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=yourdomain,dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=OTRS,ou=Technical Support,dc=yourdomain,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'LookupPasswordHere';
# Enable Agent Mapping from LDAP to DB #
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc1.yourdomain.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=yourdomain,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Users,DC=yourdomain,DC=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS,ou=Technical Support,dc=yourdomain,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'LookupPasswordHere';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';
Owner / Senior Network & Systems Engineer
This e-mail and any attachments may contain confidential and
privileged information. If you are not the intended recipient,
please notify the sender immediately by return e-mail, delete this
e-mail and destroy any copies. Any dissemination or use of this
information by a person other than the intended recipient is
unauthorized and is strictly prohibited by law.
# Enable LDAP Authentication Sync for Agent #
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://172.16.223.2:389';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=yourdomain,dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=OTRS,ou=Technical Support,dc=yourdomain,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'LookupPasswordHere';
# Enable Agent Mapping from LDAP to DB #
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# Enable Customer Authentication
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc1.yourdomain.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=yourdomain,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Users,DC=yourdomain,DC=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS,ou=Technical Support,dc=yourdomain,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'LookupPasswordHere';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
Timothy J. Deerinck
port => 389,
timeout => 120,
async => 0,
version => 3,
};
Owner / Senior Network & Systems Engineer
This e-mail and any attachments may contain confidential and
privileged information. If you are not the intended recipient,
please notify the sender immediately by return e-mail, delete this
e-mail and destroy any copies. Any dissemination or use of this
information by a person other than the intended recipient is
unauthorized and is strictly prohibited by law.
Stefan Michael Guenther
Aug 29, 2012, 6:16:46 AM8/29/12
to ot...@otrs.org
Hi,
> $Self->{'Customer::AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
> There is no CustomerAuthSync Module
>
hm, now OTRS accepts the login name and the passwords, but since there isn't a corresponding account in OTRS, the customer can not login.
If there isn't a snyc for customers, how should this work?
Stefan
Gadow, Shawn
Aug 29, 2012, 12:46:15 PM8/29/12
to s.gue...@in-put.de, User questions and discussions about OTRS.
Put this in your config file replace any XXXX with your Data
-----------------------------------------------------------------------
# start LDAP AUTH
# -----------------------------------------------------------------------
# OVERALL LDAP AUTH
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=XXXX,dc=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=XXXXX,cn=XXXX,dc=XXXX,dc=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'XXXX';
# CUSTOMER LDAP AUTH
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=XXXX,dc=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'XXXX';
# USER LDAP SETTINGS WHEN SUBMITTING A TICKET
$Self->{CustomerUser} = {
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'XXXX.XXXX.local',
BaseDN => 'dc=XXXX,dc=local',
SSCOPE => 'sub',
UserDN => 'cn=XXXX,cn=Users,dc=XXXX,dc=local',
UserPw => 'XXXX',
},
CustomerKey => 'sAMAccountName',
CustomerID => 'sAMAccountName',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
# [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};
# -----------------------------------------------------------------------
# end LDAP AUTH
# -----------------------------------------------------------------------
-----------------------------------------------------------------------
# start LDAP AUTH
# -----------------------------------------------------------------------
# OVERALL LDAP AUTH
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'XXXX.XXXX.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=XXXX,dc=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=XXXXX,cn=XXXX,dc=XXXX,dc=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'XXXX';
# CUSTOMER LDAP AUTH
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'XXXX.XXXX.local';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=XXXX,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=XXXX,cn=XXXX,dc=XXXX,dc=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'XXXX';
# USER LDAP SETTINGS WHEN SUBMITTING A TICKET
$Self->{CustomerUser} = {
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'XXXX.XXXX.local',
BaseDN => 'dc=XXXX,dc=local',
SSCOPE => 'sub',
UserDN => 'cn=XXXX,cn=Users,dc=XXXX,dc=local',
UserPw => 'XXXX',
},
CustomerKey => 'sAMAccountName',
CustomerID => 'sAMAccountName',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
# [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};
# -----------------------------------------------------------------------
# end LDAP AUTH
# -----------------------------------------------------------------------
Reply all
Reply to author
Forward
0 new messages