Hallo,
im Wiki (http://wiki.otrs.org/index.php?title=LDAP_mit_TLS_bzw._SSL) steht
dass man das Modul Kernel::System::Auth::LDAP nach Kernel::System::Auth::LDAPS
kopieren soll.
Ist doch so gemeint oder?
cp LDAP.pm LDAPS.pm
Dann steht:Im Perl Modul LDAP durch LDAPS ersetzen
Ist doch so gemeint oder?
# --
# Kernel/System/Auth/LDAPS.pm - provides the LDAPS authentication
# Copyright (C) 2001-2010 OTRS AG, http://otrs.org/
# --
# $Id: LDAPS.pm,v 1.58 2010/03/25 14:42:45 martin Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
package Kernel::System::Auth::LDAPS;
use strict;
use warnings;
use Net::LDAPS;
use vars qw($VERSION);
$VERSION = qw($Revision: 1.58 $) [1];
sub new {
my ( $Type, %Param ) = @_;
# allocate new hash for object
my $Self = {};
bless( $Self, $Type );
# check needed objects
for (qw(LogObject ConfigObject DBObject UserObject GroupObject
EncodeObject)) {
$Self->{$_} = $Param{$_} || die "No $_!";
}
# Debug 0=off 1=on
$Self->{Debug} = 0;
# get LDAPS preferences
$Self->{Count} = $Param{Count} || '';
$Self->{Die} = $Self->{ConfigObject}->Get(
'AuthModule::LDAPS::Die' . $Param{Count} );
if ( $Self->{ConfigObject}->Get( 'AuthModule::LDAPS::Host' .
$Param{Count} ) ) {
$Self->{Host} = $Self->{ConfigObject}->Get(
'AuthModule::LDAPS::Host' . $Param{Count} );
}
else {
$Self->{LogObject}->Log(
Priority => 'error',
Message => "Need AuthModule::LDAPS::Host$Param{Count} in
Kernel/Config.pm",
);
return;
}
if ( defined( $Self->{ConfigObject}->Get(
'AuthModule::LDAPS::BaseDN' . $Param{Count} ) ) ) {
$Self->{BaseDN} = $Self->{ConfigObject}->Get(
'AuthModule::LDAPS::BaseDN' . $Param{Count} );
}
else {
$Self->{LogObject}->Log(
Priority => 'error',
Message => "Need AuthModule::LDAPS::BaseDN$Param{Count}
in Kernel/Config.pm",
);
return;
}
if ( $Self->{ConfigObject}->Get( 'AuthModule::LDAPS::UID' .
$Param{Count} ) ) {
$Self->{UID} = $Self->{ConfigObject}->Get(
'AuthModule::LDAPS::UID' . $Param{Count} );
}
else {
$Self->{LogObject}->Log(
Priority => 'error',
Message => "Need AuthModule::LDAPS::UID$Param{Count} in
Kernel/Config.pm",
);
return;
}
$Self->{SearchUserDN}
= $Self->{ConfigObject}->Get(
'AuthModule::LDAPS::SearchUserDN' . $Param{Count} ) || '';
$Self->{SearchUserPw}
= $Self->{ConfigObject}->Get(
'AuthModule::LDAPS::SearchUserPw' . $Param{Count} ) || '';
$Self->{GroupDN} = $Self->{ConfigObject}->Get(
'AuthModule::LDAPS::GroupDN' . $Param{Count} )
|| '';
$Self->{AccessAttr}
= $Self->{ConfigObject}->Get( 'AuthModule::LDAPS::AccessAttr'
. $Param{Count} )
|| 'memberUid';
$Self->{UserAttr} = $Self->{ConfigObject}->Get(
'AuthModule::LDAPS::UserAttr' . $Param{Count} )
|| 'DN';
$Self->{UserSuffix}
= $Self->{ConfigObject}->Get( 'AuthModule::LDAPS::UserSuffix'
. $Param{Count} ) || '';
$Self->{UserLowerCase}
= $Self->{ConfigObject}->Get(
'AuthModule::LDAPS::UserLowerCase' . $Param{Count} ) || 0;
$Self->{DestCharset} = $Self->{ConfigObject}->Get(
'AuthModule::LDAPS::Charset' . $Param{Count} )
|| 'utf-8';
# LDAPS filter always used
$Self->{AlwaysFilter}
= $Self->{ConfigObject}->Get(
'AuthModule::LDAPS::AlwaysFilter' . $Param{Count} ) || '';
# Net::LDAPS new params
if ( $Self->{ConfigObject}->Get( 'AuthModule::LDAPS::Params' .
$Param{Count} ) ) {
$Self->{Params} = $Self->{ConfigObject}->Get(
'AuthModule::LDAPS::Params' . $Param{Count} );
}
else {
$Self->{Params} = {};
}
return $Self;
}
sub GetOption {
my ( $Self, %Param ) = @_;
# check needed stuff
if ( !$Param{What} ) {
$Self->{LogObject}->Log( Priority => 'error', Message =>
"Need What!" );
return;
}
# module options
my %Option = ( PreAuth => 0, );
# return option
return $Option{ $Param{What} };
}
sub Auth {
my ( $Self, %Param ) = @_;
# check needed stuff
for (qw(User Pw)) {
if ( !$Param{$_} ) {
$Self->{LogObject}->Log( Priority => 'error', Message =>
"Need $_!" );
return;
}
}
$Param{User} = $Self->_ConvertTo( $Param{User},
$Self->{ConfigObject}->Get('DefaultCharset') );
$Param{Pw} = $Self->_ConvertTo( $Param{Pw},
$Self->{ConfigObject}->Get('DefaultCharset') );
# get params
my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';
# remove leading and trailing spaces
$Param{User} =~ s/^\s+//;
$Param{User} =~ s/\s+$//;
# Convert username to lower case letters
if ( $Self->{UserLowerCase} ) {
$Param{User} = lc $Param{User};
}
# add user suffix
if ( $Self->{UserSuffix} ) {
$Param{User} .= $Self->{UserSuffix};
# just in case for debug
if ( $Self->{Debug} > 0 ) {
$Self->{LogObject}->Log(
Priority => 'notice',
Message => "User: ($Param{User}) added
$Self->{UserSuffix} to username!",
);
}
}
# just in case for debug!
if ( $Self->{Debug} > 0 ) {
$Self->{LogObject}->Log(
Priority => 'notice',
Message => "User: '$Param{User}' tried to authenticate
with Pw: '$Param{Pw}' "
. "(REMOTE_ADDR: $RemoteAddr)",
);
}
# LDAPS connect and bind (maybe with SearchUserDN and SearchUserPw)
my $LDAPS = Net::LDAPS->new( $Self->{Host}, %{ $Self->{Params} } );
if ( !$LDAPS ) {
if ( $Self->{Die} ) {
die "Can't connect to $Self->{Host}: $@";
}
else {
$Self->{LogObject}->Log(
Priority => 'error',
Message => "Can't connect to $Self->{Host}: $@",
);
return;
}
}
my $Result = '';
if ( $Self->{SearchUserDN} && $Self->{SearchUserPw} ) {
$Result = $LDAPS->bind( dn => $Self->{SearchUserDN}, password
=> $Self->{SearchUserPw} );
}
else {
$Result = $LDAPS->bind();
}
if ( $Result->code ) {
$Self->{LogObject}->Log(
Priority => 'error',
Message => 'First bind failed! ' . $Result->error(),
);
$LDAPS->disconnect;
return;
}
# user quote
my $UserQuote = $Param{User};
$UserQuote =~ s/\\/\\\\/g;
$UserQuote =~ s/\(/\\(/g;
$UserQuote =~ s/\)/\\)/g;
# build filter
my $Filter = "($Self->{UID}=$UserQuote)";
# prepare filter
if ( $Self->{AlwaysFilter} ) {
$Filter = "(&$Filter$Self->{AlwaysFilter})";
}
# perform user search
$Result = $LDAPS->search(
base => $Self->{BaseDN},
filter => $Filter,
);
if ( $Result->code ) {
$Self->{LogObject}->Log(
Priority => 'error',
Message => 'Search failed! ' . $Result->error,
);
$LDAPS->unbind;
$LDAPS->disconnect;
return;
}
# get whole user dn
my $UserDN = '';
for my $Entry ( $Result->all_entries ) {
$UserDN = $Entry->dn();
}
# log if there is no LDAPS user entry
if ( !$UserDN ) {
# failed login note
$Self->{LogObject}->Log(
Priority => 'notice',
Message => "User: $Param{User} authentication failed, no
LDAPS entry found!"
. "BaseDN='$Self->{BaseDN}', Filter='$Filter',
(REMOTE_ADDR: $RemoteAddr).",
);
# take down session
$LDAPS->unbind;
$LDAPS->disconnect;
return;
}
# DN quote
my $UserDNQuote = $UserDN;
$UserDNQuote =~ s/\\/\\\\/g;
$UserDNQuote =~ s/\(/\\(/g;
$UserDNQuote =~ s/\)/\\)/g;
# check if user need to be in a group!
if ( $Self->{AccessAttr} && $Self->{GroupDN} ) {
# just in case for debug
if ( $Self->{Debug} > 0 ) {
$Self->{LogObject}->Log(
Priority => 'notice',
Message => 'check for groupdn!',
);
}
# search if we're allowed to
my $Filter2 = '';
if ( $Self->{UserAttr} eq 'DN' ) {
$Filter2 = "($Self->{AccessAttr}=$UserDNQuote)";
}
else {
$Filter2 = "($Self->{AccessAttr}=$UserQuote)";
}
my $Result2 = $LDAPS->search(
base => $Self->{GroupDN},
filter => $Filter2,
);
if ( $Result2->code ) {
$Self->{LogObject}->Log(
Priority => 'error',
Message => "Search failed! base='$Self->{GroupDN}',
filter='$Filter2', "
. $Result->error,
);
# take down session
$LDAPS->unbind;
$LDAPS->disconnect;
return;
}
# extract it
my $GroupDN = '';
for my $Entry ( $Result2->all_entries ) {
$GroupDN = $Entry->dn();
}
# log if there is no LDAPS entry
if ( !$GroupDN ) {
# failed login note
$Self->{LogObject}->Log(
Priority => 'notice',
Message => "User: $Param{User} authentication
failed, no LDAPS group entry found"
. "GroupDN='$Self->{GroupDN}', Filter='$Filter2'!
(REMOTE_ADDR: $RemoteAddr).",
);
# take down session
$LDAPS->unbind;
$LDAPS->disconnect;
return;
}
}
# bind with user data -> real user auth.
$Result = $LDAPS->bind( dn => $UserDN, password => $Param{Pw} );
if ( $Result->code ) {
# failed login note
$Self->{LogObject}->Log(
Priority => 'notice',
Message => "User: $Param{User} ($UserDN) authentication
failed: '"
. $Result->error()
. "' (REMOTE_ADDR: $RemoteAddr).",
);
# take down session
$LDAPS->unbind;
$LDAPS->disconnect;
return;
}
# maybe check if pw is expired
# if () {
# $Self->{LogObject}->Log(
# Priority => 'info',
# Message => "Password is expired!",
# );
# return;
# }
# login note
$Self->{LogObject}->Log(
Priority => 'notice',
Message => "User: $Param{User} ($UserDN) authentication ok
(REMOTE_ADDR: $RemoteAddr).",
);
# take down session
$LDAPS->unbind;
$LDAPS->disconnect;
return $Param{User};
}
sub _ConvertTo {
my ( $Self, $Text, $Charset ) = @_;
return if !defined $Text;
if ( !$Charset || !$Self->{DestCharset} ) {
$Self->{EncodeObject}->EncodeInput( \$Text );
return $Text;
}
# convert from input charset ($Charset) to directory charset
($Self->{DestCharset})
return $Self->{EncodeObject}->Convert(
Text => $Text,
From => $Charset,
To => $Self->{DestCharset},
);
}
sub _ConvertFrom {
my ( $Self, $Text, $Charset ) = @_;
return if !defined $Text;
if ( !$Charset || !$Self->{DestCharset} ) {
$Self->{EncodeObject}->EncodeInput( \$Text );
return $Text;
}
# convert from directory charset ($Self->{DestCharset}) to input
charset ($Charset)
return $Self->{EncodeObject}->Convert(
Text => $Text,
From => $Self->{DestCharset},
To => $Charset,
);
}
1;
Dann soll man ind der Config.pm die Anbindung an LDAP so vornehmen:
Beispiel 11.7. Agentenauthentifizierung gegen ein LDAP Backend
# This is an example configuration for an LDAP auth. backend.
# (Make sure Net::LDAPS is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAPS';
$Self->{'AuthModule::LDAPS::Host'} = 'xxx.xxx.xxx.xxx';
$Self->{'AuthModule::LDAPS::BaseDN'} = 'o=xx xx,c=DE';
$Self->{'AuthModule::LDAPS::UID'} = 'uid';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAPS::GroupDN'} =
'cn=otrsagenten,ou=groups,o=Universitaet,c=DE';
$Self->{'AuthModule::LDAPS::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAPS::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAPS::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAPS::SearchUserDN'} =
'cn=searchuser,ou=xxx,o=Universitaet,c=DE';
$Self->{'AuthModule::LDAPS::SearchUserPw'} = 'xxx';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter =>
'(objectclass=user)'
$Self->{'AuthModule::LDAPS::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAPS::UserSuffix'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAPS)
$Self->{'AuthModule::LDAPS::Params'} = {
port => 63651,
timeout => 120,
async => 0,
version => 3,
};
Leider funkioniert das so nicht:
Can't locate Net/LDAPS.pm in @INC (@INC contains: ../../
/opt/otrs/bin/cgi-bin/../../Kernel/cpan-lib
/opt/otrs/bin/cgi-bin/../..
/usr/lib/perl5/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/5.10.0
/usr/lib/perl5/site_perl/5.10.0/x86_64-linux-thread-multi
/usr/lib/perl5/site_perl/5.10.0
/usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl .
/opt/otrs/bin/cgi-bin/../..
/opt/otrs/bin/cgi-bin/../../Kernel/cpan-lib) at
../..//Kernel/System/Auth/LDAPS.pm line 16.
BEGIN failed--compilation aborted at
../..//Kernel/System/Auth/LDAPS.pm line 16.
Irgendwie kann er mit LDAPS noch nicht anfangen. Es gibt ja auch kein
perl-ldaps
Welche Module müssen installiert sein? Hat jemand eine Schritt für
Schritt-Anleitung um eine LDAPS-Anbindung einzurichten.
Hoffe auf Tipps und Tricks!!
DANKE schon mal.
---------------------------------------------------------------------
OTRS mailing list: otrs-de - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs-de
To unsubscribe: http://lists.otrs.org/mailman/listinfo/otrs-de
