Martin Edenhofer wrote:

On Thu, Feb 19, 2004 at 11:15:26AM -0600, Jason Joines wrote:


I got User LDAP authentication working. Anyone who could authenticate to my directory could log in. However, I need to restrict it so I created a group in the directory:

dn: cn=otrs,dc=mydomain,dc=org
objectClass: posixGroup
gidNumber: 523
cn: otrs
description: People in Support Services, etc., who can use OTRS
memberUid: jo
memberUid: don
memberUid: sam


Then I modified the Kernel/Config.pm file and added:


$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,dc=mydomain,dc=org';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';


Then, jo, don, and sam along with everyone else were no longer able to log in. The error in the log is:


User: jo login failed, no LDAP group entry foundGroupDN='cn=otrs,dc=mydomain,dc=org', Filter='(memberUid=uid=jo,dc=mydomain,dc=org)'! (REMOTE_ADDR: 172.16.9.159).

What setting should I use to require membership in my group?



[Kernel/Config.pm]


   # for ldap posixGroups objectclass (just uid)
   $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';

[...]

See Kernel/Config/Defaults.pm.



Thanks,

Jason Joines
=============



Martin Edenhofer


--
((otrs.de)) :: OTRS GmbH :: Norsk-Data-Str. 1 :: 61352 Bad Homburg
http://www.otrs.de/ :: Manage your communication!


_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Support or consulting for your OTRS system?
=> http://www.otrs.de/



I did look at that and it's how I got User LDAP Authentication working. I don't think I understand what I'm seeing. In:
$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
how do I specify what group?



My settings to make sure User LDAP Authentication was working were:


$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap.mydomain.org';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=mydomain,dc=org';
$Self->{'AuthModule::LDAP::UID'} = 'uid';

That allowed LDAP users to authenticate. However, it allowed all my LDAP users to authenticate. I need to restrict it to a particular subset of users based on posixGroup. So, I added:

$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs,dc=mydomain,dc=org';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';


Thanks,


Jason
===========
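
Added example, not part of the thread and not OTRS code: a small Python model of the group check. It assumes, from the logged filter and the quoted `UserAttr` comment, that the filter value is the user's full DN unless `AuthModule::LDAP::UserAttr` is `'UID'`. The function names, the RFC 4515 escaping and the user `eve` are this example's own.

```python
# Group entry as posted in the thread.
GROUP_LDIF = """\
dn: cn=otrs,dc=mydomain,dc=org
objectClass: posixGroup
gidNumber: 523
cn: otrs
description: People in Support Services, etc., who can use OTRS
memberUid: jo
memberUid: don
memberUid: sam
"""

def parse_entry(ldif):
    """Parse one simple LDIF entry into {lowercased attribute: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if line.strip():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def escape_filter_value(value):
    """Hex-escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_filter(access_attr, user_attr, uid, user_dn):
    """Build the membership filter: bare login for 'UID', full DN otherwise."""
    value = uid if user_attr.upper() == "UID" else user_dn
    return "(%s=%s)" % (access_attr, escape_filter_value(value))

def is_member(entry, access_attr, user_attr, uid, user_dn):
    """Evaluate the equality match that the filter expresses against the entry."""
    value = uid if user_attr.upper() == "UID" else user_dn
    # memberUid uses a case-exact match, so compare values as-is.
    return value in entry.get(access_attr.lower(), [])

if __name__ == "__main__":
    group = parse_entry(GROUP_LDIF)
    for mode in ("DN", "UID"):
        for uid in ("jo", "eve"):  # "eve" is a constructed non-member
            dn = "uid=%s,dc=mydomain,dc=org" % uid
            print(mode, uid, group_filter("memberUid", mode, uid, dn),
                  is_member(group, "memberUid", mode, uid, dn))
```

In DN mode the model reproduces the filter from the log and matches nobody, because `memberUid` holds bare logins; in UID mode only the listed members match.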



