RE: [otrs] Customer LDAP to AD Authentication - close, but not working

[Arnold, Andrew]

thanks Sune 
 
Nearly there I think - it does let me in now I have made that change.
Still not showing any of the calls I created via admin login tho. 
 
Appreciate the help. Fairly new to otrs but starting to get my head
round it I think.
 
Thanks again
 
A

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Sune T. Tougaard
Sent: 24 November 2006 15:57
To: otrs@otrs.org
Subject: RE: [otrs] Customer LDAP to AD Authentication - close, but not
working



Hi, 

First post, please be gentle... ;-) 
  
Don't know that much about it, but a few ideas: 

The "hd\xpinstall" UID i think is wrong. The UID, i believe, is used to
decide which LDAP Property that is used as UID. 
In the case of a Windows AD domain, it's usually "sAMAccountName" or
"userPrincipalName". 

That might give you the "Bad filter" message. 
Does the filter/search string show up in the log? 

Also, i think the "CustomerID => 'o'" usually reads "CustomerID =>
'mail'", to use the e-mail from LDAP as customerID in the OTRS DB.

The issue that Tim had back then... 
The error message seem to indicate that he was logging on using
"userPrincipalName" (<username>@<dom>.<dom>) instead of "sAMAccountName"
(<username>), which might have worked if the "UID" and "CustomerKey" was
set to "userPrincipalName" instead of "sAMAccountName".

Hope that helps you along... 

-- 
/Sune 


________________________________ 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Arnold, Andrew 
Sent: Thursday, November 23, 2006 2:13 PM 
To: otrs@otrs.org 
Subject: [otrs] Customer LDAP to AD Authentication - close, but not
working 


Please see mail below from Tim Miller: I too have a similar problem,
("Login 
failed! Your username or password was entered incorrectly". on the
customer.pl web page) but I get the following entry in log file:

[Thu Nov 23 13:06:23
2006][Error][Kernel::System::CustomerAuth::LDAP::Auth][141] Search
failed! Bad filter 
  
Any ideas people please: 
  
Thanks a lot: 
  
Andrew 
  
(please see LDAP entries in my Config.pm) 
  
# AA Customer Authentication # 
  
    $Self->{'Customer::AuthModule'} =
'Kernel::System::CustomerAuth::LDAP'; 
    $Self->{'Customer::AuthModule::LDAP::Host'} = '128.30.1.50';     
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} =
'dc=hq,dc=office,dc=hd,dc=com'; 
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'hd\xpinstall';  
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} =
'cn=xpinstall,ou=Support,ou=IT,OU=HD,dc=hq,dc=office,dc=hd,dc=com';

    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '******starred
out*'; 
  
# Getting Customer Info # 
  
     $Self->{CustomerUser} = { 
    Module => 'Kernel::System::CustomerUser::LDAP', 
    Params => { 
      Host => '128.30.1.50', 
      BaseDN => 'dc=hq,dc=office,dc=hd,dc=com', 
      SSCOPE => 'sub', 
      UserDN =>
'cn=xpinstall,ou=Support,ou=IT,OU=HD,dc=hq,dc=office,dc=hd,dc=com', 
      UserPw => '******starred out*', 
    }, 
    CustomerKey => 'sAMAccountName', 
    CustomerID => 'o', 
    CustomerUserListFields => ['cn'], 
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'], 
    CustomerUserPostMasterSearchFields => ['mail'], 
    CustomerUserNameFields => ['givenname', 'sn'], 
    Map => [ 
      # note: Login, Email and CustomerID needed! 
      # var, frontend, storage, shown, required, storage-type 
#       [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ], 
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ], 
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ], 
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ], 
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ], 
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ], 
       [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ], 
#       [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ], 
       [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ], 
    ], 
  }; 

(Mail from Tim Miller 
  
I am having trouble getting the customers to be able to authenticate and

log in to the customer.pl web page.  I am trying to use LDAP to 
authenticate.  From the agent side, my LDAP searches are working fine. 
If I search for a customer by name to create a new ticket, I get a 
complete list of possible names back from the LDAP search. 

However, when the customers attempt to log in, all I get is  "Login 
failed! Your username or password was entered incorrectly".  I know the 
username and password is correct, but I keep getting this error.  In the

System log, I get the following message, "CustomerUser: 
jdoe at dbtamerica.local <http://lists.otrs.org/cgi-bin/listinfo/otrs>
authentification failed, no LDAP entry 
found!BaseDN='dc=dbtamerica,dc=local', 
Filter='(&(sAMAccountName=jdoe at dbtamerica.local
<http://lists.otrs.org/cgi-bin/listinfo/otrs> )(!objectclass=computer))

', (REMOTE_ADDR: 10.222.128.53)." 

I have a J Doe account in my AD that I use for testing, the account 
exists and I am using the correct password. 

Do I have to use the PosixGroups lines in the Config.pm file?  I am 
currently not using these at all, but my understanding is that it should

work without them.  Do I have to create a group in AD, or specify that 
the "domain users" group is allowed access? 

Any advice is greatly appreciated, this is our last major hurdle to get 
over, so far we love the package, but we really want the AD 
authentication to work. 

With Best Regards, 

Tim ) 
  
Andrew Arnold 
IT Support Analyst 
hammondsdirect 
DDI 01274 764677 
Mob 07946 459179 
mailto:[EMAIL PROTECTED] 
  
This message is confidential and may be legally privileged or otherwise
protected from disclosure.  If you are not the intended recipient,
please telephone or email the sender and delete this message and any
attachment from your system; you must not copy or disclose the contents
of this message or any attachment to any other person.

Copyright in documents created by or on behalf of this firm remains
vested in the firm, and we assert our moral rights, unless the terms of
our relevant client's engagement provide otherwise.

HammondsDirect is regulated in the United Kingdom by the Law Society.
The partners in the firm are either solicitors or registered foreign
lawyers and a list of their names and professional qualifications can be
inspected at Pennine House, Well Street, Bradford, BD1 5NU.

This e-mail has been scanned for all viruses on behalf of HammondsDirect
by Integralis e:scan. 



This message is confidential and may be legally privileged or otherwise 
protected from disclosure.  If you are not the intended recipient, please 
telephone or email the sender and delete this message and any attachment from 
your system; you must not copy or disclose the contents of this message or any 
attachment to any other person.

Copyright in documents created by or on behalf of this firm remains vested in 
the firm, and we assert our moral rights, unless the terms of our relevant 
client's engagement provide otherwise.

HammondsDirect is regulated in the United Kingdom by the Law Society. The 
partners in the firm are either solicitors or registered foreign lawyers and a 
list of their names and professional qualifications can be inspected at Pennine 
House, Well Street, Bradford, BD1 5NU.

This e-mail has been scanned for all viruses on behalf of HammondsDirect by 
Integralis e:scan.


_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Support orr consulting for your OTRS system?
=> http://www.otrs.com/