Matthew,

What was the issue? To me it looked like you may have been using the wrong URL for the customer/user.

Thanks
GEH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matthew Joyce
Sent: Tuesday, June 12, 2007 3:05 AM
To: User questions and discussions about OTRS.org
Subject: Re: [otrs] ORTS, LDAP and AD groups

ah, got it. Thanks for your help!!

On 6/12/07, Matthew Joyce <[EMAIL PROTECTED]> wrote:
> Sorry, much *appreciated*.
> However, I have not been able to login as a customer yet.
> I used your kindly provided config, and really the only parts I changed
> are those which pertain to my setup:
>
> ldaphost, ldapuser, ldapuserpw, basedn, agent group dn, and user group dn.
>
> I can login as an Agent, but not as a customer.
> Here's the log output....
>
> I login...
> Kernel::System::Auth::LDAP::Auth] User: mjoyce (CN=Matt Joyce,OU=IT,OU=Operations,OU=xxxx,DC=xxxx,DC=xxxx) authentication ok (REMOTE_ADDR: xxx.xxx.xxx.xxx).
>
> I logout....
> [Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 10ac457be93b8d791d1529f8552d0b0c13.
>
> I try as customer...
> [Notice][Kernel::System::Auth::LDAP::Auth] User: mjoyce.test authentication failed, no LDAP group entry foundGroup DN='cn=OTRS-Agents,ou=Groups,dc=xxxx,dc=xxxx', Filter='(member=CN=mjoyce.test,OU=IT,OU=Operations,OU=xxxx,DC=xxx,DC=xxxx)'! (REMOTE_ADDR: xxx.xxx.xxx.xxx).
>
> To me this seems right: my customer account mjoyce.test is not a member
> of the agent group.
> But why doesn't it test (and report in the log file) against the customer group?
>
> Have I completely misunderstood something? Customers are able to login
> via the web, right?
>
> thanks
>
>
> On 6/12/07, Matthew Joyce <[EMAIL PROTECTED]> wrote:
> > Much unappreciated Greg, I'm going to work through this today.
> > I have the Agent group working, but not the customer group.
> >
> > With your setup, are Agents in both groups?
> >
> > Thanks
> >
> >
> > On 6/8/07, Greg Horne <[EMAIL PROTECTED]> wrote:
> > >
> > > Sorry to hear it's going slow. Had fun also with getting it to work using
> > > AD. You did not include all of your config for LDAP, so I'll just cover a
> > > few general things.
> > >
> > > Set up a user account that can browse AD's LDAP (username - OTRS_Account,
> > > password - whatever); you may want to make it never expire.
> > >
> > > Set up two groups, one for Customers and one for Agents.
> > >
> > > Make AD users members of the Customers group.
> > >
> > > Add the AD users that you want to use the system as an agent to the
> > > Agents group.
> > >
> > > Create a user in OTRS and add it to the admin group, using the same
> > > username that you intend to login to AD with.
> > >
> > > Modify your Config.pm file, adding the following to allow agents and
> > > customers/users to login using LDAP. Modify for your structure. Taken from
> > > my setup; add and modify as needed. Just an example:
> > >
> > > ############## Start of Config.pm ################
> > > <snip>
> > >
> > > # we want to use LDAP for Auth
> > > $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> > > $Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.com';
> > > $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domainname,dc=win,dc=domain,dc=com';
> > > $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> > > # The username and password of the user you set up to access LDAP
> > > # information in AD
> > > $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
> > > $Self->{'AuthModule::LDAP::SearchUserPw'} = 'whateverYourPasswordIs';
> > >
> > > # We want our Customer/users to Auth using LDAP
> > > $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> > > $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.domain.com';
> > > $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
> > > $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> > > $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
> > > $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'whateverYourPasswordIs';
> > >
> > > # Customer user backend: read customer records from AD
> > > $Self->{CustomerUser} = {
> > >     Module => 'Kernel::System::CustomerUser::LDAP',
> > >     Params => {
> > >         Host   => 'ldap.domain.com',
> > >         BaseDN => 'OU=Users,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com',
> > >         SSCOPE => 'sub',
> > >         UserDN => 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com',
> > >         UserPw => 'whateverYourPasswordIs',
> > >     },
> > >     CustomerKey => 'sAMAccountName',
> > >     CustomerID  => 'userPrincipalName',
> > >     CustomerUserListFields   => ['displayName', 'userPrincipalName'],
> > >     CustomerUserSearchFields => ['displayName', 'userPrincipalName'],
> > >     # must be an array ref, a bareword here fails under "use strict"
> > >     CustomerUserPostMasterSearchFields => ['userPrincipalName'],
> > >     CustomerUserNameFields => ['givenName', 'sn'],
> > >     # the following must map to valid fields in your AD
> > >     # (givenname, sn, sAMAccountName, ...)
> > >     Map => [
> > >         [ 'UserFirstname',  'Firstname',  'givenname',         1, 1, 'var' ],
> > >         [ 'UserLastname',   'Lastname',   'sn',                1, 1, 'var' ],
> > >         [ 'UserLogin',      'Login',      'sAMAccountName',    1, 1, 'var' ],
> > >         [ 'UserEmail',      'Email',      'userPrincipalName', 1, 1, 'var' ],
> > >         [ 'UserCustomerID', 'CustomerID', 'userPrincipalName', 0, 1, 'var' ],
> > >     ],
> > > };
> > >
> > > # OK now let's have our agents use LDAP
> > > $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=helpdesk_agents,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com';
> > > $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
> > > $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
> > >
> > > $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=helpdesk_customers,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com';
> > > $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
> > > $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
> > >
> > > # UserSyncLDAPMap
> > > # (map if agent should be created/synced from LDAP to DB after login; must
> > > # match your AD)
> > > $Self->{UserSyncLDAPMap} = {
> > >     # DB -> LDAP
> > >     Firstname => 'givenName',
> > >     Lastname  => 'sn',
> > >     Email     => 'userPrincipalName',
> > > };
> > >
> > > # UserSyncLDAPGroups
> > > # (If "LDAP" was selected for AuthModule, you can specify
> > > # initial user groups for first login.)
> > > $Self->{UserSyncLDAPGroups} = [
> > >     'users',
> > > ];
> > >
> > > <snip>
> > > ##################### End of Config.pm ####################
> > >
> > > Restart OTRS and try logging in using the username you set up as the admin,
> > > but use your AD password. Should work. They login as a customer using the
> > > username and password that you put in the customer group in AD.
> > >
> > > Have Fun
> > >
> > > GEH
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matthew Joyce
> > > Sent: Thursday, June 07, 2007 9:40 PM
> > > To: otrs
> > > Subject: [otrs] ORTS, LDAP and AD groups
> > >
> > > Hi all,
> > >
> > > I'm having glacial progress with getting otrs (Debian) to authenticate
> > > with Active Directory.
> > > I have trawled the archives and I'm still not even sure the setup
> > > I'm after can be done.
> > >
> > > I have a standard structure of OUs.
> > > Customer and Agent accounts are distributed throughout the OUs.
> > > I'd like to put Agents in a group to distinguish them from Customers.
> > > The login IDs should be their samAccountName.
> > >
> > > Group membership can be derived from the group attribute 'member',
> > > which contains users' DNs.
> > >
> > > here's the config...
> > > $Self->{'AuthModule::LDAP::UID'} = 'samAccountName';
> > > $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Agents,ou=Groups,dc=domain,dc=local';
> > > $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
> > > $Self->{'AuthModule::LDAP::UserAttr'} = 'distinguishedname';
> > >
> > > Looking at the log, it seems membership is being tested using the
> > > Login ID and failing.
> > >
> > > Jun 8 11:37:28 vm-helpdesk OTRS-CGI-10[13668]: [Notice][Kernel::System::Auth::LDAP::Auth] User: mjoyce authentication failed, no LDAP group entry foundGroupDN='cn=OTRS-Agents,ou=Groups,dc=domain,dc=local', Filter='(member=mjoyce)'! (REMOTE_ADDR: x.x.x.x).
> > >
> > > Have I misunderstood how this authentication process works?
> > > Can anyone advise me?
> > >
> > > Thanks
> > >
> > > Matt
> > > _______________________________________________
> > > OTRS mailing list: otrs - Webpage: http://otrs.org/
> > > Archive: http://lists.otrs.org/pipermail/otrs
> > > To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
> > > Support or consulting for your OTRS system?
> > > => http://www.otrs.com/
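As an added, offline illustration of the membership check this thread revolves around (example code written for this page; it is not part of the thread and not OTRS's own code): a small Python model of the two-step LDAP authentication OTRS performs, first resolving the login to a DN through the UID attribute and then testing membership in the interface's GroupDN. It reproduces the two filter shapes visible in the logs above, '(member=mjoyce)' when AuthModule::LDAP::UserAttr is anything other than 'DN' and '(member=CN=...)' when it is 'DN', and it also shows why an account that is only in the customer group fails when it goes through the agent login instead of the customer login. The directory entries, DNs, logins and the CONFIGS table are all constructed sample data.

```python
"""Offline model of the OTRS LDAP group-membership check (added example).

Assumptions: DIRECTORY and CONFIGS below are constructed sample data; the
filter shapes mirror the ones quoted in the thread's log lines.
"""

# Constructed in-memory directory: DN -> attributes (string or list values).
DIRECTORY = {
    "CN=Matt Joyce,OU=IT,OU=Operations,DC=example,DC=local": {
        "sAMAccountName": "mjoyce",
    },
    "CN=mjoyce.test,OU=IT,OU=Operations,DC=example,DC=local": {
        "sAMAccountName": "mjoyce.test",
    },
    # AD groups: 'member' holds full DNs, never bare login names.
    "CN=OTRS-Agents,OU=Groups,DC=example,DC=local": {
        "member": ["CN=Matt Joyce,OU=IT,OU=Operations,DC=example,DC=local"],
    },
    "CN=OTRS-Customers,OU=Groups,DC=example,DC=local": {
        "member": [
            "CN=Matt Joyce,OU=IT,OU=Operations,DC=example,DC=local",
            "CN=mjoyce.test,OU=IT,OU=Operations,DC=example,DC=local",
        ],
    },
}

# Constructed configs mirroring the thread. The agent interface checks the
# agent group and the customer interface checks the customer group. With a
# UserAttr other than 'DN' the login name (UID) goes into the filter, which
# can never match a 'member' attribute that holds DNs.
CONFIGS = {
    "agent_uid_attr": {  # the first config in the thread
        "UID": "sAMAccountName",
        "GroupDN": "CN=OTRS-Agents,OU=Groups,DC=example,DC=local",
        "AccessAttr": "member",
        "UserAttr": "distinguishedname",  # not 'DN' -> UID used in filter
    },
    "agent": {  # AuthModule::LDAP::* with UserAttr 'DN'
        "UID": "sAMAccountName",
        "GroupDN": "CN=OTRS-Agents,OU=Groups,DC=example,DC=local",
        "AccessAttr": "member",
        "UserAttr": "DN",
    },
    "customer": {  # Customer::AuthModule::LDAP::* with UserAttr 'DN'
        "UID": "sAMAccountName",
        "GroupDN": "CN=OTRS-Customers,OU=Groups,DC=example,DC=local",
        "AccessAttr": "member",
        "UserAttr": "DN",
    },
}


def _norm(value):
    """DNs and attribute values compare case-insensitively in AD."""
    return value.lower()


def find_user_dn(uid_attr, login):
    """Step 1: resolve the login to a DN by searching on the UID attribute."""
    for dn, attrs in DIRECTORY.items():
        if _norm(str(attrs.get(uid_attr, ""))) == _norm(login):
            return dn
    return None


def build_group_filter(cfg, login, user_dn):
    """Step 2: build the membership filter the way the thread's logs show it."""
    value = user_dn if cfg["UserAttr"] == "DN" else login
    return f"({cfg['AccessAttr']}={value})"


def evaluate_filter(entry, ldap_filter):
    """Evaluate one '(attr=value)' equality filter against a single entry."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    present = entry.get(attr, [])
    if isinstance(present, str):
        present = [present]
    return any(_norm(v) == _norm(value) for v in present)


def authenticate(interface, login):
    """Resolve the DN, then require membership in the interface's group.
    Returns the outcome plus the filter used, so a failure can be compared
    with the Filter='...' part of the server-side log line."""
    cfg = CONFIGS[interface]
    user_dn = find_user_dn(cfg["UID"], login)
    if user_dn is None:
        return {"ok": False, "reason": "no such user", "filter": None}
    ldap_filter = build_group_filter(cfg, login, user_dn)
    ok = evaluate_filter(DIRECTORY.get(cfg["GroupDN"], {}), ldap_filter)
    return {
        "ok": ok,
        "reason": None if ok else "no LDAP group entry found",
        "group_dn": cfg["GroupDN"],
        "filter": ldap_filter,
    }


if __name__ == "__main__":
    for interface, login in [
        ("agent_uid_attr", "mjoyce"),  # first log in the thread: fails
        ("agent", "mjoyce"),           # agent login, UserAttr 'DN': ok
        ("agent", "mjoyce.test"),      # customer account via agent URL: fails
        ("customer", "mjoyce.test"),   # same account via customer URL: ok
    ]:
        r = authenticate(interface, login)
        print(f"{interface:15s} {login:12s} ok={r['ok']!s:5s} filter={r['filter']}")
```

Run it as a script to see the four cases. The filter string each case returns is the one to compare with the Filter='...' fragment in the OTRS log line, and with an ldapsearch run against the group as the OTRS search user: if the group's member values are full DNs, only the 'DN' setting can match, and a failure that names the agent GroupDN for a customer account means the request arrived at the agent interface, not that the customer configuration is wrong.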
