This is one of mine in case you wanted to compare:

     # AD/LDAP - working on and may explode at any point (I put this here because our domain admins like to move objects at will).
     $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
     $Self->{'AuthModule::LDAP::Host'} = 'corp.blahblah.com';
     $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=corp,dc=blahblah,dc=com';
     $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
     $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_svcs,OU=Service Accounts,DC=corp,DC=blahblah,DC=com';
     $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
     $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
     $Self->{'Customer::AuthModule::LDAP::Host'} = 'corp.blahblah.com';
     $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=corp,dc=blahblah,dc=com';
     $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
     $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_svcs,OU=Service Accounts,DC=corp,DC=blahblah,DC=com';
     $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';


     $Self->{CustomerUser} = {
     Name => 'blahblah AD',
     Module => 'Kernel::System::CustomerUser::LDAP',
     Params => {
       Host => 'corp.blahblah.com',
       BaseDN => 'ou=blahblah Employees,dc=corp,dc=gtsi,dc=com',
       SSCOPE => 'sub',
       AlwaysFilter => '(&(sAMAccountName=*)(mail=*))',
       UserDN => 'CN=otrs_svcs,OU=Service Accounts,DC=corp,DC=blahblah,DC=com',
       UserPw => 'password',
     },
     CustomerKey => 'sAMAccountName',
     CustomerID => 'mail',
     CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
     CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
     CustomerUserPostMasterSearchFields => ['mail'],
     CustomerUserNameFields => ['givenname', 'sn'],
     Map => [
       # note: Login, Email and CustomerID needed!
       # var, frontend, storage, shown, required, storage-type
       [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
       [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
       [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
       [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
       [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
     ],
   };
    # UserSyncLDAPMap
    # (map if agent should create/synced from LDAP to DB after login)
    $Self->{UserSyncLDAPMap} = {
        # DB -> LDAP
        Firstname => 'givenName',
        Lastname => 'sn',
        Email => 'mail',
    };

    # UserSyncLDAPGroups
    # (If "LDAP" was selected for AuthModule, you can specify
    # initial user groups for first login.)
    $Self->{UserSyncLDAPGroups} = [
        'Domain Users',
    ];

    # UserTable
    $Self->{DatabaseUserTable} = 'system_user';
    $Self->{DatabaseUserTableUserID} = 'id';
    $Self->{DatabaseUserTableUserPW} = 'pw';
    $Self->{DatabaseUserTableUser} = 'login';
}


On 9/21/07 2:48 PM, "Robert Aldridge" <[EMAIL PROTECTED]> wrote:

> Finally got it working...
> 
> I changed every entry of:
> 
> 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> 
> to:
> 
> 'tsteel\OTRS'
> 
> and, to pull user data to the local DB, I added:
> 
>     # UserSyncLDAPMap
>     # (map if agent should create/synced from LDAP to DB after login)
>     $Self->{UserSyncLDAPMap} = {
>         # DB -> LDAP
>         Firstname => 'givenName',
>         Lastname => 'sn',
>         Email => 'mail',
>     };
> 
>     # UserSyncLDAPGroups
>     # (If "LDAP" was selected for AuthModule, you can specify initial
>     # user groups for first login.)
>     $Self->{UserSyncLDAPGroups} = [
>         'users',
>     ];
> 
> 
> Perhaps this will help someone else who's trying to set OTRS up with Microsoft
> Active Directory.
> 
> Thanks,
> 
> Robert Aldridge
> 
> 
> 
> On 9/21/07, Robert Aldridge <[EMAIL PROTECTED]> wrote:
>> Hi folks,
>> 
>> First let me say that OTRS appears to be a great product!  Kudos to the
>> developers!
>> 
>> We are in the process of evaluating our options for a helpdesk/trouble-ticket
>> system.  I would really like to give OTRS a good evaluation, but I'm having
>> some problems.  Our chosen solution must be able to authenticate users (both
>> agents and customers) via Microsoft Active Directory.  It appears that this
>> is possible, but I've yet to have any success.  I'll outline the steps I've
>> taken and solicit any input from the community.
>> 
>> OTRS is working fine when authenticating against its own database.  Here's
>> what I've done to try to authenticate against AD:
>> 
>> I edited Kernel/Config.pm and added:
>> 
>> <begin additions to Config.pm>
>> 
>>     $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
>>     $Self->{'AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
>>     $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
>>     $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
>>     $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
>>     $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
>> 
>>     $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
>>     $Self->{'Customer::AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
>>     $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
>>     $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
>>     $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
>>     $Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = 'password';
>> 
>>     $Self->{CustomerUser} = {
>>     Module => 'Kernel::System::CustomerUser::LDAP',
>>     Params => {
>>     Host => 'lincoln.tsteel.com',
>>     BaseDN => 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
>>     SSCOPE => 'sub',
>>     UserDN => 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
>>     UserPW => 'password',
>>     },
>>     CustomerKey => 'sAMAccountName',
>>     CustomerID => 'mail',
>>     CustomerUserListFields => 'sAMAccountName', 'cn', 'mail',
>>     CustomerUserSearchFields => 'sAMAccountName', 'cn', 'mail',
>>     CustomerUserPostMasterSearchFields => 'mail',
>>     CustomerUserNameFields => 'givenname', 'sn',
>>     Map => [
>>     [ 'UserFirstName', 'Firstname', 'givenname', 1, 1, 'var' ],
>>     [ 'UserLastName', 'Lastname', 'sn', 1, 1, 'var' ],
>>     [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
>>     [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
>>     [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
>>     ],
>>     };
>> 
>> <end additions to Config.pm>
>> 
>> 
>> On my AD box, I ran: ldifde -f users.ldf -d "OU=Tuscaloosa - Sheet
>> Mill,dc=tsteel,dc=com" -r "<objectClass=user>"
>> 
>> Which returned a listing of all users in the Tuscaloosa - Sheet Mill org
>> unit.  Within the users.ldf file (output from the above command), there's an
>> entry for OTRS Admin:
>> 
>> <begin snippet from users.ldf>
>> 
>>     dn: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
>>     changetype: add
>>     objectClass: top
>>     objectClass: person
>>     objectClass: organizationalPerson
>>     objectClass: user
>>     cn: OTRS
>>     sn: Admin
>>     givenName: OTRS
>>     distinguishedName: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
>>     instanceType: 4
>>     whenCreated: 20070920125829.0Z
>>     whenChanged: 20070921135825.0Z
>>     displayName: OTRS
>>     uSNCreated: 8512826
>>     uSNChanged: 8549454
>>     name: OTRS
>>     objectGUID:: po7FpWyIxEWWQeiUc9XMwA==
>>     userAccountControl: 66048
>>     badPwdCount: 0
>>     codePage: 0
>>     countryCode: 0
>>     badPasswordTime: 128347689772801250
>>     lastLogoff: 0
>>     lastLogon: 128347693211238750
>>     pwdLastSet: 128347667099207500
>>     primaryGroupID: 513
>>     objectSid:: AQUAAAAAAAUVAAAApR5XA/l+DSsgfDsl4xwAAA==
>>     accountExpires: 9223372036854775807
>>     logonCount: 0
>>     sAMAccountName: OTRS
>>     sAMAccountType: 805306368
>>     userPrincipalName: [EMAIL PROTECTED]
>>     objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tsteel,DC=com
>>     dSCorePropagationData: 20070921135825.0Z
>>     dSCorePropagationData: 20070921135825.0Z
>>     dSCorePropagationData: 20070921135825.0Z
>>     dSCorePropagationData: 20070921131751.0Z
>>     dSCorePropagationData: 16010108151056.0Z
>>     lastLogonTimestamp: 128347680934676250
>> 
>> 
>> <end snippet from users.ldf>
>> 
>> 
>> With this configuration, when I attempt to login as an agent using my
>> username (which I know is valid in AD), it errors out with:
>> 
>> Login failed! Your username or password was entered incorrectly.
>> 
>> And, when I revert the Config.pm back (so I can log in)
>> and check the system log, I see:
>> 
>> User: raldridge authentication failed, no LDAP entry
>> found!BaseDN='ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
>> Filter='(sAMAccountName=raldridge)', (REMOTE_ADDR: 10.1.1.50).
>> 
>> Any help would be greatly appreciated.
>> 
>> Thanks,
>> 
>> Robert Aldridge
>> 
> 
> 
> _______________________________________________
> OTRS mailing list: otrs - Webpage: http://otrs.org/
> Archive: http://lists.otrs.org/pipermail/otrs
> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
> Support or consulting for your OTRS system?
> => http://www.otrs.com/

-Andy Lubel
-- 
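
Added example, not part of the original thread and not OTRS code: a small Perl check for two discrepancies visible in the quoted configuration, a hash key whose case differs from the spelling used in the config at the top of this message, and a SearchUserDN that matches no `dn:` line in the users.ldf export. The names `normalize_dn`, `ldif_dns` and `audit` are hypothetical, and the sample settings and LDIF lines are constructed from values quoted in the thread.

```perl
use strict; use warnings;

# Key spellings as used in the config at the top of this message.
my @known_keys = map { ( $_, "Customer::$_" ) }
    map { "AuthModule::LDAP::$_" } qw(Host BaseDN UID SearchUserDN SearchUserPw);

# Constructed sample: four settings from the quoted, non-working Config.pm.
my $bind_dn = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
my %config = (
    'AuthModule::LDAP::SearchUserDN'           => $bind_dn,
    'AuthModule::LDAP::SearchUserPw'           => 'password',
    'Customer::AuthModule::LDAP::SearchUserDN' => $bind_dn,
    'Customer::AuthModule::LDAP::SearchUserPW' => 'password',
);

# Constructed sample: two lines of the users.ldf export quoted in the thread.
my $ldif = <<'LDIF';
dn: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
sAMAccountName: OTRS
LDIF

# Lower-case a DN and trim each RDN. Naive split: escaped commas are not handled.
sub normalize_dn {
    return join ',', map { my $r = $_; $r =~ s/^\s+|\s+$//g; $r } split /,/, lc $_[0];
}

# Collect the normalized DN of every entry in an LDIF export.
sub ldif_dns {
    ( my $text = shift ) =~ s/\r?\n //g;    # undo LDIF line folding
    my %dns = map { ( normalize_dn($_) => 1 ) } $text =~ /^dn: +(.+?)\s*$/mg;
    return \%dns;
}

# Return findings for case-mismatched keys and bind DNs absent from the export.
sub audit {
    my ( $config, $known, $dns ) = @_;
    my %canonical = map { ( lc($_) => $_ ) } @$known;
    my @findings;
    for my $key ( sort keys %$config ) {
        my $want = $canonical{ lc $key };
        push @findings, "$key: expected spelling $want" if defined $want && $want ne $key;
        next unless $key =~ /SearchUserDN$/ && $config->{$key} =~ /=/;    # skip DOMAIN\user binds
        push @findings, "$key: DN not present in LDIF export"
            unless $dns->{ normalize_dn( $config->{$key} ) };
    }
    return @findings;
}

print "$_\n" for audit( \%config, \@known_keys, ldif_dns($ldif) );
```

Point `%config` at the real settings and `$ldif` at a fresh ldifde export to repeat the check after directory objects are moved.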

