We are currently evaluating OTRS version 2.4.1. We are using MSAD for the
majority of the users and OpenLDAP for another set of users. I have configured
the Config.pm file as shown in
http://faq.otrs.org/otrs/public.pl?Action=PublicFAQ&ItemID=219. A user in MSAD
can authenticate, but a user in OpenLDAP cannot.
The log shows both tries for the MSAD user, but for the OpenLDAP user it stops
once the MSAD provider fails with an incorrect password; it does not go on to
check OpenLDAP. The reverse is true if we swap the providers so that OpenLDAP
is first and MSAD is second: then OpenLDAP users are authenticated and MSAD
users are not.
How do we get FAQ entries updated?
http://faq.otrs.org/otrs/public.pl?Action=PublicFAQ&ItemID=219 is out of date.
Thanks
Wayne
Below is an example of the error:
[Fri Jul 24 09:46:59 2009][Notice][Kernel::System::Auth::DB::Auth] User: "ABC"
authentication with wrong Pw!!! (REMOTE_ADDR: XXX)
[Fri Jul 24 09:46:59 2009][Notice][Kernel::System::Auth::LDAP::Auth] User:
"ABC" authentication failed, no LDAP entry found! "MSAD base info"
(REMOTE_ADDR: XXX).
[Fri Jul 24 09:46:59 2009][Notice][Kernel::System::Auth::DB::Auth] User: "ABC"
authentication with wrong Pw!!! (REMOTE_ADDR: XXX)
Below are the settings in Config.pm with MSAD first:
# Authentication backend Auth #
# ---------------------------------------------------- #
#------------------------------------------------------#
#***** aus MSAD
#------------------------------------------------------#
#Enable LDAP authentication for Customers / Users
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'XXXXXX';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'XXXXXX';
#$Self->{'AuthModule::LDAP::UID1'} = 'cn';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
# The following is valid but is only necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'XXXXXX';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'XXXXXX';
# Add the following lines when users are only allowed to log in if they
# reside in the specified security group.
# Remove these lines if you want to provide login to all users under
# the User Base DN.
$Self->{'AuthModule::LDAP::GroupDN1'} ='XXXXXX';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthModule::LDAP::Die1'} = 1;
#------------------------------------------------------#
#***** OpenLDAP
#------------------------------------------------------#
#Enable LDAP authentication for Customers / Users
$Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host2'} = 'YYYYYYY';
$Self->{'AuthModule::LDAP::BaseDN2'} = 'YYYYYYY';
#$Self->{'AuthModule::LDAP::UID2'} = 'cn';
$Self->{'AuthModule::LDAP::UID2'} = 'cssDisplayNameDefault';
# The following is valid but is only necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN2'} = 'YYYYYYY';
$Self->{'AuthModule::LDAP::SearchUserPw2'} = 'YYYYYYY';
# Add the following lines when users are only allowed to log in if they
# reside in the specified security group.
# Remove these lines if you want to provide login to all users under
# the User Base DN.
$Self->{'AuthModule::LDAP::GroupDN2'} ='YYYYYYY';
$Self->{'AuthModule::LDAP::AccessAttr2'} = 'UniqueMember';
$Self->{'AuthModule::LDAP::UserAttr2'} = 'DN';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params2'} = {
port => 58089,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthModule::LDAP::Die2'} = 1;
# ---------------------------------------------------- #
# Auth Sync Backend #
# ---------------------------------------------------- #
#------------------------------------------------------#
#***** MSAD
#------------------------------------------------------#
## agent data sync against ldap
#$Self->{'AuthSyncModule'}
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'XXXX';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'XXXXX';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'XXXXX';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'XXXX';
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
## DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
## AuthSyncModule::LDAP::UserSyncInitialGroups
## (sync the following groups with rw permission after the initial create
## on the first agent login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
'users','admin','stats'
];
$Self->{'AuthSyncModule::LDAP::Die1'} = 1;
#------------------------------------------------------#
#***** OpenLDAP
#------------------------------------------------------#
## agent data sync against ldap
#$Self->{'AuthSyncModule'}
$Self->{'AuthSyncModule2'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host2'} = 'YYYYYYY';
$Self->{'AuthSyncModule::LDAP::BaseDN2'} = 'YYYYYYY';
$Self->{'AuthSyncModule::LDAP::UID2'} = 'cssDisplayNameDefault';
$Self->{'AuthSyncModule::LDAP::SearchUserDN2'} = 'YYYYYYY';
$Self->{'AuthSyncModule::LDAP::SearchUserPw2'} = 'YYYYYYY';
$Self->{'AuthSyncModule::LDAP::Params2'} = {
port => 58089,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthSyncModule::LDAP::UserSyncMap2'} = {
## DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
## AuthSyncModule::LDAP::UserSyncInitialGroups
## (sync the following groups with rw permission after the initial create
## on the first agent login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups2'} = [
'users','admin','stats'
];
$Self->{'AuthSyncModule::LDAP::Die2'} = 1;
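Added example, not from the original post or from the OTRS project: a small Python lint for the `$Self->{'...'} = ...;` style of Kernel/Config.pm shown above. It flags the two kinds of slip that are easy to introduce when a config like this is pasted around: comment lines that wrap onto a line without a leading `#` (Perl reads those as bare words, not comments) and quoted values with stray leading or trailing whitespace (a BaseDN of `' YYYYYYY'` is not the same DN as `'YYYYYYY'`). It also checks that every numbered `AuthModuleN` LDAP backend has a `Host`, `BaseDN` and `UID` and a matching `AuthSyncModuleN`. The required-key list and the auth/sync pairing are assumptions taken from the posted config, not a statement of what OTRS itself enforces; the sample input is constructed with placeholders.

```python
"""Lint OTRS Config.pm-style auth settings for common copy/paste slips.

Assumptions (not verified against OTRS source): every numbered
AuthModuleN LDAP backend needs HostN, BaseDNN and UIDN, and is expected
to have a matching AuthSyncModuleN.  Adjust REQUIRED_PER_BACKEND if your
installation differs.
"""
import re

# $Self->{'Some::Key'} = <value>;   (value may be a scalar or a '{' / '[' opener)
ASSIGN = re.compile(r"^\s*\$Self->\{'(?P<key>[^']+)'\}\s*=\s*(?P<val>.*?);?\s*$")
# a single-quoted scalar on the right-hand side
SCALAR = re.compile(r"^'(?P<s>[^']*)'\s*;?$")

REQUIRED_PER_BACKEND = ("Host", "BaseDN", "UID")


def parse_settings(text):
    """Return (settings, problems).

    settings maps key -> scalar value (None for hash/array openers).
    problems is a list of (lineno, message) for lines that are not a
    comment, a blank, an assignment, or part of a hash/array literal,
    and for scalar values carrying leading/trailing whitespace.
    """
    settings, problems = {}, []
    depth = 0  # > 0 while inside a {...} or [...] literal
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if depth > 0:
            if stripped.startswith(("}", "]")):
                depth -= 1
            continue  # inner hash/array entries are not validated here
        m = ASSIGN.match(line)
        if not m:
            # typically a wrapped comment line that lost its '#'
            problems.append((lineno, f"not a Perl assignment or comment: {stripped!r}"))
            continue
        key, val = m.group("key"), m.group("val").strip()
        if val in ("{", "["):
            depth += 1
            settings[key] = None
            continue
        sm = SCALAR.match(val)
        if sm:
            s = sm.group("s")
            if s != s.strip():
                problems.append((lineno, f"{key}: value {s!r} has leading/trailing whitespace"))
            settings[key] = s
        else:
            settings[key] = val  # numbers etc., kept verbatim
    return settings, problems


def check_backends(settings):
    """Check each AuthModuleN LDAP backend for required keys and a sync module."""
    msgs = []
    for key, val in settings.items():
        m = re.fullmatch(r"AuthModule(\d*)", key)
        if not m or val != "Kernel::System::Auth::LDAP":
            continue
        n = m.group(1)
        for req in REQUIRED_PER_BACKEND:
            if not settings.get(f"AuthModule::LDAP::{req}{n}"):
                msgs.append(f"AuthModule{n}: missing AuthModule::LDAP::{req}{n}")
        if f"AuthSyncModule{n}" not in settings:
            msgs.append(f"AuthModule{n}: no AuthSyncModule{n} configured")
    return msgs


def lint(text):
    """Run both checks and return human-readable messages in file order."""
    settings, problems = parse_settings(text)
    msgs = [f"line {n}: {m}" for n, m in problems]
    msgs.extend(check_backends(settings))
    return msgs


# Constructed sample modelled on the settings posted above (placeholders only).
# It deliberately contains a wrapped comment line, a BaseDN with a leading
# space, and a second backend with no matching AuthSyncModule2.
SAMPLE_CONFIG = """\
# constructed sample
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'XXXXXX';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'XXXXXX';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
#Add the following lines when only users are allowed to login if they
reside in the specified security group
$Self->{'AuthModule::LDAP::GroupDN1'} ='XXXXXX';
$Self->{'AuthModule::LDAP::Params1'} = {
    port => 389,
    timeout => 120,
};
$Self->{'AuthModule::LDAP::Die1'} = 1;
$Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host2'} = 'YYYYYYY';
$Self->{'AuthModule::LDAP::BaseDN2'} = ' YYYYYYY';
$Self->{'AuthModule::LDAP::UID2'} = 'cssDisplayNameDefault';
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
"""

if __name__ == "__main__":
    for msg in lint(SAMPLE_CONFIG):
        print(msg)
```

To use it on a real file, read Kernel/Config.pm into `text` and call `lint(text)`; on the constructed sample it reports the bare `reside in ...` line, the whitespace in `BaseDN2`, and the missing `AuthSyncModule2`. The lint only reads the file; it never connects to a directory, so it is safe to run on a production config.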
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs