Sorry much *appreciated*.
However, I have not been able to login as a customer yet.
I used the config you kindly provided, and really the only parts I changed
are those which pertain to my setup.

ldaphost,ldapuser,ldapuserpw, basedn, agent group dn, and user group dn.

I can login as an Agent, but not as a customer.
Here's the log output....

I login...
[Notice][Kernel::System::Auth::LDAP::Auth] User: mjoyce (CN=Matt Joyce,OU=IT,OU=Operations,OU=xxxx,DC=xxxx,DC=xxxx) authentication ok (REMOTE_ADDR: xxx.xxx.xxx.xxx).

I logout....
[Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 10ac457be93b8d791d1529f8552d0b0c13.

I try as customer...
[Notice][Kernel::System::Auth::LDAP::Auth] User: mjoyce.test authentication failed, no LDAP group entry foundGroupDN='cn=OTRS-Agents,ou=Groups,dc=xxxx,dc=xxxx', Filter='(member=CN=mjoyce.test,OU=IT,OU=Operations,OU=xxxx,DC=xxx,DC=xxxx)'! (REMOTE_ADDR: xxx.xxx.xxx.xxx).

To me this seems right: my customer account mjoyce.test is not a member
of the agent group.
But why doesn't it test (and report in the log file) against the customer group?

Have I completely misunderstood something? Customers are able to login
via the web, right?

thanks



On 6/12/07, Matthew Joyce <[EMAIL PROTECTED]> wrote:
Much unappreciated Greg, I'm going to work through this today.
I have the Agent group working, but not the customer group.

With your setup, are Agents in both groups?

Thanks


On 6/8/07, Greg Horne <[EMAIL PROTECTED]> wrote:
>
>
> Sorry to hear it's going slow.  Had fun also with getting it to work using
> AD. You did not include all of your config for LDAP, so I'll just cover a
> few general things.
>
> Set up a user account that can browse AD's LDAP.  (username - OTRS_Account
> password - whatever) you may want to make it never expire.
>
> Set up two groups, one for Customers and one for Agents.
>
> Make AD users members of the Customers group.
>
> Add AD users to the Agents group that you want to use the system as an
> agent.
>
> Create a user in OTRS and add it to the admin group using the same username
> that you intend to login to AD with.
>
> Modify your Config.pm file adding the following to allow agents and
> customers/users to login using LDAP.  Modify for your structure.  Taken from
> my setup, add and modify as needed.  Just an example:
> ############## Start of Config.pm  ################
> <snip>
>
>     #we want to use LDAP for Auth
>     $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
>     $Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.com';
>     $Self->{'AuthModule::LDAP::BaseDN'} =
> 'dc=domainname,dc=win,dc=domain,dc=com';
>     $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
>     #The username and password of the user you setup to access LDAP
> information in AD
>     $Self->{'AuthModule::LDAP::SearchUserDN'} =
> 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
>     $Self->{'AuthModule::LDAP::SearchUserPw'} = 'whateverYourPasswordIs';
>
>     #We want our Customer/users to Auth using LDAP
>     $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
>
>     $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.domain.com';
>     $Self->{'Customer::AuthModule::LDAP::BaseDN'} =
> 'OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
>     $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
>     $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} =
> 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
>     $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} =
> 'whateverYourPasswordIs';
>
>     $Self->{CustomerUser} = {
>       Module => 'Kernel::System::CustomerUser::LDAP',
>       Params => {
>       Host => 'ldap.domain.com',
>       BaseDN => 'OU=Users,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com',
>       SSCOPE => 'sub',
>       UserDN =>
> 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com',
>       UserPw => 'whateverYourPasswordIs',
>     },
>     CustomerKey => 'sAMAccountName',
>     CustomerID => 'userPrincipalName',
>     CustomerUserListFields => ['displayName', 'userPrincipalName'],
>     CustomerUserSearchFields => ['displayName', 'userPrincipalName'],
>     CustomerUserPostMasterSearchFields => ['userPrincipalName'],
>     CustomerUserNameFields => ['givenName', 'sn'],
>     #the following must map to valid fields in your AD
> (givenname,sn,sAMAccountName,...)
>     Map => [
>       [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
>       [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
>       [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
>       [ 'UserEmail', 'Email', 'userPrincipalName', 1, 1, 'var' ],
>       [ 'UserCustomerID', 'CustomerID', 'userPrincipalName', 0, 1, 'var' ],
>     ],
>   };
>
>
>   #OK now lets have our agents use LDAP
>   $Self->{'AuthModule::LDAP::GroupDN'} =
> 'CN=helpdesk_agents,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com';
>   $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
>   $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
>
>
>
>   $Self->{'Customer::AuthModule::LDAP::GroupDN'} =
> 'CN=helpdesk_customers,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com';
>   $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
>   $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
>
>   # UserSyncLDAPMap
>   # (map if agent should create/synced from LDAP to DB after login must
> match your AD)
>   $Self->{UserSyncLDAPMap} = {
>   # DB -> LDAP
>      Firstname => 'givenName',
>      Lastname => 'sn',
>      Email => 'userPrincipalName',
>   };
>
>     # UserSyncLDAPGroups
>     # (If "LDAP" was selected for AuthModule, you can specify
>     # initial user groups for first login.)
>     $Self->{UserSyncLDAPGroups} = [
>         'users',
>     ];
>
> <snip>
> #####################  End of Config.pm  ####################
>
> Restart OTRS and try logging in using the username you set up as the admin,
> but use your AD password.  Should work.  They log in as a customer using the
> username and password that you put in the customer group in AD.
>
> Have Fun
>
> GEH
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Matthew Joyce
> Sent: Thursday, June 07, 2007 9:40 PM
> To: otrs
> Subject: [otrs] ORTS, LDAP and AD groups
>
>
> Hi all,
>
> I'm having glacial progress with getting otrs (Debian) to authenticate
> with Active Directory.
> I have trawled the archives and I'm still not even sure the setup
> I'm after can be done.
>
> I have a standard structure of OUs.
> Customer and Agent accounts are distributed throughout the OUs.
> I'd like to put Agents in a group to distinguish them from Customers.
> The login IDs should be their samAccountName.
>
> Group membership can be derived from the group attribute 'member',
> which contains users' DNs.
>
> here's the config...
>     $Self->{'AuthModule::LDAP::UID'} = 'samAccountName';
>     $Self->{'AuthModule::LDAP::GroupDN'} =
> 'cn=OTRS-Agents,ou=Groups,dc=domain,dc=local';
>     $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
>     $Self->{'AuthModule::LDAP::UserAttr'} = 'distinguishedname';
>
> Looking at the log, it seems membership is being tested using the
> Login ID and failing.
>
> Jun  8 11:37:28 vm-helpdesk OTRS-CGI-10[13668]: [Notice][Kernel::System::Auth::LDAP::Auth] User: mjoyce authentication failed, no LDAP group entry foundGroupDN='cn=OTRS-Agents,ou=Groups,dc=domain,dc=local', Filter='(member=mjoyce)'! (REMOTE_ADDR: x.x.x.x).
>
> Have I misunderstood how this authentication process works?
> Can anyone advise me?
>
> Thanks
>
> Matt
> _______________________________________________
> OTRS mailing list: otrs - Webpage: http://otrs.org/
> Archive: http://lists.otrs.org/pipermail/otrs
> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
> Support or consulting for your OTRS system?
> => http://www.otrs.com/
>
>

_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Support or consulting for your OTRS system?
=> http://www.otrs.com/
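Added example (not OTRS code, and not code from anyone in this thread): a small Python model of the group-membership check behind the log lines quoted above. Two things in the thread's logs are worth pinning down. First, with UserAttr set to 'distinguishedname' the filter came out as '(member=mjoyce)', while with 'DN' it came out as '(member=CN=...)'; the rule encoded below (only the literal value 'DN' substitutes the user's DN, anything else falls back to the login name) is an assumption read off those two Filter= values. Second, a DN-based filter that still fails means the user really is absent from the GroupDN that this auth module was configured with, which is a different problem from the wrong UserAttr. The regex is written to the exact failure-line format quoted in the thread, the values in the filter are escaped per RFC 4515 so that neither a typed login nor a directory-supplied DN can change the filter's structure, and all function names are mine.

```python
"""Model of the OTRS LDAP group-membership check discussed in this thread.

This is an added example, not OTRS code and not code from anyone in the
thread. It reproduces the two filter shapes that the logged
Kernel::System::Auth::LDAP::Auth messages show, and reads such log lines
back to tell the two failure modes apart. The rule that only the literal
UserAttr value 'DN' substitutes the user's DN (anything else falls back to
the login name) is an assumption inferred from the quoted log lines.
"""
import re

# RFC 4515 escaping: a value dropped into a filter must not be able to alter
# the filter's structure, whether it is a login name a user typed or a DN
# read back from the directory.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(access_attr: str, user_attr: str, login: str, user_dn: str) -> str:
    """Build the '(<AccessAttr>=...)' filter that is run against GroupDN.

    Assumption from the thread's logs: UserAttr 'DN' yields '(member=<DN>)',
    while 'distinguishedname' (or any other value) yields '(member=<login>)'.
    """
    value = user_dn if user_attr == "DN" else login
    return f"({access_attr}={escape_filter_value(value)})"


# Shape of the failure line quoted in the thread ("foundGroupDN" has no space
# in the original output; the regex tolerates either form).
_LOG_RE = re.compile(
    r"User: (?P<user>\S+) authentication failed, no LDAP group entry found"
    r"\s*GroupDN='(?P<group_dn>[^']*)',\s*Filter='\((?P<attr>[^=]+)=(?P<value>.*)\)'!"
)

# Log lines copied from the thread (placeholder DNs exactly as posted).
SAMPLE_LOGS = [
    "Jun  8 11:37:28 vm-helpdesk OTRS-CGI-10[13668]: "
    "[Notice][Kernel::System::Auth::LDAP::Auth] User: mjoyce authentication "
    "failed, no LDAP group entry foundGroupDN='cn=OTRS-Agents,ou=Groups,"
    "dc=domain,dc=local', Filter='(member=mjoyce)'! (REMOTE_ADDR: x.x.x.x).",
    "[Notice][Kernel::System::Auth::LDAP::Auth] User: mjoyce.test "
    "authentication failed, no LDAP group entry foundGroupDN="
    "'cn=OTRS-Agents,ou=Groups,dc=xxxx,dc=xxxx', Filter='(member=CN=mjoyce.test,"
    "OU=IT,OU=Operations,OU=xxxx,DC=xxx,DC=xxxx)'! (REMOTE_ADDR: xxx.xxx.xxx.xxx).",
]


def parse_group_failure(line: str):
    """Return user, group_dn, attr and value from a group-check failure line."""
    m = _LOG_RE.search(line)
    return m.groupdict() if m else None


def diagnose(line: str) -> str:
    """Separate 'wrong UserAttr' from 'user really is not in that group'."""
    f = parse_group_failure(line)
    if f is None:
        return "not a group-membership failure"
    looks_like_dn = "=" in f["value"]
    if f["attr"].lower() == "member" and not looks_like_dn:
        return (f"filter compares member= against the bare login '{f['value']}'; "
                "AD's member attribute holds DNs, so this can never match. "
                "Set AuthModule::LDAP::UserAttr to 'DN'.")
    return (f"filter is DN-based; '{f['user']}' is simply not listed in "
            f"{f['group_dn']}. Confirm the login reached the intended auth "
            "module (agent vs customer) and the GroupDN that module is configured with.")


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(diagnose(line))
    # What the 'DN' setting changes, using the DN logged for the agent login:
    dn = "CN=Matt Joyce,OU=IT,OU=Operations,OU=xxxx,DC=xxxx,DC=xxxx"
    print(membership_filter("member", "distinguishedname", "mjoyce", dn))
    print(membership_filter("member", "DN", "mjoyce", dn))
```

Run as a script it prints one diagnosis per posted log line and the two filter forms side by side. The independent check is an ldapsearch with base set to the GroupDN and the printed DN-based filter: if the directory returns nothing, the account is not in that group's member attribute, and the question becomes which auth module (and therefore which GroupDN) the login actually went through.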
