Sorry, much *appreciated*. However, I have not been able to login as a customer yet. I used the config you kindly provided, and really the only parts I changed are those which pertain to my setup: ldaphost, ldapuser, ldapuserpw, basedn, agent group dn, and user group dn.

I can login as an Agent, but not as a customer. Here's the log output....

I login...
Kernel::System::Auth::LDAP::Auth] User: mjoyce (CN=Matt Joyce,OU=IT,OU=Operations,OU=xxxx,DC=xxxx,DC=xxxx) authentication ok (REMOTE_ADDR: xxx.xxx.xxx.xxx).

I logout....
[Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 10ac457be93b8d791d1529f8552d0b0c13.

I try as customer...
[Notice][Kernel::System::Auth::LDAP::Auth] User: mjoyce.test authentication failed, no LDAP group entry foundGroupDN='cn=OTRS-Agents,ou=Groups,dc=xxxx,dc=xxxx', Filter='(member=CN=mjoyce.test,OU=IT,OU=Operations,OU=xxxx,DC=xxx,DC=xxxx)'! (REMOTE_ADDR: xxx.xxx.xxx.xxx).

To me this seems right: my customer account mjoyce.test is not a member of the agent group. But why doesn't it test (and report in the log file) against the customer group? Have I completely misunderstood something? Customers are able to login via the web, right?

Thanks

On 6/12/07, Matthew Joyce <[EMAIL PROTECTED]> wrote:

Much unappreciated Greg, I'm going to work through this today.
I have the Agent group working, but not the customer group.
With your setup, are Agents in both groups?

Thanks

On 6/8/07, Greg Horne <[EMAIL PROTECTED]> wrote:
>
> Sorry to hear it's going slow. Had fun also with getting it to work using AD. You did not include all of your config for LDAP, so I'll just cover a few general things.
>
> Set up a user account that can browse AD's LDAP (username - OTRS_Account, password - whatever); you may want to make it never expire.
>
> Set up two groups, one for Customers and one for Agents.
>
> Make AD users members of the Customers group.
>
> Add AD users to the Agents group that you want to use the system as an agent.
>
> Create a user in OTRS and add it to the admin group using the same username that you intend to login to AD with.
>
> Modify your Config.pm file adding the following to allow agents and customers/users to login using LDAP. Modify for your structure. Taken from my setup, add and modify as needed. Just an example:
>
> ############## Start of Config.pm ################
> <snip>
>
> # we want to use LDAP for Auth
> $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> $Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.com';
> $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domainname,dc=win,dc=domain,dc=com';
> $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> # The username and password of the user you set up to access LDAP information in AD
> $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
> $Self->{'AuthModule::LDAP::SearchUserPw'} = 'whateverYourPasswordIs';
>
> # We want our Customer/users to Auth using LDAP
> $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.domain.com';
> $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
> $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
> $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'whateverYourPasswordIs';
>
> $Self->{CustomerUser} = {
>     Module => 'Kernel::System::CustomerUser::LDAP',
>     Params => {
>         Host   => 'ldap.domain.com',
>         BaseDN => 'OU=Users,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com',
>         SSCOPE => 'sub',
>         UserDN => 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com',
>         UserPw => 'whateverYourPasswordIs',
>     },
>     CustomerKey => 'sAMAccountName',
>     CustomerID  => 'userPrincipalName',
>     CustomerUserListFields   => ['displayName', 'userPrincipalName'],
>     CustomerUserSearchFields => ['displayName', 'userPrincipalName'],
>     # must be an array reference, not a bareword
>     CustomerUserPostMasterSearchFields => ['userPrincipalName'],
>     CustomerUserNameFields => ['givenName', 'sn'],
>     # the following must map to valid fields in your AD (givenname,sn,sAMAccountName,...)
>     Map => [
>         [ 'UserFirstname',  'Firstname',  'givenname',         1, 1, 'var' ],
>         [ 'UserLastname',   'Lastname',   'sn',                1, 1, 'var' ],
>         [ 'UserLogin',      'Login',      'sAMAccountName',    1, 1, 'var' ],
>         [ 'UserEmail',      'Email',      'userPrincipalName', 1, 1, 'var' ],
>         [ 'UserCustomerID', 'CustomerID', 'userPrincipalName', 0, 1, 'var' ],
>     ],
> };
>
> # OK now let's have our agents use LDAP
> $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=helpdesk_agents,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com';
> $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
> $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
>
> $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=helpdesk_customers,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com';
> $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
> $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
>
> # UserSyncLDAPMap
> # (map if agent should be created/synced from LDAP to DB after login; must match your AD)
> $Self->{UserSyncLDAPMap} = {
>     # DB -> LDAP
>     Firstname => 'givenName',
>     Lastname  => 'sn',
>     Email     => 'userPrincipalName',
> };
>
> # UserSyncLDAPGroups
> # (If "LDAP" was selected for AuthModule, you can specify
> # initial user groups for first login.)
> $Self->{UserSyncLDAPGroups} = [
>     'users',
> ];
>
> <snip>
> ##################### End of Config.pm ####################
>
> Restart OTRS and try logging in using the username you set up as the admin, but use your AD password. Should work. They login as a customer using the username and password that you put in the customer group in AD.
>
> Have Fun
>
> GEH
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Joyce
> Sent: Thursday, June 07, 2007 9:40 PM
> To: otrs
> Subject: [otrs] ORTS, LDAP and AD groups
>
> Hi all,
>
> I'm having glacial progress with getting otrs (Debian) to authenticate with Active Directory.
> I have trawled the archives and I'm still not even sure the setup I'm after can be done.
>
> I have a standard structure of OUs.
> Customer and Agent accounts are distributed throughout the OUs.
> I'd like to put Agents in a group to distinguish them from Customers.
> The login IDs should be their samAccountName.
>
> Group membership can be derived from the group attribute 'member', which contains users' DNs.
>
> Here's the config...
> $Self->{'AuthModule::LDAP::UID'} = 'samAccountName';
> $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Agents,ou=Groups,dc=domain,dc=local';
> $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
> $Self->{'AuthModule::LDAP::UserAttr'} = 'distinguishedname';
>
> Looking at the log, it seems membership is being tested using the Login ID and failing.
>
> Jun 8 11:37:28 vm-helpdesk OTRS-CGI-10[13668]: [Notice][Kernel::System::Auth::LDAP::Auth] User: mjoyce authentication failed, no LDAP group entry foundGroupDN='cn=OTRS-Agents,ou=Groups,dc=domain,dc=local', Filter='(member=mjoyce)'! (REMOTE_ADDR: x.x.x.x).
>
> Have I misunderstood how this authentication process works?
> Can anyone advise me?
>
> Thanks
>
> Matt

_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Support or consulting for your OTRS system?
=> http://www.otrs.com/
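The two log lines in this thread show how the GroupDN check is built: with UserAttr 'distinguishedname' the filter was (member=mjoyce), with UserAttr 'DN' it became (member=<user's DN>). The following is an added example, not code from the thread or from OTRS, that reproduces that filter construction and evaluates it against a constructed in-memory directory; the DIRECTORY table, the dc=example,dc=local DNs and all function names are assumptions made for the example, and the escaping is RFC 4515 so a login typed into the web form cannot alter the filter's structure.

```python
# Added example, not from the thread or from OTRS: the two filters an
# OTRS-style LDAP login builds, plus the group check run against a small
# constructed directory (all DNs below are made up). Escaping per RFC 4515.

# Constructed toy directory: group DN -> member DNs (its 'member' attribute).
DIRECTORY = {
    "cn=OTRS-Agents,ou=Groups,dc=example,dc=local": {
        "CN=Matt Joyce,OU=IT,OU=Operations,DC=example,DC=local",
    },
    "cn=OTRS-Customers,ou=Groups,dc=example,dc=local": {
        "CN=mjoyce.test,OU=IT,OU=Operations,DC=example,DC=local",
    },
}

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: the typed login lands inside a filter string, so
    backslash, '*', '(', ')' and NUL must become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(uid_attr: str, login: str) -> str:
    """Step 1: resolve the login name to its directory entry (and DN)."""
    return "(%s=%s)" % (uid_attr, ldap_filter_escape(login))

def group_filter(access_attr: str, user_attr: str, login: str, user_dn: str) -> str:
    """Step 2: filter searched under GroupDN. As the thread's two log lines
    show, UserAttr='DN' puts the user's DN into the filter; any other
    UserAttr value falls back to the bare login name."""
    value = user_dn if user_attr == "DN" else login
    return "(%s=%s)" % (access_attr, ldap_filter_escape(value))

def check_membership(group_dn: str, access_attr: str, user_attr: str,
                     login: str, user_dn: str) -> tuple:
    """Return (filter_sent, matched). matched is what a server holding
    DIRECTORY would answer; this toy compares values exactly."""
    flt = group_filter(access_attr, user_attr, login, user_dn)
    value = user_dn if user_attr == "DN" else login
    members = DIRECTORY.get(group_dn, set()) if access_attr == "member" else set()
    return flt, value in members

if __name__ == "__main__":
    dn = "CN=mjoyce.test,OU=IT,OU=Operations,DC=example,DC=local"
    # Same account tested against the agent group (fails, as in the log)
    # and against the customer group (passes).
    for group in DIRECTORY:
        print(check_membership(group, "member", "DN", "mjoyce.test", dn))
```

Running it shows the customer account failing the agent-group filter exactly as the thread's log does, and passing only when the check is pointed at the customer group.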