Hi Ramana

Here are the steps we followed to have OTRS users automatically log on to the 
OTRS system without a password prompt (SSO with the Windows domain). 

Our installation:
Server: Fedora 11 with Apache 2.2.14, MySQL 5.1.37 on a virtual machine, OTRS 
2.4.6
 
1 Create 2 users on A.D., one for the HTTP service, one for the Apache host
2 Generate the keys for authentication by launching the following commands on 
the domain controller:
  ktpass -princ HOST/hostn...@yourdomain -mapuser userforapache@YOURDOMAIN 
-crypto DES-CBC-MD5 -DesOnly -pass XXXXXPASSWORDXXXX -ptype KRB5_NT_SRV_HST 
-out krb5.keytab
  ktpass -princ HTTP/hostn...@yourdomain -mapuser httpserviceuser@YOURDOMAIN 
-pass XXXXXPASSWORDXXXX -out keytab.HTTP
3 Copy these files to the Apache machine
4 Configure your krb5.conf as follows:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = YOURDOMAIN
 default_keytab_file = /etc/krb5.keytab  
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 YOURDOMAIN = {
  kdc = fqdn_name_of_yourDC:88
  kdc = fqdn_name_of_yoursecondDC:88
  admin_server = fqdn_name_of_yourDC:749
  default_domain = yourdomain (lowercase)
 }

[domain_realm]
 .yourdomain = YOURDOMAIN
 yourdomain = YOURDOMAIN

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


5 Install mod_auth_kerb in the Apache server
6 Modify your conf file and add the following directives. Here we added them in 
otrs.conf

LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Directory "/opt/otrs/bin/cgi-bin/">
   AllowOverride None
   AuthType Kerberos
   AuthName "YOURDOMAIN"
   Krb5Keytab /usr/local/apache2.2.14/conf/keytab.HTTP
   KrbAuthRealms YOURDOMAIN
   KrbMethodNegotiate on
   KrbSaveCredentials  off
   Require valid-user
   Options +ExecCGI -Includes
   Order allow,deny
   Allow from all
</Directory>

7 Configure OTRS
In Config.pm enable HTTPBasicAuth both for customers and agents:

$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@YOURDOMAIN';

# Note:
#
# If you use this module, you should use the following config
# settings as a fallback for the case where the user is not logged
# in through Apache ($ENV{REMOTE_USER} is empty)

$Self->{LoginURL}  = 'http://your_webserver_fqdn/otrs-web/not-authorised-for-otrs.html';
$Self->{LogoutURL} = 'http://your_webserver_fqdn/otrs-web/thanks-for-using-otrs.html';

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@YOURDOMAIN';

$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => '1.1.1.1',
        BaseDN => 'dc=yourdomain,dc=xxx',
        SSCOPE => 'sub',
        UserDN => 'cn=<user with read permission>,cn=users,dc=yourdomain,dc=xxx',
        UserPw => 'password',
    },
    CustomerKey                        => 'sAMAccountName',
    CustomerID                         => 'mail',
    CustomerUserListFields             => [ 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserSearchFields           => [ 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserPostMasterSearchFields => [ 'mail' ],
    CustomerUserNameFields             => [ 'givenname', 'sn' ],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        #[ 'UserSalutation', 'Title',      'title',           1, 0, 'var' ],
        [ 'UserFirstname',   'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',    'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',       'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',       'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID',  'CustomerID', 'mail',            0, 1, 'var' ],
        #[ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
        #[ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var' ],
        #[ 'UserComment',    'Comment',    'description',     1, 0, 'var' ],
    ],
};


IT'S IMPORTANT TO USE {'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} 
in order to cut off your domain name from the credential passed by Kerberos, 
or SSO won't work. 

8 Restart Apache

Bye

Luca

-----Original Message-----
From: otrs-boun...@otrs.org [mailto:otrs-boun...@otrs.org] On behalf of ramana
Sent: Tuesday, 23 February 2010 07:29
To: User questions and discussions about OTRS.
Subject: [otrs] how to configure the otrs customer login Single signon

Hi
 
Is there a way to configure Single sign-on for the Customer login?

Like, while clicking the OTRS URL, it automatically uses the domain
credentials and logs in.

I am using OTRS 2.4.5

Regards,
Ramanachary

 
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW!
http://www.otrs.com/en/support/enterprise-subscription/ 
  --------------------------------------------------------

Luca Gatti
ICT System Administrator
lga...@bindagroup.com
tel  +39 02 39245.380 
fax +39 02 39245.200

Via Montefeltro, 4 - 20156 Milano - Italy
bindagroup.com

     --------------------------------------------------------
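An added illustration (not code from Luca's mail or from OTRS itself) of the point about ReplaceRegExp: mod_auth_kerb hands the authenticated principal to OTRS as REMOTE_USER in the form user@REALM, and only after the realm is stripped does the value match the sAMAccountName used as CustomerKey in the LDAP backend. The directory entries are constructed sample data, and the realm stripping mimics the effect of the setting rather than calling OTRS code.

```python
# Added illustration (not OTRS code): how the Kerberos identity that
# mod_auth_kerb places in REMOTE_USER becomes the OTRS login, and why
# ReplaceRegExp is required for the LDAP customer lookup to succeed.
import re
from typing import Dict, Optional

# Constructed stand-in for the AD entries the LDAP backend would return,
# keyed by sAMAccountName (the CustomerKey configured in Config.pm).
FAKE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "jdoe":   {"givenname": "John", "sn": "Doe",   "mail": "john.doe@yourdomain.xxx"},
    "asmith": {"givenname": "Anna", "sn": "Smith", "mail": "anna.smith@yourdomain.xxx"},
}

# The value used for ReplaceRegExp in the mail.  Kerberos realms are
# upper-case, so the pattern must be upper-case too.
REPLACE_REGEXP = r"@YOURDOMAIN"


def otrs_login(remote_user: Optional[str], replace_regexp: Optional[str]) -> Optional[str]:
    """Mimic the HTTPBasicAuth step: take REMOTE_USER as set by Apache and
    remove the part matched by ReplaceRegExp.  None means Apache passed no
    identity at all; that is the case OTRS handles by redirecting to LoginURL."""
    if not remote_user:
        return None
    if replace_regexp:
        return re.sub(replace_regexp, "", remote_user, count=1)
    return remote_user


def customer_id_for(remote_user: Optional[str],
                    replace_regexp: Optional[str] = REPLACE_REGEXP,
                    directory: Dict[str, Dict[str, str]] = FAKE_DIRECTORY) -> Optional[str]:
    """Resolve REMOTE_USER to the CustomerID (the 'mail' attribute) through the
    sAMAccountName lookup.  None means the SSO login fails for that request."""
    login = otrs_login(remote_user, replace_regexp)
    if login is None:
        return None
    entry = directory.get(login)  # stands in for the filter (sAMAccountName=<login>)
    return entry["mail"] if entry else None


if __name__ == "__main__":
    for user, pattern in [("jdoe@YOURDOMAIN", REPLACE_REGEXP),
                          ("jdoe@YOURDOMAIN", None),
                          ("jdoe@YOURDOMAIN", "@yourdomain"),
                          ("", REPLACE_REGEXP)]:
        print(f"REMOTE_USER={user!r:20} ReplaceRegExp={pattern!r:14} -> "
              f"{customer_id_for(user, pattern)}")
```

Anchoring the pattern as `@YOURDOMAIN$` is a harmless tightening that only ever strips a trailing realm; the unanchored form from the mail works for the normal user@REALM case.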