Re: [otrs] Active Directory authentication working, just one problem...

2005-05-19 Thread Chris de Vidal
Alexis Castillo said this with great authority:
> When I try to log in a user that is not in the OTRS group for the first
> time, I get a "Can't activate user.". Even more, if the user does not
> have the information that OTRS is using to fill the DB, it won't let the
> user log in for the first time.  After logging in the first time and
> having the user created in the DB, I experience the same behavior you're
> mentioning, the user can log in regardless of being in the group or not.

Hmm.  I don't think I understand you... are you saying anyone can log into
the admin area, they just have to log in twice, once to activate the
account and create it in the DB and the second to actually log in?  That's
the behavior I see.

CD

Ever lied?  You're a liar.  Ever stolen?  You're a thief.  Ever hated? The
bible equates hate with murder.  Ever lusted?  Jesus equated lust with
adultery.  You've broken God's law.

He'll judge all evil and you're without hope -- unless you have a savior. 
Repent and believe.
___
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Support oder Consulting für Ihr OTRS System?
=> http://www.otrs.de/


Re: [otrs] Active Directory authentication working, just one problem...

2005-05-19 Thread Alexis Castillo
When I try to log in a user that is not in the OTRS group for the first 
time, I get a "Can't activate user.". Even more, if the user does not 
have the information that OTRS is using to fill the DB, it won't let the 
user log in for the first time.  After logging in the first time and 
having the user created in the DB, I experience the same behavior you're 
mentioning, the user can log in regardless of being in the group or not.

Chris de Vidal wrote:
> Alexis Castillo said this with great authority:
>> Here's my configuration for LDAP against AD.  I hope it helps.
>
> OK that doesn't look much different than mine.  Could you please confirm
> that a user that is NOT in this group cannot log in?  That's the behavior
> I see; anyone can log in.
>
> CD
 

--
Alexis Castillo
Systems Administrator
Quicksilver Express Courier
http://www.qec.com/


Re: [otrs] Active Directory authentication working, just one problem...

2005-05-19 Thread Chris de Vidal
Alexis Castillo said this with great authority:
> Here's my configuration for LDAP against AD.  I hope it helps.

OK that doesn't look much different than mine.  Could you please confirm
that a user that is NOT in this group cannot log in?  That's the behavior
I see; anyone can log in.

CD

Ever lied?  You're a liar.  Ever stolen?  You're a thief.  Ever hated? The
bible equates hate with murder.  Ever lusted?  Jesus equated lust with
adultery.  You've broken God's law.

He'll judge all evil and you're without hope -- unless you have a savior. 
Repent and believe.
___
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Support oder Consulting für Ihr OTRS System?
=> http://www.otrs.de/


Re: [otrs] Active Directory authentication working, just one problem...

2005-05-18 Thread Alexis Castillo
Here's my configuration for LDAP against AD.  I hope it helps.
Alex.
#
# Configuration for LDAP user authentication
#
   $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
   $Self->{'AuthModule::LDAP::Host'} = 'example.com';
   $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
   $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
   $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=LDAP_USER,cn=Users,dc=example,dc=com';
   $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

#
# Control Who gets in via LDAP
#
   $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS, ou=Intranet, ou=Access Control, ou=city, dc=example, dc=com';
   $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# UserSyncLDAPMap
# (map if agent should create/synced from LDAP to DB after login)
   $Self->{UserSyncLDAPMap} = {
   # DB -> LDAP
   Firstname => 'givenName',
   Lastname => 'sn',
   Email => 'mail',
   };
Chris de Vidal wrote:
> Alexis Castillo said this with great authority:
>> It's working for me, but I only have it for internal users.
>>
>> Comment out the
>> $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
>> in Config.pm
>>
>> You should only have the
>> $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
>>
>> Only users in your
>> $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=, ou=, dc=example, dc=com';
>> should be able to log in.
>
> Bummer, still not working.
>
> I just have these two lines:
> $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=, ou=, dc=example, dc=com';
> $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
>
> I thought it was working.  I set it to a group I'm in and was able to log
> in.  So I logged out and set it to another group and I could still log in.
>
> Care to copy and paste all of the Active Directory sections of your
> Config.pm file so I can see if I'm missing anything or misunderstanding
> you?
>
> CD


Re: [otrs] Active Directory authentication working, just one problem...

2005-05-18 Thread Chris de Vidal
Alexis Castillo said this with great authority:
> It's working for me, but I only have it for internal users.
>
> Comment out the
>
> $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
>
> in Config.pm
>
> You should only have the
> $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
>
> Only users in your
> $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=, ou=, dc=example, dc=com';
> should be able to log in.

Bummer, still not working.

I just have these two lines:
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=, ou=, dc=example, dc=com';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';


I thought it was working.  I set it to a group I'm in and was able to log
in.  So I logged out and set it to another group and I could still log in.

Care to copy and paste all of the Active Directory sections of your
Config.pm file so I can see if I'm missing anything or misunderstanding
you?

CD



[otrs] Active Directory authentication working, just one problem...

2005-05-18 Thread Alexis Castillo
Chris,
It's working for me, but I only have it for internal users.
Comment out the
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
in Config.pm  

You should only have the 
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

Only users in your  
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=, ou=, dc=example, dc=com';
should be able to log in.



Re: FW: [otrs] Active Directory authentication working, just one problem...

2005-05-17 Thread Chris de Vidal
Cainkar, Paul said this with great authority:
> I've found the same thing.  You just don't share the url and you prevent
> them from having access to anything.

Ahh security by obscurity.

Anyone know how to really prevent it?  The documentation seems to indicate
this is possible but I can't get it to work.

CD



[otrs] Active Directory authentication working, just one problem...

2005-05-17 Thread Chris de Vidal
Great program!

OTRS 1.3.2
CentOS 3.3
Perl 5.8.0-88.7
Apache 2.0.46-40.ent.centos.1
Kernel 2.4.21-20.EL.c0
Windows 2000 Active Directory


Nutshell: Active Directory authentication is working but I cannot exclude
users from logging into the Agent area.


Details: I followed this documentation:
http://otrs.mirror.netmonic.com/misc/doc/cvs/en/html/ldap-integration.html


I added these lines to Config.pm:
=
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example, dc=com';
### I changed the name of the domain to example.com ###
### to protect the innocent ###
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=,OU=,DC=example,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '';

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=example, dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=,OU=,DC=example,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '';

$Self->{CustomerUser} = {
Name => 'Active Directory',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
  Host => '',
  BaseDN => 'dc=example, dc=com',
  SSCOPE => 'sub',
  UserDN => 'CN=,OU=,DC=example,DC=com',
  UserPw => '',
},
CustomerKey => 'sAMAccountName',
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
  # note: Login, Email and CustomerID needed!
  # var, frontend, storage, shown, required, storage-type
#   [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
  [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
  [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
  [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
  [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
  [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
#   [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#   [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#   [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
  };
==


Any user can log into the Agent area.  As far as I can tell, they don't
have rights to do anything, but even so I don't want them going there.


So I added these lines:
  $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=, ou=, dc=example, dc=com';
  $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
 #$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
  $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

No good.  I cannot log in even though my account is in that group.  I
tried commenting the UID line and commenting the DN line, no good.


Ideas?  The documentation says to create a posixGroup but there's no such
beast in Active Directory.  I used a standard Global group.

CD
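The whole thread turns on how the three keys GroupDN, AccessAttr and UserAttr fit together: a posixGroup (the object class the OTRS documentation names) lists its members as bare uids in `memberUid`, while an Active Directory global group lists them as full DNs in `member`, so the attribute pair has to match the group type or the lookup matches nobody. The following is an added example, not code from the OTRS project or from anyone in this thread; it is a small fail-closed group gate written in the shape of those Config.pm keys and run against a constructed in-memory directory standing in for AD. It does not claim to reproduce what Kernel::System::Auth::LDAP in OTRS 1.3 actually does; the defaults it assumes for a missing AccessAttr (`memberUid`) and UserAttr (`UID`), the user and group entries, and the login names are all this example's own.

```python
"""Added example (not OTRS code): a fail-closed LDAP group gate in the
shape of the AuthModule::LDAP::* Config.pm keys, run against a constructed
in-memory directory.  Assumed defaults: AccessAttr 'memberUid', UserAttr 'UID'."""
from typing import Dict, List, Optional


def norm_dn(dn: str) -> str:
    """AD treats DNs case-insensitively, and the thread's configs mix
    'cn=, ou=' with 'CN=...,OU=...' and put spaces after the commas, so
    compare lower-cased, trimmed RDNs."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


# Constructed sample directory (not anyone's real directory).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Chris,CN=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["chris"]},
    "CN=Alexis,CN=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["alexis"]},
    # An AD global group lists its members as full DNs in 'member'.
    "CN=OTRS,OU=Intranet,OU=Access Control,OU=city,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["cn=chris,cn=users,dc=example,dc=com"]},
    # A posixGroup, as in the OTRS LDAP docs, lists bare uids in 'memberUid'.
    "cn=otrsallow,ou=posixGroups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "memberUid": ["alexis"]},
}


def find_user_dn(uid: str, base_dn: str, uid_attr: str) -> Optional[str]:
    """Step 1 of the login: find the user's entry under BaseDN by the UID attribute."""
    base = norm_dn(base_dn)
    for dn, entry in DIRECTORY.items():
        ndn = norm_dn(dn)
        if (ndn == base or ndn.endswith("," + base)) and uid in entry.get(uid_attr, []):
            return dn
    return None


def in_group(group_dn: str, access_attr: str, user_attr: str,
             user_dn: str, uid: str) -> bool:
    """Step 2: is the user listed in GroupDN?  UserAttr 'DN' compares the
    user's full DN with the group's member values, 'UID' compares the login
    name.  Every lookup failure denies; nothing here fails open."""
    group = next((e for dn, e in DIRECTORY.items()
                  if norm_dn(dn) == norm_dn(group_dn)), None)
    if group is None:
        return False                  # GroupDN does not exist: deny
    members = group.get(access_attr, [])
    if not members:
        return False                  # e.g. memberUid asked of an AD group: deny
    if user_attr.upper() == "DN":
        return norm_dn(user_dn) in {norm_dn(m) for m in members}
    return uid in members


def authorize(uid: str, cfg: Dict[str, str]) -> bool:
    """Apply a Config.pm-style LDAP auth section to one login name
    (password binding is out of scope; this is only the group gate)."""
    user_dn = find_user_dn(uid, cfg["AuthModule::LDAP::BaseDN"],
                           cfg["AuthModule::LDAP::UID"])
    if user_dn is None:
        return False
    group_dn = cfg.get("AuthModule::LDAP::GroupDN")
    if not group_dn:
        return True   # no GroupDN: the gate is off, every directory user gets in
    return in_group(group_dn,
                    cfg.get("AuthModule::LDAP::AccessAttr", "memberUid"),
                    cfg.get("AuthModule::LDAP::UserAttr", "UID"),
                    user_dn, uid)


AD_CONFIG = {
    "AuthModule::LDAP::BaseDN": "dc=example, dc=com",
    "AuthModule::LDAP::UID": "sAMAccountName",
    "AuthModule::LDAP::GroupDN":
        "cn=OTRS, ou=Intranet, ou=Access Control, ou=city, dc=example, dc=com",
    "AuthModule::LDAP::AccessAttr": "member",    # AD group: DNs in 'member'
    "AuthModule::LDAP::UserAttr": "DN",
}
POSIX_CONFIG = {
    "AuthModule::LDAP::BaseDN": "dc=example,dc=com",
    "AuthModule::LDAP::UID": "sAMAccountName",
    "AuthModule::LDAP::GroupDN": "cn=otrsallow,ou=posixGroups,dc=example,dc=com",
    "AuthModule::LDAP::AccessAttr": "memberUid",  # posixGroup: uids in 'memberUid'
    "AuthModule::LDAP::UserAttr": "UID",
}
# The thread's first attempt: memberUid against an AD group.  Nobody matches.
MISMATCHED_CONFIG = dict(AD_CONFIG, **{"AuthModule::LDAP::AccessAttr": "memberUid"})
# No GroupDN at all: the symptom "any user can log into the Agent area".
UNGATED_CONFIG = {k: v for k, v in AD_CONFIG.items() if k != "AuthModule::LDAP::GroupDN"}


def matrix(cfg: Dict[str, str]) -> Dict[str, bool]:
    """Who gets past the gate under a given config ('mallory' is not in the directory)."""
    return {u: authorize(u, cfg) for u in ("chris", "alexis", "mallory")}


if __name__ == "__main__":
    for name, cfg in [("AD", AD_CONFIG), ("posix", POSIX_CONFIG),
                      ("mismatched", MISMATCHED_CONFIG), ("ungated", UNGATED_CONFIG)]:
        print(f"{name:10s} {matrix(cfg)}")
```

The four configs show the two ways the gate can go wrong: the mismatched attribute pair denies everyone, including legitimate agents, while leaving GroupDN out lets every authenticated directory user in. Against a live directory the same check is one query bound as SearchUserDN: `ldapsearch -x -H ldap://<host> -D '<SearchUserDN>' -W -b '<GroupDN>' -s base '(member=<user DN>)' dn`, where an empty result for a user who should be allowed means the attribute pair or the DN spelling is wrong, and the DN comparison must be done case-insensitively as above, since AD returns mixed-case DNs.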