Re: [otrs] Kerberos and LDAP Authentication
Hi Steven,

I was afraid this would be the answer: OR Kerberos OR OTRS auth... well, we can't have it all, can we?

Kind regards,
Juan Clavero

-----Original Message-----
From: Steven Carr [mailto:sjc...@gmail.com]
Sent: Wednesday, 14 November 2012 16:58
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Kerberos and LDAP Authentication

It's not really an OTRS issue as Apache is the one handling the actual authentication.

The problem is you can't have a fallback when using Apache Kerberos authentication (many people have tried [and failed] google "apache kerberos ldap fallback"). If you fail Kerberos authentication then Apache will deny you access to any resources.

Steve

On 14 November 2012 12:33, Juan Manuel Clavero Almirón wrote:
> Hi Roy,
> yes, I do sync against the samaccountname. I capture it from the kerb
> login using HTTPBasicAuth::ReplaceRegExp
>
> But that's not the problem: the problem is for the users that cannot do
> Kerberos authentication. I need them to be able to do LDAP auth using the OTRS
> login page, as they did before. Instead, they just get a 'forbidden' error
> and don't get any login page.
>
> Kind regards,
> Juan Clavero

--
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Re: [otrs] Kerberos and LDAP Authentication
It's not really an OTRS issue as Apache is the one handling the actual authentication.

The problem is you can't have a fallback when using Apache Kerberos authentication (many people have tried [and failed] google "apache kerberos ldap fallback"). If you fail Kerberos authentication then Apache will deny you access to any resources.

Steve

On 14 November 2012 12:33, Juan Manuel Clavero Almirón wrote:
> Hi Roy,
> yes, I do sync against the samaccountname. I capture it from the kerb login
> using HTTPBasicAuth::ReplaceRegExp
>
> But that's not the problem: the problem is for the users that cannot do
> Kerberos authentication. I need them to be able to do LDAP auth using the OTRS
> login page, as they did before. Instead, they just get a 'forbidden' error
> and don't get any login page.
>
> Kind regards,
> Juan Clavero
Re: [otrs] Kerberos and LDAP Authentication
Hi Roy,

yes, I do sync against the samaccountname. I capture it from the kerb login using HTTPBasicAuth::ReplaceRegExp

But that's not the problem: the problem is for the users that cannot do Kerberos authentication. I need them to be able to do LDAP auth using the OTRS login page, as they did before. Instead, they just get a 'forbidden' error and don't get any login page.

Kind regards,
Juan Clavero

-----Original Message-----
From: Roy Kaldung [mailto:r...@kaldung.com]
Sent: Tuesday, 13 November 2012 18:47
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Kerberos and LDAP Authentication

On Nov 12, 2012, at 8:06 AM, Juan Manuel Clavero Almirón wrote:
> Hi Roy,
> before changing the config, auth and sync were LDAP. I changed auth to
> Kerberos, but sync was still LDAP.
>

Check your sync parameter. With mod_auth_kerb you'll get the samaccountname with or without - depends on your configuration - the domain in uppercase. Do you sync against the samaccountname?

-Roy

--
Roy Kaldung
e-mail: r...@kaldung.com
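
Added illustration, not part of any message in this thread and not OTRS code: a small Python model of the mapping discussed above, where the web server hands over a login with or without an uppercase realm and the sync looks agents up by sAMAccountName. The pattern, the realm names and the directory entries are constructed assumptions; the thread does not show the ReplaceRegExp value actually in use.

```python
import re

# Assumed pattern of the kind HTTPBasicAuth::ReplaceRegExp takes; the thread
# does not show the one actually in use. Group 1 becomes the login.
REPLACE_REGEXP = re.compile(r"^(.+?)@.+?$")

# Constructed directory, keyed by lower-cased sAMAccountName (AD compares it
# case-insensitively).
DIRECTORY = {"asmith": "Alice Smith", "bjones": "Bob Jones"}


def strip_realm(remote_user):
    """Drop everything from the first '@', whatever realm follows."""
    m = REPLACE_REGEXP.match(remote_user)
    return m.group(1) if m else remote_user


def to_sam(remote_user, allowed_realm):
    """Stricter mapping: accept a bare name or name@allowed_realm only."""
    name, sep, realm = remote_user.partition("@")
    if not name or (sep and realm != allowed_realm):
        return None
    return name.lower()


def find_agent(login):
    """Look the login up the way a sync keyed on sAMAccountName would."""
    return DIRECTORY.get(login.lower()) if login else None


def demo():
    # Constructed REMOTE_USER values: with realm, without, and a foreign realm.
    samples = ["asmith@EXAMPLE.ORG", "asmith", "asmith@OTHER.EXAMPLE"]
    rows = []
    for ru in samples:
        rows.append((ru,
                     find_agent(ru),                          # unmapped value
                     find_agent(strip_realm(ru)),             # realm stripped
                     find_agent(to_sam(ru, "EXAMPLE.ORG"))))  # realm checked
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The unmapped value never matches the directory, which is the sync mismatch Roy asks about; the blanket strip also resolves a name from a realm other than the expected one to the same agent, which the realm-checked variant refuses.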
Re: [otrs] Kerberos and LDAP Authentication
On Nov 12, 2012, at 8:06 AM, Juan Manuel Clavero Almirón wrote:
> Hi Roy,
> before changing the config, auth and sync were LDAP. I changed auth to
> Kerberos, but sync was still LDAP.
>

Check your sync parameter. With mod_auth_kerb you'll get the samaccountname with or without - depends on your configuration - the domain in uppercase. Do you sync against the samaccountname?

-Roy

--
Roy Kaldung
e-mail: r...@kaldung.com
Re: [otrs] Kerberos and LDAP Authentication
Hi Roy,

before changing the config, auth and sync were LDAP. I changed auth to Kerberos, but sync was still LDAP.

Regards,

Juan Clavero Almirón
Gestiò d’Identitats, Firma i Custòdia
Oficina de Tecnologies, Informació i Comunicacions (OTIC)
Servei de Salut de les Illes Balears
C/ de les Escoles, s/n - 07181 Bendinat - Mallorca
Tel. +34 971.42.65.30

-----Original Message-----
From: Roy Kaldung [mailto:r...@kaldung.com]
Sent: Friday, 09 November 2012 17:42
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Kerberos and LDAP Authentication

On Nov 9, 2012, at 11:46 AM, Juan Manuel Clavero Almirón wrote:
> Hi all,
> our company network offers Domain (Kerberos) and LDAP authentication. Since
> the beginning of the OTRS project, we've been using LDAP Auth, but people in
> Domain would like to enable Kerberos Auth in OTRS.
>
> I've successfully enabled Kerberos in Apache and AuthModule =
> 'Kernel::System::Auth::HTTPBasicAuth', but now people not in domain are not
> able to login.
>
> I've tried with 2 AuthModules ($Self->{AuthModule1} =
> 'Kernel::System::Auth::HTTPBasicAuth' and $Self->{AuthModule2}
> = 'Kernel::System::Auth::LDAP'), but OTRS never gets to the LDAP Auth
>
> Has anyone tried such a configuration? Does anyone have a hint?

Do you have any errors in your log? Did you configure the Auth::Sync::Module or are the agents already created?

-Roy

--
Roy Kaldung
e-mail: r...@kaldung.com
Re: [otrs] Kerberos and LDAP Authentication
On Nov 9, 2012, at 11:46 AM, Juan Manuel Clavero Almirón wrote:
> Hi all,
> our company network offers Domain (Kerberos) and LDAP authentication. Since
> the beginning of the OTRS project, we've been using LDAP Auth, but people in
> Domain would like to enable Kerberos Auth in OTRS.
>
> I've successfully enabled Kerberos in Apache and AuthModule =
> 'Kernel::System::Auth::HTTPBasicAuth', but now people not in domain are not
> able to login.
>
> I've tried with 2 AuthModules ($Self->{AuthModule1} =
> 'Kernel::System::Auth::HTTPBasicAuth' and $Self->{AuthModule2}
> = 'Kernel::System::Auth::LDAP'), but OTRS never gets to the LDAP Auth
>
> Has anyone tried such a configuration? Does anyone have a hint?

Do you have any errors in your log? Did you configure the Auth::Sync::Module or are the agents already created?

-Roy

--
Roy Kaldung
e-mail: r...@kaldung.com
[otrs] Kerberos and LDAP Authentication
Hi all,

our company network offers Domain (Kerberos) and LDAP authentication. Since the beginning of the OTRS project, we've been using LDAP Auth, but people in Domain would like to enable Kerberos Auth in OTRS.

I've successfully enabled Kerberos in Apache and AuthModule = 'Kernel::System::Auth::HTTPBasicAuth', but now people not in domain are not able to login.

I've tried with 2 AuthModules ($Self->{AuthModule1} = 'Kernel::System::Auth::HTTPBasicAuth' and $Self->{AuthModule2} = 'Kernel::System::Auth::LDAP'), but OTRS never gets to the LDAP Auth

Has anyone tried such a configuration? Does anyone have a hint?

Kind regards,
Juan Clavero