[otrs] LDAP customer authentication with AD not working, please help?
l***@wbhltd.com
2008-02-21 15:27:02 UTC
Hi,

I am new to OTRS and the concept of using LDAP to authenticate with Active Directory. I have been working on this for 2 days straight and I've done loads of research and followed everything I have read to the best of my understanding, but I can't seem to get it to work. Your help would be appreciated.

I have followed the official documentation without success, I have followed tutorials, http://trinityhome.org/Home/index.php?wpid=98&front_id=18 with the same result and I have searched and followed several examples from this forum but again without success. The customer login always gives me the error "Login failed! Your username or password was entered incorrectly."

All this suggests to me that I am doing something wrong in the config.pm file, but what I do not know. I have tried every combination of user logon I can think of just in case I was putting it in wrong. I've tried [username], [user] [name], ***@domain.com, username.domain.com & domain\username.

I have set up a user account to pull customer info from AD via LDAP as suggested. I called it otrs and it is in the Domain Users group & the Windows Authorisation Access Group as suggested in the tutorial I followed. I also created a group called otrs_allow_c and added a few user accounts in case I needed it.

If I open AD Users and Computers at the top of the tree is our domain which is called woodberry.wbhltd.com. We are using Windows Small Business Server 2003 but I am sure it works in the same way with users as Windows Server 2003 does.

I copied someone's config.pm that was posted here and adapted it to our needs. This is the current version (after about 4 others). It is as follows:

## Set up LDAP for Customer authentication to the Frontend for customers.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '192.168.1.10';
# The ou= is your NT Domain name. The dc= (there may be more than one) is your AD domain name.
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=woodberry, dc=wbhltd, dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
# Our AD requires a valid login to do LDAP searches. Use a generic one, not admin, not your own.
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'whatever';

## Set up LDAP for finding Customers when creating tickets in the Agent Frontend.
$Self->{CustomerUser} = {
    Name   => 'Exchange LDAP',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # Parameters are basically the same as above.
        Host   => '192.168.1.10',
        BaseDN => 'dc=woodberry, dc=wbhltd, dc=com',
        SSCOPE => 'sub',
        UserDN => 'otrs',
        UserPw => 'whatever',
        # If your frontend is e.g. iso-8859-1 and the charset of your
        # LDAP server is utf-8, use these options (if not, ignore them).

        ### IMPORTANT FOR NON-ENGLISH USERS WITH SPECIAL CHARACTERS ###
        # You *have* to specify the SourceCharset below, else OTRS will default to
        # iso8859-1 (I think), and special characters will be garbled. This took me
        # half a day to figure out.
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
    },
    CustomerKey                        => 'sAMAccountName',
    CustomerID                         => 'mail',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        ## Set up the fields you want to import from LDAP. I'm still looking
        ## for a good source on what fields are available in LDAP.
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        # [ 'UserSalutation', 'Title',      'title',           1, 0, 'var' ],
        [ 'UserFirstname',    'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',     'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',        'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',        'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID',   'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',        'Phone',      'telephonenumber', 1, 0, 'var' ],
        # [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var' ],
        # [ 'UserComment',    'Comment',    'description',     1, 0, 'var' ],
    ],
};

As I said, I've tried several versions including the official version here http://doc.otrs.org/1.3/en/html/ldap-integration.html. I tried changing dc=woodberry to ou=woodberry (as some people use ou instead of dc) but that did nothing.

Any help would be greatly appreciated.

Thank you

Lars Jørgensen
2008-02-21 16:50:10 UTC
Post by l***@wbhltd.com
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=woodberry, dc=wbhltd, dc=com';
Try this:

$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=woodberry, dc=woodberry, dc=wbhltd, dc=com';
--
Lars
Leigh Reed
2008-02-21 17:06:30 UTC
Hi,

Thanks for the quick reply.

For some strange reason that config I posted works to some degree.

If I log in to the agent frontend, click on admin and then click Customer Users and do a search I can find every object listed in our AD (including users, computers and even old accounts that were deleted). I don't know why it took such a long time to populate as I couldn't find a single user a couple of hours ago.

Thinking I had cracked it, I tried to log in to the customer frontend but I still get the same error no matter what I use as a login name. This seems very strange to me. If it is communicating with AD and can find the users, how come I can't log in to the customer frontend?

Thank you

Leigh

_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Support or consulting for your OTRS system?
=> http://www.otrs.com/
Lars Jørgensen
2008-02-21 22:05:31 UTC
Post by Leigh Reed
were deleted). I don't know why it took such a long time to populate
as I couldn't find a single user a couple of hours ago.
It doesn't populate the OTRS database, it searches live in the AD.
Post by Leigh Reed
Thinking I had cracked it I tried to log in to the customer frontend
but I still get the same error no matter what I use as a login name.
This seems very strange to me. If it is communicating with AD and
can find the users, how come I can't login to the customer frontend?
I looked at your previous post and noticed you have 'SSCOPE' set to
'sub' in the CustomerUser section. What is that? Maybe you should
reference it in the AuthModule section:

$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=sub, dc=woodberry, dc=wbhltd, dc=com';
--
Lars
Daniele
2008-02-26 11:33:54 UTC
I added some TicketFreeKey fields to my local OTRS installation.

I would like to fill/populate them
with info coming from the X-OTRS headers of an email ticket.
Is it possible?


Thank you in advance.
Daniele
Steven Carr
2008-02-27 08:38:50 UTC
Post by Daniele
I added some TicketFreeKey to my local OTRS installation.
I would like to fill/populate them
with infos coming from X-OTRS-header of email ticket.
Is it possible?
Have you looked at the section in the documentation for Filtering
Incoming Messages:
http://doc.otrs.org/2.2/en/html/x1053.html

Steve
Daniele
2008-02-27 12:26:38 UTC
Yes, I read it.
I don't understand what it means if I choose:
Match:
Header 1: Value:

and then
Set:
Header 1: Value:


What is the TicketKey? What does it apply to?
What does this mean, which I found in the manual:

X-OTRS-TicketKey(1|2|...|16): [additional info key]
---------------------------------------------------
Save additional info "key" to the incoming ticket.


X-OTRS-TicketValue(1|2|...|16): [additional info value]
-------------------------------------------------------
Save additional info "value" to the incoming ticket.

Where is the key stored? How can I see it in OTRS?
Why does OTRS have to find "what_OTRS_finds"
and then write a key equal to "What_I_want_to_set"?
Why was it not planned to write "what_OTRS_finds" directly into the key?

I am going crazy!!!!!

Can you help me, please?
Thank you in advance, Steven.

Daniele
Steven Carr
2008-02-27 18:21:13 UTC
It really depends on what you are wanting to store in these fields.

As far as I know they are visible to the agents by clicking on the "Free
Text" link in the Ticket Zoom View - I'm not sure if the customer has
access to these.

If you have a web form for submitting requests into OTRS then you can
create the X-OTRS headers and add them into the email.

Or you can use the postmaster filters to basically filter an email and,
when you find the email you want, specify a certain attribute, e.g. any
emails from ***@domain.com set the X-OTRS-Priority to "4 high" - we
use this for certain email domains.

Without any more information on what you actually want to achieve I'm
not sure what else to suggest.

Steve
--
Steven Carr
Engineer - Khipu Networks Ltd.
***@khipu-networks.com - www.khipu-networks.com
Secure - Compliant - Infrastructure

Registered Office: Fairfax House, 15 Fulwood Place, London WC1V 6AY
Registered in England. Company Number 5218573

Specialist Reseller of the year - CRN Channel Awards 2007
Marina Henn
2008-02-22 07:29:19 UTC
SSCOPE=sub means that the search scope is extended to subdirectories.
Otherwise it would only search in the given directory.
But sub is not an ou ;-)


Kind regards
Marina Henn
____________________
Netzlink Informationstechnik GmbH
Heinrich-Büssing-Ring 42
D-38102 Braunschweig
Phone: 0531-7073430
Fax: 0531-7073459
Email: ***@netzlink.com
www.netzlink.com
Management:
Harald Lies, Tamara Ostermann, Sven-Ove Wähling
Braunschweig District Court
HRB 4896, VAT ID DE 202670390

Leigh Reed
2008-02-22 11:38:11 UTC
Hi,

Thanks for all your help. I now have it working.

I copied the bit about filtering out computers and invalid accounts and pasted it into the config.pm file, and I left the rest alone as this was working correctly. So my complete LDAP config looks like this:

## Set up LDAP for Customer authentication to the Frontend for customers.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '192.168.1.10';
# The ou= is your NT Domain name. The dc= (there may be more than one) is your AD domain name.
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=woodberry, dc=wbhltd, dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
# Our AD requires a valid login to do LDAP searches. Use a generic one, not admin, not your own.
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'whatever';

# We only need to see users. Not computers and no disabled users.
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';

## Set up LDAP for finding Customers when creating tickets in the Agent Frontend.
$Self->{CustomerUser} = {
    Name   => 'Exchange LDAP',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # Parameters are basically the same as above.
        Host   => '192.168.1.10',
        BaseDN => 'dc=woodberry, dc=wbhltd, dc=com',
        SSCOPE => 'sub',
        UserDN => 'otrs',
        UserPw => 'whatever',
        # If your frontend is e.g. iso-8859-1 and the charset of your
        # LDAP server is utf-8, use these options (if not, ignore them).

        ### IMPORTANT FOR NON-ENGLISH USERS WITH SPECIAL CHARACTERS ###
        # You *have* to specify the SourceCharset below, else OTRS will default to
        # iso8859-1 (I think), and special characters will be garbled. This took me
        # half a day to figure out.
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
        # We only need to see users. Not computers and no disabled users.
        AlwaysFilter  => '(&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    },
    CustomerKey                        => 'sAMAccountName',
    CustomerID                         => 'mail',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        ## Set up the fields you want to import from LDAP.
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        # [ 'UserSalutation', 'Title',      'title',           1, 0, 'var' ],
        [ 'UserFirstname',    'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',     'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',        'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',        'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID',   'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',        'Phone',      'telephonenumber', 1, 0, 'var' ],
        # [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var' ],
        # [ 'UserComment',    'Comment',    'description',     1, 0, 'var' ],
    ],
};

However, I still couldn't log in to the customer frontend. So I took your suggestion of looking in the otrs.log file (I didn't know there was one, so I never looked before) and this is what it said:

"Fri Feb 22 10:38:08 2008][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: Leigh ***@wbhltd.com@wbhltd.com authentification failed, no LDAP entry found!BaseDN='dc=woodberry, dc=wbhltd, dc=com', Filter='(&(sAMAccountName=Leigh ***@wbhltd.com@wbhltd.com)(&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2))))', (REMOTE_ADDR: 127.0.0.1)."

Notice the part where it says "CustomerUser: Leigh ***@wbhltd.com@wbhltd.com". It hit me that I had changed the Customer::AuthModule::LDAP::UserSuffix to @wbhltd.com in the Frontend::Customer::Auth option in SysConfig > Framework when I first started messing about with the LDAP configuration a few days ago. So instead of sending the login "Leigh ***@wbhltd.com", which is correct, it was adding another @wbhltd.com to the end, making it incorrect.

I literally jumped out of my chair when it worked lol, it's been bugging me for days.

Thanks again for everyone's help.

Leigh

________________________________

From: otrs-***@otrs.org [mailto:otrs-***@otrs.org] On Behalf Of Sune T. Tougaard
Sent: 22 February 2008 08:06
To: User questions and discussions about OTRS.org
Subject: RE: [otrs] LDAP customer authentication with AD not working, please help?

Hi Leigh,

The customer data and customer login, I think, are actually two different parts of config.pm.

Here are parts of my working config. Replace the obvious enclosed in <>.

# Customer Authentication backend.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
# Have seen a few issues when using specific hostnames or IP addresses. Using domain works.
$Self->{'Customer::AuthModule::LDAP::Host'} = '<subdom>.<dom>.<tld>';
# Where do you want to start searching?
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=<subdom>,DC=<dom>,DC=<tld>';
# What LDAP attribute would you like to use as User ID in OTRS?
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# LDAP search credentials. Dunno if a full DN is required or if just the username is enough. Have only tried this.
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=<username>,OU=<yet another OU>,OU=<users OU>,DC=<subdom>,DC=<dom>,DC=<tld>';

$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '<password>';
# We only need to see users. Not computers and no disabled users.
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';

**

# Customer DATA backend.
$Self->{CustomerUser} = {
    Name   => '<displayname>',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => '<subdom>.<dom>.<tld>',
        BaseDN => 'DC=<sub>,DC=<dom>,DC=<tld>',
        # Search Scope. (one|sub). One-Level or entire Sub-Tree
        SSCOPE => 'sub',
        # LDAP search credentials. Dunno if a full DN is required or if just the username is enough. Have only tried this.
        UserDN => 'CN=<username>,OU=<yet another OU>,OU=<users OU>,DC=<subdom>,DC=<dom>,DC=<tld>',
        UserPw => '<password>',
        # This is needed to avoid issues with ae, oe, aa. Dunno what happens or if it's entirely correct.
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
        # We only need to see users. Not computers and no disabled users.
        AlwaysFilter  => '(&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    },
    <i think this matches your config>
};

Even though the web interface says "Login failed! Your username or password was entered incorrectly.", you may be able to find additional info about the error in the OTRS log file.
--
/Sune

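As an added example (not OTRS's or any poster's code; the directory entries and the log line are constructed), this Python script models the lookup behind the otrs.log notice Leigh quoted: the Filter= string OTRS assembles from the UID attribute, the typed login, the UserSuffix and the AlwaysFilter; the AlwaysFilter's exclusion of computer objects and of accounts with the ACCOUNTDISABLE bit (0x2) set in userAccountControl; and why a stray UserSuffix makes the search come back empty even though the customer backend can list the same users.

```python
import re

# Modelled after the thread's AlwaysFilter: drop computers and disabled accounts.
ACCOUNTDISABLE = 0x2  # userAccountControl bit the 1.2.840.113556.1.4.803 (bitwise AND) rule tests
ALWAYS_FILTER = "(&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

# Constructed sample of what the directory returns (no real accounts).
DIRECTORY = [
    {"sAMAccountName": "leigh.reed", "objectClass": ["user", "person"],
     "userAccountControl": 512, "mail": "leigh.reed@wbhltd.com"},
    {"sAMAccountName": "olduser", "objectClass": ["user", "person"],
     "userAccountControl": 512 | ACCOUNTDISABLE},   # disabled account
    {"sAMAccountName": "WS01$", "objectClass": ["computer", "user"],
     "userAccountControl": 4096},                   # workstation trust account
]

# Constructed otrs.log line in the shape Leigh quoted: the login "leigh.reed"
# was typed, and the configured UserSuffix "@wbhltd.com" was appended to it.
LOG_LINE = ("[Fri Feb 22 10:38:08 2008][Notice][Kernel::System::CustomerAuth::LDAP::Auth] "
            "CustomerUser: leigh.reed@wbhltd.com authentification failed, "
            "no LDAP entry found!BaseDN='dc=woodberry, dc=wbhltd, dc=com', Filter='...'")


def build_filter(uid_attr, login, user_suffix, always_filter=ALWAYS_FILTER):
    """Reproduce the Filter= string OTRS writes to otrs.log for a customer login."""
    return f"(&({uid_attr}={login}{user_suffix}){always_filter})"


def entry_matches(entry, uid_attr, login, user_suffix):
    """Apply that filter to one entry: the UID attribute must equal login+suffix
    (AD compares sAMAccountName case-insensitively), the entry must not be a
    computer, and the ACCOUNTDISABLE bit of userAccountControl must be clear."""
    if entry.get(uid_attr, "").lower() != (login + user_suffix).lower():
        return False
    if "computer" in [c.lower() for c in entry.get("objectClass", [])]:
        return False
    return not (entry.get("userAccountControl", 0) & ACCOUNTDISABLE)


def customer_auth(login, user_suffix="", uid_attr="sAMAccountName"):
    """Return the entry OTRS would bind as, or None ("no LDAP entry found")."""
    for entry in DIRECTORY:
        if entry_matches(entry, uid_attr, login, user_suffix):
            return entry
    return None


def login_from_log(log_line):
    """Extract the CustomerUser value OTRS actually searched for."""
    m = re.search(r"CustomerUser: (.+?) authentification failed", log_line)
    return m.group(1) if m else None


def diagnose(log_line, user_suffix):
    """From a failed-auth log line return (searched login, login without the
    configured suffix, whether the bare login would match): a True third value
    points at the UserSuffix setting rather than at the directory or password."""
    searched = login_from_log(log_line)
    bare = searched[:-len(user_suffix)] if user_suffix and searched.endswith(user_suffix) else searched
    return searched, bare, customer_auth(bare) is not None


if __name__ == "__main__":
    print(build_filter("sAMAccountName", "leigh.reed", "@wbhltd.com"))
    print(diagnose(LOG_LINE, "@wbhltd.com"))
```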