how to authenticate OTRS users via ldap (Active Directory Windows Server 2003)


I have just finished installing OTRS-3.2.10-02.noarch.rpm and now I am trying to connect it to a Windows Server 2003 SP2 based Active Directory (LDAP). Here are the contents of my configuration (from /opt/otrs/Kernel/Config.pm):

    # --
    # Kernel/Config.pm - Config file for OTRS kernel
    # Copyright (C) 2001-2013 OTRS AG, http://otrs.org/
    # --
    # This software comes with ABSOLUTELY NO WARRANTY. For details, see
    # the enclosed file COPYING for license information (AGPL). If you
    # did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
    # --
    #  Note:
    #
    #  -->> Most OTRS configuration should be done via the OTRS web interface
    #       and the SysConfig. Only for some configuration, such as database
    #       credentials and customer data source changes, you should edit this
    #       file. For changes do customer data sources you can copy the definitions
    #       from Kernel/Config/Defaults.pm and paste them in this file.
    #       Config.pm will not be overwritten when updating OTRS.
    # --

    package Kernel::Config;

    use strict;
    use warnings;
    use utf8;

    sub Load {
        my $Self = shift;

        # ---------------------------------------------------- #
        # database settings                                    #
        # ---------------------------------------------------- #

        # The database host
        $Self->{'DatabaseHost'} = 'localhost';

        # The database name
        $Self->{'Database'} = 'otrs';

        # The database user
        $Self->{'DatabaseUser'} = 'otrsadmin';

        # The password of database user. You also can use bin/otrs.CryptPassword.pl
        # for crypted passwords
        $Self->{'DatabasePw'} = '76ynhi0r';

        # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
        $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

        # The database DSN for PostgreSQL ==> more: "perldoc DBD::Pg"
        # if you want to use a local socket connection
    #    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
        # if you want to use a TCP/IP connection
    #    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
        # if you have PostgresSQL 8.1 or earlier, activate the legacy driver with this line:
    #    $Self->{DatabasePostgresqlBefore82} = 1;

        # The database DSN for Microsoft SQL Server - only supported if OTRS is
        # installed on Windows as well
    #    $Self->{DatabaseDSN} = "DBI:ODBC:driver={SQL Server};Database=$Self->{Database};Server=$Self->{DatabaseHost},1433";

        # The database DSN for Oracle ==> more: "perldoc DBD::oracle"
    #    $ENV{ORACLE_HOME} = '/u01/app/oracle/product/10.2.0/client_1';
    #    $ENV{NLS_DATE_FORMAT} = 'YYYY-MM-DD HH24:MI:SS';
    #    $ENV{NLS_LANG} = "american_america.utf8";

    #    $Self->{DatabaseDSN} = "DBI:Oracle:sid=OTRS;host=$Self->{DatabaseHost};port=1522;";

        # ---------------------------------------------------- #
        # fs root directory
        # ---------------------------------------------------- #
        $Self->{Home} = '/opt/otrs';

        # ---------------------------------------------------- #
        # insert your own config settings "here"               #
        # config settings taken from Kernel/Config/Defaults.pm #
        # ---------------------------------------------------- #
        # $Self->{SessionUseCookie} = 0;
        # $Self->{CheckMXRecord} = 0;

        # ---------------------------------------------------- #

        # ---------------------------------------------------- #
        # data inserted by installer                           #
        # ---------------------------------------------------- #
        $DIBI$
    # This is an example configuration for an LDAP auth. backend.
        # (take care that Net::LDAP is installed!)

        $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
        $Self->{'AuthModule::LDAP::Host1'} = '192.168.10.10';
        $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=mydomain,dc=com, dc=pk';
        $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

        # The following is valid but would only be necessary if the
        # anonymous user do NOT have permission to read from the LDAP tree

        $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=otrs search,OU=Users,OU=MACPAK,DC=mydomain,DC=com,DC=pk';
        $Self->{'AuthModule::LDAP::SearchUserPw1'} = '76Ynhi0r';

        # In case you need to use OTRS in iso-charset, you can define this
        # by using this option (converts utf-8 data from LDAP to iso).

    #    $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';
        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        $Self->{'AuthModule::LDAP::Params'} = {
            port    => 389,
            timeout => 120,
            async   => 0,
            version => 3,
        };

        # --------------------------------------------------- #
        # authentication sync settings                        #
        # (enable agent data sync. after succsessful          #
        # authentication)                                     #
        # --------------------------------------------------- #

        # This is an example configuration for an LDAP auth sync. backend.
        # (take care that Net::LDAP is installed!)

        $Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
        $Self->{'AuthSyncModule::LDAP::Host1'} = '192.168.10.10';
        $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=mydomain,dc=com,dc=pk';
        $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';

        # The following is valid but would only be necessary if the
        # anonymous user do NOT have permission to read from the LDAP tree

        $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=otrs search,OU=Users,OU=MACPAK,DC=mydomain,DC=com,DC=pk';
        $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = '76Ynhi0r';
        # AuthSyncModule::LDAP::UserSyncMap

        # (map if agent should create/synced from LDAP to DB after successful login)

        $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
            # DB -> LDAP
            UserFirstname => 'givenName',
            UserLastname  => 'sn',
            UserEmail     => 'mail',
        };

        # In case you need to use OTRS in iso-charset, you can define this
        # by using this option (converts utf-8 data from LDAP to iso).

    #    $Self->{'AuthSyncModule::LDAP::Charset'} = 'iso-8859-1';
        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    #    $Self->{'AuthSyncModule::LDAP::Params'} = {

    #        port    => 389,
    #        timeout => 120,
    #        async   => 0,
    #        version => 3,
    #    };

    #Enable LDAP authentication for Customers / Users

      $Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
      $Self->{'Customer::AuthModule::LDAP::Host2'} = '192.168.10.10';
      $Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'dc=mydomain,dc=com,dc=pk';
      $Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';

    #The following is valid but would only be necessary if the
    #anonymous user do NOT have permission to read from the LDAP tree

      $Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'CN=otrs search,OU=Users,OU=MACPAK,DC=mydomain,DC=com,DC=pk';
      $Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = '76Ynhi0r';

    #CustomerUser
    #(customer user database backend and settings)

        $Self->{CustomerUser} = {
          Module => 'Kernel::System::CustomerUser::LDAP',
          Params => {
          Host => '192.168.10.10',
          BaseDN => 'dc=mydomain,dc=com,dc=pk,
          SSCOPE => 'sub',
          UserDN =>'CN=otrs search,OU=Users,OU=MACPAK,DC=mydomain,DC=com,DC=pk',
          UserPw => '76Ynhi0r',
        },

    # customer unique id

        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],

        Map => [
          # note: Login, Email and CustomerID needed!
          # var, frontend, storage, shown, required, storage-type
          #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
          [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
          [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
          [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
          [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
          [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
          [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
          #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
          #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
        ],
      };

    #Add the following lines when only users are allowed to login if they reside in the spicified security group
    #Remove these lines if you want to provide login to all users specified in the User Base DN
    #example: $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=BaseOU, dc=example, dc=com';

      $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=otrs search,OU=Users,OU=MACPAK,DC=mydomain,DC=com,DC=pk';
      $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
      $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID'

        # Die if backend can't work, e. g. can't connect to server.
    #    $Self->{'AuthSyncModule::LDAP::Die'} = 1;
        # Die if backend can't work, e. g. can't connect to server.

    #    $Self->{'AuthModule::LDAP::Die'} = 1;

        # ---------------------------------------------------- #
        # ---------------------------------------------------- #
        #                                                      #
        # end of your own config options!!!                    #
        #                                                      #
        # ---------------------------------------------------- #
        # ---------------------------------------------------- #
    }

    # ---------------------------------------------------- #
    # needed system stuff (don't edit this)                #
    # ---------------------------------------------------- #
    use strict;
    use warnings;

    use vars qw(@ISA);

    use Kernel::Config::Defaults;
    push (@ISA, 'Kernel::Config::Defaults');

    # -----------------------------------------------------#;

    1;

After this, I am no longer able to connect to my OTRS at http://192.168.10.15/otrs/index.pl, and when I use

cat /var/log/httpd/error_log | tail

its output is:

[root@macpk-manage ~]# cat /var/log/httpd/error_log | tail
[Fri Aug 30 21:55:36 2013] Config.pm:   (Missing operator before $;?)
[Fri Aug 30 21:55:36 2013] Config.pm: Scalar found where operator expected at /opt/otrs//Kernel/Config.pm line 89, near "$;
[Fri Aug 30 21:55:36 2013] Config.pm:
[Fri Aug 30 21:55:36 2013] Config.pm: # This is an example configuration for an LDAP auth. backend.
[Fri Aug 30 21:55:36 2013] Config.pm: # (take care that Net::LDAP is installed!)
[Fri Aug 30 21:55:36 2013] Config.pm:
[Fri Aug 30 21:55:36 2013] Config.pm:     $Self"
[Fri Aug 30 21:55:36 2013] Config.pm:   (Missing operator before $Self?)
[Fri Aug 30 21:55:36 2013] [error] Illegal declaration of subroutine Kernel::Config:: at /opt/otrs//Kernel/Config.pm line 176.\nCompilation failed in require at /opt/otrs/scripts/apache2-perl-startup.pl line 68.\nBEGIN failed--compilation aborted at /opt/otrs/scripts/apache2-perl-startup.pl line 68.\nCompilation failed in require at (eval 2) line 1.\n
[Fri Aug 30 21:55:36 2013] [error] Can't load Perl file: /opt/otrs/scripts/apache2-perl-startup.pl for server macpk-manage.macrosoftinc.com.pk:80, exiting...

I also tried to restart the httpd service but it fails, and even when I restart CentOS 6.4 it shows that httpd failed to run. Any help will be highly appreciated, thanks in advance.

3

There are 3 answers

1
MichielB On

There's a missing quote after BaseDN, see this:

-          BaseDN => 'dc=mydomain,dc=com,dc=pk,
+          BaseDN => 'dc=mydomain,dc=com,dc=pk',
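Review bot: the quote fix is right, but the file as posted has two further syntax problems that this patch does not cover, so `perl -cw` will keep failing after it is applied: the installer placeholder `$DIBI$` is still present just before the LDAP block (the "near "$;"" message in the error log points at it), and `$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID'` lacks its trailing semicolon, so the closing `}` of `sub Load` follows it directly. Suggest adding a line removing `$DIBI$` and `+      $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';` to the same patch.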

https://gist.github.com/mbeijen/72a15954b601eaaae797/revisions

If you want to make sure you balanced your quotes and such correctly, you can type on the command line perl -cw Kernel/Config.pm

0
RBuser2769569 On

You need to comment out the following line:

$DIBI$

and also add this:

$Self->{'DefaultCharset'} = 'utf-8';
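A small pre-check, added here and not part of either answer or of OTRS itself, that scans a Config.pm fragment for the three defects visible in the question's file (the unreplaced `$DIBI$` installer placeholder that the answer above mentions, the unterminated BaseDN quote from the first answer, and the `UserAttr` assignment that lacks its trailing semicolon); the sample text is constructed to mirror those lines. `perl -cw Kernel/Config.pm` remains the authoritative check, this only names the likely culprit before the web server is restarted.

```python
import re

# Constructed sample modelled on the Config.pm in the question: the installer
# placeholder was never replaced (line 1), one BaseDN is missing its closing
# quote (line 3) and one assignment lacks its trailing semicolon (line 5).
SAMPLE_CONFIG = """\
    $DIBI$
    $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
    BaseDN => 'dc=mydomain,dc=com,dc=pk,
    UserPw => '76Ynhi0r',
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID'
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
"""

# A "$Self->{...} = <literal>" line that ends without a ';'.
ASSIGNMENT_NO_SEMICOLON = re.compile(
    r"^\s*\$Self->\{.*\}\s*=\s*(?:'[^']*'|\"[^\"]*\"|\d+)\s*$")
# A hash key or $Self assignment whose value opens with a single quote;
# group(1) is everything after that opening quote.
SINGLE_QUOTED_VALUE = re.compile(
    r"^\s*(?:\$Self->\{.*\}|\w+)\s*(?:=>|=)\s*'(.*)$")


def lint_config(text):
    """Return [(line_no, message)] for the three defect kinds on this page."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or Perl comment
        if "$DIBI$" in stripped:
            findings.append((no, "installer placeholder $DIBI$ left in file"))
            continue
        m = SINGLE_QUOTED_VALUE.match(line)
        # An even number of quotes after the opening one means it never closed.
        if m and m.group(1).count("'") % 2 == 0:
            findings.append((no, "unterminated single-quoted value"))
            continue
        if ASSIGNMENT_NO_SEMICOLON.match(line):
            findings.append((no, "assignment missing trailing ';'"))
    return findings


def lint_file(path):
    """Lint a Config.pm on disk (e.g. /opt/otrs/Kernel/Config.pm)."""
    with open(path, encoding="utf-8") as fh:
        return lint_config(fh.read())


if __name__ == "__main__":
    for no, msg in lint_config(SAMPLE_CONFIG):
        print(f"line {no}: {msg}")
```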
0
Gopal Krishnan On

I think you need to check these two lines with your domain.local:

 UserDN =>'CN=otrs search,OU=Users,OU=MACPAK,DC=mydomain,DC=com,DC=pk',
 UserPw => '76Ynhi0r',