
Transparent authentication for OTRS with mod_auth_ntlm_winbind, using CentOS 6 as an example

Some time ago the OTRS customer support system was introduced in our company. OTRS integrates easily with Active Directory, and there are plenty of step-by-step guides for this, including on Habr.
Practice showed that entering the login and password of a domain account is a real obstacle for users, and for managers it is not acceptable at all.

OTRS supports transparent authentication; what remains is to teach Apache to accept such credentials and pass them on. This is where the problems began: one set of manuals describes ntlm_mod, which has not been updated since 2007, while another describes the installation procedure for Windows. I wanted a purely open-source setup, so I chose CentOS, one of the platforms recommended in the OTRS manual, and mod_auth_ntlm_winbind is available in its standard repository.
The server is already up and running; only the authentication method for users (customers) needs to change, while the authentication method for agents stays as it is.

Winbind uses Kerberos for authentication. For Kerberos to work correctly, you need to synchronize the clock with the domain.
To do this, install NTP:
yum -y install ntp

Configure NTP:
sed -i "s/^server/#server/g" /etc/ntp.conf
echo "server <domain-controller>" >> /etc/ntp.conf

Synchronize time:
ntpdate <domain-controller>

Set up automatic start:
 chkconfig ntpd on 

And run NTP:
 service ntpd start 

Time is synchronized. Install the necessary packages:
yum -y install mod_auth_ntlm_winbind httpd-devel authconfig krb5-workstation samba samba-common samba-winbind

The next step is to configure the installed packages and join the server to the domain. In the console, run the following (replace the example values with your own):
ADSERVER=dc.company.local   # FQDN of a domain controller
DOMAIN=company.local        # AD domain (Kerberos realm)
WORKGROUP=company           # short (NetBIOS) domain name
authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=$ADSERVER --krb5realm=$DOMAIN --smbservers=$ADSERVER --smbworkgroup=$WORKGROUP --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=$DOMAIN --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline --winbindjoin=Administrator --disablewins --disablecache --enablelocauthorize --updateall

After that, we should receive a message stating that our server is now a domain machine.
Allow this in SELinux:
setsebool -P allow_httpd_mod_auth_ntlm_winbind on


Start winbind:
service winbind start

Set up automatic start:
 chkconfig winbind on 

Verify that winbind works correctly:
wbinfo -u
wbinfo -g

Verify that Kerberos is working correctly by getting a ticket:
kinit administrator

The resulting ticket can be viewed with the command:
 klist 


For mod_auth_ntlm_winbind to work, the KeepAlive parameter in /etc/httpd/conf/httpd.conf must be changed from off to on: NTLM authenticates the TCP connection rather than each individual request, so the handshake fails if Apache closes the connection between requests.

In the /etc/httpd/conf.d directory, create the ntlm_winbind.conf file with the following content:
LoadModule auth_ntlm_winbind_module /usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so
<Location ~ "(otrs/customer.pl)">
    AuthName "NTLM Authentication"
    AuthType NTLM
    Require valid-user
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on
</Location>

This way, Apache requests authentication data only when customer.pl is accessed.
The last step is to edit Config.pm: comment out the part responsible for LDAP authentication and add NTLM authentication.
# LDAP
#$Self->{'Customer::AuthModule'} = 'Kernel::System::Auth::LDAP';
#$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc.company.local';
#$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=COMPANY, dc=local';
#$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
#$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'read_ad_user';
#$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'pass_for_read_ad_user';
# NTLM
$Self->{'Customer::AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
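As an added example (not part of the original article), a small POSIX shell script that checks three conditions the setup above depends on: the clock skew against the domain controller, the KeepAlive directive in httpd.conf, and that the NTLM Location covers customer.pl but not the agent interface. The config files and timestamps at the bottom are constructed samples; on a real server, point the functions at /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/ntlm_winbind.conf instead.

```shell
#!/bin/sh
# Post-setup checks for the mod_auth_ntlm_winbind configuration described above.
# Each function takes its input as arguments, so it can be run against the
# real files on the server or against the constructed samples below.

# Kerberos rejects tickets when the clock skew exceeds 5 minutes (the default).
# Args: local time and domain-controller time, both in epoch seconds.
skew_ok() {
    skew=$(( $1 - $2 ))
    skew=${skew#-}            # absolute value
    [ "$skew" -le 300 ]
}

# NTLM authenticates the TCP connection, not each request, so the last
# effective KeepAlive directive in httpd.conf must be "On".
# Arg: path to httpd.conf.
keepalive_on() {
    last=$(grep -iE '^[[:space:]]*KeepAlive[[:space:]]' "$1" | tail -n 1)
    printf '%s\n' "$last" | grep -iE '[[:space:]]On[[:space:]]*$' >/dev/null
}

# Only customer.pl should sit behind NTLM; agents (index.pl) keep their own
# login. Extracts the <Location ~ "..."> regex and tests a request path against it.
# Args: path to ntlm_winbind.conf, request path.
ntlm_protects() {
    regex=$(sed -n 's/^[[:space:]]*<Location[[:space:]]*~[[:space:]]*"\(.*\)">.*/\1/p' "$1")
    [ -n "$regex" ] && printf '%s\n' "$2" | grep -E "$regex" >/dev/null
}

# Constructed samples of the two configuration fragments from the article.
TMP=$(mktemp -d)
SAMPLE_HTTPD="$TMP/httpd.conf"
SAMPLE_NTLM="$TMP/ntlm_winbind.conf"
printf 'KeepAlive Off\nKeepAliveTimeout 15\nKeepAlive On\n' > "$SAMPLE_HTTPD"
cat > "$SAMPLE_NTLM" <<'EOF'
<Location ~ "(otrs/customer.pl)">
    AuthType NTLM
</Location>
EOF

skew_ok 1700000000 1700000120 && echo "clock skew within Kerberos tolerance"
keepalive_on "$SAMPLE_HTTPD" && echo "KeepAlive is On"
ntlm_protects "$SAMPLE_NTLM" /otrs/customer.pl && echo "customer.pl is behind NTLM"
ntlm_protects "$SAMPLE_NTLM" /otrs/index.pl || echo "index.pl (agents) is not behind NTLM"
```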


Check that the OTRS server is registered correctly on the DNS server by running nslookup otrs-server.
Setup complete!
Open otrs-server-name/otrs/customer.pl in the browser and check the result.
If it does not work, a mistake was made somewhere during configuration; carefully check the settings in /etc/krb5.conf and /etc/samba/smb.conf.

Source: https://habr.com/ru/post/182586/

