I've looked at the wiki and spent the last week trying to get this working. Maybe I misunderstand how it's supposed to work.
I have two AD groups, one for customers, one for Agents.
If I manually create the users in the database and then log in, it works just fine. If they do not exist in the DB, then I get the Userdata Panic error.
#1 - Should the LDAP be syncing my data?
#2 - I have followed all troubleshooting steps and ensured my users have an email address on their account (they are all mail enabled so that's not a problem), and I've verified the LDAP attributes do look ok in AD.
The only thing I am doing differently is I authenticate with UPN vs domain\username, since it's a hosted environment and UPN is the login name.
I have a whole customer section, but figure it's best to concentrate on one section at a time. I also used the code directly out of the wiki.
Logs show that Authentication was successful (so my search account is working), but it's the sync section that seems to be not working.
So, what am I missing? With LDAP I shouldn't need to run a manual sync process; the post-authentication section should be doing the sync for me.
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=local';
$Self->{'AuthModule::LDAP::UID'} = 'userPrincipalName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=services_otrs,CN=Users,DC=domain,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'Aj8nmOZ72oJYwaGWilva';
# In case you want to always add one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
#Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrs_ldap_allow_A,OU=Hosting_Groups,OU=Hosting,DC=domain,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap.domain.local';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'userPrincipalName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=services_otrs,CN=Users,DC=domain,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'Aj8nmOZ72oJYwaGWilva';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
# Die if backend can't work, e. g. can't connect to server.
$Self->{'AuthSyncModule::LDAP::Die'} = 1;
AD Integration and User Sync
Re: AD Integration and User Sync
Hopefully this will help you out; here is my config for Agent LDAP authentication:
Let us know if it helped... Customer will be another story altogether - I had the issue that if I made the change in the Config.pm it did not take, but if I did it in Default.pm it took and all worked.
# ---------------------------------------------------- #
# OTRS Active Directory Integration #
# ---------------------------------------------------- #
# Enable LDAP Authentication for Agent #
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'abc.def.net';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=abc,dc=def,dc=net';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=Agents,ou=Groups,dc=abc,dc=def,dc=net';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=LDAPSearchAccount,DC=abc,DC=def,DC=net';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
# Enable LDAP Authentication Sync for Agent #
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://abc.def.net:389';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=abc,dc=def,dc=net';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=LDAPSearchAccount,DC=abc,DC=def,DC=net';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
# Enable Agent Mapping from LDAP to DB #
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
__________________________________
Andrés G. Cook
((otrs::itsm)) 2.4.7::2.0.2
Windows 2003 R2, MySQL 5, Apache2, Perl 5
Re: AD Integration and User Sync
AD/LDAP integration is a complete and total fail for me. My log is full of this error:
First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
I've tried just about every suggestion and config tweak I ran across to no avail.
Re: AD Integration and User Sync
akincer wrote:
AD/LDAP integration is a complete and total fail for me. My log is full of this error:
First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
I've tried just about every suggestion and config tweak I ran across to no avail.

A quick search for that error returns this: http://confluence.atlassian.com/display ... n+attempts
Check to see that the user you are using for searching your LDAP is not locked out in AD...
From there I found this link to an explanation of the errors: http://confluence.atlassian.com/display ... DAP+Errors - Your error is 525 = User Not Found
__________________________________
Andrés G. Cook
((otrs::itsm)) 2.4.7::2.0.2
Windows 2003 R2, MySQL 5, Apache2, Perl 5
Re: AD Integration and User Sync
Went back and used one of my many configs and now I get:
Error: Need CustomerID!!!
Comment:
Traceback: ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Wed May 5 16:15:42 2010
Message: Need CustomerID!!!
Traceback (9890):
Module: Kernel::Output::HTML::Layout::CustomerError (v1.176.2.17) Line: 4158
Module: Kernel::Modules::CustomerTicketOverView::Run (v1.50) Line: 77
Module: Kernel::System::Web::InterfaceCustomer::Run (v1.41.2.1) Line: 852
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_customer_2epl::handler (unknown version) Line: 48
Module: (eval) (v1.42) Line: 204
Module: ModPerl::RegistryCooker::run (v1.42) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.42) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
Re: AD Integration and User Sync
And just like that I got it working by adding in the email address for the user account and the auth user.
The instructions for making this work are not unambiguous.
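The two failure modes in this thread (a bind rejected with AD data code 525, and a sync that creates no user because a mapped attribute such as mail is absent) can both be caught before users hit the login page. The following is an added preflight check written for this thread, not code from OTRS or from any poster; it reuses the UserSyncMap from the configs above, runs against constructed in-memory entries instead of a live directory, and the data codes other than the thread's 525 are the standard Microsoft AcceptSecurityContext sub-codes.

```python
import re

# DB field -> LDAP attribute, as in the AuthSyncModule::LDAP::UserSyncMap above
USER_SYNC_MAP = {
    "UserFirstname": "givenName",
    "UserLastname": "sn",
    "UserEmail": "mail",
}

# AD "AcceptSecurityContext error, data NNN" sub-codes. 525 is the one seen in
# this thread; the rest are the documented Microsoft companions.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_BIND_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def explain_bind_error(log_line):
    """Return (data_code, reason) for an OTRS 'First bind failed!' line, or None."""
    m = _BIND_RE.search(log_line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown data code")

def check_sync_entry(entry, sync_map=USER_SYNC_MAP):
    """Build the user record the sync would create from one LDAP entry.
    Each DB field takes the first value of its mapped attribute; attributes that
    are missing or empty are reported, since an incomplete record is what the
    thread's 'Userdata Panic' and the final 'add the email address' fix point at."""
    mapped, missing = {}, []
    for db_field, attr in sync_map.items():
        values = [v for v in (entry.get(attr) or []) if v]
        if values:
            mapped[db_field] = values[0]
        else:
            missing.append(attr)
    return mapped, missing

# Constructed sample entries keyed by userPrincipalName (not from a real directory).
SAMPLE_ENTRIES = {
    "agent1@domain.local": {"givenName": ["Alice"], "sn": ["Agent"], "mail": ["alice@domain.local"]},
    "agent2@domain.local": {"givenName": ["Bob"], "sn": ["Builder"], "mail": [""]},  # mail not set
}

def preflight(entries, sync_map=USER_SYNC_MAP):
    """Map each UPN to the list of sync attributes it lacks (empty list = would sync)."""
    return {upn: check_sync_entry(entry, sync_map)[1] for upn, entry in entries.items()}
```

To use it against a real directory, replace SAMPLE_ENTRIES with the attribute dictionaries returned by your LDAP search as the SearchUserDN account, so the check sees exactly what the sync module would see.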