LDAPS
Moderator: crythias
-
- Znuny newbie
- Posts: 37
- Joined: 30 Mar 2017, 19:37
- Znuny / OTRS Version: 6.0.33
- Real Name: David Sekely
LDAPS
I'm trying to figure out what places need to be changed in my config to use ldaps instead of ldap.
I see a couple of spots where the ldap port is defined (389). Do I just change those to the ldaps port (636)?
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
Params => {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
},
znuny 6.0.33
-
- Administrator
- Posts: 3658
- Joined: 18 Dec 2007, 12:23
- Znuny / OTRS Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: LDAPS
Hi,
No need for this. Use the URL style for the hostname: ldaps://server.domain.tld. Net::LDAP knows the ports for LDAP and LDAPS. If the port differs, as with an Active Directory Global Catalog server, it looks like ldaps://server.domain.tld:3269
- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
-
- Znuny newbie
- Posts: 37
- Joined: 30 Mar 2017, 19:37
- Znuny / OTRS Version: 6.0.33
- Real Name: David Sekely
Re: LDAPS
I will try that. Our current config didn't specify http in the hostname option, that is why I asked.
example
$Self->{'Customer::AuthModule::LDAP::Host'} = 'local.domain.com';
-
- Administrator
- Posts: 3658
- Joined: 18 Dec 2007, 12:23
- Znuny / OTRS Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: LDAPS
Hi,
dsekelybrs wrote: ↑10 Mar 2023, 16:57
I will try that. Our current config didn't specify http in the hostname option, that is why I asked.
example
$Self->{'Customer::AuthModule::LDAP::Host'} = 'local.domain.com';
When I say URL, I did not say http; a URL can be more:
$Self->{'AuthModule::LDAP::Host2'} = ['ldaps://xxx.yyy.znuny.com', 'ldaps://xxx.yyy.znuny.com/'];
-
- Znuny newbie
- Posts: 37
- Joined: 30 Mar 2017, 19:37
- Znuny / OTRS Version: 6.0.33
- Real Name: David Sekely
Re: LDAPS
That did not seem to work. I replaced all instances of LDAP::Host with ldaps://______
-
- Administrator
- Posts: 3658
- Joined: 18 Dec 2007, 12:23
- Znuny / OTRS Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: LDAPS
dsekelybrs wrote: ↑11 Mar 2023, 06:38
That did not seem to work. I replaced all instances of LDAP::Host with ldaps://______
Do you still have the port in the Params block? Remove it.
- Roy
-
- Znuny newbie
- Posts: 37
- Joined: 30 Mar 2017, 19:37
- Znuny / OTRS Version: 6.0.33
- Real Name: David Sekely
Re: LDAPS
I commented out the port designations and I was still able to log in with it using ldaps://ad.domain.com.
I tried to verify that it was using ldaps on the ad server but I only saw a connection to port 389 from my otrs server.
Is there a way I can verify that it is using ldaps (636) instead of ldap (389)?
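As an added example (not Znuny or Net::LDAP code, and not part of this thread), the script below models the point Roy makes about URL-style Host values versus a port left in the Params block, and includes the check asked for here: a TLS probe of the LDAPS port with certificate verification, which is what an LDAPS client must achieve. The precedence order between a port in the URL, a Params port and the scheme default is an assumption about Net::LDAP made for the example, not something the thread confirms.

```python
"""Resolve where a Znuny/OTRS LDAP Host setting will connect, and verify an
LDAPS endpoint.

Added example, not Znuny or Net::LDAP code. The precedence between a port in
the URL, a port in the Params block and the scheme default is an ASSUMPTION
about Net::LDAP's behaviour made for this example.
"""
import re
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

# Standard ports: 389 for plain/StartTLS LDAP, 636 for LDAPS. The Active
# Directory Global Catalog ports (3268/3269) are not defaults anywhere, so they
# must be written into the URL, as in ldaps://server.domain.tld:3269.
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

_URL_RE = re.compile(r"^(?:(?P<scheme>ldaps?)://)?(?P<host>[^:/]+)(?::(?P<port>\d+))?/?$")


@dataclass
class Endpoint:
    scheme: str
    host: str
    port: int
    tls: bool
    warnings: List[str] = field(default_factory=list)


def resolve_endpoint(host_setting: str, params_port: Optional[int] = None) -> Endpoint:
    """Combine a Host value (bare name or ldap[s]:// URL) with an optional
    Params->port and report the effective endpoint plus any mismatch.

    Precedence modelled (assumption): port in URL > Params port > scheme default.
    """
    m = _URL_RE.match(host_setting.strip())
    if not m:
        raise ValueError(f"cannot parse Host value {host_setting!r}")
    scheme = m.group("scheme") or "ldap"
    ep = Endpoint(scheme=scheme, host=m.group("host"), port=0, tls=(scheme == "ldaps"))
    if m.group("scheme") is None:
        ep.warnings.append("no scheme in Host: plain ldap:// assumed, bind credentials travel in clear text")
    if m.group("port"):
        ep.port = int(m.group("port"))
    elif params_port is not None:
        ep.port = params_port
        if params_port != DEFAULT_PORT[scheme]:
            ep.warnings.append(f"Params->port={params_port} overrides the {scheme}:// default {DEFAULT_PORT[scheme]}")
    else:
        ep.port = DEFAULT_PORT[scheme]
    if ep.tls and ep.port == 389:
        ep.warnings.append("ldaps:// against port 389: the TLS handshake hits the plaintext port and fails")
    if not ep.tls and ep.port == 636:
        ep.warnings.append("ldap:// against port 636: plaintext LDAP hits the TLS port and fails")
    return ep


def probe_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Live check (needs network, not run offline): open a TLS session to
    host:port with certificate and hostname verification against the system CA
    store, which is exactly what the LDAPS client has to achieve. Raises
    ssl.SSLError on an untrusted certificate and OSError if nothing answers."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls_sock:
            cert = tls_sock.getpeercert()
            return {
                "protocol": tls_sock.version(),
                "subject": {k: v for rdn in cert.get("subject", ()) for k, v in rdn},
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    # The Host/port combinations that appear in the thread, in order.
    cases = [
        ("local.domain.com", 389),                 # original config: bare name plus port 389
        ("ldaps://ad.domain.com", 389),            # URL changed, port still in the Params block
        ("ldaps://ad.domain.com", None),           # port commented out
        ("ldaps://server.domain.tld:3269", None),  # Global Catalog over TLS
    ]
    for host, port in cases:
        ep = resolve_endpoint(host, port)
        print(f"{host!r:40} Params port={port}: -> {ep.scheme}://{ep.host}:{ep.port} tls={ep.tls}")
        for w in ep.warnings:
            print("   !", w)
```

On the Znuny host itself, `ss -tn` (or `netstat -tn`) lists established connections with their destination port. Keep in mind that the customer auth module (Customer::AuthModule::LDAP::Host) and the CustomerUser backend (CustomerUser->Params->Host) each have their own Host value and open their own connections, so a plain hostname or a port left in one of them will still show up as :389 after the other has been moved to ldaps://.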
-
- Znuny newbie
- Posts: 37
- Joined: 30 Mar 2017, 19:37
- Znuny / OTRS Version: 6.0.33
- Real Name: David Sekely
Re: LDAPS
I was revisiting this issue and I was able to change ldap to ldaps in the config. Once I did that, the agents were able to log in without any issues, but the customers (AD users) were not able to log in. Both agents and customers are using the same LDAP server. Customers get the following after they enter their username and password.
customers get the following
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at webmaster@localhost to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
Apache/2.4.29 (Ubuntu) Server at otrs.domain.com Port 443
-
- Administrator
- Posts: 3658
- Joined: 18 Dec 2007, 12:23
- Znuny / OTRS Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: LDAPS
Hi Dave,
Ok, then what's in the Apache error_log?
- Roy
-
- Znuny newbie
- Posts: 37
- Joined: 30 Mar 2017, 19:37
- Znuny / OTRS Version: 6.0.33
- Real Name: David Sekely
Re: LDAPS
RemoteAddress:
RequestURI: /otrs/customer.pl
Traceback (6443):
Module: Kernel::System::CustomerUser::LDAP::new Line: 73
Module: Kernel::System::CustomerUser::new Line: 89
Module: Kernel::System::ObjectManager::_ObjectBuild Line: 306
Module: Kernel::System::ObjectManager::Get Line: 200
Module: Kernel::System::Web::InterfaceCustomer::Run Line: 204
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_customer_2epl::handler Line: 38
Module: (eval) (v1.99) Line: 207
Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
Module: ModPerl::Registry::handler (v1.99) Line: 32
ERROR: OTRS-CGI-10 Perl: 5.26.1 OS: linux Time: Thu May 25 03:45:18 2023
Message: Need CustomerUser->Params->Host in Kernel/Config.pm
-
- Administrator
- Posts: 3658
- Joined: 18 Dec 2007, 12:23
- Znuny / OTRS Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: LDAPS
Hi David,
Can you post your CustomerUser and CustomerAuth configuration? There is something that does not match.
- Roy
-
- Znuny newbie
- Posts: 37
- Joined: 30 Mar 2017, 19:37
- Znuny / OTRS Version: 6.0.33
- Real Name: David Sekely
Re: LDAPS
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldaps://ad.domain.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=All Users,dc=ad,dc=domain,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'service-otrs@AD.domain.COM';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '{password}';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
# $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'ou=Companies,dc=mydomain,dc=local';
# $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS Customers,cn=Users,dc=mydomain,dc=local';
# $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# $Self->{'Customer::AuthModule::LDAP::SSL'} => 1;

$Self->{CustomerUser} = {
    Name   => 'Active Directory',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'ldaps://ad.domain.com',
        # ldap base dn
        BaseDN => 'ou=All Users,dc=ad,dc=domain,dc=com',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'service-otrs@AD.domain.COM',
        UserPw => '{password}',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        #AlwaysFilter => '(&(objectclass=user)(!(objectclass=computer)))',
        # if both your frontend and your LDAP are unicode, use this:
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
        # if your frontend is unicode and the charset of your
        # ldap server is iso-8859-1, use these options.
        # SourceCharset => 'iso-8859-1',
        # DestCharset => 'utf-8',
        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            #port => 389,
            port    => 636,
            timeout => 120,
            async   => 0,
            version => 3,
        },
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['displayName', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'displayName', 'mail', 'sn'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
    # CustomerUserValidFilter => '(!(description=locked))',
    CustomerUserValidFilter => '(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    #CustomerUserValidFilter => '(&(objectclass=user)(!(objectclass=computer)))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
    # # cache time to live in sec. - cache any database queries
    CacheTTL => 14400,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserFirstname',  'Firstname',    'givenname',                  1, 1, 'var', '', 1 ],
        [ 'UserLastname',   'Lastname',     'sn',                         1, 1, 'var', '', 1 ],
        [ 'UserLogin',      'Username',     'sAMAccountName',             1, 1, 'var', 'https://portal.domain.com/view/[% Data.UserLogin %]', 1 ],
        [ 'UserEmail',      'Email',        'mail',                       1, 1, 'var', '', 1 ],
        [ 'UserCustomerID', 'CustomerID',   'mail',                       0, 1, 'var', '', 1 ],
        # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 1 ],
        [ 'UserCompany',    'Company',      'company',                    1, 0, 'var', '', 1 ],
        [ 'UserDepartment', 'Department',   'department',                 1, 0, 'var', '', 1 ],
        [ 'UserJobTitle',   'Job Title',    'title',                      1, 0, 'var', '', 1 ],
        [ 'UserPhone',      'Phone',        'homePhone',                  1, 0, 'var', '', 1 ],
        [ 'UserMobile',     'Mobile Phone', 'mobile',                     1, 0, 'var', '', 1 ],
        [ 'UserFax',        'Extension',    'ipPhone',                    1, 0, 'var', '', 1 ],
        [ 'UserSite',       'Site Code',    'physicalDeliveryOfficeName', 1, 0, 'var', '', 1 ],
        # [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 1 ],
        # [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 1 ],
    ],
};
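The two kinds of filter in this configuration differ in a security-relevant way: the CustomerUser AlwaysFilter and CustomerUserValidFilter exclude computer objects and any account whose userAccountControl has bit 2 (ACCOUNTDISABLE) set, using the Active Directory bitwise-AND matching rule 1.2.840.113556.1.4.803, while the Customer::AuthModule AlwaysFilter is only (objectclass=user). As an added example (not Znuny code, not part of the post, with constructed sample entries), the script below parses both filters and evaluates them against a handful of AD-style entries so the difference is visible.

```python
"""Evaluate the LDAP filters from the config above against constructed Active
Directory entries to show which accounts each backend will accept.

Added example, not Znuny code. It implements only the RFC 4515 operators the
thread's filters use: &, |, !, equality, presence and the AD extensible match
LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803).
"""
from typing import Any, Dict, List, Tuple

Entry = Dict[str, List[str]]  # lower-cased attribute name -> values as strings

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR
ACCOUNTDISABLE = 0x0002             # userAccountControl flag tested by the thread's filters

# Filters copied from the configuration in the post.
AUTH_FILTER = "(objectclass=user)"
CUSTOMER_FILTER = "(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES: Dict[str, Entry] = {
    "alice": {"objectclass": ["top", "person", "user"], "useraccountcontrol": ["512"]},    # NORMAL_ACCOUNT
    "bob":   {"objectclass": ["top", "person", "user"], "useraccountcontrol": ["514"]},    # 512 | ACCOUNTDISABLE
    "carol": {"objectclass": ["top", "person", "user"], "useraccountcontrol": ["66048"]},  # 512 | DONT_EXPIRE_PASSWORD
    "ws01$": {"objectclass": ["top", "person", "user", "computer"], "useraccountcontrol": ["4096"]},  # WORKSTATION_TRUST_ACCOUNT
}


def parse_filter(text: str) -> Any:
    """Parse an RFC 4515 filter string into a nested tuple tree."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError(f"trailing characters after filter: {rest!r}")
    return node


def _parse(s: str) -> Tuple[Any, str]:
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s[:20]!r}")
    op = s[1]
    if op in "&|":
        items, rest = [], s[2:]
        while rest.startswith("("):
            node, rest = _parse(rest)
            items.append(node)
        return (op, items), _expect_close(rest)
    if op == "!":
        node, rest = _parse(s[2:])
        return ("!", node), _expect_close(rest)
    end = s.index(")")          # simple items contain no unescaped ')'
    item, rest = s[1:end], s[end + 1:]
    if ":=" in item:            # extensible match: attr:rule:=value
        lhs, value = item.split(":=", 1)
        attr, _, rule = lhs.partition(":")
        return ("ext", attr.lower(), rule, value), rest
    attr, value = item.split("=", 1)
    if value == "*":
        return ("present", attr.lower()), rest
    return ("eq", attr.lower(), value), rest


def _expect_close(rest: str) -> str:
    if not rest.startswith(")"):
        raise ValueError(f"expected ')' at {rest[:20]!r}")
    return rest[1:]


def matches(node: Any, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    if kind == "present":
        return node[1] in entry
    if kind == "eq":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    if kind == "ext":
        _, attr, rule, value = node
        mask = int(value)
        values = [int(v) for v in entry.get(attr, [])]
        if rule == BIT_AND:   # true when every bit of the mask is set
            return any((v & mask) == mask for v in values)
        if rule == BIT_OR:    # true when any bit of the mask is set
            return any((v & mask) != 0 for v in values)
        raise ValueError(f"unsupported matching rule {rule}")
    raise ValueError(f"unknown node {node!r}")


def accepted(filter_text: str, entries: Dict[str, Entry] = SAMPLE_ENTRIES) -> List[str]:
    """Names of the sample entries a filter lets through, sorted."""
    tree = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(tree, entry))


if __name__ == "__main__":
    print("Customer::AuthModule AlwaysFilter accepts:   ", accepted(AUTH_FILTER))
    print("CustomerUser AlwaysFilter/ValidFilter accept:", accepted(CUSTOMER_FILTER))
```

The auth-side filter lets the disabled account and the computer object through; in practice Active Directory itself rejects a simple bind for a disabled account, so the login still fails at bind time. The stricter filter matters for the CustomerUser backend, which searches and lists customers with the service account rather than binding as them, so without the userAccountControl clause disabled accounts would still appear as valid customers.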
-
- Administrator
- Posts: 3658
- Joined: 18 Dec 2007, 12:23
- Znuny / OTRS Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: LDAPS
Hi,
Yes, absolutely. But I can't see any problems with it.
I'll send you a PM.
- Roy