LDAPS

Moderator: crythias

dsekelybrs
Znuny newbie
Posts: 42
Joined: 30 Mar 2017, 19:37
Znuny Version: 6.0.33
Real Name: David Sekely

LDAPS

Post by dsekelybrs »

I'm trying to figure out what places need to be changed in my config to use ldaps instead of ldap.


I see a couple of spots where the ldap port is defined (389). Do I just change those to ldaps port (636)

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
Params => {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
},

znuny 6.0.33
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: LDAPS

Post by root »

Hi,

No need for this. Use the URL style for the hostname: ldaps://server.domain.tld. Net::LDAP knows the ports for LDAP and LDAPS. If the port differs, as with an Active Directory Global Catalog server, it looks like ldaps://server.domain.tld:3269

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?

Re: LDAPS

Post by dsekelybrs »

I will try that. Our current config didn't specify http in the hostname option; that is why I asked.

example
$Self->{'Customer::AuthModule::LDAP::Host'} = 'local.domain.com';

Re: LDAPS

Post by root »

dsekelybrs wrote: 10 Mar 2023, 16:57 I will try that. Our current config didn't specify http in the hostname option; that is why I asked.

example
$Self->{'Customer::AuthModule::LDAP::Host'} = 'local.domain.com';
Hi,

When I say URL, I did not say http; a URL can be more:


$Self->{'AuthModule::LDAP::Host2'} = ['ldaps://xxx.yyy.znuny.com', 'ldaps://xxx.yyy.znuny.com/'];
- Roy

Re: LDAPS

Post by dsekelybrs »

That did not seem to work. I replaced all instances of LDAP::Host with ldaps://______

Re: LDAPS

Post by root »

dsekelybrs wrote: 11 Mar 2023, 06:38 That did not seem to work. I replaced all instances of LDAP::Host with ldaps://______
Do you still have the port in the Params-Block? Remove it.

- Roy

Re: LDAPS

Post by dsekelybrs »

I commented out the port designations and I was still able to log in with it using ldaps://ad.domain.com.

I tried to verify that it was using ldaps on the ad server but I only saw a connection to port 389 from my otrs server.

Is there a way I can verify that it is using ldaps (636) instead of ldap (389)?
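Roy's advice earlier in the thread (URL-style Host, no explicit port, :3269 for a Global Catalog) and the question above about proving that the connection really goes to 636 can both be checked from the Znuny host with the script below. It is an added example, not code from this thread or from Znuny: it hands the same Host string Kernel/Config.pm would use to Net::LDAP and reports the scheme, port and TLS cipher the module actually negotiated, refusing to continue if the result is plaintext LDAP. The CA bundle path, the ad.domain.com hostname and the anonymous rootDSE read are assumptions; adjust them to your directory.

```perl
#!/usr/bin/perl
# ldaps_check.pl - added example for this thread, not part of Znuny.
# Connects the way Kernel/Config.pm tells Znuny to, then reports which
# scheme, port and cipher Net::LDAP really used.
use strict;
use warnings;
use Net::LDAP;

# Assumption (not from the thread): where the AD root CA bundle lives.
my $CA_FILE = $ENV{LDAP_CAFILE} // '/etc/ssl/certs/ad-root-ca.pem';

# Same value as Customer::AuthModule::LDAP::Host / CustomerUser Params Host.
# A Global Catalog would be 'ldaps://ad.domain.com:3269' (port in the URL).
my $Host = $ARGV[0] // 'ldaps://ad.domain.com';

# No 'port' option: Net::LDAP derives it from the scheme (389 for ldap://,
# 636 for ldaps://) or from the :port suffix of the URL, as Roy describes.
my $ldap = Net::LDAP->new(
    $Host,
    timeout => 20,
    version => 3,
    # Net::LDAP's default is verify => 'none': the session is encrypted but
    # any certificate is accepted, so ldaps:// alone does not stop a host
    # that impersonates the DC. 'require' plus the CA bundle closes that.
    verify  => 'require',
    cafile  => $CA_FILE,
) or die "connect to $Host failed: $@\n";

my $sock = $ldap->socket;
printf "scheme=%s host=%s port=%s peer=%s:%s\n",
    $ldap->scheme, $ldap->host, $ldap->port, $sock->peerhost, $sock->peerport;

die "connection is plaintext LDAP, not LDAPS\n" if $ldap->scheme ne 'ldaps';

# Only meaningful on a TLS socket, hence after the scheme check.
printf "cipher=%s\n", $ldap->cipher // '(unknown)';
printf "server cert subject=%s\n", $sock->peer_certificate('subject');

# An anonymous bind and a rootDSE read prove that LDAP is actually spoken
# over the TLS channel (AD answers rootDSE reads without credentials).
my $mesg = $ldap->bind;
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;

my $dse = $ldap->root_dse( attrs => [ 'defaultNamingContext', 'supportedLDAPVersion' ] );
printf "defaultNamingContext=%s\n", $dse->get_value('defaultNamingContext') // '(not published)';
$ldap->unbind;
```

Run it as the web server user, e.g. perl ldaps_check.pl ldaps://ad.domain.com; passing ldap://ad.domain.com instead makes it stop with "plaintext LDAP". The library-free cross-check on the Znuny host is ss -tnp state established '( dport = :636 )' while a customer logs in: the connection to the DC should appear there and not under dport = :389.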

Re: LDAPS

Post by dsekelybrs »

I was revisiting this issue and was able to change ldap to ldaps in the config. Once I did that, the agents were able to log in without any issues, but the customers (AD users) were not able to log in. Both agents and customers are using the same LDAP server. Customers get the following after they enter their username and password.

customers get the following

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at webmaster@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Apache/2.4.29 (Ubuntu) Server at otrs.domain.com Port 443

Re: LDAPS

Post by root »

Hi Dave,

Ok, then what's in the Apache error_log?

- Roy

Re: LDAPS

Post by dsekelybrs »

RemoteAddress:
RequestURI: /otrs/customer.pl

Traceback (6443):
Module: Kernel::System::CustomerUser::LDAP::new Line: 73
Module: Kernel::System::CustomerUser::new Line: 89
Module: Kernel::System::ObjectManager::_ObjectBuild Line: 306
Module: Kernel::System::ObjectManager::Get Line: 200
Module: Kernel::System::Web::InterfaceCustomer::Run Line: 204
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_customer_2epl::handler Line: 38
Module: (eval) (v1.99) Line: 207
Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
Module: ModPerl::Registry::handler (v1.99) Line: 32

ERROR: OTRS-CGI-10 Perl: 5.26.1 OS: linux Time: Thu May 25 03:45:18 2023

Message: Need CustomerUser->Params->Host in Kernel/Config.pm

Re: LDAPS

Post by root »

Hi David,

Can you post your CustomerUser and CustomerAuth configuration? There is something that does not match.

- Roy

Re: LDAPS

Post by dsekelybrs »

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldaps://ad.domain.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=All Users,dc=ad,dc=domain,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'service-otrs@AD.domain.COM';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '{password}';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
# $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'ou=Companies,dc=mydomain,dc=local';
# $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS Customers,cn=Users,dc=mydomain,dc=local';
# $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# $Self->{'Customer::AuthModule::LDAP::SSL'} = 1;

$Self->{CustomerUser} = {
    Name   => 'Active Directory',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'ldaps://ad.domain.com',
        # ldap base dn
        BaseDN => 'ou=All Users,dc=ad,dc=domain,dc=com',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'service-otrs@AD.domain.COM',
        UserPw => '{password}',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        #AlwaysFilter => '(&(objectclass=user)(!(objectclass=computer)))',
        # if both your frontend and your LDAP are unicode, use this:
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
        # if your frontend is unicode and the charset of your
        # ldap server is iso-8859-1, use these options.
        # SourceCharset => 'iso-8859-1',
        # DestCharset => 'utf-8',
        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            #port => 389,
            port    => 636,
            timeout => 120,
            async   => 0,
            version => 3,
        },
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['displayName', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'displayName', 'mail', 'sn'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
    # CustomerUserValidFilter => '(!(description=locked))',
    CustomerUserValidFilter => '(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    #CustomerUserValidFilter => '(&(objectclass=user)(!(objectclass=computer)))',

    # administrator can't change customer preferences
    AdminSetPreferences => 0,
    # cache time to live in sec. - cache any database queries
    CacheTTL => 14400,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 1 ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 1 ],
        [ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', 'https://portal.domain.com/view/[% Data.UserLogin %]', 1 ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 1 ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 1 ],
        # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 1 ],
        [ 'UserCompany', 'Company', 'company', 1, 0, 'var', '', 1 ],
        [ 'UserDepartment', 'Department', 'department', 1, 0, 'var', '', 1 ],
        [ 'UserJobTitle', 'Job Title', 'title', 1, 0, 'var', '', 1 ],
        [ 'UserPhone', 'Phone', 'homePhone', 1, 0, 'var', '', 1 ],
        [ 'UserMobile', 'Mobile Phone', 'mobile', 1, 0, 'var', '', 1 ],
        [ 'UserFax', 'Extension', 'ipPhone', 1, 0, 'var', '', 1 ],
        [ 'UserSite', 'Site Code', 'physicalDeliveryOfficeName', 1, 0, 'var', '', 1 ],
        # [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 1 ],
        # [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 1 ],
    ],
};
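For comparison, this is the shape the posted configuration takes once the port is dropped from both Params blocks and certificate checking is switched on. It is an added example, not David's file and not Znuny's shipped defaults: the "before" block is the bare-hostname, port-389 form the thread started from, the "after" block is the ldaps:// form with the Net::LDAP options that make the server prove its identity. The Customer::AuthModule::LDAP::Params hash is the CustomerAuth counterpart of the inner Params block shown in the thread; both are handed to Net::LDAP->new, which is why a port or TLS option placed there takes effect. Hostname, OU, service account and the CA bundle path are placeholders, and the %LDAPTLS variable is an assumption about layout (it sits inside sub Load of Kernel/Config.pm so both blocks share one definition).

```perl
# Kernel/Config.pm excerpt - added example, not the poster's file nor
# Znuny's defaults. Placeholders: ad.domain.com, the OU, service-otrs,
# and the CA bundle path.

# --- Before: what the thread moved away from -------------------------------
# Bare hostname plus an explicit port 389 means plaintext LDAP: the bind
# password of service-otrs and every customer's password cross the wire
# in the clear.
# $Self->{'Customer::AuthModule::LDAP::Host'}   = 'ad.domain.com';
# $Self->{'Customer::AuthModule::LDAP::Params'} = { port => 389, timeout => 120, async => 0, version => 3 };

# --- After: URL form, no port, server certificate verified -----------------
# Net::LDAP->new options shared by the CustomerAuth and CustomerUser backends.
# No 'port': Net::LDAP takes it from the URL scheme (or from :3269 in the
# URL for a Global Catalog). verify => 'require' makes Net::LDAP refuse a
# server whose certificate does not chain to cafile; its default, 'none',
# encrypts but authenticates nothing, so ldaps:// alone is not enough.
my %LDAPTLS = (
    timeout => 120,
    async   => 0,
    version => 3,
    verify  => 'require',
    cafile  => '/etc/ssl/certs/ad-root-ca.pem',   # assumption: AD root CA chain
);

$Self->{'Customer::AuthModule'}                     = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'}         = 'ldaps://ad.domain.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'}       = 'ou=All Users,dc=ad,dc=domain,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'service-otrs@AD.domain.COM';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '{password}';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'Customer::AuthModule::LDAP::Params'}       = { %LDAPTLS };

$Self->{CustomerUser} = {
    Name   => 'Active Directory',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host          => 'ldaps://ad.domain.com',   # same URL form as the auth module
        BaseDN        => 'ou=All Users,dc=ad,dc=domain,dc=com',
        SSCOPE        => 'sub',
        UserDN        => 'service-otrs@AD.domain.COM',
        UserPw        => '{password}',
        AlwaysFilter  => '(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
        # The inner Params block from the thread, minus the port entry.
        Params        => { %LDAPTLS },
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields             => [ 'displayName', 'mail' ],
    CustomerUserSearchFields           => [ 'sAMAccountName', 'displayName', 'mail', 'sn' ],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => [ 'givenname', 'sn' ],
    CustomerUserValidFilter            => '(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    CacheTTL => 14400,
    Map => [
        # var, frontend, storage, shown, required, storage-type, http-link, readonly
        [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var', '', 1 ],
        [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var', '', 1 ],
        [ 'UserLogin',      'Username',   'sAMAccountName', 1, 1, 'var', '', 1 ],
        [ 'UserEmail',      'Email',      'mail',           1, 1, 'var', '', 1 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var', '', 1 ],
    ],
};
```

After changing Config.pm, clear the cache (bin/otrs.Console.pl Maint::Cache::Delete) and log in once as an agent and once as a customer: a wrong cafile fails closed with a connect error in the Apache error_log rather than silently falling back to an unverified session.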

Re: LDAPS

Post by dsekelybrs »

root wrote: 26 May 2023, 07:51 Hi David,

Can you post your CustomerUser and CustomerAuth configuration? There is something that does not match.

- Roy
Is what I posted what you are looking for?

Re: LDAPS

Post by root »

Hi,

Yes, absolutely. But I can't see any problems with it. 🤷‍♂️ I'll send you a PM.

- Roy

Re: LDAPS

Post by dsekelybrs »

FYI I finally found the issue with the Config.pm

this line was the issue
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';

Should be
$Self->{'Customer::AuthModule'} = 'Kernel::System::Auth::LDAP';

Re: LDAPS

Post by root »

dsekelybrs wrote: 16 Jun 2023, 19:57 FYI I finally found the issue with the Config.pm

this line was the issue
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';

Should be
$Self->{'Customer::AuthModule'} = 'Kernel::System::Auth::LDAP';
Sorry, but this is weird. It is always like this:

- Agents: $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
- Customer User: $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';

Are both LDAP modules there? Check the file system below /opt/otrs for Kernel/System/Auth/LDAP.pm and Kernel/System/CustomerUser/LDAP.pm

- Roy

Re: LDAPS

Post by dsekelybrs »

root wrote: 16 Jun 2023, 20:33
dsekelybrs wrote: 16 Jun 2023, 19:57 FYI I finally found the issue with the Config.pm

this line was the issue
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';

Should be
$Self->{'Customer::AuthModule'} = 'Kernel::System::Auth::LDAP';
Sorry, but this is weird. It is always like this:

- Agents: $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
- Customer User: $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';

Are both LDAP modules there? Check the file system below /opt/otrs for Kernel/System/Auth/LDAP.pm and Kernel/System/CustomerUser/LDAP.pm

- Roy

/opt/otrs/Kernel/System# find . -name LDAP.pm
./CustomerUser/LDAP.pm
./Auth/Sync/LDAP.pm
./Auth/LDAP.pm
./CustomerAuth/LDAP.pm