LDAP Auth and AuthSync problems

Moderator: crythias

0xvenom
Znuny newbie
Posts: 3
Joined: 26 Sep 2022, 09:44
Znuny Version: LTS 6.0.43
Real Name: mansour alhmoud

LDAP Auth and AuthSync problems

Post by 0xvenom »

Hello Everyone!

I have a little problem here regarding syncing users from LDAP to the DB. I searched the whole internet and tried so many possibilities and still didn't manage to make it work; your help is much appreciated.

Our scenario is as follows:
We want to use Znuny for security incident handling, and in incident response we have multiple teams:
1. the core team (security team)
2. support team from networking department
3. support team from infrastructure operations department
4. etc...

I want to authenticate each of these teams separately, and I did that with no problem with the below config for each team:

Code:

    $Self->{AuthModule3} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host3'} = 'X.X.X.X';
    $Self->{'AuthModule::LDAP::BaseDN3'} = 'OU=<TEAM USERS DIRECTORY>,OU=Users,OU=XXXXX,DC=XXXXX,DC=XXXXX';
    $Self->{'AuthModule::LDAP::UID3'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::GroupDN3'} = 'CN=<TEAM GROUP>,CN=Users,DC=XXXXX,DC=XXXXX';
    $Self->{'AuthModule::LDAP::AccessAttr3'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr3'} = 'DN';
    $Self->{'AuthModule::LDAP::SearchUserDN3'} = 'AD_USER_FOR_AUTH';
    $Self->{'AuthModule::LDAP::SearchUserPw3'} = '<PASSWORD>';
    $Self->{'AuthModule::LDAP::AlwaysFilter3'} = '(ObjectClass=user)';
    $Self->{'AuthModule::LDAP::UserLowerCase3'} = 0;
    $Self->{'AuthModule::LDAP::Params3'} = {
        port    => 389,
        timeout => 10, # original value is 120
        async   => 0,
        version => 3,
    };
    $Self->{'AuthModule::LDAP::Die3'} = 1;
    $Self->{'AuthModule::UseSyncBackend3'} = 'AuthSyncBackend';

All users are able to authenticate, but we get this message after login: "Authentication succeeded, but no user data record is found in the database. Please contact the administrator."

Here are the sync settings:

Code:

    $Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'XXXX';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'XXXX';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'XXXX';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'XXXX';
    $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'EmailAddress',
    };
    $Self->{'AuthSyncModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };
    $Self->{'AuthSyncModule::LDAP::Die'} = 1;
    # Attributes needed for group syncs
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
    $Self->{'AuthSyncModule::LDAP::NestedGroupSearch'} = 1;
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
        'CN=SECURITYTEAM,OU=Groups,OU=XXXX,DC=XXXX,DC=XXXX' => {
            'admin' => {
                rw => 1,
            },
            'SOC' => {
                rw => 1,
            },
        },
        'CN=NETWORKTEAM,OU=Groups,OU=XXXX,DC=XXXX,DC=XXXX' => {
            'CNI' => {
                rw => 1,
            },
        },
        'CN=INFRATEAM,OU=Groups,OU=XXXX,DC=XXXX,DC=XXXX' => {
            'Infra-OPS' => {
                rw => 1,
            },
        }
    };
    # Attributes needed for role syncs
    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
        'CN=SECURITYTEAM,OU=XXXX,OU=XXXX,DC=XXXX,DC=XXXX' => {
            'SOC L2' => 1,
        },
        'CN=NETWORKTEAM,OU=Groups,OU=XXXX,DC=XXXX,DC=XXXX' => {
            'CNI' => 1,
        },
        'CN=INFRATEAM,OU=Groups,OU=XXXX,DC=XXXX,DC=XXXX' => {
            'Infra-OPS' => 1,
        }
    };

Please advise what is wrong here.
skullz
Znuny superhero
Posts: 624
Joined: 24 Feb 2012, 03:58
Znuny Version: LTS and Features
Real Name: Mo Azfar
Location: Kuala Lumpur, MY

Re: LDAP Auth and AuthSync problems

Post by skullz »

Try to append '3' as well

Code:

$Self->{AuthSyncModule3}
Xxxxxx3
Xxxxxx3
0xvenom
Znuny newbie
Posts: 3
Joined: 26 Sep 2022, 09:44
Znuny Version: LTS 6.0.43
Real Name: mansour alhmoud

Re: LDAP Auth and AuthSync problems

Post by 0xvenom »

Hello, Thanks for your response.

I got the following error after I applied your suggestion:

Code:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at example@example.com to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.
0xvenom
Znuny newbie
Posts: 3
Joined: 26 Sep 2022, 09:44
Znuny Version: LTS 6.0.43
Real Name: mansour alhmoud

Re: LDAP Auth and AuthSync problems

Post by 0xvenom »

skullz wrote: 16 Nov 2022, 14:12
Try to append '3' as well

Code:

$Self->{AuthSyncModule3}
Xxxxxx3
Xxxxxx3

I think I know where my problem is, but I don't know how to solve it.

I need to assign users to groups and roles based on LDAP group membership.
I do that using this:

Code:

    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition1'} = {
        'MemberOf' => {
            'CN=SECURITY_GROUP,OU=Groups,OU=XXXX,DC=XXXX,DC=XXXX' => {
                'admin' => {
                    rw => 1,
                },
                'SOC' => {
                    rw => 1,
                },
            },
            'CN=NETWORK_GROUP,OU=Groups,OU=XXXX,DC=XXXX,DC=XXXX' => {
                'Net-Ops' => {
                    rw => 1,
                },
            },
            'CN=INFRAOPS_GROUP,OU=Groups,OU=XXXX,DC=XXXX,DC=XXXX' => {
                'Infra-OPS' => {
                    rw => 1,
                },
            }
        }
    };

The LDAP object for a user contains a list of values for the MemberOf attribute.
Hence it does not work, and this is the error I get in the system logs:

Code:

Search failed! (MemberOf) filter='(member=CN=USERNAME,OU=Users,OU=Network & Information Security Unit,OU=XXXX,OU=Users,OU=XXXX,DC=XXXX,DC=XXXX)' 0000208F: NameErr: DSID-03100231, problem 2006 (BAD_NAME), data 8350, best match of:
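The two fixes discussed in this thread (skullz's '3' suffix so the sync keys pair with AuthModule3, and keying UserSyncGroupsDefinition by group DN rather than by a literal 'MemberOf' attribute name, since Znuny searches each key as an LDAP base with the filter `(member=<user DN>)`, which is exactly what the "Search failed! (MemberOf)" line shows) combined into one sync block. This is an added example, not the poster's config or Znuny's shipped defaults; the host, DNs, service account, the AD `mail` attribute and the Znuny group names are assumptions.

```perl
# Sync backend for the third auth backend (AuthModule3). Every key carries
# the same '3' suffix; unsuffixed keys belong to backend 1 only.
$Self->{AuthSyncModule3} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host3'}         = 'ldap.example.internal';                # placeholder
$Self->{'AuthSyncModule::LDAP::BaseDN3'}       = 'OU=Users,DC=example,DC=internal';     # placeholder
$Self->{'AuthSyncModule::LDAP::UID3'}          = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN3'} = 'CN=svc-znuny,OU=Service,DC=example,DC=internal';
$Self->{'AuthSyncModule::LDAP::SearchUserPw3'} = '<PASSWORD>';   # read-only bind account, no admin rights
$Self->{'AuthSyncModule::LDAP::AlwaysFilter3'} = '(objectClass=user)';
$Self->{'AuthSyncModule::LDAP::Params3'}       = { port => 389, timeout => 120, async => 0, version => 3 };
$Self->{'AuthSyncModule::LDAP::Die3'}          = 1;

# Attributes written into the agent record on first login (creates the
# "user data record" the login error complains about).
$Self->{'AuthSyncModule::LDAP::UserSyncMap3'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',    # assumed: Active Directory keeps the address in 'mail'
};

# Membership is resolved from the group side: for each key below Znuny searches
# base <key> with filter "(member=<user DN>)". Keys must therefore be group DNs;
# the multi-valued memberOf attribute on the user entry is never consulted.
$Self->{'AuthSyncModule::LDAP::AccessAttr3'}        = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr3'}          = 'DN';
$Self->{'AuthSyncModule::LDAP::NestedGroupSearch3'} = 1;

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups3'} = [ 'users' ];

$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition3'} = {
    # One AD group per team, each mapped to Znuny groups with explicit
    # permissions: rw only where the team works tickets, ro elsewhere.
    'CN=SECURITY_GROUP,OU=Groups,DC=example,DC=internal' => {
        'admin' => { rw => 1 },
        'SOC'   => { rw => 1 },
    },
    'CN=NETWORK_GROUP,OU=Groups,DC=example,DC=internal' => {
        'Net-Ops' => { rw => 1 },
        'SOC'     => { ro => 1 },   # may read security tickets, cannot change them
    },
    'CN=INFRAOPS_GROUP,OU=Groups,DC=example,DC=internal' => {
        'Infra-OPS' => { rw => 1 },
    },
};
```

Because the group lookup binds as SearchUserDN3 and searches under each group DN, that account only needs read access to the group objects and the users OU.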