Bind for Customer user failing

Moderator: crythias

Locked
blastik
Znuny newbie
Posts: 49
Joined: 24 Feb 2012, 09:59
Znuny Version: 5.0.16
Location: Barcelona, Spain
Contact:
Contact blastik

Bind for Customer user failing

Post by blastik »

Hi,

My LDAP sync for Agents and Customers works amazingly well but I'm doing some adjustments in our AD and I need to move the bind user called "otrs authentication" to another OU. Here is my current config:

Code: Select all

    
    # ---------------------------------------------------- #
    # LDAP for Agents                                      #
    # ---------------------------------------------------- #

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'xxxxx';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=xxxx,DC=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

#TO ENTER AS AGENT SHOULD BE MEMBER OF OTRSagents GROUP
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRSagents,OU=Security Groups,OU=MyBusiness,DC=xxxx,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';

$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs authentication,OU=Generic,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=xxxx,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxx';
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};

#SYNC
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'xxxxx';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=xxxx,DC=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=otrs authentication,OU=Generic,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=xxxx,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

    # ---------------------------------------------------- #
    # LDAP for Customers                                   #
    # ---------------------------------------------------- #

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'xxxxx';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=xxxx,DC=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs authentication,OU=Generic,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=xxxxx,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxx';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};



#SYNC
$Self->{CustomerUser} = {
    Name => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'xxxxx',
        # ldap base dn
        BaseDN => 'DC=xxxx,DC=local',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'CN=otrs authentication,OU=Generic,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=xxxx,DC=local',
        UserPw => 'xxxx',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '',
            # if both your frontend and your LDAP are unicode, use this:
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
            # if your frontend is unicode and the charset of your
            # ldap server is iso-8859-1, use these options.
            # SourceCharset => 'iso-8859-1',
            # DestCharset => 'utf-8',
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port => 389,
                timeout => 120,
                async => 0,
                version => 3,
            },
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
#    CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
#    # cache time to live in sec. - cache any database queries
#    CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'PhysicalDeliveryOfficeName', 1, 1, 'var', '', 0 ],
        [ 'UserCustomerIDs', 'CustomerIDs', 'sAMAccountName', 1, 0, 'var', '', 0 ],
        #[ 'UserOU', 'LDAP OU', 'dn', 1, 0, 'var', '', 0 ],
	[ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};
And here is the proposed new config with the updated location:

Code: Select all

    # ---------------------------------------------------- #
    # LDAP for Agents                                      #
    # ---------------------------------------------------- #

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'xxxxx';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=xxxx,DC=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

#TO ENTER AS AGENT SHOULD BE MEMBER OF OTRSagents GROUP
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRSagents,OU=Security,OU=xxxx_Groups and Services,DC=xxxx,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';

$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs authentication,OU=Service Accounts,OU=xxxx_Groups and Services,DC=xxxx,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxx';
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};

#SYNC
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'xxxxx';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=xxxx,DC=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=otrs authentication,OU=Service Accounts,OU=xxxx_Groups and Services,DC=xxxx,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

    # ---------------------------------------------------- #
    # LDAP for Customers                                   #
    # ---------------------------------------------------- #

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'xxxxx';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs authentication,OU=Service Accounts,OU=xxxx_Groups and Services,DC=xxxx,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxx';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};



#SYNC
$Self->{CustomerUser} = {
    Name => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'xxxxx',
        # ldap base dn
        BaseDN => 'DC=xxxx,DC=local',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'CN=otrs authentication,OU=Service Accounts,OU=xxxx_Groups and Services,DC=xxxx,DC=local',
        UserPw => 'xxxxx',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '(objectclass=person)',
            # if both your frontend and your LDAP are unicode, use this:
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
            # if your frontend is unicode and the charset of your
            # ldap server is iso-8859-1, use these options.
            # SourceCharset => 'iso-8859-1',
            # DestCharset => 'utf-8',
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port => 389,
                timeout => 120,
                async => 0,
                version => 3,
            },
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
#    CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
#    # cache time to live in sec. - cache any database queries
#    CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'PhysicalDeliveryOfficeName', 1, 1, 'var', '', 0 ],
        [ 'UserCustomerIDs', 'CustomerIDs', 'sAMAccountName', 1, 0, 'var', '', 0 ],
        #[ 'UserOU', 'LDAP OU', 'dn', 1, 0, 'var', '', 0 ],
	[ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};
Agents log in fine but not customers!!! :-x :-x :-x Getting error msg:

Code: Select all

First bind failed! 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
I've searching around in this forum and I can ensure that the password is totally fine (not expired and its correct) so please don't point out that as a reason cos I double checked.
"x" symbols means something I wanted to anonymise for the forum so don't take that into acocunt.

OTRS version 3.3.7

Please help me its driving me crazy!

Thanks!
David
OTRS 5
Ubuntu with MySQL
Authenticating users & agents via LDAP
Top
blastik
Znuny newbie
Posts: 49
Joined: 24 Feb 2012, 09:59
Znuny Version: 5.0.16
Location: Barcelona, Spain
Contact:
Contact blastik

Re: Bind for Customer user failing

Post by blastik »

Well... xfiles. I changed the location using the Admin interface instead of directly editing the Config.pm file and it works now??!!!
OTRS 5
Ubuntu with MySQL
Authenticating users & agents via LDAP
Top
Locked

Return to “General”