Customers can login as Agents with Active Directory Backend

Moderator: crythias

spike1197
Znuny newbie
Posts: 9
Joined: 02 Feb 2015, 18:48
Znuny Version: 5.0.5
Real Name: Paul

Customers can login as Agents with Active Directory Backend

Post by spike1197 »

I have Active Directory sync working for agents and customers; unfortunately, all customers can log into the agent interface as well.
I tried modifying the settings to signify a specific AD group, but when applied no one is able to log in (neither Agents nor Customers). I presume it is a configuration problem in the $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'; portion of the Config.pm.

I get this error message:

Jan 29 16:14:43 ei-otrs OTRS-CGI-10[16566]: [Notice][Kernel::System::Auth::LDAP::Auth] User: otrsuser authentication failed, no LDAP group entry foundGroupDN='CN=otrsagents,CN=Users,DC=**,DC=*************,DC=com', Filter='(memberUid=otrsuser)'!
otrsuser is a member of the otrsagents group.

LDAP integration:

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = '<Servername>.com';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=**,dc=**********,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=ldapsearch,cn=Users,dc=**,dc=**********,dc=com';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = '**********';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrsagents,CN=Users,DC=**,DC=***********,DC=com';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = '<servername>.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=**,dc=***********,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    # We only need to see users. Not computers and no disabled users. 
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';

    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=ldapsearch,cn=Users,dc=**,dc=***********,dc=com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '************';
AD Sync:

    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://<server>.com/';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=**,dc=************,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'sAMAccountName';
    #$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUID';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=ldapsearch,cn=Users,dc=**,dc=***********,dc=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '**********';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

Any help would be appreciated.
Last edited by spike1197 on 02 Feb 2015, 20:32, edited 1 time in total.
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: Customers can login as Agents with Active Directory Backend

Post by jojo »

try

    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
spike1197
Znuny newbie
Posts: 9
Joined: 02 Feb 2015, 18:48
Znuny Version: 5.0.5
Real Name: Paul

Re: Customers can login as Agents with Active Directory Backend

Post by spike1197 »

I believe I fixed this by changing the following

    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
with

    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
I have other questions but they aren't exactly related to this issue. I'll search and post a different topic if I can't find the answer.


Whoops. Thanks jojo. I guess I should refresh before posting. Your solution is exactly the answer.
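Why the original AccessAttr/UserAttr pair matched nothing and the fix works, as an added example that is not from this thread or from OTRS/Znuny code: it rebuilds the one-entry group lookup shown in the error message (base = GroupDN, filter = (AccessAttr=value)) and evaluates it against a constructed AD group entry. The DNs are made up, since the thread's real DNs are redacted.

```python
# Added example, not code from the thread or from OTRS/Znuny itself. It mimics
# how an LDAP auth backend turns AccessAttr/UserAttr into the group lookup in
# the error message (base = GroupDN, filter = (AccessAttr=value)) and checks it
# against a constructed AD group entry. DNs below are made up.

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name must not be able to reshape the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)

def group_filter(access_attr: str, user_attr: str, login: str, user_dn: str) -> str:
    """UserAttr 'DN' compares the user's full DN; anything else uses the login."""
    value = user_dn if user_attr.upper() == 'DN' else login
    return '(%s=%s)' % (access_attr, escape_filter_value(value))

def entry_matches(entry: dict, filt: str) -> bool:
    """Evaluate the single equality filter above. Attribute names and DNs are
    case-insensitive, so compare lowercased (escaping the stored side too)."""
    attr, _, wanted = filt[1:-1].partition('=')
    present = entry.get(attr.lower(), [])
    return any(escape_filter_value(v).lower() == wanted.lower() for v in present)

def agent_allowed(access_attr: str, user_attr: str, login: str,
                  user_dn: str, group: dict) -> bool:
    """Fail closed: a filter that matches nothing denies the agent login."""
    return entry_matches(group, group_filter(access_attr, user_attr, login, user_dn))

# Constructed AD group: membership is a list of full DNs in 'member'.
# AD groups carry no memberUid at all, so '(memberUid=otrsuser)' can never match.
AD_GROUP = {
    'cn': ['otrsagents'],
    'objectclass': ['top', 'group'],
    'member': ['CN=otrsuser,CN=Users,DC=example,DC=com'],
}
USER_DN = 'CN=otrsuser,CN=Users,DC=example,DC=com'

if __name__ == '__main__':
    # Original config: same filter as in the log line, matches nothing -> denied
    print(group_filter('memberUid', 'UID', 'otrsuser', USER_DN))
    print(agent_allowed('memberUid', 'UID', 'otrsuser', USER_DN, AD_GROUP))
    # Fixed config: compare the user's DN against the group's 'member' values
    print(agent_allowed('member', 'DN', 'otrsuser', USER_DN, AD_GROUP))
```

Without a GroupDN check at all, every AD account that passes AlwaysFilter can bind, which is exactly why customers could reach the agent interface in the first place.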