[SOLVED] LDAP (AD) Integration ALMOST working - Roles from Groups

[Linwood]

Running 4.0.5 on Ubuntu 14.01 LTS, against Windows 2008R2 AD, and trying to do Agent authentication (working fine) and initial sync (mostly OK), including roles (not working).

I'm getting this in the log:

Code: Select all

Feb 18 22:49:17 rpvh-servicedesk OTRS-CGI-37[1217]: [Notice][Kernel::System::Auth::LDAP::Auth] User: LFerguson (CN=Linwood Ferguson,OU=SpecialPurpose,DC=THEDOMAIN,DC=local) authentication ok (REMOTE_ADDR: 10.100.200.13).
Feb 18 22:49:17 rpvh-servicedesk OTRS-CGI-37[1217]: [Notice][Kernel::System::User::UserUpdate] User: 'Lferguson' updated successfully (1)!
Feb 18 22:49:17 rpvh-servicedesk OTRS-CGI-37[1217]: [Notice][Kernel::System::User::SetPassword] User: 'Lferguson' changed password successfully!
[b]Feb 18 22:49:17 rpvh-servicedesk OTRS-CGI-37[1217]: [Error][Kernel::System::Auth::Sync::LDAP::Sync][Line:604]: Search failed! (CN=Domain Admins,OU=Users,DC=THEDOMAIN,DC=local) filter='(member=CN=Linwood Ferguson,OU=SpecialPurpose,DC=THEDOMAIN,DC=local)' 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:#012#011'DC=THEDOMAIN,DC=local'[/b]

Using this config:

Code: Select all

    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'rpvh-dc1.THEDOMAIN.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=THEDOMAIN,dc=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'SAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=Linwood Ferguson,OU=SpecialPurpose,DC=THEDOMAIN,DC=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'THEPASSWORD';
    $Self->{'AuthSyncModule::LDAP::GroupDN'} = 'cn=OTRS Agents,ou=SpecialPurpose,dc=THEDOMAIN,dc=local';
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
    $Self->{UserSyncLDAPGroups} = [
        'users',
    ];
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
         'CN=Domain Admins,OU=Users,DC=THEDOMAIN,DC=local' => {
               'Test' => 1,
         },
    };

The account I am testing with (LFerguson in the example above) is in the Domain Admins group, which is indeed at the default location as shown. I've also set up another account just to be sure (no change in error), which also tested to ensure it did not require a first-time mapping as opposed to a second login (did not matter).

I've experimented with all sorts of variations based on prior postings. There may be just some silly typo above, but I can't see it.

I've read every posting I can find, including the ldap debugging one (but mostly ldap is working for me).

I'm using my own domain admin as the search user/password (for now) to ensure there are no permission issues.

I've tried reproducing this with ldapsearch and I guess in a sense I did -- if I use (member=cn=...) as above in the log it doesn't find the group (specified by -b) but I'm not sure if it is supposed to or not, I've only searched in the past with memberof.

I would much appreciate it if someone could give me a pointer. It's so close to working!!

[Linwood]

No one? Is there more info I can provide?

I'm just lost -- everything seems right, LDAP generally working, it's like I'm just missing something for the group search.

[Linwood]

Sigh.... it's the simple things that get you.

My problem turned out to be a typo. I had Domain Admins listed as

'CN=Domain Admins,OU=Users,DC=THEDOMAIN,DC=local'

But users is a container:

'CN=Domain Admins,CN=Users,DC=THEDOMAIN,DC=local'

I guess the error message makes sense now that I can the cause thought it's pretty obscure before hindsight.