Ldap fail with Domain Users group

Moderator: crythias

depo
Znuny newbie
Posts: 5
Joined: 21 May 2015, 14:29
Znuny Version: Version 3

Ldap fail with Domain Users group

Post by depo »

Hello,

We have OTRS 3.1.7 in a domain environment, and I would like to add all domain users as customers.
If I create a new group (otrs_ldap) and add a user to that group, everything works fine:
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=otrs_ldap,OU=Groups,DC=company,DC=com';

But instead I want that if a user is in the domain, he would authenticate as a customer by default, instead of adding the user to an additional group, so CN=Domain Users should work?
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Domain Users,OU=Users,DC=company,DC=com';

But it doesn't. There is nothing in /var/log/messages (there were errors before). Maybe there is some catch about Domain Users?


Full config:

Code:

# Enable LDAP Authentication Sync for Agent #
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://10.2.4.4:389';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=company,dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';

$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=Admin,CN=Users,DC=company,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'superpass';

# Enable Agent Mapping from LDAP to DB #
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# Enable Customer Authentication
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'lokys.company.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=company,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Domain Users,OU=Users,DC=company,DC=com';
#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=otrs_ldap,OU=Groups,DC=company,DC=com';

$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=Admin,CN=Users,DC=company,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'superpass';
#$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

$Self->{CustomerUser} = {
        Name => 'LMH Users',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host => 'lokys.company.com',
            BaseDN => 'dc=company,dc=com',
            SSCOPE => 'sub',
            UserDN => 'CN=Admin,CN=Users,DC=company,DC=com',
            UserPw => 'superpass',
            AlwaysFilter => '',
            Params => {
                port => 389,
                timeout => 120,
                async => 0,
                version => 3,
            },
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        CustomerUserExcludePrimaryCustomerID => 0,
        AdminSetPreferences => 0,
        Map => [
            [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'sAMAccountName',             1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],

        ],
    };
Last edited by crythias on 21 May 2015, 15:31, edited 1 time in total.
Reason: [code] tags for sanity.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Ldap fail with Domain Users group

Post by crythias »

depo wrote: We have OTRS 3.1.7 in a domain environment, and I would like to add all domain users as customers.
So why do you want to use a group?
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
depo
Znuny newbie
Posts: 5
Joined: 21 May 2015, 14:29
Znuny Version: Version 3

Re: Ldap fail with Domain Users group

Post by depo »

Well, so everyone can see their ticket status. And after creating a user in the AD environment, it will be automatically added to the Domain Users group and will be able to authenticate by default to OTRS.

Isn't this the idea of using LDAP with OTRS, so it takes user info automatically?
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Ldap fail with Domain Users group

Post by crythias »

Let me rephrase... what's the point of using groups if your group is all domain users, which is *generally* every user anyway? As in, don't use the Group entry and see what happens. You should probably filter for users that aren't disabled and have mail though.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
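The following is an added example, not code from this thread or from OTRS. It models in Python what the customer-auth settings quoted in the first post (AccessAttr => 'member', UserAttr => 'DN') actually check, and why that check behaves differently for Domain Users: in Active Directory, membership in a user's primary group (Domain Users by default, RID 513) is stored on the user object as primaryGroupID and is not listed in the group's member attribute, so a lookup that only reads member finds nobody there. It also builds the kind of AlwaysFilter crythias suggests, admitting only enabled user objects that have a mail attribute, using the standard AD bitwise-AND matching rule on userAccountControl. The directory entries are constructed sample data; the DNs follow the thread, and the filter string is my own suggestion, not an OTRS default.

```python
# Added example (not from the thread or from OTRS): a model of the membership
# check a member-attribute lookup performs, the primary-group case it misses,
# and an AlwaysFilter that keeps only enabled users with a mail address.

UAC_ACCOUNTDISABLE = 0x0002   # userAccountControl bit set on disabled accounts
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND rule OID

GROUP_DN = "CN=otrs_ldap,OU=Groups,DC=company,DC=com"
DOMAIN_USERS_DN = "CN=Domain Users,OU=Users,DC=company,DC=com"

# Constructed directory: DN -> attributes. Primary-group membership lives on
# the user (primaryGroupID) and is not mirrored into the group's member
# attribute, which is why the Domain Users member list is empty here.
DIRECTORY = {
    "CN=Alice,OU=Users,DC=company,DC=com": {
        "objectClass": ["user"], "sAMAccountName": "alice",
        "mail": "alice@company.com", "userAccountControl": 512, "primaryGroupID": 513,
    },
    "CN=Bob,OU=Users,DC=company,DC=com": {   # disabled account (bit 0x2 set)
        "objectClass": ["user"], "sAMAccountName": "bob",
        "mail": "bob@company.com", "userAccountControl": 514, "primaryGroupID": 513,
    },
    "CN=svc-backup,OU=Users,DC=company,DC=com": {   # enabled, but has no mail
        "objectClass": ["user"], "sAMAccountName": "svc-backup",
        "userAccountControl": 512, "primaryGroupID": 513,
    },
    GROUP_DN: {"objectClass": ["group"],
               "member": ["CN=Alice,OU=Users,DC=company,DC=com"]},
    DOMAIN_USERS_DN: {"objectClass": ["group"], "member": [],
                      "primaryGroupToken": 513},
}


def member_attr_check(group_dn, user_dn):
    """What AccessAttr => 'member' with UserAttr => 'DN' tests: is the user's
    DN listed in the group's member attribute?"""
    return user_dn in DIRECTORY[group_dn].get("member", [])


def primary_group_check(group_dn, user_dn):
    """Membership via the user's primaryGroupID, invisible to the check above."""
    return (DIRECTORY[user_dn].get("primaryGroupID")
            == DIRECTORY[group_dn].get("primaryGroupToken"))


def always_filter():
    """Suggested AlwaysFilter value: user objects with mail that are not disabled."""
    return (f"(&(objectClass=user)(mail=*)"
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_ACCOUNTDISABLE})))")


def matches_always_filter(attrs):
    """Evaluate the same predicate locally against one entry's attributes."""
    return ("user" in attrs.get("objectClass", [])
            and bool(attrs.get("mail"))
            and not attrs.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE)


def permitted_customers():
    """sAMAccountNames that would pass the filter with no GroupDN configured."""
    return sorted(a["sAMAccountName"] for a in DIRECTORY.values()
                  if matches_always_filter(a))


if __name__ == "__main__":
    alice = "CN=Alice,OU=Users,DC=company,DC=com"
    print("otrs_ldap via member:", member_attr_check(GROUP_DN, alice))               # True
    print("Domain Users via member:", member_attr_check(DOMAIN_USERS_DN, alice))     # False
    print("Domain Users via primaryGroupID:", primary_group_check(DOMAIN_USERS_DN, alice))  # True
    print("AlwaysFilter:", always_filter())
    print("permitted customers:", permitted_customers())                             # ['alice']
```

Running the script shows the asymmetry the thread is circling: the same user passes the member-attribute check for otrs_ldap and fails it for Domain Users, while the primaryGroupID check succeeds. Dropping GroupDN and relying on the filter instead admits only alice, since bob is disabled and svc-backup has no mail, which is the narrower set of accounts a ticket system should accept as customers.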
depo
Znuny newbie
Posts: 5
Joined: 21 May 2015, 14:29
Znuny Version: Version 3

Re: Ldap fail with Domain Users group

Post by depo »

So you are saying I can disable
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Domain Users,OU=Users,DC=company,DC=com';
?
and just leave
$Self->{CustomerUser} = {
Name => 'LMH Users',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {....

and users will be able to authenticate?
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Ldap fail with Domain Users group

Post by crythias »

What did your own testing tell you?
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
depo
Znuny newbie
Posts: 5
Joined: 21 May 2015, 14:29
Znuny Version: Version 3

Re: Ldap fail with Domain Users group

Post by depo »

Well, it says:

Oops! An Error occurred.
Error Message: Access denied for user 'otrs'@'localhost' (using password: NO)
Please contact your administrator.
You can Send a bugreport or go back to the previous page.

Backend ERROR: OTRS-CGI-10 Perl: 5.14.2 OS: linux Time: Wed May 27 11:52:18 2015 Message: Access denied for user 'otrs'@'localhost' (using password: NO) Traceback (3441): Module: Kernel::System::DB::new (v1.144.2.1) Line: 227 Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 143 Module: ModPerl::ROOT::ModPerl::Registry::usr_share_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46 Module: (eval) (v1.90) Line: 204 Module: ModPerl::RegistryCooker::run (v1.90) Line: 204 Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170 Module: ModPerl::Registry::handler (v1.99) Line: 31

None of the agents could log in.
This actually happened to me before, after changing from the manually created group to the Domain Users group, and vice versa.
I had to reset password from shell for root@localhost and had to change password for all agents manually.


Also, before this error, all OTRS messages were in /var/log/messages; since then nothing shows up there.