LDAP Sync search failed error

Moderator: crythias

aph
Znuny superhero
Posts: 646
Joined: 20 Jun 2014, 12:11
Znuny Version: 3.3.9, 4.x, 5.x

LDAP Sync search failed error

Post by aph »

I'm using LDAP to authenticate agents to OTRS and I sync OTRS roles with Active Directory groups.
I see the following errors in the OTRS logs:

Search failed! (CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=intra) filter='CN=xxxx xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=intra' Success

User: xxxxx not in GroupDN='CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=intra', Filter='(userPrincipalName=xxxx.xxxx@xxxx.com)'! (REMOTE_ADDR: xx.xxx.xx.xx).
These errors seem to make up most of the error logs. They also don't seem to be of consequence, as users are able to log in successfully. What does this error then signify? How can I prevent these errors from occurring?
OTRS 3.3.x (private/testing) on Windows Server 2008 with MSSQL database.
OTRS 3.3.x (private/testing) on CentOS with MySQL database and apache
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: LDAP Sync search failed error

Post by crythias »

The second error is because you're filtering group membership with non-group attributes.

What it probably should be:

    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=intra';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
        # for non ldap posixGroups objectclass (with full user dn)
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
What you probably have:

    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=intra';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'userPrincipalName';
        # for non ldap posixGroups objectclass (with full user dn)
    $Self->{'AuthModule::LDAP::UserAttr'} = 'userPrincipalName';
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
crythias

Re: LDAP Sync search failed error

Post by crythias »

The first error is because it's not a filter.

Search failed! (CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=intra) filter='CN=xxxx xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=intra' Success
I believe this is likely literally shown in your Config as:

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    # or if you want to filter with a logical OR-Expression, like AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = 'CN=xxxx xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=intra';
At the minimum, it should have parentheses () around the entry, as well as an attribute that it's testing against.
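The two replies above can be checked offline with a small RFC 4515 filter parser and matcher. This is an added example written for this thread, not OTRS/Znuny code and not crythias's; the directory entries, DNs, names and function names in it are constructed for illustration. It mirrors the GroupDN/AccessAttr/UserAttr check (search under GroupDN for `(AccessAttr=<value of UserAttr>)`), shows that the userPrincipalName pairing matches nothing on a group object because a group carries `member` values, not principal names, rejects a bare DN like the one in the first log line because it is not a filter, and escapes user-supplied values the way any login name interpolated into a filter should be.

```python
"""Minimal RFC 4515 LDAP filter parser/evaluator (added example, not OTRS code).

Covers the subset used in the thread: (attr=value) with '*' wildcards and
\\xx hex escapes, plus (&...), (|...) and (!...). Comparison filters such as
>= and ~= are deliberately not supported."""
import re


class FilterSyntaxError(ValueError):
    """Raised when a string is not a syntactically valid RFC 4515 filter."""


_ITEM = re.compile(r'([A-Za-z][A-Za-z0-9.;-]*)=([^()]*)')


def parse_filter(text):
    """Parse a filter string into a nested tuple AST, or raise FilterSyntaxError."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterSyntaxError(f"trailing data at offset {pos}")
    return node


def _parse(s, i):
    # Every filter, including a plain (attr=value) item, is wrapped in parentheses.
    if i >= len(s) or s[i] != '(':
        raise FilterSyntaxError(f"expected '(' at offset {i}: not a filter")
    i += 1
    if i < len(s) and s[i] in '&|':
        op = 'and' if s[i] == '&' else 'or'
        i += 1
        items = []
        while i < len(s) and s[i] == '(':
            sub, i = _parse(s, i)
            items.append(sub)
        if not items:
            raise FilterSyntaxError(f"empty {op} at offset {i}")
        node = (op, items)
    elif i < len(s) and s[i] == '!':
        sub, i = _parse(s, i + 1)
        node = ('not', sub)
    else:
        m = _ITEM.match(s, i)
        if not m:
            raise FilterSyntaxError(f"expected attr=value at offset {i}")
        node = ('eq', m.group(1).lower(), m.group(2))
        i = m.end()
    if i >= len(s) or s[i] != ')':
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return node, i + 1


def _unescape(value):
    # \\2a, \\28 ... are literal bytes; decoded after wildcard splitting so an
    # escaped asterisk stays literal.
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)


def _value_matches(pattern, value):
    parts = [re.escape(_unescape(p)) for p in pattern.split('*')]
    return re.fullmatch('.*'.join(parts), value, re.IGNORECASE) is not None


def matches(ast, entry):
    """Evaluate a parsed filter against an entry (dict: lowercased attr -> list of values)."""
    kind = ast[0]
    if kind == 'and':
        return all(matches(f, entry) for f in ast[1])
    if kind == 'or':
        return any(matches(f, entry) for f in ast[1])
    if kind == 'not':
        return not matches(ast[1], entry)
    _, attr, pattern = ast
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a filter. Apply it to
    anything user-controlled (a login name), or '*', '(' and ')' become syntax."""
    return ''.join(f'\\{ord(c):02x}' if c in '\\*()\x00' else c for c in value)


def search(directory, base_dn, filter_text):
    """Stand-in for an LDAP search rooted at base_dn; a group object has no
    children, so base scope is equivalent to subtree here. Returns matching DNs."""
    ast = parse_filter(filter_text)
    return [dn for dn, entry in directory.items()
            if dn.lower() == base_dn.lower() and matches(ast, entry)]


def user_in_group(directory, group_dn, access_attr, user_attr, user_dn):
    """Mirror of the thread's GroupDN/AccessAttr/UserAttr check: search under
    GroupDN for (AccessAttr=<user's UserAttr value>). With UserAttr='DN' that
    value is the user's own DN, which is exactly what a 'member' attribute holds."""
    if user_attr.upper() == 'DN':
        value = user_dn
    else:
        values = directory[user_dn].get(user_attr.lower(), [])
        if not values:
            return False
        value = values[0]
    return bool(search(directory, group_dn, f"({access_attr}={escape_filter_value(value)})"))


def is_valid_filter(text):
    """True if text parses as a filter; run this on an AlwaysFilter before deploying it."""
    try:
        parse_filter(text)
        return True
    except FilterSyntaxError:
        return False


# Constructed sample directory (hypothetical DNs and values, attribute names lowercased).
GROUP_DN = "CN=otrs-agents,OU=Groups,DC=example,DC=intra"
USER_DN = "CN=Jane Doe,OU=Users,DC=example,DC=intra"
DIRECTORY = {
    GROUP_DN: {"objectclass": ["group"], "cn": ["otrs-agents"], "member": [USER_DN]},
    USER_DN: {"objectclass": ["user"], "cn": ["Jane Doe"], "samaccountname": ["jdoe"],
              "userprincipalname": ["jane.doe@example.com"]},
}

if __name__ == "__main__":
    print("member/DN:", user_in_group(DIRECTORY, GROUP_DN, "member", "DN", USER_DN))
    print("userPrincipalName/userPrincipalName:",
          user_in_group(DIRECTORY, GROUP_DN, "userPrincipalName", "userPrincipalName", USER_DN))
    print("AlwaysFilter is a filter:", is_valid_filter("CN=xxxx xxxx,OU=xxxx,DC=xxxx,DC=intra"))
```

With the member/DN pairing the constructed agent is found in the group; with userPrincipalName on both sides the search under the group DN finds nothing, which is the "not in GroupDN" message from the log, and the bare DN is rejected as a filter. Against a real directory the same check can be reproduced before touching Config.pm with ldapsearch -b <GroupDN> '(member=<user DN>)'.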
aph

Re: LDAP Sync search failed error

Post by aph »

As far as the first error is concerned, I don't have any $Self->{'AuthModule::LDAP::AlwaysFilter'} entries in my configuration.
In the case of the second error, I have this in my configuration:

    $Self->{'AuthModule::ConnectAD::GroupDN1'} = 'CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=intra';
    $Self->{'AuthModule::ConnectAD::AccessAttr1'} = 'member';
    ......
    $Self->{'AuthModule::ConnectAD::GroupDN2'} = 'CN=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=intra';
    $Self->{'AuthModule::ConnectAD::AccessAttr2'} = 'member';
Note: I'm using a non-core module, ConnectAD. But even using the LDAP module gives me the same errors.
crythias

Re: LDAP Sync search failed error

Post by crythias »

I can't support that.
aph

Re: LDAP Sync search failed error

Post by aph »

Even when I use the core LDAP module, I get the same errors.
crythias

Re: LDAP Sync search failed error

Post by crythias »

aph wrote: Even when I use the core LDAP module, I get the same errors.
Then you're not making changes on the entry that applies to the error. Make sure you're not also making entries in SysConfig.