OTRS 5 LDAP Agent Auth Problem

kmast
Znuny newbie
Posts: 10
Joined: 18 Feb 2016, 18:20
Znuny Version: 5.0.6

OTRS 5 LDAP Agent Auth Problem

Post by kmast »

I am getting this error --

OTRS-CGI-88[23766]: [Error][Kernel::System::User::UserLookup][Line:923]: No UserID found for 'kmast'! SELECT id FROM users WHERE (login) = ?

My bind is working --

Code:

slapd[23601]: conn=1002 fd=10 ACCEPT from IP=127.0.0.1:44387 (IP=0.0.0.0:389)
slapd[23601]: conn=1002 op=0 BIND dn="cn=root,dc=ufl,dc=edu" method=128
slapd[23601]: conn=1002 op=0 BIND dn="cn=root,dc=ufl,dc=edu" mech=SIMPLE ssf=0
slapd[23601]: conn=1002 op=0 RESULT tag=97 err=0 text=
slapd[23601]: conn=1002 op=1 SRCH base="dc=ufl,dc=edu" scope=2 deref=2 filter="(uid=kmast)"
slapd[23601]: conn=1002 op=1 SRCH attr=uid
slapd[23601]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[23601]: conn=1002 op=2 BIND anonymous mech=implicit ssf=0
slapd[23601]: conn=1002 op=2 BIND dn="cn=Kevin Masteller,ou=people,dc=ufl,dc=edu" method=128
slapd[23601]: conn=1002 op=2 RESULT tag=97 err=49 text=
slapd[23601]: conn=1002 op=3 UNBIND
slapd[23601]: conn=1002 fd=10 closed

My Config.pm looks like this --

Code:

   # agent data sync against ldap
   $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
   $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://127.0.0.1/';
   $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=ufl,dc=edu';
   $Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
   $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=root,dc=ufl,dc=edu';
   $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'test';
   $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
       # DB -> LDAP
       UserFirstname => 'givenName',
       UserLastname  => 'sn',
       UserEmail     => 'email',
   };

   # AuthSyncModule::LDAP::UserSyncInitialGroups
   # (sync following group with rw permission after initial create of first agent
   # login)
   $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
       'users',
   ];

   # This is an example configuration for an LDAP auth. backend.
   # (Make sure Net::LDAP is installed!)
   $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
   $Self->{'AuthModule::LDAP::Host'} = '127.0.0.1';
   $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=ufl,dc=edu';
   $Self->{'AuthModule::LDAP::UID'} = 'uid';

   # for ldap posixGroups objectclass (just uid)
   $Self->{'AuthModule::LDAP::UserAttr'} = 'uid';

   # The following is valid but would only be necessary if the
   # anonymous user do NOT have permission to read from the LDAP tree
   $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=test,dc=ufl,dc=edu';
   $Self->{'AuthModule::LDAP::SearchUserPw'} = 'test';

I'm not really sure where the issue is, as slapd.log shows the bind is working fine and returning info from the search...
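One way to read a trace like the one above, added here as an example and not part of the original post: this Python script groups the slapd lines by connection and operation and names each BIND result (err=49 is LDAP resultCode invalidCredentials in RFC 4511), so the search bind, the uid search and the agent's own bind can be told apart at a glance. The log lines in the block are constructed from the excerpt above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the slapd lines quoted in the post above
# (not a live capture). op=0 is the SearchUserDN bind, op=1 the uid search,
# op=2 the bind with the agent's own credentials.
SAMPLE_LOG = """\
slapd[23601]: conn=1002 op=0 BIND dn="cn=root,dc=ufl,dc=edu" method=128
slapd[23601]: conn=1002 op=0 RESULT tag=97 err=0 text=
slapd[23601]: conn=1002 op=1 SRCH base="dc=ufl,dc=edu" scope=2 deref=2 filter="(uid=kmast)"
slapd[23601]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[23601]: conn=1002 op=2 BIND dn="cn=Kevin Masteller,ou=people,dc=ufl,dc=edu" method=128
slapd[23601]: conn=1002 op=2 RESULT tag=97 err=49 text=
"""

# LDAP resultCode values (RFC 4511) that usually explain an auth trace.
RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights"}

LINE_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=\d .*filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"RESULT tag=\d+ err=(?P<err>\d+)(?: nentries=(?P<n>\d+))?")

def parse_operations(log: str) -> List[dict]:
    """Group slapd lines by (conn, op) and attach each op's result code."""
    ops: Dict[Tuple[str, str], dict] = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ACCEPT / closed lines carry no op= and are skipped
        entry = ops.setdefault((m["conn"], m["op"]),
                               {"conn": m["conn"], "op": int(m["op"]), "kind": None})
        rest = m["rest"]
        if (b := BIND_RE.search(rest)):
            entry.update(kind="BIND", dn=b["dn"])
        elif (s := SRCH_RE.search(rest)):
            entry.update(kind="SEARCH", base=s["base"], filter=s["filter"])
        elif (r := RESULT_RE.search(rest)):
            err = int(r["err"])
            entry.update(err=err, status=RESULT_CODES.get(err, f"err={err}"))
            if r["n"] is not None:
                entry["nentries"] = int(r["n"])
    return list(ops.values())

def failed_binds(log: str) -> List[dict]:
    """BIND operations whose RESULT was not err=0; these are the lines to read
    first when the search succeeds but the login is still rejected."""
    return [o for o in parse_operations(log) if o["kind"] == "BIND" and o.get("err", 0) != 0]
```

Run against a real slapd log the same way: the search bind and the uid search succeeding while the agent's own bind returns invalidCredentials points at the credentials the agent typed or the way the directory stores them, not at the OTRS search configuration.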

EXG133
Znuny expert
Posts: 217
Joined: 06 Aug 2012, 18:12
Znuny Version: 3.1.7 & 4.04

Re: OTRS 5 LDAP Agent Auth Problem

Post by EXG133 »

I'm not sure it's required but try adding this line:

$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';

kmast
Znuny newbie
Posts: 10
Joined: 18 Feb 2016, 18:20
Znuny Version: 5.0.6

Re: OTRS 5 LDAP Agent Auth Problem

Post by kmast »

EXG133 wrote: I'm not sure it's required but try adding this line:

$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
This made no difference, I still got the same error....

jjurkus
Znuny newbie
Posts: 54
Joined: 29 Jan 2016, 15:36
Znuny Version: 6.0.17

Re: OTRS 5 LDAP Agent Auth Problem

Post by jjurkus »

Can you connect to that LDAP with another tool, to make sure that it's working?
OTRS 6.0.x on CentOS 7 with a PostgreSQL database.

kmast
Znuny newbie
Posts: 10
Joined: 18 Feb 2016, 18:20
Znuny Version: 5.0.6

Re: OTRS 5 LDAP Agent Auth Problem

Post by kmast »

jjurkus wrote: Can you connect to that LDAP with another tool, to make sure that it's working?

I can use the ldapsearch and ldappasswd commands as expected, so I don't think the issue is with the LDAP setup.

jjurkus
Znuny newbie
Posts: 54
Joined: 29 Jan 2016, 15:36
Znuny Version: 6.0.17

Re: OTRS 5 LDAP Agent Auth Problem

Post by jjurkus »

kmast wrote:

Code:

   # agent data sync against ldap
   $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=root,dc=ufl,dc=edu';
   $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'test';

   # The following is valid but would only be necessary if the
   # anonymous user do NOT have permission to read from the LDAP tree
   $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=test,dc=ufl,dc=edu';
   $Self->{'AuthModule::LDAP::SearchUserPw'} = 'test';

Are these correct? The one is using root, the other is using test.
OTRS 6.0.x on CentOS 7 with a PostgreSQL database.

kmast
Znuny newbie
Posts: 10
Joined: 18 Feb 2016, 18:20
Znuny Version: 5.0.6

Re: OTRS 5 LDAP Agent Auth Problem

Post by kmast »

jjurkus wrote:
kmast wrote:

Code:

   # agent data sync against ldap
   $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=root,dc=ufl,dc=edu';
   $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'test';

   # The following is valid but would only be necessary if the
   # anonymous user do NOT have permission to read from the LDAP tree
   $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=test,dc=ufl,dc=edu';
   $Self->{'AuthModule::LDAP::SearchUserPw'} = 'test';

Are these correct? The one is using root, the other is using test.

I fixed this shortly after posting so that both use root; I probably should have mentioned that. But barring this, the setup shown above is exactly what I am using...

jjurkus
Znuny newbie
Posts: 54
Joined: 29 Jan 2016, 15:36
Znuny Version: 6.0.17

Re: OTRS 5 LDAP Agent Auth Problem

Post by jjurkus »

Maybe add this:

Code:

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
        sscope => 'sub',
    };

It says 'if needed', but I don't know what the defaults are; maybe it doesn't search the entire tree, only the baseDN you have selected.
OTRS 6.0.x on CentOS 7 with a PostgreSQL database.

kmast
Znuny newbie
Posts: 10
Joined: 18 Feb 2016, 18:20
Znuny Version: 5.0.6

Re: OTRS 5 LDAP Agent Auth Problem

Post by kmast »

jjurkus wrote: Maybe add this:

Code:

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
        sscope => 'sub',
    };

It says 'if needed', but I don't know what the defaults are; maybe it doesn't search the entire tree, only the baseDN you have selected.

Ok, I added this part with no change to the error message I am getting --

Code:

OTRS-CGI-88[2985]: [Error][Kernel::System::User::UserLookup][Line:923]: No UserID found for 'kmast'! SELECT id FROM users WHERE (login) = ?

It seems to me that OTRS is checking with LDAP, but isn't syncing the user with its own internal user DB, maybe? Since I see the bind to LDAP and returned data, and am able to set user passwords for LDAP, but OTRS is saying no valid user.....

jjurkus
Znuny newbie
Posts: 54
Joined: 29 Jan 2016, 15:36
Znuny Version: 6.0.17

Re: OTRS 5 LDAP Agent Auth Problem

Post by jjurkus »

Do you have a line like this in Config.pm perhaps?

Code:

    $Self->{'AuthModule'} = 'Kernel::System::Auth::DB';

Maybe copy/paste your entire Config.pm here.
OTRS 6.0.x on CentOS 7 with a PostgreSQL database.

kmast
Znuny newbie
Posts: 10
Joined: 18 Feb 2016, 18:20
Znuny Version: 5.0.6

Re: OTRS 5 LDAP Agent Auth Problem

Post by kmast »

Entire Config.pm:

Code:

# --
# Copyright (C) 2001-2016 xxx, http://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
#  Note:
#
#  -->> Most OTRS configuration should be done via the OTRS web interface
#       and the SysConfig. Only for some configuration, such as database
#       credentials and customer data source changes, you should edit this
#       file. For changes do customer data sources you can copy the definitions
#       from Kernel/Config/Defaults.pm and paste them in this file.
#       Config.pm will not be overwritten when updating OTRS.
# --

package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # The database host
    $Self->{'DatabaseHost'} = '127.0.0.1';

    # The database name
    $Self->{'Database'} = "otrs";

    # The database user
    $Self->{'DatabaseUser'} = "otrs";

    # The password of database user. You also can use bin/otrs.Console.pl Maint::Database::PasswordCrypt
    # for crypted passwords
    $Self->{'DatabasePw'} = 'test';

    # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
    $Self->{'DatabaseDSN'} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost}";

    # The database DSN for PostgreSQL ==> more: "perldoc DBD::Pg"
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a TCP/IP connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # The database DSN for Microsoft SQL Server - only supported if OTRS is
    # installed on Windows as well
#    $Self->{DatabaseDSN} = "DBI:ODBC:driver={SQL Server};Database=$Self->{Database};Server=$Self->{DatabaseHost},1433";

    # The database DSN for Oracle ==> more: "perldoc DBD::oracle"
#    $Self->{DatabaseDSN} = "DBI:Oracle://$Self->{DatabaseHost}:1521/$Self->{Database}";
#
#    $ENV{ORACLE_HOME}     = '/path/to/your/oracle';
#    $ENV{NLS_DATE_FORMAT} = 'YYYY-MM-DD HH24:MI:SS';
#    $ENV{NLS_LANG}        = 'AMERICAN_AMERICA.AL32UTF8';

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$


   # agent data sync against ldap
   $Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
   $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
   $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://127.0.0.1/';
   $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=ufl,dc=edu';
   $Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
   $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=root,dc=ufl,dc=edu';
   $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'test';
   $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
       # DB -> LDAP
       UserFirstname => 'givenName',
       UserLastname  => 'sn',
       UserEmail     => 'email',
   };

   # AuthSyncModule::LDAP::UserSyncInitialGroups
   # (sync following group with rw permission after initial create of first agent
   # login)
   $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
       'users',
   ];




   # This is an example configuration for an LDAP auth. backend.
   # (Make sure Net::LDAP is installed!)
   $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
   $Self->{'AuthModule::LDAP::Host'} = '127.0.0.1';
   $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=ufl,dc=edu';
   $Self->{'AuthModule::LDAP::UID'} = 'uid';

   # for ldap posixGroups objectclass (just uid)
   $Self->{'AuthModule::LDAP::UserAttr'} = 'uid';

   # The following is valid but would only be necessary if the
   # anonymous user do NOT have permission to read from the LDAP tree
   $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=root,dc=ufl,dc=edu';
   $Self->{'AuthModule::LDAP::SearchUserPw'} = 'test';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
        sscope => 'sub',
    };



    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    # end of your own config options!!!                    #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #

use base qw(Kernel::Config::Defaults);

# -----------------------------------------------------#

1;

kmast
Znuny newbie
Posts: 10
Joined: 18 Feb 2016, 18:20
Znuny Version: 5.0.6

Re: OTRS 5 LDAP Agent Auth Problem

Post by kmast »

I've tried tweaking my LDAP setup, but it allows me to authenticate using other software and the command line. Anyone here have any ideas why OTRS doesn't seem to be syncing up?

coolmf
Znuny newbie
Posts: 37
Joined: 02 Nov 2015, 16:29
Znuny Version: 5.0.26

Re: OTRS 5 LDAP Agent Auth Problem

Post by coolmf »

Are you sure that:
UserEmail => 'email',
I have this in mine:
UserEmail => 'mail',
Have a look at this: viewtopic.php?f=62&t=31223#p127247
OTRS 5.0.26 with ITSM, and FAQ module on CentOS 7 with MariaDB and Apache
Using LDAPS for customers and agents against Azure AD
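A quick way to check a UserSyncMap against what the directory actually returns, added here as an example and not code from the thread: this Python script reads an ldapsearch-style LDIF entry for the agent and lists the mapped LDAP attributes the entry does not carry. The LDIF is constructed to mirror the DN from the thread (values made up); the map with 'email' is the one from the posted Config.pm.

```python
# Constructed LDIF entry in the shape `ldapsearch -LLL` prints for the agent
# from the thread (values are made up; 'mail' is the inetOrgPerson attribute).
SAMPLE_LDIF = """\
dn: cn=Kevin Masteller,ou=people,dc=ufl,dc=edu
objectClass: inetOrgPerson
uid: kmast
givenName: Kevin
sn: Masteller
mail: kmast@example.invalid
"""

# The DB field -> LDAP attribute map from the posted Config.pm.
POSTED_SYNC_MAP = {"UserFirstname": "givenName", "UserLastname": "sn", "UserEmail": "email"}

def parse_ldif_entry(ldif: str) -> dict:
    """Minimal LDIF reader for one entry: 'attr: value' lines only (no base64
    'attr::' values, no folded continuation lines). Attribute names are
    lowercased because LDAP attribute types are case-insensitive."""
    entry: dict = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if not sep:
            continue
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def missing_sync_attrs(sync_map: dict, entry: dict) -> dict:
    """Return {DBField: ldap_attr} for every mapped attribute absent from the
    entry; an attribute the entry does not carry cannot be synced into that field."""
    return {field: attr for field, attr in sync_map.items()
            if attr.lower() not in entry}
```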

kmast
Znuny newbie
Posts: 10
Joined: 18 Feb 2016, 18:20
Znuny Version: 5.0.6

Re: OTRS 5 LDAP Agent Auth Problem

Post by kmast »

Looks like the problem was not with OTRS, but with how the passwords were being stored in my SQL database. Fixed that issue, and can now auth with command line AND OTRS.

Thanks for taking the time to help out, guys....

nedmaj
Znuny expert
Posts: 168
Joined: 26 Nov 2014, 20:34
Znuny Version: 6.3.4
Real Name: Samuel Casimiro
Company: Câmara dos Deputados

Re: OTRS 5 LDAP Agent Auth Problem

Post by nedmaj »

kmast,

Please, how did you fix it?
Samuel

Znuny 6.3.4 | OTRS 5.0.17
OS: Debian 11 | CentOS 6.5
Database: Postgres | Oracle 12.1
Number of agents: 450 | Number of customers: 20000 | Number of CIs: 30000