Bind must be completed on the connection

[pbkessler]

Hello everyone,

after migrating OTRS 5 Update 10 to another Server and joint to our Active Directory
Server we have got after successfully login with valid AD Credentials the message:

Search failed! (DC=eew,DC=de) filter='(sAMAccountName=pb)' 000004DC: LdapErr:
DSID-0C090748, comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, v2580

Unfortunately we have got the exact same configuration using a different stack in use.
Maybe someone got a solution to this issue yet. Help would be recommended.

cat /opt/otrs/Kernel/Config.pm
...

Code: Select all

   # ---------------------------------------------------- #
    # auth agents via AD                                   #
    # ---------------------------------------------------- #
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'coresrv1.eew.de';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'DC=eew,DC=de';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'ldapbind@eew.de';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'secret';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    #$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=tcktadm,CN=groups,DC=eew,DC=de';
    #$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';

    # ---------------------------------------------------- #
    # sync agents data from AD                             #
    # ---------------------------------------------------- #
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'coresrv1.eew.de';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=eew,DC=de';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';

    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'ldapbind@eew.de';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'secret';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # Attributes needed for group syncs
    # (attribute name for group value key)
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';

    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
        # ldap group
        'CN=tcktadm,OU=Groups,DC=eew,DC=de' => {
            # otrs group
            'admin' => {
                rw => 1,
            },
            'stats' => {
                rw => 1,
            },
        },
    'CN=helpdeskeew,OU=Groups,DC=eew,DC=de' => {
    'helpdeskeew' => {
        rw => 1,
        },
    },
    'CN=helpdeskbgk,OU=Groups,DC=eew,DC=de' => {
        'helpdeskmcd' => {
                rw => 1,
                },
        },
    };
}

....


Regards

[crythias]

This is old but probably relevant: viewtopic.php?t=16543

You probably don't need to reuse

Code: Select all

    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'ldapbind@eew.de';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'secret';

[pbkessler]

Hi crythias,
thank you for your recommendation. It seems you are right and I am able to remove the reuse of SearchUserDN/SearchUserPw. Unfortunately the message still appears in the system protocol. But I must confess that the login seems to work without any problems.

[cgl]

Hello,
I see this message in my logs as well. I can login and everything works, but I'm not sure where the fail message comes from.
Does anyone who uses AD authentication know how to resolve the error message?
Regards,
Charles