ldap issues

rturner
Znuny newbie
Posts: 10
Joined: 02 Aug 2016, 17:40
Znuny Version: 5.0.10
Real Name: Ryan
Company: Community 1st Bank

ldap issues

Post by rturner »

I'm trying to get LDAP set up and I'm having some issues. I have the SysConfig set up correctly in the GUI. I keep getting an error of

80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580

in both my OTRS logs and my logs on Server 2012 R2. I have tried everything I can find online to correct the issue, but I keep getting that same error.

Any help is appreciated; just let me know what info you need.

Thank you for your time.

Ryan
Eggllo
Znuny newbie
Posts: 79
Joined: 09 Jun 2016, 14:27
Znuny Version: 5.0.10

Re: ldap issues

Post by Eggllo »

Have you made sure your LDAP credentials are correct? It might be helpful if you could post the relevant areas of your Config.pm as well.

Also, are you running OTRS on Windows or just the AD?
OTRS v5.0.10 with ITSM extension.
MySQL database
Ubuntu 16.04 LTS
rturner

Re: ldap issues

Post by rturner »

Yeah, I made sure the login info is correct. I'm setting up everything in the web GUI under Admin and SysConfig. I looked at the Config.pm and Defaults.pm files but was unable to find the changes that I made in the GUI, so I figured it was storing them in a different location.


Customer::AuthModule::LDAP::SearchUserDN

cn=otrs_ldap,ou=***********,dc=***,dc=local
rturner

Re: ldap issues

Post by rturner »

Here is the error I get on my domain controller. It's weird; it says anonymous logon.
rturner

Re: ldap issues

Post by rturner »

OTRS is running on CentOS.
Eggllo

Re: ldap issues

Post by Eggllo »

If there's nothing in Config.pm, you should copy in some sections from Defaults.pm. These sections in particular for an LDAP backend:

# CustomerUser
# (customer user ldap backend and settings)
#    $Self->{CustomerUser} = {
#        Name => 'LDAP Backend',
#        Module => 'Kernel::System::CustomerUser::LDAP',
#        Params => {
#            # ldap host
#            Host => 'bay.csuhayward.edu',
#            # ldap base dn
#            BaseDN => 'ou=seas,o=csuh',
#            # search scope (one|sub)
#            SSCOPE => 'sub',
#            # The following is valid but would only be necessary if the
#            # anonymous user does NOT have permission to read from the LDAP tree
#            UserDN => '',
#            UserPw => '',
#            # in case you want to add always one filter to each ldap query, use
#            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#            AlwaysFilter => '',
#            # if both your frontend and your LDAP are unicode, use this:
#            SourceCharset => 'utf-8',
#            DestCharset   => 'utf-8',
#            # if your frontend is unicode and the charset of your
#            # ldap server is iso-8859-1, use these options.
#            # SourceCharset => 'iso-8859-1',
#            # DestCharset => 'utf-8',
#            # die if backend can't work, e. g. can't connect to server
#            Die => 0,
#            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
#            Params => {
#                port    => 389,
#                timeout => 120,
#                async   => 0,
#                version => 3,
#            },
#        },
#        # customer unique id
#        CustomerKey => 'uid',
#        # customer #
#        CustomerID => 'mail',
#        CustomerUserListFields => ['cn', 'mail'],
#        CustomerUserSearchFields => ['uid', 'cn', 'mail'],
#        CustomerUserSearchPrefix => '',
#        CustomerUserSearchSuffix => '*',
#        CustomerUserSearchListLimit => 250,
#        CustomerUserPostMasterSearchFields => ['mail'],
#        CustomerUserNameFields => ['givenname', 'sn'],
#        # show now own tickets in customer panel, CompanyTickets
#        CustomerUserExcludePrimaryCustomerID => 0,
#        # add a ldap filter for valid users (expert setting)
#        # CustomerUserValidFilter => '(!(description=gesperrt))',
#        # admin can't change customer preferences
#        AdminSetPreferences => 0,
#        # cache time to live in sec. - cache any ldap queries
#        CacheTTL => 0,
#        Map => [
#            # note: Login, Email and CustomerID needed!
#            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
#            [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
#            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
#            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
#            [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
#            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
#            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
#            # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
#            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
#            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
#            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
#        ],
#    };

# This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
#    $Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
#    $Self->{'AuthModule::LDAP::Host'} = 'ldap.example.com';
#    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
#    $Self->{'AuthModule::LDAP::UID'} = 'uid';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
#    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
#    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
    # for ldap posixGroups objectclass (just uid)
#    $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
    # for non ldap posixGroups objectclass (with full user dn)
#    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
#    $Self->{'AuthModule::LDAP::SearchUserDN'} = '';
#    $Self->{'AuthModule::LDAP::SearchUserPw'} = '';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
#    $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

    # In case you want to convert all given usernames to lower letters you
    # should activate this option. It might be helpfull if databases are
    # in use that do not distinguish selects for upper and lower case letters
    # (Oracle, postgresql). User might be synched twice, if this option
    # is not in use.
#    $Self->{'AuthModule::LDAP::UserLowerCase'} = 0;

    # In case you need to use OTRS in iso-charset, you can define this
    # by using this option (converts utf-8 data from LDAP to iso).
#    $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
#    $Self->{'AuthModule::LDAP::Params'} = {
#        port    => 389,
#        timeout => 120,
#        async   => 0,
#        version => 3,
#    };

    # Die if backend can't work, e. g. can't connect to server.
#    $Self->{'AuthModule::LDAP::Die'} = 1;
Change all of the necessary settings and property mappings as needed. Check out the documentation for LDAP with OTRS.
https://otrs.github.io/doc/manual/admin ... ckend-ldap

See if doing that will work for you.

**Make sure you don't edit Defaults.pm, just copy stuff over from it**
Eggllo

Re: ldap issues

Post by Eggllo »

As an added note, I don't actually have LDAP selected for my AuthModule in SysConfig, I'm using DB as my authentication, most of my LDAP integration is coming from Kernel/Config.pm.

You might also find this post from crythias pretty helpful to troubleshoot your integration.
viewtopic.php?f=60&t=16543
rturner

Re: ldap issues

Post by rturner »

So using the GUI is pointless for config? I'm OK with doing it through the terminal; I just didn't want to cause issues by modifying files and having the GUI show something different.

I have set up OTRS before with LDAP and used the modify-the-config way, but with 5 I figured I would follow the rules and use the GUI. Maybe that was my issue the whole time. I'll modify the config and get back to you.
Eggllo

Re: ldap issues

Post by Eggllo »

From what I can tell, the settings in SysConfig are just for the AuthModule and not the backend itself. Things like the attribute mapping and customer search parameters are all needed in the Config.pm. You could probably forgo that second section of the Defaults.pm by using SysConfig; I'm not exactly sure. I just went with editing Kernel/Config.pm and I haven't had any problems since getting it set up.
rturner

Re: ldap issues

Post by rturner »

Got it updated and still getting the error: First bind failed! 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580

I appreciate all of the help. Thank you for your time.


# --
# Copyright (C) 2001-2016 xxx, http://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# -->> Most OTRS configuration should be done via the OTRS web interface
# and the SysConfig. Only for some configuration, such as database
# credentials and customer data source changes, you should edit this
# file. For changes to customer data sources you can copy the definitions
# from Kernel/Config/Defaults.pm and paste them in this file.
# Config.pm will not be overwritten when updating OTRS.
# --

package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # The database host
    $Self->{'DatabaseHost'} = '127.0.0.1';

    # The database name
    $Self->{'Database'} = "otrs";

    # The database user
    $Self->{'DatabaseUser'} = "otrs";

    # The password of database user. You also can use bin/otrs.Console.pl Maint::Database::PasswordCrypt
    # for crypted passwords
    $Self->{'DatabasePw'} = 'PDfp650uOJ1wwl5J';

    # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
    $Self->{'DatabaseDSN'} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost}";

    # The database DSN for PostgreSQL ==> more: "perldoc DBD::Pg"
    # if you want to use a local socket connection
    # $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a TCP/IP connection
    # $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # The database DSN for Microsoft SQL Server - only supported if OTRS is
    # installed on Windows as well
    # $Self->{DatabaseDSN} = "DBI:ODBC:driver={SQL Server};Database=$Self->{Database};Server=$Self->{DatabaseHost},1433";

    # The database DSN for Oracle ==> more: "perldoc DBD::oracle"
    # $Self->{DatabaseDSN} = "DBI:Oracle://$Self->{DatabaseHost}:1521/$Self->{Database}";
    #
    # $ENV{ORACLE_HOME} = '/path/to/your/oracle';
    # $ENV{NLS_DATE_FORMAT} = 'YYYY-MM-DD HH24:MI:SS';
    # $ENV{NLS_LANG} = 'AMERICAN_AMERICA.AL32UTF8';

    # ---------------------------------------------------- #
    # fs root directory                                    #
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    ### START LDAP SYNC CUSTOMERS

    # CustomerUser
    # (customer ldap backend and settings)
    $Self->{CustomerUser} = {
        Name   => 'LDAP Data Source',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'dc02.cfb.local',
            # ldap base dn
            BaseDN => 'ou=OU_Domain_Users,dc=cfb,dc=local',
            # search scope (one|sub)
            SSCOPE => 'one',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'otrs',
            UserPw => '********',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            AlwaysFilter => '',
            # if the charset of your ldap server is iso-8859-1, use this:
            # SourceCharset => 'iso-8859-1',

            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 1000,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        # show not own tickets in customer panel, CompanyTickets
        CustomerUserExcludePrimaryCustomerID => 0,
        # add an ldap filter for valid users (expert setting)
        # CustomerUserValidFilter => '(!(description=locked))',
        # administrator can't change customer preferences
        AdminSetPreferences => 0,
        # # cache time to live in sec. - cache any database queries
        # CacheTTL => 0,
        Map => [
            # note: Login, Email and CustomerID are mandatory!
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
            [ 'UserLogin',      'Username',   'sAMAccountName', 1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',           1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'sAMAccountName', 0, 1, 'var', '', 0 ],
            # [ 'UserFirstname',   'Firstname',   'givenname',           1, 1, 'var', '', 0 ],
            # [ 'UserLastname',    'Lastname',    'sn',                  1, 1, 'var', '', 0 ],
            # [ 'UserTitle',       'Title',       'title',               1, 0, 'var', '', 0 ],
            # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
        ],
    };

    ### END LDAP SYNC CUSTOMERS

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    # end of your own config options!!!                    #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #

use base qw(Kernel::Config::Defaults);

# -----------------------------------------------------#
1;
Eggllo

Re: ldap issues

Post by Eggllo »

> got it updated and still getting the error: First bind failed! 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580

52e is saying that your search user credentials are invalid. From http://wiki.servicenow.com/index.php?ti ... #gsc.tab=0

> 49 / 52e AD_INVALID CREDENTIALS Indicates an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid. This is the AD equivalent of LDAP error code 49.

Sorry to repeat the same response, but are you sure your credentials are correct? Maybe check to make sure your DN is correct and your search user has the proper access, but it sure seems like some sort of credentials issue.
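The 52e explanation above, as an added example that is not part of the thread and not OTRS/Znuny code: a small Python helper that pulls the AD sub-code out of an error line like the one quoted, classifies the bind identity string that goes into SearchUserDN / UserDN, and builds an ldapsearch command for testing the service account outside OTRS. The sub-code table is the documented AD list for LDAP result 49; the host, domain and DN values in the sample run are assumptions, not the poster's environment.

```python
"""Added example, not code from the thread or from OTRS/Znuny: decode the
'data NNN' sub-code of an Active Directory bind failure and classify the
identity used for the search/bind user.

Assumptions: the error string follows the format quoted in the thread; the
sub-code table is the documented AD list for LDAP result 49; hosts, domain
names and DNs in the sample run are constructed."""
import re
from typing import List, Optional

# AD sub-error codes carried in the 'data NNN' field of an LDAP bind result 49.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials: user found, but password or identity form rejected",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
_DN_RE = re.compile(r"^(cn|uid|ou|dc|o)\s*=", re.IGNORECASE)


def decode_ad_bind_error(message: str) -> Optional[str]:
    """Return the meaning of the AD sub-code in an LDAP error string, or None."""
    m = _DATA_RE.search(message)
    if not m:
        return None
    code = m.group(1).lower()
    return AD_BIND_DATA_CODES.get(code, "unknown AD sub-code " + code)


def classify_bind_identity(identity: str) -> str:
    """Return 'dn', 'upn', 'netbios' or 'bare' for a simple-bind identity.

    AD resolves a full DN, a UPN (user@domain.tld) or DOMAIN\\user without
    ambiguity. A bare account name relies on the DC resolving it in its own
    domain, so when a bind fails with 52e, retest with the DN or UPN first.
    """
    s = identity.strip()
    if _DN_RE.match(s):
        return "dn"
    if "@" in s[1:-1]:
        return "upn"
    if "\\" in s[1:-1]:
        return "netbios"
    return "bare"


def bind_candidates(account: str, domain_dns: str, domain_netbios: str, user_dn: str) -> List[str]:
    """The identity forms worth trying for one service account, most unambiguous first."""
    return [user_dn, f"{account}@{domain_dns}", f"{domain_netbios}\\{account}", account]


def ldapsearch_bind_check(host: str, identity: str, base_dn: str) -> List[str]:
    """argv for an out-of-band bind test with OpenLDAP's ldapsearch.

    -x forces a simple bind, -W prompts for the password so it never lands in
    the shell history or the process list, -s base keeps the query tiny.
    """
    return ["ldapsearch", "-x", "-H", f"ldap://{host}", "-D", identity, "-W",
            "-b", base_dn, "-s", "base", "(objectClass=*)"]


def triage(message: str, identity: str) -> str:
    """Combine the two checks into one line of advice."""
    meaning = decode_ad_bind_error(message)
    if meaning is None:
        return "not an AD AcceptSecurityContext error"
    form = classify_bind_identity(identity)
    advice = f"AD says: {meaning}; bind identity {identity!r} is a {form}"
    if form == "bare":
        advice += " name: retest with the account's full DN or UPN before changing the password"
    return advice


if __name__ == "__main__":
    # Constructed sample: the error line from the thread with a bare bind identity.
    err = ("First bind failed! 80090308: LdapErr: DSID-0C0903D0, "
           "comment: AcceptSecurityContext error, data 52e, v2580")
    print(triage(err, "otrs"))
    for ident in bind_candidates("otrs", "example.local", "EXAMPLE",
                                 "CN=otrs,OU=Service Accounts,DC=example,DC=local"):
        print(" ".join(ldapsearch_bind_check("dc01.example.local", ident, "DC=example,DC=local")))
```

If the generated ldapsearch call succeeds with the full DN but the OTRS bind still fails, the credentials are fine and the problem is in how Config.pm carries them; if it fails with every identity form, the account, password or DC itself is the problem and OTRS is not involved yet.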
rturner

Re: ldap issues

Post by rturner »

That is what I found when looking it up as well. I have Active Directory pulled up on my 3rd monitor and have used Notepad to make sure the passwords are the same both in AD and in the Config.pm file. I have even changed the password to make sure that wasn't the issue. Could it be something like symbols in the password not being OK, or the password being too long? We require 12-character passwords with a symbol in them for security reasons.

I also opened up ADSI on the domain controller to make sure the BaseDN was right, and it was.
Eggllo

Re: ldap issues

Post by Eggllo »

I do have the separate section in my config for authentication, so you could also try adding these parameters (filled out of course) and see if it makes any difference:

# Second customer auth backend. The trailing 1 lets it coexist with the
# default (unsuffixed) Customer::AuthModule, which can stay on DB.
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'}         = '';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'}       = '';
$Self->{'Customer::AuthModule::LDAP::UID1'}          = '';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = '';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = '';
It is possible that special characters could be the issue; there was an old German post where this was suggested.
viewtopic.php?t=14190

I don't actually read German :D but Google Translate gives this:

> Does your password contain special characters? Sometimes different encodings play tricks. Try a password with only 7-bit ASCII characters.

Might be worth a try.
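The special-characters suggestion above, as an added example that is not part of the thread and not OTRS/Znuny code: the password in Config.pm sits inside a Perl single-quoted literal, where a backslash or an apostrophe changes what Perl actually sends (an unescaped apostrophe also breaks the file, which is one way to get a 500 error). This Python helper decodes the literal on a config line the way Perl does, compares it with the password you intended, and flags non-7-bit characters. The config lines and passwords in the sample run are constructed; none is the poster's.

```python
"""Added example, not code from the thread or from OTRS/Znuny: verify that the
password literal on a Kernel/Config.pm line carries exactly the password set
in AD, and flag the non-7-bit characters the German post warns about.

Assumptions: the password is in a Perl single-quoted literal, as in the
Defaults.pm templates ('...' honours only the escapes \\\\ and \\');
the sample lines and passwords below are constructed."""
import re
from typing import List, Optional

# A Perl single-quoted literal after '=' or '=>': any char except ' or \,
# or a backslash followed by one char; optional trailing ; or , then end of line.
_LITERAL_RE = re.compile(r"=>?\s*('(?:[^'\\]|\\.)*')\s*[;,]?\s*$")


def perl_single_quoted(value: str) -> str:
    """Encode value as a Perl single-quoted literal (only \\ and ' need escaping)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def perl_single_quoted_decode(literal: str) -> str:
    """Decode a Perl single-quoted literal into the string Perl will actually use.

    Inside '...' Perl only honours \\\\ -> \\ and \\' -> '; any other backslash
    is kept literally, so '\\n' stays a backslash followed by n.
    """
    literal = literal.strip()
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in "\\'":
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def literal_from_config_line(line: str) -> Optional[str]:
    """Pull the quoted value out of `UserPw => '...',` or `$Self->{...} = '...';`."""
    m = _LITERAL_RE.search(line)
    return m.group(1) if m else None


def check_password_line(line: str, intended: str) -> List[str]:
    """Return the problems with a Config.pm password line; an empty list means it is fine."""
    problems = []
    literal = literal_from_config_line(line)
    if literal is None:
        return ["no well-formed single-quoted value on that line (unescaped ' or \\?)"]
    actual = perl_single_quoted_decode(literal)
    if actual != intended:
        problems.append(
            f"Perl will send {actual!r}, not {intended!r}; "
            f"write the literal as {perl_single_quoted(intended)}"
        )
    if any(ord(ch) > 0x7F for ch in intended):
        problems.append("non-7-bit characters present; encoding between Config.pm and the DC "
                        "may differ, test with an ASCII-only password first")
    if intended != intended.strip():
        problems.append("leading or trailing whitespace; easy to lose when copying")
    return problems


if __name__ == "__main__":
    # Constructed sample lines, not the poster's configuration.
    samples = [
        ("UserPw => 'S3cret-Only!',", "S3cret-Only!"),
        ("UserPw => 'it\\'s-l0ng-enough',", "it's-l0ng-enough"),
        ("UserPw => 'it's-l0ng-enough',", "it's-l0ng-enough"),
        ("$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'abc-123';", "abd-123"),
        ("UserPw => 'pässwörd-12',", "pässwörd-12"),
    ]
    for line, intended in samples:
        print(line, "->", check_password_line(line, intended) or "ok")
```

When the helper reports a mismatch, paste the literal it prints into Config.pm rather than retyping the password; the two escape rules are the only way a 12-character password with symbols can differ between Notepad and what Net::LDAP sends.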
rturner

Re: ldap issues

Post by rturner »

I'll try that code. I did change the password to something with no symbols in it, just letters and numbers. It still didn't work. I'll report back after I add in that other code.

Thank you
rturner

Re: ldap issues

Post by rturner »

I hate to sound like a newb, but my brain is fried currently. No matter how I put that chunk of code in the config, it gives me a 500 error, even when I comment out the other auth stuff. Where in the config does that chunk go?

Sorry for the newb question.

Thanks again

Ryan
rturner

Re: ldap issues

Post by rturner »

IT WORKS!!!!!

OK, so I used my Config.pm file and went into the GUI and changed it back to DB, then to LDAP, and started filling in the boxes as I got errors. Magically it wants to work now. It doesn't make sense, but it works. lol Thank you for all your help. :D
Eggllo

Re: ldap issues

Post by Eggllo »

Good to hear :D

It is kind of strange; maybe there's just something we're missing, as I actually leave mine on DB and it still works fine with LDAP and I don't get errors. Might be because I added a 1 at the end of the new AuthModule to differentiate it from the normal DB module; not too sure. Good to hear it's working for you though!