Resulting OTRS config ignores Config.pm

[altronrain]

Hello again guys!
Struggled an interesting problem. 3 month ago configured OTRS for my organization support portal. As for login we used only DB Auth and all worked pretty well. As for now i must make LDAP Auth. I made changes to Config.pm:

Code: Select all

#Agent auth
    #----------
    #Agent auth using LDAP
    $Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
    #LDAP-server-Params
    $Self->{'AuthModule::LDAP::Host'} = 'xxx.xxxxx.xx';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'cn=users,cn=accounts,dc=xxxxx,dc=xxxxxx,dc=xxxxx';
    $Self->{'AuthModule::LDAP::UID'} = 'uid';
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs-agents,cn=groups,cn=accounts,dc=xxxxxx,dc=xxxxx,dc=xxxxxx';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
    #Block for non-anonymos structure view
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'uid=support_ldap,cn=users,cn=accounts,dc=xxxxxx,dc=xxxxxx,dc=xxxx';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxxxxxxxxxx';
    #$Self->{'AuthModule::LDAP::SearchUserDN'} = '';
    #$Self->{'AuthModule::LDAP::SearchUserPw'} = '';
    #LDAP-filtering-option (only mail exist)
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
    #Code utf-8 fix
    $Self->{'AuthModule::LDAP::Charset'} = 'utf-8';
    $Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';

    #Backwards DB compability
    $Self->{AuthModule1} = 'Kernel::System::Auth::DB';

    #Group-sync
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'xxxxx.xxxxxxxxxx.xxxxx';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'cn=users,cn=accounts,dc=xxxxx,dc=xxxxxxxx,dc=xxxxxxx';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'uid';

    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=support_ldap,cn=users,cn=accounts,dc=xxxxxx,dc=xxxxxx,dc=xxxxxxxxxxx';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';

    $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
    #
    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
      'cn=otrs-admins,cn=groups,cn=accounts,dc=xxxxxxxxx,dc=xxxxxxxxxx,dc=xxxxxxxxxxxx' => {
      ....... #Different rights sets
      },
      };
    $Self->{DatabaseUserTable}       = 'users';
    $Self->{DatabaseUserTableUserID} = 'id';
    $Self->{DatabaseUserTableUserPW} = 'pw';
    $Self->{DatabaseUserTableUser}   = 'login';   

And nothing happened. I cannot log in using ldap credentials.

Debugging a little:
1) ldap-server is avaliable from otrs system. 389 port opened.
2) ldapsearch from openldap-clients can successfully search ldap using support_ldap credentials
3) journalctl entries:

Code: Select all

Nov 20 15:43:08 XXXX.XXXXX.XXXX OTRS-CGI-45[6689]: [Notice][Kernel::System::Auth::DB::Auth] User: k_komarov doesn't exist or is invalid!!! (REMOTE_ADDR: 10.150.150.121)
Nov 20 15:43:08 XXXXX.XXXXXX.XXXXX OTRS-CGI-45[6689]: [Error][Kernel::System::User::UserLookup][Line:975]: No UserID found for 'k_komarov'!

Apache entries:

Code: Select all

ERROR: OTRS-CGI-45 Perl: 5.16.3 OS: linux Time: Wed Nov 20 12:32:33 2019

 Message: No UserID found for 'k_komarov'!

 RemoteAddress: 10.150.150.121
 RequestURI: /otrs/index.pl

 Traceback (1955):
   Module: Kernel::System::User::UserLookup Line: 975
   Module: Kernel::System::Auth::Auth Line: 245
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 248
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler Line: 38
   Module: (eval) (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
   Module: ModPerl::Registry::handler (v1.99) Line: 32

4) Realised that there aren't any requests to LDAP server. Confirmed it running tcpdump to ldap-server and trying to log-in to otrs
So this errors took place cause nothing requested and nothing synced, so there are no such user in DB.
5) Found perl script to check Net::LDAP module work:

Code: Select all

#!/usr/bin/env perl
use strict;
use warnings;

use Net::LDAP;
my $HOST = "XXXXXXXXXx.XXXXXXXX.XXXXXx";
my $USER = "uid=support_ldap,cn=users,cn=accounts,dc=XXXXXXXXx,dc=XXXXXXXXXXX,dc=XXXXXXXXXXXXx";
my $PWD = "XXXXXXXXXXXXXXXXXXXXx";
my $ldap = Net::LDAP->new( $HOST ) or die $@;
my $mesg = $ldap->bind($USER,password=>$PWD);
if ( $mesg and $mesg->code() == 0 ) {
        print "Success\n";
}
else{
        print "Unsuccess\n";
}
$ldap->unbind;

Run it:

Code: Select all

[root@support ~]# perl perl_ldap_check.pl 
Success
[root@support ~]# 

Aha, Net::LDAP works well. It is called by "Kernel::System::Auth::LDAP"
But i couldn't see any entries in journalctl that requested this module. Also i tried to comment $Self->{'AuthModule::LDAP::Host'} = 'xxx.xxxxx.xx'; to cause an error. No error occured.
So, in other words Statement about AuthModule::LDAP from Config.pm just ignored. To finally and 100% confirm I experiment with Default.pm.
And then what happened:
1) Committing $Self->{AuthModule} = 'Kernel::System::Auth::DB'; in Default.pm causes login fail using DB stored credentials, so same statement from Config.pm ignored;
2) Placed LDAP config inside Default.pm (yeah I know that it is BAD, but it was made for nooby_debugging purposes) -> Auth worked:

Code: Select all

[Notice][Kernel::System::Auth::LDAP::Auth] User: k_komarov (uid=k_komarov,cn=users,cn=accounts,dc=XXXX,dc=XXX,dc=XXX) authentication ok (REMOTE_ADDR: 10.150.150.121).
[Kernel::System::User::UserAdd] User: 'k_komarov' ID: '12' created successfully (1)!
[Kernel::System::User::SetPassword] User: 'k_komarov' changed password successfully!
[Kernel::System::Auth::Sync::LDAP::Sync] Initial data for 'k_komarov' (uid=k_komarov,cn=users,cn=accounts,dc=xxx,dc=xxxx,dc=xxx) created in RDBMS.
[Kernel::System::Auth::Sync::LDAP::Sync] User: k_komarov not in GroupDN='cn=otrs-bios,cn=groups,cn=accounts,dc=xxx,dc=xxxx,dc=xxxxxx', Filter='(member=uid=k_komarov,
[Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: k_komarov not in GroupDN='cn=otrs-edge,cn=groups,cn=accounts,dc=xxxxx,dc=xxxxxx,dc=xx', Filter='(member=uid=k_komarov,
[Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: k_komarov not in GroupDN='cn=otrs-pstp,cn=groups,cn=accounts,dc=xxx,dc=xxx,dc=xxx', Filter='(member=uid=k_komarov,
[Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: k_komarov not in GroupDN='cn=otrs-vserver,cn=groups,cn=accounts,dc=xxx,dc=xxxx,dc=xx', Filter='(member=uid=k_komar
[Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: 'k_komarov' sync ldap group users!
[Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: 'k_komarov' sync ldap group admin!
[Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: 'k_komarov' sync ldap group stats!
[Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: 'k_komarov' sync ldap group Numa ARCE/BIOS!
[Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: 'k_komarov' sync ldap group Numa EDGE!
[Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: 'k_komarov' sync ldap group Numa vServer!

So, my Config.pm is completely ignored in resulting OTRS configuration (I couldn't catch this error cause we had only DB Auth earlier). What I misconfigured? (I suppose ZZZAAuto can't really cause the problem or it can?). Where should I look next?

Tried with OTRS 6.0.21 and then with updated to 6.0.24. Host: Centos 7 with 3.10.0-957.21.3.el7.x86_64 kernel (not last patched)

[zerozone74]

Try this configuration:
http://trinityhome.org/Home/index.php?w ... ront_id=18
and
https://serverfault.com/questions/96448 ... otrs-admin

[root]

Try this configuration:
http://trinityhome.org/Home/index.php?w ... ront_id=18
and
https://serverfault.com/questions/96448 ... otrs-admin

Hi,

Sorry to say that, but both links are useless maybe. I guess he's using OpenLDAP.

@altronrain

I suggest skipping the group membership check for the beginning.

- Roy

[altronrain]

Try this configuration:
http://trinityhome.org/Home/index.php?w ... ront_id=18
and
https://serverfault.com/questions/96448 ... otrs-admin

Hi,

Sorry to say that, but both links are useless maybe. I guess he's using OpenLDAP.

@altronrain

I suggest skipping the group membership check for the beginning.

- Roy

Thanks for your reply.
Yeah, we use FreeIPA as LDAP-kind server.
I'll try your suggestion tomorrow. But it seems to me that problem not in LDAP configuration, as I stated at the beginnig (and topic). Why do I think so?

1) LDAP config works perfectly when I placed this (same) code inside Default.pm
2) Even DB Auth not worked when i commented it inside Default.pm (so stated inside Config.pm $Self->(AuthModule1) = 'Kernel::System::Auth::DB' NOT worked).

That's why my guess was about ignorance of Config.pm content at all. Yeah, that sounds weird.
Administrator Manual says that OTRS System Configuration builds just like layers:
1) First of all used Default.pm
2) Then web-gui setting took place (or as I think otrs.Console.pl alternative also): ZZZAAuto and ZZZACL with Default.pm replacement if it has same configuration nodes
3) The last one is Config.pm (also with replacement)
I could be wrong about the sequence of the last two, but it's not a deal (I hope so).

And what I get. Default.pm LDAP placement works, Config.pm LDAP placement ignored. Where to dig, and where to learn about system-configuration order process idk :c

Ofc for now I could place LDAP section to Defaults.pm. But it is strongly not recommended and I'll get problems every update. Should I start rpreparing fresh backup VM installation and then backuping production version asap -> Also a question. Cause overall "functioning" seems wrong.

Or, I hope maybe somebody had similar problems and knows the solution.

Forgot to mention: Rights checked. Config.pm has 660 otrs:apache ownership. bin/otrs.SetPermissions.pl also was used.

[root]

Hi,

I configured several systems with Active Directory, OpenLDAP, FreeIPA, eDirectory, etc and never had problems. My recommendation is to stay way from modifying Defaults.pm, use is just a a source to copy part into your Config.pm.
Remove all LDAP related stuff and start with authentication. No AuthSync, No Group related stuff. Also remove the DatabaseUserTable setting from Config.pm, never had a situation where to change these settings.

That means for agent authentication (index.pl) start with:

Code: Select all

# Use suffix 1 to keep AuthModule DB from Defaults.m
$Self->{AuthModule1}                       = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'}         = 'xxx.xxxxx.xx';
$Self->{'AuthModule::LDAP::BaseDN1'}       = 'cn=users,cn=accounts,dc=xxxxx,dc=xxxxxx,dc=xxxxx';
$Self->{'AuthModule::LDAP::UID1'}          = 'uid';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'uid=support_ldap,cn=users,cn=accounts,dc=xxxxxx,dc=xxxxxx,dc=xxxx';
$Self->{'AuthModule::LDAP::SearchUserPw'}  = 'xxxxxxxxxxxxxxxx';

Keep in mind that you have to add the agent's first manually in OTRS. After the authentication we can go ahead with AuthSync

- Roy

[altronrain]

Hi, Roy
Trying to follow your theory about misconfigured LDAP (I really hoped that it is a problem).
First of all I removed LDAP section from Default.pm. There is only DB Auth call from here now, as it should be:

Code: Select all

    # --------------------------------------------------- #
    # authentication settings                             #
    # (enable what you need, auth against otrs db,        #
    # against LDAP directory, against HTTP basic auth     #
    # or against Radius server)                           #
    # --------------------------------------------------- #
    # This is the auth. module against the otrs db
    $Self->{AuthModule} = 'Kernel::System::Auth::DB';

    # if this key exists and is empty, there won't be a sync.

Okay. I removed my Config.pm files and used template Config.pm.dst. Then added here your example (and removed all comments). My full Config.pm:

Code: Select all

package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;
    $Self->{DatabaseHost} = '127.0.0.1';
    $Self->{Database} = 'otrs';
    $Self->{DatabaseUser} = 'otrs';
    $Self->{DatabasePw} = 'xxxxxxxxxxxxxxx';
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";
    $Self->{Home} = '/opt/otrs';


    # Use suffix 1 to keep AuthModule DB from Defaults.m
    $Self->{AuthModule1}                       = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'}         = 'xxxxx.xxxxxxxxx.xxxxx';
    $Self->{'AuthModule::LDAP::BaseDN1'}       = 'cn=users,cn=accounts,dc=xxx,dc=xxxxxxxx,dc=xxxx';
    $Self->{'AuthModule::LDAP::UID1'}          = 'uid';
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'uid=support_ldap,cn=users,cn=accounts,dc=xxxxxx,dc=xxxxxxx,dc=xxxxxxxx';
    $Self->{'AuthModule::LDAP::SearchUserPw'}  = 'xxxxxxxxxxxxxxxxxxxxxxx';


    return 1;
}


use Kernel::Config::Defaults; # import Translatable()
use parent qw(Kernel::Config::Defaults);

1;

Seems legit. Rights check:

Code: Select all

[root@support Kernel]# ls -lah Config.pm
-rw-rw---- 1 otrs apache 1.1K Nov 21 09:25 Config.pm

httpd service restart at the end.
I already had LDAP-legit agent (k_komarov). Created during previous post (as i pasted journalctl entries). Plus this user already have some group rights.
So, in this situation I expect positive authentification with 'Kernel::System::Auth::LDAP' module call.
In fact i get:

Code: Select all

[Notice][Kernel::System::Auth::DB::Auth] User: k_komarov authentication with wrong Pw!!! (Method: sha256, REMOTE_ADDR: 10.150.150.121)

So again only DB Auth check that response about incorrect pw. Why? I think cause there are no requests to ldap-side.
"Confirmation" using tcpdump (look at timestamps) and journalctl:

Code: Select all

[root@support Kernel]# tcpdump -i enp0s3 host xxxx.xxxxxxxx.xxxx and port 389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@support Kernel]# tcpdump -i enp0s3 host xxxx.xxxx.xxxxx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
10:03:17.609439 IP my_host.41814 > ldap_serv: 39771+ A? xxxxx.xxxxxxx.xxxxxxx. (36)
10:03:17.609535 IP my_host.41814 > ldap_serv: 2235+ AAAA? xxxxx.xxxxxx.xxxxxxx. (36)
10:03:17.610817 IP ldap_serv > my_host.41814: 2235* 0/1/0 (83)
10:03:17.610832 IP ldap_serv > my_host.41814: 39771* 1/2/1 A ldap_serv_ip (104)
10:03:17.615160 IP my_host.43704 > ldap_serv: 52641+ PTR? ldap_serv_ip.in-addr.arpa. (41)
10:03:17.616168 IP ldap_serv > my_host.43704: 52641* 1/2/2 PTR xxxxx.xxxxxx.xxxxx. (141)
10:03:17.616288 IP my_host.47352 > ldap_serv: 5245+ PTR? my_ip.in-addr.arpa. (45)
10:03:17.617277 IP ldap_serv > my_host.47352: 5245 NXDomain* 0/1/0 (110)

Nov 21 10:03:03 my_host OTRS-CGI-45[19211]: [Notice][Kernel::System::Auth::DB::Auth] User: k_komarov authentication with wrong Pw!!! (Method: sha256, REMOTE_ADDR: my_pc_ip)
Nov 21 10:03:11 my_host OTRS-CGI-45[19212]: [Notice][Kernel::System::Auth::DB::Auth] User: k_komarov authentication with wrong Pw!!! (Method: sha256, REMOTE_ADDR: my_pc_ip)
Nov 21 10:03:12 my_host kernel: device enp0s3 left promiscuous mode
Nov 21 10:03:17 my_host kernel: device enp0s3 entered promiscuous mode
Nov 21 10:03:44 my_host OTRS-CGI-45[19241]: [Notice][Kernel::System::Auth::DB::Auth] User: k_komarov authentication with wrong Pw!!! (Method: sha256, REMOTE_ADDR: my_pc_ip)
Nov 21 10:03:50 my_host OTRS-CGI-45[19214]: [Notice][Kernel::System::Auth::DB::Auth] User: k_komarov authentication with wrong Pw!!! (Method: sha256, REMOTE_ADDR: my_pc_ip)

So, we can see that during last two tries (as minimum) there are no requests to ldap-server side. So, code, that I placed inside Config.pm not "working".

Another opportunity to check it and to be totally aside of LDAP:
Lets take some random and easy-to-check setting. For example:

Code: Select all

$Self->{'ProductName'} =  'Company_Name';

that took place at ZZZAAuto.pm (cause u could change it via web-gui). I placed it inside Config.pm and changed name from showed up to 'Some_Test_Name' (yep, I sure that Config.pm added last to resulting config. Tested it on a another OTRS for other purposes.)

After httpd restart I still can see 'Company_Name' in browser tab heading. For now this ensured me that my case is Config.pm ignorance. I'm out of thoughts how to FIX it? nor approve (anymore). It is sad that I'm unskilled at using such tools as strace, fuser and OTRS as I could guess doen't like to provide any tech-info about processes even with debug log level.

[root]

Hi,

Just to check and prove your theory of an ignored Config.pm, what happen's when you rename that file to Config.pm.unused?

And another question, what's your OTRS home directory?

- Roy

[altronrain]

Hello,
Thanks for your support
What behavior I should expect after renaming? (Internal server error of apache?)
Moved Config.pm to Config.pm.unused and restarted httpd:
As a result I still have access to web-gui, (using DB credentials user, not LDAP one's ofc).

Code: Select all

Nov 22 11:40:14 my_otrs OTRS-CGI-45[2077]: [Notice][Kernel::System::Auth::DB::Auth] User: k_komarov authentication with wrong Pw!!! (Method: sha256, REMOTE_ADDR: 10.150.150.121)
Nov 22 11:40:26 my_otrs OTRS-CGI-45[2074]: [Notice][Kernel::System::Auth::DB::Auth] User: komarov@xxxxx authentication ok (Method: sha256, REMOTE_ADDR: 10.150.150.121).

otrs directory is standart for Centos distro: /opt/otrs
So, Conf files took place at /opt/otrs/Kernel/

[root]

Hi,

Without a Config.pm OTRS should not be usable. Having access will implies the DatabaseUser and DatabasePw from Defaults.pm are used.
Is this still the original file? If you've used the RPM, what's the output of rpm -V otrs

- Roy

[altronrain]

Whoa!

Code: Select all

[root@test_supp Kernel]# rpm -V otrs
S.5....T.  c /etc/httpd/conf.d/zzz_otrs.conf
missing   c /opt/otrs/Kernel/Config.pm
S.5....T.    /opt/otrs/Kernel/Config/Defaults.pm

ah, I just renamed my file to Config.pm.unused, sorry
And that is the output (Config.pm that ignored):

Code: Select all

[root@test_supp Kernel]# rpm -V otrs
S.5....T.  c /etc/httpd/conf.d/zzz_otrs.conf
SM5..U.T.  c /opt/otrs/Kernel/Config.pm
S.5....T.    /opt/otrs/Kernel/Config/Defaults.pm

[root]

Hi,

Yes, Config.pm is missed but before continue you should fix Defaults.pm. It's modified and shouldn't be.
There's no need either to modify Defaults.pm or zzz_ors.conf when running on a CentOS.

- Roy

[altronrain]

Ugh..
What kind of fixing is needed?
For example I replaced my Defaults.pm (put it aside as Defaults.pm.unused) with similar one from another system (that wasn't modified).
And now rpm -V otrs outut changed a bit:

Code: Select all

[root@test_supp Kernel]# rpm -V otrs
S.5....T.  c /etc/httpd/conf.d/zzz_otrs.conf
SM5..U.T.  c /opt/otrs/Kernel/Config.pm
.......T.    /opt/otrs/Kernel/Config/Defaults.pm

Ok, for example I did yum reinstall otrs (with Config.pm backup). So I have "default" Defaults.pm. Then replaced Config.pm with my version.
rpm -V otrs:

Code: Select all

[root@test_supp otrs]# rpm -V otrs
S.5....T.  c /etc/httpd/conf.d/zzz_otrs.conf
S.5....T.  c /opt/otrs/Kernel/Config.pm

Still no luck with Config.pm

[root]

Hi,

To confirm that your Config.pm is used the easiest way is to add a sybntax error and reload the index.pl I expect an internal server error.
If this happens please remove all password and sensitive data from your Config.pm and post it.

- Roy

[altronrain]

Hello again,
Okay.
Config.pm modified (to cause interfal server error):

Code: Select all

sub Loud {!@#$>

instead of

Code: Select all

sub Load {

(i think this is enough).
After apache restart I still can use web-gui and log-in.

[root]

Hi,

That's weird. I don't have no more ideas without touching the system.

- Roy

[altronrain]

What do you mean by "touching the system"? Maybe it is needed in such case. Something totally works wrong.

[altronrain]

Forgot about this trouble for a while.
And, I solved it yesterday! What a silly mistake I made:
I placed Config.pm under Custom/Kernel/ section . I forgot about that placement -> that's why LDAP auth not worked cause Kernel/Config.pm was replaced by Custom/Kernel/Config.pm