Hello,
Due to the migration of our CA to SHA256 I had to generate new certificates for our domain controllers.
OTRS is configured to use port 389, so there should be no certificate needed when syncing domain users.
But somehow, after changing the certificates on the domain controllers, the domain user sync of OTRS stopped working.
I am a complete newb to OTRS; if you need any info regarding the config or log files, let me know.
OTRS: 6.0.7
CentOS 7
Best regards,
hannes
LDAP Sync broken after DC certificate change
- Znuny newbie
- Posts: 8
- Joined: 26 Nov 2019, 16:07
- Znuny Version: 6.0.7
- Real Name: Glenz
- Company: Nikolauspflege
Re: LDAP Sync broken after DC certificate change
config.pm

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ads1.np.lan';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=np,dc=lan';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SSCOPE'} = 'sub';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Agents,CN=Users,dc=np,dc=lan';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrssearcher,cn=users,dc=np,dc=lan';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'XXXXXXX';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ads1.np.lan';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=np,dc=lan';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SSCOPE'} = 'sub';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrssearcher,cn=users,dc=np,dc=lan';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'XXXXXXX';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

# $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
#     # an LDAP group DN can only appear once as a hash key; a second
#     # identical key would silently replace the first, so list every
#     # OTRS group the LDAP group should map to under the one key
#     'cn=OTRS-Agents,CN=Users,dc=np,dc=lan' => {
#         'admin' => {
#             rw => 1,
#             ro => 1,
#         },
#         'users' => {
#             rw => 1,
#             ro => 1,
#         },
#     },
# };

#########################
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ads1.np.lan';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=np,dc=lan';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrssearcher,cn=users,dc=np,dc=lan';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'XXXXXX';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# CustomerUser LDAP backend
$Self->{CustomerUser} = {
    Name   => 'LDAP Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'ads1.np.lan',
        BaseDN => 'dc=np,dc=lan',
        SSCOPE => 'sub',
        UserDN => 'cn=otrssearcher,cn=users,dc=np,dc=lan',
        UserPw => 'XXXXXXX',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)',
        AlwaysFilter  => '(&(objectclass=user)(kerio-mail-accountenabled=1))',
        SourceCharset => 'utf-8',
        DestCharset   => 'iso-8859-1',
        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            port    => 389,
            timeout => 120,
            async   => 0,
            version => 3,
        },
    },
    CustomerKey                        => 'sAMAccountName',
    CustomerID                         => 'sAMAccountName',
    CustomerUserListFields             => ['displayname', 'mail'],
    CustomerUserSearchFields           => ['sn', 'givenname', 'sAMAccountName'],
    CustomerUserSearchPrefix           => '*',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 200,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    AdminSetPreferences                => 0,
    ReadOnly                           => 1,
    CacheTTL                           => 60*60,
};    # closes $Self->{CustomerUser}; the posted excerpt ended at CacheTTL
- Administrator
- Posts: 4251
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: LDAP Sync broken after DC certificate change
Hi,
I can't see anything related to LDAPS in your configuration. Anything suspicious in the OTRS log?
- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes?
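Roy's observation (nothing in the posted Config.pm uses LDAPS, so every backend talks plain LDAP on 389 and cannot be affected by the domain controllers' certificates) is worth turning into a repeatable check. The following Python script is an added example of mine, not code from the thread, OTRS or Znuny. It parses a Config.pm fragment modelled on the one posted above (hosts, DNs and the password are placeholders; the customer-auth block is changed to `ldaps://` and the customer-user block to port 636 so that every outcome appears) and reports, per LDAP backend, whether Net::LDAP would negotiate TLS there and whether the bind password would travel in cleartext. It relies on two Net::LDAP facts: TLS is only used for an `ldaps://` host URI or `scheme => 'ldaps'`, so a bare hostname with `port => 636` is plain LDAP aimed at the LDAPS port; StartTLS is a separate method call that is not visible in these settings and is therefore not modelled.

```python
"""Audit the LDAP backends of an OTRS/Znuny Kernel/Config.pm fragment:
per backend, host/port, whether Net::LDAP would use TLS (i.e. whether the
backend depends on the DC certificate at all) and cleartext bind passwords."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the thread's config; hosts, DNs and the
# password are placeholders, two blocks are altered to show every outcome.
SAMPLE_CONFIG = r"""
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ads1.example.lan';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrssearcher,cn=users,dc=example,dc=lan';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'XXXXXXX';
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,    # plaintext LDAP
    version => 3,
};
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ads1.example.lan';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'XXXXXXX';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldaps://ads1.example.lan';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'XXXXXXX';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port => 636,
    version => 3,
};
$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host => 'ads1.example.lan',
        UserDN => 'cn=otrssearcher,cn=users,dc=example,dc=lan',
        UserPw => 'XXXXXXX',
        Params => {
            port => 636,    # LDAPS port, but no ldaps:// scheme
        },
    },
};
"""


@dataclass
class LdapBackend:
    name: str
    host: str = ""
    port: Optional[int] = None
    scheme: str = ""
    has_bind_password: bool = False

    def uses_tls(self) -> bool:
        # Net::LDAP negotiates TLS only for an ldaps:// URI or scheme => 'ldaps';
        # a bare host with port => 636 is plain LDAP aimed at the LDAPS port.
        return self.host.lower().startswith("ldaps://") or self.scheme == "ldaps"


ASSIGN_RE = re.compile(r"^\s*\$Self->\{'?(?P<key>[\w:]+)'?\}\s*=\s*(?P<value>.*?)\s*;?\s*$")
PAIR_RE = re.compile(r"^\s*(?P<k>\w+)\s*=>\s*(?P<v>'[^']*'|[\w.]+)\s*,?\s*$")


def _apply(backend: LdapBackend, field: str, value: str) -> None:
    value, f = value.strip().strip("'"), field.lower()
    if f == "host":
        backend.host = value
    elif f == "port" and value.isdigit():
        backend.port = int(value)
    elif f == "scheme":
        backend.scheme = value.lower()
    elif f in ("searchuserpw", "userpw"):
        backend.has_bind_password = bool(value)


def parse_backends(config_text: str) -> dict:
    """Collect host/port/credential facts per LDAP backend section."""
    backends, current = {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]   # drop trailing Perl comments (no '#' inside values assumed)
        m = ASSIGN_RE.match(line)
        if m:
            key = m.group("key")
            prefix, _, field = key.rpartition("::")
            if key == "CustomerUser":          # whole hash; its fields follow as k => v pairs
                prefix, field = key, ""
            if prefix != "CustomerUser" and not prefix.endswith("LDAP"):
                current = None                 # e.g. $Self->{'AuthModule'} itself
                continue
            current = backends.setdefault(prefix, LdapBackend(prefix))
            _apply(current, field, m.group("value"))
            continue
        m = PAIR_RE.match(line)
        if m and current is not None:          # k => v line inside a Params/CustomerUser block
            _apply(current, m.group("k"), m.group("v"))
    return backends


def audit_config(config_text: str) -> dict:
    """Return {backend: {host, port, tls, risk, note}} for every LDAP backend with a host."""
    report = {}
    for b in parse_backends(config_text).values():
        if not b.host:
            continue
        tls = b.uses_tls()
        port = b.port if b.port is not None else (636 if tls else 389)
        if tls:
            risk, note = "ok", "encrypted; this backend does depend on the DC certificate"
        elif port == 636:
            risk, note = "error", "plain LDAP to the LDAPS port; use an ldaps:// host or scheme => 'ldaps'"
        elif b.has_bind_password:
            risk, note = "high", "bind password sent in cleartext; a DC certificate change cannot affect it"
        else:
            risk, note = "medium", "cleartext LDAP; a DC certificate change cannot affect it"
        report[b.name] = {"host": b.host, "port": port, "tls": tls, "risk": risk, "note": note}
    return report


if __name__ == "__main__":
    for name, r in audit_config(SAMPLE_CONFIG).items():
        print(f"{name:26} {r['host']}:{r['port']}  tls={r['tls']}  {r['risk']}: {r['note']}")
```

Run against the sample, the two agent backends come out as cleartext binds on 389 (so the certificate swap is not the cause, exactly Roy's point, but the search account's password crosses the wire unencrypted), the customer-auth block comes out as the only one that actually depends on the DC certificate, and the customer-user block is flagged because port 636 without the `ldaps://` scheme would make Net::LDAP speak plain LDAP to the TLS port.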
- Znuny newbie
- Posts: 8
- Joined: 26 Nov 2019, 16:07
- Znuny Version: 6.0.7
- Real Name: Glenz
- Company: Nikolauspflege
- Administrator
- Posts: 4251
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: LDAP Sync broken after DC certificate change
Hi,
Increase MinimumLogLevel (SysConfig) to debug and check the OTRS log.
- Roy
- Znuny newbie
- Posts: 8
- Joined: 26 Nov 2019, 16:07
- Znuny Version: 6.0.7
- Real Name: Glenz
- Company: Nikolauspflege
Re: LDAP Sync broken after DC certificate change
My boss just told me that we will get an OTRS upgrade done by an external contractor; we'll see if that already fixes the problem.
The OTRS support couldn't find any information about the problem either.
Thanks for your help anyway, Roy!
- Znuny newbie
- Posts: 8
- Joined: 26 Nov 2019, 16:07
- Znuny Version: 6.0.7
- Real Name: Glenz
- Company: Nikolauspflege
Re: LDAP Sync broken after DC certificate change
Thanks, Roy, for helping me test the synchronisation process.
The problem was that the user had not logged in to OTRS to trigger the sync of his user account.