Error logging in using AD as LDAP

Moderator: crythias

karlb
Znuny newbie
Posts: 7
Joined: 16 Feb 2011, 16:40
Znuny Version: 3.0.5

Error logging in using AD as LDAP

Post by karlb »

I have one user that cannot log in to the customer site. When he does, I get this error in the logs:
CustomerUser: radera (CN=Andy Rader,OU=Users,OU=Claims,OU=GMIC,DC=heartland-ins,DC=com) authentication failed: '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772' (REMOTE_ADDR: 10.10.30.99).

No one else is having this issue, and we've been using this setup for several months with no issues.
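The quoted message is the domain controller's reply to the LDAP bind, and the `data 52e` sub-code is the part that says why AD refused it. As an added example (not code from this thread or from OTRS), the Python below parses that log line shape together with the `No auth record in 'customer_user'` message that appears later in the thread, decodes the AD sub-code into its documented meaning, and counts bind failures per remote address so a run of failures can be spotted. The sample lines, logins, DNs and addresses are constructed placeholders, not the thread's own values.

```python
import re
from collections import Counter

# Well-known sub-codes that Active Directory reports in the "data NNN" field of an
# LDAP bind failure (hex, exactly as they appear in the AcceptSecurityContext text).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password; for simple binds AD also returns "
           "this when the bind identity does not resolve, so it does not by itself "
           "distinguish a bad password from an unknown account)",
    "530": "logon not permitted at this time of day",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

# The two message shapes from the thread: the LDAP backend's bind failure, and the
# DB backend's "no auth record" message that follows when the LDAP module did not
# accept the login and OTRS fell through to the next Customer::AuthModule slot.
BIND_FAIL_RE = re.compile(
    r"CustomerUser: (?P<login>\S+) \((?P<dn>[^)]*)\) authentication failed: "
    r"'(?P<ldap_error>[^']*)' \(REMOTE_ADDR: (?P<addr>[^)]+)\)"
)
DB_NOREC_RE = re.compile(
    r"CustomerUser: No auth record in 'customer_user' for '(?P<login>[^']+)' "
    r"\(REMOTE_ADDR: (?P<addr>[^)]+)\)"
)
DATA_CODE_RE = re.compile(r"\bdata (?P<code>[0-9a-fA-F]{3})\b")


def parse_line(line):
    """Return a dict describing one OTRS customer-auth log line, or None if the
    line is neither of the two shapes above."""
    m = BIND_FAIL_RE.search(line)
    if m:
        code_m = DATA_CODE_RE.search(m.group("ldap_error"))
        code = code_m.group("code").lower() if code_m else None
        return {
            "kind": "ldap_bind_failed",
            "login": m.group("login"),
            "dn": m.group("dn"),
            "addr": m.group("addr"),
            "data": code,
            "meaning": AD_BIND_DATA_CODES.get(code, "unknown AD sub-code")
            if code else "no AD sub-code in message",
        }
    m = DB_NOREC_RE.search(line)
    if m:
        return {
            "kind": "db_fallthrough",
            "login": m.group("login"),
            "dn": None,
            "addr": m.group("addr"),
            "data": None,
            "meaning": "LDAP module did not accept the login; DB backend has no such user",
        }
    return None


def summarize(lines):
    """Count bind failures per (remote address, AD sub-code). Many 52e from one
    address against many logins is the pattern worth alerting on; one user's
    repeated 52e is more likely a wrong or expired password, and 533/775 describe
    the account's state rather than what the user typed."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == "ldap_bind_failed":
            counts[(rec["addr"], rec["data"])] += 1
    return counts


# Constructed sample lines, shaped like the thread's messages but with placeholder
# logins, DNs, domain and addresses.
SAMPLE_LINES = [
    "CustomerUser: jdoe (CN=Jane Doe,OU=Users,OU=Claims,DC=example,DC=com) "
    "authentication failed: '80090308: LdapErr: DSID-0C0903AA, comment: "
    "AcceptSecurityContext error, data 52e, v1772' (REMOTE_ADDR: 192.0.2.10).",
    "Fri Sep 30 09:34:08 2011 notice OTRS-CGI-10 CustomerUser: No auth record in "
    "'customer_user' for 'jdoe' (REMOTE_ADDR: 192.0.2.10)",
    "CustomerUser: rroe (CN=Rick Roe,OU=Users,DC=example,DC=com) authentication "
    "failed: '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext "
    "error, data 775, v1772' (REMOTE_ADDR: 192.0.2.10).",
    "CustomerUser: jdoe (CN=Jane Doe,OU=Users,OU=Claims,DC=example,DC=com) "
    "authentication failed: '80090308: LdapErr: DSID-0C0903AA, comment: "
    "AcceptSecurityContext error, data 52e, v1772' (REMOTE_ADDR: 192.0.2.10).",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(rec["kind"], rec["login"], rec["data"], "->", rec["meaning"])
    print(summarize(SAMPLE_LINES))
```

The `db_fallthrough` record matters for reading the thread's second log excerpt: the DB backend only complains about a missing `customer_user` row after the LDAP slot has already declined the login, so the two lines together say "LDAP said no, then nothing else could say yes", not that the user is missing from LDAP.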
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Error logging in using AD as LDAP

Post by crythias »

I believe it means that he's not being authenticated at the domain. Either he's not in the group you need him to be or he's trying to be authenticated against a different domain than everyone else. There isn't enough information (Config.pm, please?) to tell you otherwise.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
karlb
Znuny newbie
Posts: 7
Joined: 16 Feb 2011, 16:40
Znuny Version: 3.0.5

Re: Error logging in using AD as LDAP

Post by karlb »

Not sure what you hope to find in this as it is working for 75 other customers.

# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2010 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.23 2010/01/13 22:25:00 martin Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# -->> OTRS does have a lot of config settings. For more settings
# (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
# LDAP, PostMaster, Session, Preferences, ...) see
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --

package Kernel::Config;

sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #

# ---------------------------------------------------- #
# database settings #
# ---------------------------------------------------- #
# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'localhost';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/otrs.CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = '############';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = '/opt/otrs';

# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;

# ---------------------------------------------------- #

# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #
# $DIBI$
$Self->{'DefaultCharset'} = 'utf-8';

# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# LDAP settings #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #

# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'ad1.heartland-ins.com';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=heartland-ins, dc=com';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule1::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=Users,dc=heartland-ins,dc=com';
$Self->{'AuthModule1::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
#$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
$Self->{'AuthModule1::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=ldapsync,CN=users,DC=heartland-ins,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = '############';


# In case you need to use OTRS in iso-charset, you can define this
# by using this option (converts utf-8 data from LDAP to iso).
#$Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

# --------------------------------------------------- #
# authentication sync settings #
# (enable agent data sync. after successful #
# authentication) #
# --------------------------------------------------- #
# This is an example configuration for an LDAP auth sync. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'ad1.heartland-ins.com';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=heartland-ins, dc=com';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=ldapsync,CN=users,DC=heartland-ins,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = '############';

# AuthSyncModule::LDAP::UserSyncMap
# (map if agent should create/synced from LDAP to DB after successful login)
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# In case you need to use OTRS in iso-charset, you can define this
# by using this option (converts utf-8 data from LDAP to iso).
# $Self->{'AuthSyncModule::LDAP::Charset'} = 'iso-8859-1';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
# $Self->{'AuthSyncModule::LDAP::Params'} = {
# port => 389,
# timeout => 120,
# async => 0,
# version => 3,
# };


#Enable LDAP authentication for Customers / Users
$Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host2'} = 'ad1.heartland-ins.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'dc=heartland-ins, dc=com';
$Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';

#The following is valid but would only be necessary if the
#anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'CN=ldapsync,CN=users,DC=heartland-ins,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = '############';

#CustomerUser
#(customer user database backend and settings)
$Self->{CustomerUser} = {
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'ad1.heartland-ins.com',
BaseDN => 'dc=heartland-ins, dc=com',
SSCOPE => 'sub',
UserDN =>'CN=ldapsync,CN=users,DC=heartland-ins,DC=com',
UserPw => '############',
},
# customer unique id
CustomerKey => 'sAMAccountName',
# customer #
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};
#Add the following lines when only users are allowed to login if they reside in the specified security group
#Remove these lines if you want to provide login to all users specified in the User Base DN
#example: $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=BaseOU, dc=example, dc=com';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRS_cust,CN=Users,DC=heartland-ins,DC=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS_cust,cn=users,dc=heartland-ins,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# Die if backend can't work, e. g. can't connect to server.
# $Self->{'AuthSyncModule::LDAP::Die'} = 1;

# Die if backend can't work, e. g. can't connect to server.
# $Self->{'AuthModule::LDAP::Die'} = 1;


# ---------------------------------------------------- #
# #
# End of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this) #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.23 $)[1];

use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

# -----------------------------------------------------#

1;
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Error logging in using AD as LDAP

Post by crythias »


$Self->{'AuthModule1::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=Users,dc=heartland-ins,dc=com';
$Self->{'AuthModule1::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule1::LDAP::UserAttr'} = 'DN';
should all have the 1 at the end.

I suspected you had multiple AuthModules and the user is attempting to auth against a different one.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Error logging in using AD as LDAP

Post by crythias »


$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRS_cust,CN=Users,DC=heartland-ins,DC=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS_cust,cn=users,dc=heartland-ins,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
There is no reason to duplicate these entries. The second group overwrites the first group.
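Both of crythias's points above (the slot number belongs at the end of each `::LDAP::` key, and a key assigned twice keeps only its last value) follow from how the OTRS LDAP backends build their keys: prefix, then key name, then the slot number of the `AuthModule`/`Customer::AuthModule` entry they belong to, so `AuthModule1::LDAP::GroupDN` is never looked up and a suffix-less `Customer::AuthModule::LDAP::GroupDN` belongs to the default slot, not to slot 2. As an added example (not code from the thread or from OTRS), this Python lint reads `$Self->{...} = ...;` lines, works out which slots hold an LDAP module, and reports misplaced slot numbers, keys no LDAP slot will read, and duplicate assignments. The sample config is a constructed copy of the thread's structure with a placeholder domain; the function names are this example's own.

```python
import re
from collections import defaultdict

# One `$Self->{'Key'} = value;` or `$Self->{Key} = value;` line (comments skipped).
ASSIGN_RE = re.compile(r"^\s*\$Self->\{'?(?P<key>[\w:]+)'?\}\s*=\s*(?P<value>.*)$")
# Module slot keys: AuthModule, AuthModule1, Customer::AuthModule2, AuthSyncModule1 ...
MODULE_RE = re.compile(
    r"^(?P<prefix>Customer::AuthModule|AuthSyncModule|AuthModule)(?P<count>\d*)$"
)
# LDAP keys: <prefix>[misplaced digits]::LDAP::<Name>[slot digits]
LDAP_KEY_RE = re.compile(
    r"^(?P<prefix>Customer::AuthModule|AuthSyncModule|AuthModule)(?P<misplaced>\d*)"
    r"::LDAP::(?P<name>[A-Za-z]+)(?P<count>\d*)$"
)


def parse_assignments(text):
    """Return (key, value, line_no) for every uncommented $Self->{...} = ... line."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            out.append((m.group("key"), m.group("value").strip(), n))
    return out


def lint_ldap_keys(text):
    """Return sorted (line_no, key, problem) findings for a Config.pm fragment."""
    assignments = parse_assignments(text)
    findings = []

    # 1. Which slots hold an LDAP module? Slot '' is the default slot, whose module
    #    comes from Defaults.pm (the DB backend) unless Config.pm overrides it.
    ldap_slots = defaultdict(set)
    for key, value, n in assignments:
        m = MODULE_RE.match(key)
        if m and "::LDAP'" in value:
            ldap_slots[m.group("prefix")].add(m.group("count"))

    # 2. Every ::LDAP:: key must end in the slot number of an LDAP module.
    seen = defaultdict(list)
    for key, value, n in assignments:
        seen[key].append(n)
        m = LDAP_KEY_RE.match(key)
        if not m:
            continue
        prefix, misplaced, name, count = m.group("prefix", "misplaced", "name", "count")
        if misplaced:
            findings.append((n, key, "slot number in the wrong place; the backend "
                             f"reads '{prefix}::LDAP::{name}{misplaced}'"))
        elif count not in ldap_slots[prefix]:
            slot = f"slot '{count}'" if count else "the default slot (DB backend unless overridden)"
            findings.append((n, key, f"no LDAP module in {slot}, so this key is never read"))

    # 3. The same key assigned twice: Perl keeps the last value, the earlier one is dead.
    for key, lines in seen.items():
        if len(lines) > 1:
            findings.append((lines[-1], key, f"assigned {len(lines)} times (lines {lines}); "
                             "the last assignment wins"))
    return sorted(findings)


# Constructed sample: the thread's key layout with a placeholder domain.
SAMPLE_CONFIG = r"""
$Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'ad1.example.com';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=example,dc=com';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthModule1::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=Users,dc=example,dc=com';
$Self->{'AuthModule1::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule1::LDAP::UserAttr'} = 'DN';
$Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host2'} = 'ad1.example.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRS_cust,CN=Users,DC=example,DC=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS_cust,cn=users,dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
"""

# The same fragment with every key carrying its slot number and no duplicates.
FIXED_CONFIG = r"""
$Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'ad1.example.com';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=example,dc=com';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN1'} = 'cn=OTRS_Agents,ou=Users,dc=example,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
$Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host2'} = 'ad1.example.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::GroupDN2'} = 'CN=OTRS_cust,CN=Users,DC=example,DC=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr2'} = 'memberUid';
$Self->{'Customer::AuthModule::LDAP::UserAttr2'} = 'DN';
"""

if __name__ == "__main__":
    for line_no, key, problem in lint_ldap_keys(SAMPLE_CONFIG):
        print(f"line {line_no}: {key}: {problem}")
    print("fixed config findings:", lint_ldap_keys(FIXED_CONFIG))
```

The security-relevant consequence of a never-read `GroupDN` key is silent: the LDAP slot runs without any group restriction at all, so the lint treats "never read" as a finding rather than a warning.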
karlb
Znuny newbie
Posts: 7
Joined: 16 Feb 2011, 16:40
Znuny Version: 3.0.5

Re: Error logging in using AD as LDAP

Post by karlb »

No joy. Getting these errors:

CustomerUser: radera (CN=Andy Rader,OU=Users,OU=Claims,OU=GMIC,DC=heartland-ins,DC=com) authentication failed: '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772' (REMOTE_ADDR: x.x.x.x).

Fri Sep 30 09:34:08 2011 notice OTRS-CGI-10 CustomerUser: No auth record in 'customer_user' for 'radera' (REMOTE_ADDR: x.x.x.x)
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Error logging in using AD as LDAP

Post by crythias »

Is he not a member of OTRS_cust in active directory?
karlb
Znuny newbie
Posts: 7
Joined: 16 Feb 2011, 16:40
Znuny Version: 3.0.5

Re: Error logging in using AD as LDAP

Post by karlb »

Yes, he is. There has to be something I'm missing here.
karlb
Znuny newbie
Posts: 7
Joined: 16 Feb 2011, 16:40
Znuny Version: 3.0.5

Re: Error logging in using AD as LDAP

Post by karlb »

This might be a long shot, but would moving a user from one OU to another cause this? This user was moved in August because of a job change. He does not use the system often, so it could be the date of origin I'm looking for to help root out the problem.

Thanks.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Error logging in using AD as LDAP

Post by crythias »

Yes, that's likely the problem. You should check his LDAP OU.
karlb
Znuny newbie
Posts: 7
Joined: 16 Feb 2011, 16:40
Znuny Version: 3.0.5

Re: Error logging in using AD as LDAP

Post by karlb »

That's troubling. He changed departments, so he has to be in a different OU. Just need to figure out how to fix this and keep in compliance with policies.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Error logging in using AD as LDAP

Post by crythias »

Your options are to add an additional ldap for the other OU or make a larger OU GroupDN (closer to all users) then use a filter for the Groups/OUs you want.
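The two options crythias lists (a second LDAP backend scoped to the other OU, or one wide BaseDN with the group membership check as the gate) come down to the two lookups the LDAP backend performs before it ever binds as the user: a search under `BaseDN` for `UID=login` to find the user's DN, then, when `GroupDN` is set, a check that the group's `AccessAttr` lists the user's login or DN according to `UserAttr`. As an added example (not code from the thread or from OTRS), the Python below models those two steps over a small constructed in-memory directory, so the effect of a narrow versus a wide `BaseDN`, and of a user who has been moved between OUs, can be seen directly. One caveat a practitioner should know when reading the thread's config: AD's own group objects store membership in `member` as full DNs, and `memberUid` exists on an AD group only where the posixGroup schema extension populates it, which the `POSIX_STYLE` config below illustrates. Directory contents, logins and function names are this example's own.

```python
# Constructed in-memory directory: DN -> attributes (every value is a list, as in
# LDAP). Rick Roe has been moved from OU=Claims to OU=Sales; because AD's `member`
# is a linked attribute, the group already lists his new DN.
DIRECTORY = {
    "CN=Jane Doe,OU=Users,OU=Claims,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["jdoe"],
    },
    "CN=Rick Roe,OU=Users,OU=Sales,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["rroe"],
    },
    "CN=Tom Smith,OU=Users,OU=Claims,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["tsmith"],
    },
    "CN=OTRS_cust,CN=Users,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [
            "CN=Jane Doe,OU=Users,OU=Claims,DC=example,DC=com",
            "CN=Rick Roe,OU=Users,OU=Sales,DC=example,DC=com",
        ],
        # no memberUid: a plain AD group does not carry posixGroup attributes
    },
}


def normalize(dn):
    """Canonical form for DN comparison: strip spaces after commas, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_in_subtree(dn, base):
    n, b = normalize(dn), normalize(base)
    return n == b or n.endswith("," + b)


def find_user_dn(directory, base_dn, uid_attr, login):
    """Step 1: search the BaseDN subtree for (uid_attr=login); one hit required."""
    hits = [dn for dn, attrs in directory.items()
            if dn_in_subtree(dn, base_dn)
            and login.lower() in (v.lower() for v in attrs.get(uid_attr, []))]
    return hits[0] if len(hits) == 1 else None


def group_allows(directory, group_dn, access_attr, user_attr, login, user_dn):
    """Step 2: does the group entry's access_attr list the user (as DN or as login)?"""
    group = next((a for dn, a in directory.items()
                  if normalize(dn) == normalize(group_dn)), None)
    if group is None:
        return False
    if user_attr == "DN":
        return any(normalize(v) == normalize(user_dn) for v in group.get(access_attr, []))
    return any(v.lower() == login.lower() for v in group.get(access_attr, []))


def check_login(cfg, login, directory=DIRECTORY):
    """Return (allowed, detail) for the lookups that precede the user bind."""
    user_dn = find_user_dn(directory, cfg["BaseDN"], cfg["UID"], login)
    if user_dn is None:
        return False, f"no unique {cfg['UID']}={login} under {cfg['BaseDN']}"
    if cfg.get("GroupDN") and not group_allows(
            directory, cfg["GroupDN"], cfg["AccessAttr"], cfg["UserAttr"], login, user_dn):
        return False, f"{user_dn} not listed in {cfg['AccessAttr']} of {cfg['GroupDN']}"
    # The real backend now binds as user_dn with the supplied password; a refusal
    # at that point is what the thread's "data 52e" message reports.
    return True, user_dn


GROUP = "CN=OTRS_cust,CN=Users,DC=example,DC=com"
# Narrow base: only one OU is searched, so a moved user is simply not found.
NARROW_BASE = {"BaseDN": "OU=Users,OU=Claims,DC=example,DC=com", "UID": "sAMAccountName",
               "GroupDN": GROUP, "AccessAttr": "member", "UserAttr": "DN"}
# Wide base plus group gate: any OU is searched, the group decides who may log in.
WIDE_BASE = {"BaseDN": "dc=example, dc=com", "UID": "sAMAccountName",
             "GroupDN": GROUP, "AccessAttr": "member", "UserAttr": "DN"}
# Wide base with the posixGroup-style check from the thread's config.
POSIX_STYLE = {"BaseDN": "dc=example, dc=com", "UID": "sAMAccountName",
               "GroupDN": GROUP, "AccessAttr": "memberUid", "UserAttr": "UID"}

if __name__ == "__main__":
    for name, cfg in (("NARROW_BASE", NARROW_BASE), ("WIDE_BASE", WIDE_BASE),
                      ("POSIX_STYLE", POSIX_STYLE)):
        for login in ("jdoe", "rroe", "tsmith"):
            print(name, login, check_login(cfg, login))
```

With `NARROW_BASE`, `rroe` fails at step 1 even though the group still lists him; with `WIDE_BASE` he passes and `tsmith`, who is under the old OU but not in the group, is refused at step 2. `POSIX_STYLE` refuses everyone against this directory because the AD group has no `memberUid` values to match, which is the kind of silent deny that is easy to mistake for a credential problem.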
karlb
Znuny newbie
Posts: 7
Joined: 16 Feb 2011, 16:40
Znuny Version: 3.0.5

Re: Error logging in using AD as LDAP

Post by karlb »

Just wanted to say thank you and let you know what finally worked. The section of code where you pointed out duplicate entries now looks like this:

$Self->{'Customer::AuthModule::LDAP::GroupDN1'} = 'CN=OTRS_cust,CN=Users,DC=heartland-ins,DC=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'memberUid';
$Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'UID';
#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS_cust,cn=users,dc=heartland-ins,dc=com';
#$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'DN';

Once I made that little change, commenting out the duplicate lines and adding a '1' to the others, everything started working again.

Thank you for helping me with this problem.