LDAP Customer auth fails, but agent auth/sync works

Moderator: crythias

nickbernhardt
Znuny newbie
Posts: 2
Joined: 25 Oct 2011, 23:31
Znuny Version: 3.0.11
Real Name: Nick Bernhardt
Company: Landmark Coop

LDAP Customer auth fails, but agent auth/sync works

Post by nickbernhardt »

I'm about at my wits' end.

I've got LDAP auth and sync working for Agents. This is against a 2008R2 Domain (functional level is 2008 R2).

Further, I have LDAP based customer sync/import working, so I know that my LDAP configuration is correct (in other words, if I look at the customer management list, all my domain users show up there).

So, keeping that in mind, I am coming up totally dry on Customer auth.

I've pulled the config straight from the manual: http://doc.otrs.org/3.0/en/html/auth-ba ... h-backends

Here's my config.pm, at least the relevant portion:


    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #         Start of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #
    # DatabaseHost
    # (The database host.)
    $Self->{'DatabaseHost'} = 'localhost';
    # Database
    # (The database name.)
    $Self->{'Database'} = 'otrs';
    # DatabaseUser
    # (The database user.)
    $Self->{'DatabaseUser'} = 'otrs';
    # DatabasePw
    # (The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords.)
    $Self->{'DatabasePw'} = 'hot';
    # DatabaseDSN
    # (The database DSN for MySQL ==> more: "man DBD::mysql")
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

    # (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a tcpip connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$
    $Self->{'DefaultCharset'} = 'utf-8';


############################ start agent auth against LDAP
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '172.16.x.x';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Accounts,dc=mydomain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=user-OTRSAdmin,OU=OTRS,OU=Security,OU=Groups,dc=mydomain,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OT RS,OU=Service,OU=Accounts,dc=mydomain,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '*********';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
##################### end agent auth against LDAP

##################### agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.x.x';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=mydomain,dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OT RS,OU=Service,OU=Accounts,dc=mydomain,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '*********';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};


# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

####################### end agent data sync against ldap

######################## Customer user authentication against an LDAP backend

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '172.16.x.x';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Accounts,dc=mydomain,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=user-OTRS,OU=OTRS,OU=Security,OU=Groups,dc=mydomain,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'sAMAccountName';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OT RS,OU=Service,OU=Accounts,dc=mydomain,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '*********';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
######################## End Customer user authentication against an LDAP backend


######################## Customer user information from an LDAP backend
# (customer ldap backend and settings)
$Self->{CustomerUser} = {
    Name => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => '172.16.x.x',
        # ldap base dn
        BaseDN => 'OU=Standard,OU=Accounts,dc=mydomain,dc=com',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'CN=OT RS,OU=Service,OU=Accounts,dc=mydomain,dc=com',
        UserPw => '*********',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '',
        # if both your frontend and your LDAP are unicode, use this:
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
        # if your frontend is unicode and the charset of your
        # ldap server is iso-8859-1, use these options.
        # SourceCharset => 'iso-8859-1',
        # DestCharset => 'utf-8',
        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            port => 389,
            timeout => 120,
            async => 0,
            version => 3,
        },
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
#    CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
#    # cache time to live in sec. - cache any database queries
#    CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'sAMAccountName',  0, 1, 'var', '', 0 ],
#        [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};

######################## End Customer user information from an LDAP backend


What am I missing?!

My logs are really weird, because I'm seeing it fail to authenticate against LDAP for agent authentication, but it doesn't even look like it's trying to use LDAP for customer auth.

For example, if I try to login with my user: nick.bernhardt


Tue Oct 25 16:06:13 2011 	error 	OTRS-CGI-10 	No UserID found for 'nick.bernhardt'!
Tue Oct 25 16:06:13 2011 	notice 	OTRS-CGI-10 	User: nick.bernhardt authentication failed, no LDAP group entry foundGroupDN='CN=user-OTRSAdmin,OU=OTRS,OU=Security,OU=Groups,DC=mydomain,DC=com', Filter='(member=CN=Nick Bernhardt,OU=Information Technology,OU=Administration,OU=Standard,OU=Accounts,DC=mydomain,DC=com)'! (REMOTE_ADDR: 172.17.x.x).
It's like it isn't even trying to find the user in LDAP. What's even stranger is that if I look at the customer list, nick.bernhardt is in that list, so it's clearly not looking against the LDAP-imported customer list, and instead trying to query the local database for the user.

Is the documentation correct, or has the customer authmodule changed to something else, and it just wasn't reflected in the docs?
OTRS 3.0.11 running on Centos 6.0 with mysql as DB. VM it's running on is new as of 05Oct2011 so all the software should be current. Connecting to 2008 R2 Active directory (functional level 2008 R2, none of that functional level 2003 crap).
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: LDAP Customer auth fails, but agent auth/sync works

Post by crythias »


Tue Oct 25 16:06:13 2011    error    OTRS-CGI-10    No UserID found for 'nick.bernhardt'!
Tue Oct 25 16:06:13 2011    notice    OTRS-CGI-10    User: nick.bernhardt authentication failed, no LDAP group entry foundGroupDN='CN=user-OTRSAdmin,OU=OTRS,OU=Security,OU=Groups,DC=mydomain,DC=com', Filter='(member=CN=Nick Bernhardt,OU=Information Technology,OU=Administration,OU=Standard,OU=Accounts,DC=mydomain,DC=com)'! (REMOTE_ADDR: 172.17.x.x).
seems it's trying to authenticate from


$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=user-OTRSAdmin,OU=OTRS,OU=Security,OU=Groups,dc=mydomain,dc=com';
No LDAP group entry means either the group doesn't exist or the user isn't a member of the group.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
nickbernhardt
Znuny newbie
Posts: 2
Joined: 25 Oct 2011, 23:31
Znuny Version: 3.0.11
Real Name: Nick Bernhardt
Company: Landmark Coop

Re: LDAP Customer auth fails, but agent auth/sync works

Post by nickbernhardt »

Thing is, it should fail against the CN=user-OTRSAdmin group, because the nick.bernhardt account is not a member of that group. It is, however, a member of the user-OTRS group, which is what the Customer::AuthModule::LDAP is configured to use:


$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=user-OTRS,OU=OTRS,OU=Security,OU=Groups,dc=mydomain,dc=com';
I've verified that the nick.bernhardt user is a member of it, and the group DN is copied straight out of the attribute tab in AD (plus I can manually query LDAP against that DN and come back with nick.bernhardt being a member).

If it was failing to auth against the customer group in AD, I would expect an error to read something like this:


Tue Oct 25 16:06:13 2011    notice    OTRS-CGI-10    User: nick.bernhardt authentication failed, no LDAP group entry foundGroupDN='CN=user-OTRS,OU=OTRS,OU=Security,OU=Groups,DC=mydomain,DC=com', Filter='(member=CN=Nick Bernhardt,OU=Information Technology,OU=Administration,OU=Standard,OU=Accounts,DC=mydomain,DC=com)'! (REMOTE_ADDR: 172.17.x.x).
So, this is what brings me back to my hypothesis that the Customer::AuthModule::LDAP isn't even being invoked or OTRS isn't even attempting to use LDAP for customer authentication.

Further, if I look at the security log on my DC, I'd expect to see two logons by the otrs user, one for each attempted LDAP query, but instead I see only one. Even when I change the user that the customer Auth module is using to login to LDAP to another user which I know works, it still doesn't even hit the AD server or create an audit success/failure. Always just the one logon to query LDAP.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: LDAP Customer auth fails, but agent auth/sync works

Post by crythias »

customer.pl authenticates customers. index.pl authenticates users/agents. I typed that before then deleted it because I thought I read that this person was a user (agent).
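The resolution above turns on which frontend the login hit: index.pl checks the agent backend's AuthModule::LDAP::GroupDN, customer.pl checks Customer::AuthModule::LDAP::GroupDN, and the GroupDN quoted in the "no LDAP group entry found" notice tells you which one ran. The following triage script is an added example, not code from this thread or from OTRS/Znuny: it reads the two GroupDN settings out of a Config.pm fragment, parses the notice lines, and reports which backend (and therefore which frontend) produced each failure. The config fragment and log lines embedded in it are constructed from the lines posted in this thread. The filter builder reproduces the shape of the Filter='(member=<user DN>)' value shown in the log and applies RFC 4515 escaping to the DN; whether OTRS 3.0 itself escapes the DN is not shown on this page, so treat that part as an assumption.

```python
"""Triage helper for OTRS 'no LDAP group entry found' notices (added example)."""
import re

# Constructed sample: the two GroupDN assignments as they appear in Config.pm.
SAMPLE_CONFIG = """
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=user-OTRSAdmin,OU=OTRS,OU=Security,OU=Groups,dc=mydomain,dc=com';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=user-OTRS,OU=OTRS,OU=Security,OU=Groups,dc=mydomain,dc=com';
"""

# Constructed sample log lines, tab-separated like the OTRS system log.
SAMPLE_LOG = (
    "Tue Oct 25 16:06:13 2011\terror\tOTRS-CGI-10\tNo UserID found for 'nick.bernhardt'!\n"
    "Tue Oct 25 16:06:13 2011\tnotice\tOTRS-CGI-10\tUser: nick.bernhardt authentication failed, "
    "no LDAP group entry foundGroupDN='CN=user-OTRSAdmin,OU=OTRS,OU=Security,OU=Groups,DC=mydomain,DC=com', "
    "Filter='(member=CN=Nick Bernhardt,OU=Information Technology,OU=Administration,OU=Standard,"
    "OU=Accounts,DC=mydomain,DC=com)'! (REMOTE_ADDR: 172.17.x.x).\n"
)

# Matches $Self->{'AuthModule::LDAP::GroupDN'} and the Customer:: variant.
CONFIG_RE = re.compile(
    r"\$Self->\{'((?:Customer::)?AuthModule::LDAP::GroupDN)'\}\s*=\s*'([^']*)';"
)
# Matches the notice OTRS writes when the group-membership search returns nothing.
NOTICE_RE = re.compile(
    r"User: (\S+) authentication failed, no LDAP group entry found\s*"
    r"GroupDN='([^']*)', Filter='([^']*)'"
)


def normalize_dn(dn):
    """Lower-case each RDN and strip surrounding whitespace so that
    'dc=mydomain' and 'DC=mydomain' compare equal (AD treats both
    attribute types and these values case-insensitively)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_group_dns(config_text):
    """Return {setting name: GroupDN} for the agent and customer settings."""
    return dict(CONFIG_RE.findall(config_text))


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter.
    A DN containing '(' or '*' would otherwise change the filter's meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_member_filter(user_dn):
    """Membership filter of the shape the log shows for AccessAttr 'member'
    with the full user DN (escaping added here as an assumption)."""
    return "(member=%s)" % escape_filter_value(user_dn)


def triage(config_text, log_text):
    """For every 'no LDAP group entry found' notice, report which backend's
    GroupDN the login was checked against and hence which frontend ran."""
    groups = {normalize_dn(dn): name for name, dn in parse_group_dns(config_text).items()}
    results = []
    for line in log_text.splitlines():
        m = NOTICE_RE.search(line)
        if not m:
            continue
        user, group_dn, filt = m.groups()
        setting = groups.get(normalize_dn(group_dn), "unknown setting")
        if setting.startswith("Customer::"):
            frontend = "customer.pl (customer login)"
        elif setting.startswith("AuthModule"):
            frontend = "index.pl (agent login)"
        else:
            frontend = "unknown frontend"
        results.append({"user": user, "setting": setting, "frontend": frontend, "filter": filt})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_CONFIG, SAMPLE_LOG):
        print("%s was checked against %s -> %s" % (r["user"], r["setting"], r["frontend"]))
```

Run on the thread's own lines this reports that nick.bernhardt was checked against AuthModule::LDAP::GroupDN, i.e. the agent backend behind index.pl, which is exactly why the customer GroupDN never appeared in the log and only one bind showed up in the DC's security log.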