LDAP login containing the character '\'



Post by vitalijs »

Hi all! And sorry for my English :-)
Maybe someone can help me? I am setting up a backend for AD (LDAP).
My company DOMAIN is divided into subdomains (DOMAIN.COM -> SUBDOMAIN1.DOMAIN.COM, SUBDOMAIN2.DOMAIN.COM).
Standard authorization to Windows applications comes down to specifying the user and subdomain (as SUBDOMAIN1\mylogin, SUBDOMAIN2\mylogin).
However, in AD only the username (sAMAccountName) is stored as the login in the user data. If you use the default backend settings for OTRS, it uses just sAMAccountName as the login. This option does not meet the requirements because sAMAccountName is unique only within the subdomain.
To solve the problem, a field 'uid' was added in LDAP. For all users we place in this field an identifier like SubDomainName\sAMAccountName (users have become accustomed to this kind of authorization). The user is authenticated in the system all right, but the backend sync does not work!

Auth message:

    "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."
Log message:

    [Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: subdomain\test (CN=Test T Test ,OU=TT,OU=CC,DC=domain,DC=com) authentication ok (REMOTE_ADDR: 127.0.0.1).
    [Error][Kernel::System::CustomerUser::SetPreferences][493] No such user 'subdomain\test'!

My Config.pm sync section:

    # Customer user backend: customer data is read from AD over LDAP
    $Self->{CustomerUser} = {
        Name   => 'LDAP Source',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host          => 'ad.domain.com',
            BaseDN        => 'DC=domain, DC=com',
            SSCOPE        => 'sub',
            UserDN        => 'CN=Ldap,CN=Users,DC=domain,DC=com',    # bind account used for lookups
            UserPw        => '***',
            AlwaysFilter  => '(objectclass=user)',
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
            # connection options passed through to Net::LDAP
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        # LDAP attribute used as the unique customer user key (the login)
        CustomerKey => 'uid',
        CustomerID  => 'userPrincipalName',
        CustomerUserListFields             => ['uid', 'cn', 'userPrincipalName'],
        CustomerUserSearchFields           => ['uid', 'cn', 'userPrincipalName'],
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => ['givenname', 'sn'],
        Map => [
            # [ internal name, label, LDAP attribute, shown, required, storage type ]
            [ 'UserFirstname',  'Firstname',  'givenname', 1, 1, 'var' ],
            [ 'UserLastname',   'Lastname',   'sn',        1, 1, 'var' ],
            [ 'UserLogin',      'Login',      'uid',       1, 1, 'var' ],
            [ 'UserEmail',      'Email',      'mail',      1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'uid',       0, 1, 'var' ],
        ],
    };

Re: LDAP without sAMAccountname

Post by crythias »

Your options:
1) Don't include a basedn if you expect users to include it
2) Use multiple back ends for all subdomains (probably the best idea)
3) Try username@subdomain.domain.com as login.

Re: LDAP without sAMAccountname

Post by vitalijs »

crythias, thanks for the answer! But... sorry, you misunderstood my problem.
The problem is not the number of subdomains.
Everything works fine as long as 'uid' is not used as the identifier (login).
If we replace 'uid' in Config.pm with 'sAMAccountname' or 'PrincipalName', everything works fine.

It does not work:

    CustomerKey => 'uid',
    CustomerID  => 'userPrincipalName',
    CustomerUserListFields             => ['uid', 'cn', 'userPrincipalName'],
    CustomerUserSearchFields           => ['uid', 'cn', 'userPrincipalName'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        [ 'UserFirstname',  'Firstname',  'givenname', 1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',        1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'uid',       1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',      1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'uid',       0, 1, 'var' ],
    ],
It works perfectly:

    CustomerKey => 'sAMAccountname',
    CustomerID  => 'userPrincipalName',
    CustomerUserListFields             => ['sAMAccountname', 'cn', 'userPrincipalName'],
    CustomerUserSearchFields           => ['sAMAccountname', 'cn', 'userPrincipalName'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountname', 1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'sAMAccountname', 0, 1, 'var' ],
    ],
I think I found the problem. The problem is the delimiter '\'. If a different character like '@' is used as the delimiter, everything works.
Please tell me, can I make it so that the 'Login' can contain a '\'? It is very important.
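The backslash the thread stumbles on is a reserved character in LDAP search filters: RFC 4515 requires `\`, `*`, `(`, `)` and NUL inside an assertion value to be written as a backslash plus two hex digits, so a login such as `subdomain\test` must appear in a filter as `(uid=subdomain\5ctest)`, while `test@subdomain.domain.com` needs no escaping at all, which matches the observation above that '@' works. The page does not show how OTRS 3.0.11 builds its lookup filter, so the following is not a diagnosis of that code; it is an added example, not from the thread or the OTRS project, showing what correct RFC 4515 escaping looks like, how to recognise a value that is unsafe to interpolate, and why the same escaping also neutralises a filter-injection attempt. All function names and the sample logins are constructed for the example.

```python
import re

# RFC 4515 section 3: these characters may not appear literally inside an
# assertion value; each is written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# A syntactically valid RFC 4515 assertion value: ordinary characters, where
# every backslash is followed by exactly two hex digits.
_VALID_VALUE = re.compile(r"(?:[^*()\\\x00]|\\[0-9A-Fa-f]{2})*")


def escape_filter_value(value: str) -> str:
    """Escape a user-controlled string so it can be placed inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(escaped: str) -> str:
    """Reverse escape_filter_value(); rejects malformed escapes such as '\\te'."""
    out = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] != "\\":
            out += escaped[i].encode("utf-8")
            i += 1
            continue
        hexpair = escaped[i + 1:i + 3]
        if len(hexpair) != 2 or not re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
            raise ValueError(f"malformed escape at offset {i}: {escaped[i:i + 3]!r}")
        out.append(int(hexpair, 16))
        i += 3
    return out.decode("utf-8")


def is_valid_assertion_value(raw: str) -> bool:
    """True if raw can be interpolated into a filter as-is without changing its meaning."""
    return _VALID_VALUE.fullmatch(raw) is not None


def build_equality_filter(attribute: str, value: str) -> str:
    """Build (attribute=value) with the value properly escaped."""
    return f"({attribute}={escape_filter_value(value)})"


def naive_equality_filter(attribute: str, value: str) -> str:
    """Interpolate without escaping; shown only for contrast with the safe builder."""
    return f"({attribute}={value})"


def compare_logins(logins):
    """For each login, return the naive filter, whether that is valid RFC 4515,
    and the escaped filter a correct lookup would send."""
    return [
        {
            "login": login,
            "naive": naive_equality_filter("uid", login),
            "naive_is_valid": is_valid_assertion_value(login),
            "escaped": build_equality_filter("uid", login),
        }
        for login in logins
    ]


if __name__ == "__main__":
    # Constructed sample logins: the thread's backslash form, the '@' form the
    # thread says works, and a filter-injection attempt that escaping defuses.
    samples = [r"subdomain\test", "test@subdomain.domain.com", "*)(objectClass=*"]
    for row in compare_logins(samples):
        print(row)
```

`subdomain\test` interpolated raw gives `(uid=subdomain\test)`, where `\te` is not a legal escape, so the filter is malformed and the entry is not found; escaped it becomes `(uid=subdomain\5ctest)` and matches the stored value. Perl's Net::LDAP::Util ships an `escape_filter_value` function for the same purpose. Note that escaping inside a distinguished name (RFC 4514) follows different rules than escaping inside a filter, so a value that is correct in one context is not automatically correct in the other.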