OTRS 3.1 with LDAP issues

Romaing
Znuny newbie
Posts: 60
Joined: 30 Mar 2012, 15:20
Znuny Version: 3.1.5

OTRS 3.1 with LDAP issues

Post by Romaing »

Hello,

I'm trying to use the Active Directory database to connect with OTRS, which doesn't result in anything so far...
Not trying anything fancy, just a simple logon against the AD, following the manual: http://doc.otrs.org/3.1/en/html/auth-backends.html

user.log just gives me "No UserID found for 'Person X'!" First bind failed! 80090308: LdapErr: DSID-0C0903A9

And with this config, I can't connect to OTRS with the agents and customers that I previously created manually in the webadmin panel, so at least something is happening...

Obviously I replaced the sensitive parts (like I'm not trying to log in with 'company' as dc :))

#----------LDAP--------#
#----------AGENT---------#

# This is an example configuration for an LDAP auth. backend.
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'AD.company.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=company,dc=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=X,OU=X,OU=Y,dc=company,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';

# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=X,OU=X,OU=Y,dc=company,dc=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'X';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

#-----------------CUSTOMER--------------#

# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'AD.company.local';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=company,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=X,OU=X,OU=Z,dc=company,dc=local';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';

# for ldap posixGroups objectclass (just uid)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=X,OU=X,OU=Z,dc=company,dc=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'X';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
Last edited by Romaing on 18 Apr 2012, 10:02, edited 6 times in total.
OTRS 3.1.5 on Ubuntu 12.04
Database: MySQL
Module: FAQ

Re: OTRS 3.1 with LDAP "no user id found"

Post by Romaing »

Up, I edited the first post.

Really don't know how to solve this...
kevinlawry
Znuny newbie
Posts: 6
Joined: 16 Apr 2012, 15:48
Znuny Version: 3.1.3
Real Name: Kevin Lawry
Company: National Friendly

Re: OTRS 3.1 with LDAP "no user id found"

Post by kevinlawry »

I can suggest some of the things I needed to do having just gone through this pain

set the lines


$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=X,OU=X,OU=Y,dc=company,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
to


$Self->{'AuthModule::LDAP::GroupDN'} = '';
$Self->{'AuthModule::LDAP::AccessAttr'} = '';
This will seem stupid - but just to be sure


$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=X,OU=X,OU=Y,dc=company,dc=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'X';
must have a valid user CN and password for a user on your domain. I know you said you did, but just check for typos. I also make sure the CN and the DC are in upper case; I haven't checked here, but I have found in the past that some LDAP can be case sensitive when talking to Microsoft AD.

The error you are getting is I believe an authentication error, so I would concentrate on the search user (check you didn't lock it out when testing, I've been there)


Good luck, let us know how you get on

Regards

Kevin

Re: OTRS 3.1 with LDAP "no user id found"

Post by Romaing »

kevinlawry wrote: I can suggest some of the things I needed to do having just gone through this pain

set the lines


$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=X,OU=X,OU=Y,dc=company,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
to


$Self->{'AuthModule::LDAP::GroupDN'} = '';
$Self->{'AuthModule::LDAP::AccessAttr'} = '';

Good luck, let us know how you get on

Regards
Kevin
THIS

I want to kiss you so bad right now, too bad kevin isn't a girl name :lol:

I can log on as an agent now, that's on my personal vmware test install.

Tried the same thing on the office install, and get a "First bind failed! 80090308: LdapErr: DSID-0C0903A9", but my motivation gauge is replenished :]
At least, I finally got a connection... Was on this since yesterday.

Re: OTRS 3.1 with LDAP "no user id found"

Post by kevinlawry »

Well done

I found it tricky to get right as well - took me a day or so to get the LDAP working. Just googled your error message, and this page looked worth a look - different error messages linked to causes

http://social.technet.microsoft.com/For ... 347052ed8b

Let me know if you get things working

Kevin

ps Left that link in, but once I had time to look more closely it wasn't as good as I thought - sorry - this one is better I think

http://php4u.co.uk/2010/07/active-direc ... one-place/

Re: OTRS 3.1 with LDAP "no user id found"

Post by Romaing »

Thanks a lot for your help.

By the way, any chance you could explain to me why emptying the 2 lines for "AuthModule::LDAP::SearchUserDN" and "AuthModule::LDAP::AccessAttr" solved my issues?

I wouldn't want it to become some kind of security issue.

Actually the complete error log is:
First bind failed! 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0#000
Google searches did not help so far; it seems something must be wrong with Search User DN or Password, but those values have been checked more than once, I can tell you...
Also tried writing CN, DC, etc. in caps but no change.

Re: OTRS 3.1 with LDAP "no user id found"

Post by kevinlawry »

As far as I understand it, they are used to restrict the number of results returned by the AD search: the 1st line restricts the results to the group whose CN you have included, and the 2nd restricts it to users with the attribute you named. Both would have zero members with the values you tried: the first was the CN of a user, so no members; the 2nd is an attribute not found in AD by default.

So if my understanding is correct, no security risk.

It does look as if you have an authentication problem. I remember a problem I had authenticating from a batch file when my clever password included a &; that is of course a control character in batch files and never got passed. You may have a similar issue where your password contains a reserved character (I don't know what would constitute reserved in this context). I would try replacing the password on your test account with something more code safe; numbers, letters and - signs would be as far as I would push it for testing.

It is worth reminding the world that the account that does the AD query needs no other rights on the network, just a bog standard user with no group memberships. I have one dedicated to the purpose.

Have a go, see what happens

Kevin
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: OTRS 3.1 with LDAP "no user id found"

Post by ferrosti »

In Microsoft Active Directories one should limit reading capabilities of AD information to certain users. This is what the SearchUserDN and PWD is for. In case everybody is allowed to read your AD information (which I hope is disabled) you won't need this user.
A 'First bind failed' is the error message that comes up when the SearchUser is not allowed to either login or read the path you point it to. Also make sure you have entered the SearchUserDN, not only the user!
Use another tool to read AD information using this user, to try whether it works at all. I am sure it does not with the same parms.

The base DN limits all searches, as well as the login user, to this path, since it is applied to all LDAP based parameters.

The LDAP search itself is not limited unless you have defined some filter, which I suggest you do. At least filter for 'users' as in $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems

Re: OTRS 3.1 with LDAP issues

Post by Romaing »

For the 'First bind failed' error I'm gonna drop the issue right now because I'm a trainee in the company, and the IT guys will take a look if there is some rule in the firewall preventing the connection.
Thanks for the explanation.

I also haven't managed to log on with a customer. I used to have errors, but after emptying the same lines as Kevin pointed out for agent logon I get this now:
[Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: Maximus (CN=Max,OU=companyXY,OU=Z,DC=company,DC=local) authentication ok (REMOTE_ADDR: 192.168.1.1).
[Error][Kernel::System::CustomerUser::SetPreferences][Line:504]: No such user 'Maximus'!
This customer exists though, I have no problem logging in with him on a Windows 7 connected to the domain (that's all on my personal vmware install).

My config.pm for clients is like this right now:
########-------------CLIENTS----------------#######

# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ad.company.local';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=company,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = '';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = '';
# for ldap posixGroups objectclass (just uid)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS SEARCH,CN=Users,DC=company,DC=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

########-----------------------------------########
One last thing, what is the point of the web page Framework -> Frontend::Customer::Auth?
Am I supposed to copy paste the settings from config.pm to there also? I really don't understand the logic with this thing...

For example, a google search gave me this: viewtopic.php?f=62&t=10210
"You need to copy the code from Defaults.pm to Config.pm. (Never change Defaults.pm) There is no way to do this in the frontend"
What does he mean by "no way to do this in the frontend"?

Lots of questions I know, but I just can't figure out these things :/

Best regards,
Romain

Re: OTRS 3.1 with LDAP issues

Post by ferrosti »

You are not able to set up authentication and authorization settings in SysConfig, that's all about it. Therefore one should copy the 'code' from defaults.pm to config.pm that is needed for your needs. You need to adjust it in config.pm then.

Authentication OK, but 'No such user' means that the user is authenticated, but not known to OTRS. This is due to the fact that customers who login need to be entered into OTRS's database. In the defaults.pm you should look at the authentication part where it comes to AuthSync, which will automatically import unknown users.

Re: OTRS 3.1 with LDAP issues

Post by Romaing »

Well I managed to make it work, after finding this thread: viewtopic.php?f=61&t=8377

The client part of the config.pm looks like this:
It's only once I've added the last part (starting with "$Self->{CustomerUser} = {") that OTRS recognized the LDAP backend.

I got an otrs user at the root of the Users folder in the AD and the "BaseDN => 'OU=X,OU=Y,DC=company,DC=local'," is the OU where the users are located.
########-------------CLIENTS----------------#######

# Configuration for a LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ad.company.local';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=company,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
#------------

#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = '';
#$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = '';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs,CN=Users,DC=company,DC=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'secret';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
#-------------
#-------------


$Self->{CustomerUser} = {
    Name   => 'LDAP Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'ad.company.local',
        BaseDN => 'OU=X,OU=Y,DC=company,DC=local',
        SSCOPE => 'sub',
        UserDN => 'CN=otrs,CN=Users,DC=company,DC=local',
        UserPw => 'secret',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'sAMAccountName',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var' ],
    ],
};

Re: OTRS 3.1 with LDAP issues

Post by Romaing »

Argh !

I finally managed to make it work against the company LDAP, so all the staff from the country just appeared on the client list, except that it shows everything: the computers, servers, groups, etc... :shock: :shock:

How do you manage to filter users without using groups?
I thought that was the point of this line: $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)'; :? (which doesn't do anything for me)

[edit]: just tried this:
http://www.experts-exchange.com/Softwar ... 75022.html

Added the line $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'; into my config.pm but it didn't do anything.

======================================

[friday morning edit]

Finally managed what seems to be a working filter: :D

In the Config.pm add this filter:

Code: Select all

$Self->{CustomerUser} = {
    Name   => 'LDAP Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        (other stuff)
        AlwaysFilter => '(&(objectclass=user)(!(objectClass=Computer)))',
Now OTRS only lists the users, and leaves out the groups and computers. And that's without having any otrs users group in the AD.
Using only the (objectclass=user) filter still displayed the computers.

[edit 2]
Actually without the disabled accounts, it's even better :]


AlwaysFilter => '(&(objectclass=user)(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
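Why `(objectclass=user)` on its own still listed computers, and what the `:1.2.840.113556.1.4.803:` clause in the final filter does, can be checked offline. This is an added example, not code from the thread or from OTRS: a small evaluator for the filter subset used above, run over constructed entries whose objectClass chains mirror AD's (a computer object also carries the `user` class) and whose userAccountControl values are made up for the demonstration.

```python
"""Evaluate the AD filters from this thread against constructed entries (added example)."""

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # the matching-rule OID used in the thread's filter

# Constructed sample entries, not real directory data. The objectClass lists follow AD's
# class inheritance: a computer object carries 'user' too, which is why (objectclass=user)
# alone listed computers. userAccountControl 514 = 512 | 0x2 (ACCOUNTDISABLE).
ENTRIES = {
    "alice":    {"objectClass": ["top", "person", "organizationalPerson", "user"],
                 "userAccountControl": ["512"]},
    "bob":      {"objectClass": ["top", "person", "organizationalPerson", "user"],
                 "userAccountControl": ["514"]},
    "srv01$":   {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
                 "userAccountControl": ["4096"]},
    "helpdesk": {"objectClass": ["top", "group"]},
}

def parse(s, i=0):
    """Parse the filter subset on this page: (&...), (!...), (attr=value), (attr:OID:=value).
    Returns (node, index just after the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] == "&":
        i, kids = i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return ("and", kids), i + 1
    if s[i] == "!":
        node, i = parse(s, i + 1)
        return ("not", node), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    rule = None
    if ":" in attr:                      # extensible match: attr:OID:=value
        attr, rule, _ = attr.split(":")
    return ("cmp", attr, rule, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attribute -> list of values)."""
    if node[0] == "and":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "not":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    # LDAP attribute names are case-insensitive: objectclass and objectClass are the same.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if rule == BIT_AND_RULE:
        # True when every bit set in the filter value is also set in the attribute.
        return any(int(v) & int(value) == int(value) for v in values)
    return any(v.lower() == value.lower() for v in values)

def select(filter_str, entries=ENTRIES):
    """Names of the entries the filter admits, i.e. what the customer list would show."""
    tree, _ = parse(filter_str)
    return sorted(name for name, e in entries.items() if matches(tree, e))
```

Running the three filters from the thread over these entries shows the progression the posts describe: the first admits the computer, the second drops it, and the third also drops the disabled account. Note that the filter which finally worked in the thread was placed in the CustomerUser backend's Params, not in Customer::AuthModule::LDAP::AlwaysFilter, which only affects the login check.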