Sync Customer LDAP


Sayannara
Znuny advanced
Posts: 118
Joined: 22 May 2012, 12:37
Znuny Version: OTRS 7.06
Real Name: Yann
Company: FVE

Sync Customer LDAP

Post by Sayannara »

hi,

I have been trying to configure OTRS 3.x to synchronize with LDAP for many days on a Windows computer.

In my otrs.log I'm getting this:

Code:

[Error][Kernel::System::CustomerUser::LDAP::CustomerUserDataGet][614] 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1

I'm able to log in as an agent via LDAP

Code:

    # configuration for using an MS AD backend
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'feto1s011.fednet.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=fednet,dc=local';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRSAdmin,OU=IT TEST,OU=Groupes,OU=Corp,DC=fednet,DC=local';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Search,CN=Users,DC=fednet,DC=local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'myPass';

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'feto1s011.fednet.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=fednet, dc=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Search,CN=Users,DC=fednet,DC=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'myPass';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
but not to sync customers.

Code:

    # CustomerUser
    # (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
        Name => 'LDAP FVE',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'feto1s011.fednet.local',
            # ldap base dn
            #BaseDN => 'ou=sv,o=epfl,c=ch',
            BaseDN => 'dc=fednet, dc=local',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => '',
            UserPw => '',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            AlwaysFilter => '',
            # if your frontend is e. g. iso-8859-1 and the charset of your
            # ldap server is utf-8, use these options (if not, ignore them)
            SourceCharset => 'utf-8',
            DestCharset => 'iso-8859-1',
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port => 389,
                timeout => 120,
                async => 0,
                version => 3,
            },
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
            [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
            #[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
            #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
            #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
        ],
    };
Of course I had a look at http://doc.otrs.org/3.1/en/html/custome ... ckend-ldap and viewtopic.php?f=81&t=10744

What's the field for a successful bind on the connection? Any suggestions about this error?
PLEASE help me.

Thank you
Centos 7 / OTRS::ITSM 6 Business Solutions / MariaDB / Apache
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Sync Customer LDAP

Post by crythias »

viewtopic.php?f=60&t=16543

First, AuthSync is for agents, not customers.
Second, successful bind is credentials:

Code:

            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => '',
            UserPw => '',
Third, CustomerUser is data, not authentication.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
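The AD diagnostic string in the first post, and the bind requirement crythias points to, can be read off mechanically. The following is an added example and is not code from this thread or from OTRS/Znuny: a small stdlib-only Python parser for otrs.log lines that carry an Active Directory "LdapErr" string. It extracts the Windows error code and the "data" sub-code and maps them to a likely cause and the CustomerUser setting to look at. The first sample line is the one from the post (bold markers removed); the second is a constructed invalid-credentials bind failure in the same format; the sub-code table is from Microsoft's documented AD bind error values. Regex shapes, the `Diagnosis` structure and the fix texts are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample otrs.log excerpt. Line 1 is the error from the forum post
# (BBCode bold markers removed); line 2 is a constructed bind failure in the
# same AD format; line 3 is a constructed non-error line that must be ignored.
SAMPLE_LOG = """\
[Error][Kernel::System::CustomerUser::LDAP::CustomerUserDataGet][614] 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
[Error][Kernel::System::CustomerUser::LDAP::CustomerUserDataGet][614] 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
[Notice][Kernel::System::CustomerUser::LDAP::CustomerUserDataGet][300] customer data loaded
"""

# otrs.log prefix: [Level][Module][SourceLine] message
OTRS_LINE = re.compile(
    r'^\[(?P<level>\w+)\]\[(?P<module>[^\]]+)\]\[(?P<srcline>\d+)\]\s*(?P<msg>.*)$'
)
# AD diagnostic message: <win32 code>: LdapErr: DSID-<id>, comment: <text>, data <subcode>, v<version>
AD_ERR = re.compile(
    r'(?P<code>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), '
    r'comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>\w+)'
)

# Windows error codes AD puts in the first field of the diagnostic string.
ERROR_NOT_AUTHENTICATED = '000004DC'   # 1244: operation attempted on an unbound connection
SEC_E_INVALID_TOKEN = '80090308'       # bind (AcceptSecurityContext) was rejected

# AD 'data' sub-codes that accompany a rejected simple bind (LDAP resultCode 49).
AD_BIND_SUBCODES = {
    '525': 'user not found',
    '52e': 'invalid credentials (wrong password for the bind DN)',
    '530': 'not permitted to log on at this time',
    '531': 'not permitted to log on from this workstation',
    '532': 'password expired',
    '533': 'account disabled',
    '701': 'account expired',
    '773': 'user must reset password',
    '775': 'account locked out',
}


@dataclass
class Diagnosis:
    level: str
    module: str
    code: str      # Windows error code, upper-case hex
    data: str      # AD sub-code, lower-case hex
    comment: str   # verbatim AD comment text
    cause: str
    fix: str


def parse_line(line: str) -> Optional[dict]:
    """Split an otrs.log line into its [level][module][line] prefix and message."""
    m = OTRS_LINE.match(line.strip())
    return m.groupdict() if m else None


def parse_ad_error(msg: str) -> Optional[dict]:
    """Pull code, DSID, comment and 'data' sub-code out of an AD LdapErr message."""
    m = AD_ERR.search(msg)
    return m.groupdict() if m else None


def diagnose(line: str) -> Optional[Diagnosis]:
    """Return a Diagnosis for a log line carrying an AD error, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    err = parse_ad_error(rec['msg'])
    if err is None:
        return None
    code, data = err['code'].upper(), err['data'].lower()
    if code == ERROR_NOT_AUTHENTICATED:
        # AD refused a search on a connection that never bound: anonymous access is off.
        cause = 'search attempted without a bind; this AD does not allow anonymous reads'
        fix = ('set UserDN and UserPw in the CustomerUser Params to a real account '
               '(the same search account used for AuthModule::LDAP::SearchUserDN works)')
    elif code == SEC_E_INVALID_TOKEN and data in AD_BIND_SUBCODES:
        # The configured bind DN/password was rejected; the sub-code says why.
        cause = 'bind as the configured UserDN was rejected: ' + AD_BIND_SUBCODES[data]
        fix = 'check UserDN/UserPw and the state of that account in AD'
    else:
        cause = 'unrecognised AD error %s (data %s)' % (code, data)
        fix = 'look up the Windows error code and the data sub-code'
    return Diagnosis(rec['level'], rec['module'], code, data, err['comment'], cause, fix)


def scan(log_text: str) -> List[Diagnosis]:
    """Diagnose every line of an otrs.log excerpt, skipping lines without an AD error."""
    return [d for d in (diagnose(l) for l in log_text.splitlines()) if d is not None]


if __name__ == '__main__':
    for d in scan(SAMPLE_LOG):
        print('%s %s data=%s\n  cause: %s\n  fix:   %s' % (d.level, d.code, d.data, d.cause, d.fix))
```

Run it against a real otrs.log excerpt by replacing `SAMPLE_LOG` with the file contents; the first line of the post's log decodes to the unauthenticated-search case, which is exactly the empty `UserDN`/`UserPw` pair crythias quotes.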
Sayannara
Znuny advanced
Posts: 118
Joined: 22 May 2012, 12:37
Znuny Version: OTRS 7.06
Real Name: Yann
Company: FVE

Re: Sync Customer LDAP

Post by Sayannara »

Thank you a lot Crythias for your reply.

Actually, I added the authSync part to show how I get agents connected via LDAP. Users in the company do have read access to the LDAP tree. So if I understood, UserDN => '' and UserPw => '' are not necessary in my situation. I know that I add credentials in the authSync part, but I don't think it's useful.
Note that Active Directory by default needs a SearchUser and SearchPw for every bind. (A bind is simply the authority/permission to perform a search)
I'll try this!
Centos 7 / OTRS::ITSM 6 Business Solutions / MariaDB / Apache
Sayannara
Znuny advanced
Posts: 118
Joined: 22 May 2012, 12:37
Znuny Version: OTRS 7.06
Real Name: Yann
Company: FVE

Re: Sync Customer LDAP

Post by Sayannara »

Well, yes, it works with
UserDN => '',
UserPw => '',
OK, I don't have all the users, but it's now really better. I can now continue to work.
Centos 7 / OTRS::ITSM 6 Business Solutions / MariaDB / Apache