LDAP: First bind failed! I/O Error Connection reset by peer

Moderator: crythias

otrssk
Znuny newbie
Posts: 21
Joined: 09 Jan 2013, 20:37
Znuny Version: 5.0.1
Real Name: OTRS SK User

LDAP: First bind failed! I/O Error Connection reset by peer

Post by otrssk »

Cannot authenticate using secure LDAP connection to Active Directory (MS WinSrv 2008 R2).

Client OS: Centos 6.3 x64
OTRS: 3.1.12

Errors:

First bind failed! I/O Error Connection reset by peer
No UserID found for 'johndoe'!
/var/log/httpd/error_log (debug enabled in LDAP.pm):

Net::LDAP=HASH(0x7fd812650970) sending:
0000   65: SEQUENCE {
0002    1:   INTEGER = 3
0005   60:   [APPLICATION 0] {
0007    1:     INTEGER = 3
000A   45:     STRING = 'CN=LDAP browse user,OU=Users,DC=domain,DC=tld'
0039    8:     [CONTEXT 0]
003B     :       70 34 58 76 30 69 6F 6B __ __ __ __ __ __ __ __ password
0043     :   }
0043     : }
ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Fri Jan 25 15:20:34 2013

 Message: First bind failed! I/O Error Connection reset by peer

 Traceback (2513):
   Module: Kernel::System::Auth::LDAP::Auth (v1.60.2.1) Line: 187
   Module: Kernel::System::Auth::Auth (v1.56) Line: 189
   Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
   Module: (eval) (v1.90) Line: 204
   Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
   Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
   Module: ModPerl::Registry::handler (v1.99) Line: 31

ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Fri Jan 25 15:20:34 2013

 Message: No UserID found for 'johndoe'!

 Traceback (2513):
   Module: Kernel::System::User::UserLookup (v1.121) Line: 797
   Module: Kernel::System::Auth::Auth (v1.56) Line: 244
   Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
   Module: (eval) (v1.90) Line: 204
   Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
   Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
   Module: ModPerl::Registry::handler (v1.99) Line: 31
/opt/otrs/Kernel/Config.pm

    # This is an example configuration for using an MS AD backend
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'dc.domain.tld';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=staff,ou=Users,dc=domain,dc=tld';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_agents,ou=staff,ou=Users,dc=domain,dc=tld';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=LDAP browse user,ou=Users,dc=domain,dc=tld';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 636,
        timeout => 120,
        async => 0,
        version => 3,
    };

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'dc.domain.tld';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'ou=staff,ou=Users,dc=domain,dc=tld';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=LDAP browse user,ou=Users,dc=domain,dc=tld';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
AD hierarchy:

Users [ou]
|
+--LDAP browse user (user)
|
+--staff (ou)
   |
   +--OTRS_agents (group)
   |
   +--johndoe (user)
This command works just fine:

ldapsearch -ZZZ -x -h dc.domain.tld -b "ou=staff,ou=Users,dc=domain,dc=tld" -D "cn=LDAP browse user,ou=Users,dc=domain,dc=tld" -w password
Among other things it outputs these values: numResponses: 299 and numEntries: 298.
So ldapsearch can connect to AD but OTRS can't.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: LDAP: First bind failed! I/O Error Connection reset by p

Post by crythias »

First bind failed! I/O Error Connection reset by peer
port => 636,

ldapsearch -ZZZ -x -h dc.domain.tld -b "ou=staff,ou=Users,dc=domain,dc=tld" -D "cn=LDAP browse user,ou=Users,dc=domain,dc=tld" -w password
how does ldap search know it's port 636? usually it's port 389...
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
otrssk

Re: LDAP: First bind failed! I/O Error Connection reset by p

Post by otrssk »

If I use port 389 I'll get error:

Message: First bind failed! 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1.
otrssk

Re: LDAP: First bind failed! I/O Error Connection reset by p

Post by otrssk »

crythias wrote:how does ldap search know it's port 636? usually it's port 389...
Yes, you're right, it does not know.
I've tried to invoke ldapsearch with the argument -p 636 along with -ZZZ and it failed. Apparently I've misunderstood the whole thing about SSL and TLS.

I have to set up OTRS to use LDAP over TLS.
crythias

Re: LDAP: First bind failed! I/O Error Connection reset by p

Post by crythias »

try adding start_tls in your Params location
http://search.cpan.org/~marschap/perl-l ... #start_tls
otrssk

Re: LDAP: First bind failed! I/O Error Connection reset by p

Post by otrssk »

crythias wrote:try adding start_tls in your Params location
Perl is not my cup of tea, to be honest. Params are parameters of new() method/constructor. start_tls() is method too.
otrssk

Re: LDAP: First bind failed! I/O Error Connection reset by p

Post by otrssk »

This should be documented in manual or FAQ.

$Self->{'AuthModule::LDAP::Host'} = 'ldaps://dc.domain.tld';

$Self->{'AuthModule::LDAP::Params'} = {
        port => 636,
        timeout => 120,
        async => 0,
        version => 3,
        verify => 'none',
};

$Self->{'AuthSyncModule::LDAP::Host'} = 'ldaps://dc.domain.tld';
Don't forget to grant root privileges to a user (root@localhost won't be able to log in).

SELECT id, login FROM users;
INSERT INTO group_user(user_id, group_id, permission_key, permission_value) VALUES (id_of_some_user, 2, 'rw', 1);
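A stand-alone check of the bind and lookup that OTRS performs, added here as an example that is not from the thread or from OTRS itself. It connects either over LDAPS on 636, as in the fix above, or over 389 followed by start_tls as crythias suggested, binds with the SearchUserDN, resolves the login to a DN under BaseDN and checks the GroupDN membership, so a failing bind can be diagnosed outside mod_perl. Unlike the fix above it keeps certificate verification on: verify => 'require' with an assumed CA file path (/etc/pki/tls/certs/ad-ca.pem, the AD CA certificate exported from the domain); verify => 'none' makes any certificate acceptable, so the bind password is sent to whatever answers on 636. Hostnames, DNs and the password are the ones posted in the thread. One more thing worth noting from the first post: the Net::LDAP debug dump writes the SearchUserPw bytes into error_log, so turn debug off again and clean that log once the problem is solved.

```perl
#!/usr/bin/perl
# Added example, not OTRS code: mirror the bind + lookup done by
# Kernel::System::Auth::LDAP from the command line.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Values from the thread; cafile is an assumption (exported AD CA certificate).
my $host     = 'dc.domain.tld';
my $mode     = $ARGV[0] // 'ldaps';          # 'ldaps' (636) or 'starttls' (389)
my $login    = $ARGV[1] // 'johndoe';
my $cafile   = '/etc/pki/tls/certs/ad-ca.pem';
my $bind_dn  = 'cn=LDAP browse user,ou=Users,dc=domain,dc=tld';
my $bind_pw  = 'password';
my $base_dn  = 'ou=staff,ou=Users,dc=domain,dc=tld';
my $uid_attr = 'sAMAccountName';
my $group_dn = 'cn=OTRS_agents,ou=staff,ou=Users,dc=domain,dc=tld';

# Verify the DC's certificate against our CA instead of verify => 'none'.
my %tls = (verify => 'require', cafile => $cafile);

my $ldap;
if ($mode eq 'ldaps') {
    # LDAPS: TLS is negotiated before the first LDAP PDU
    # (what Host => 'ldaps://...' plus port => 636 does in Config.pm).
    $ldap = Net::LDAP->new("ldaps://$host", port => 636, timeout => 10,
                           version => 3, %tls)
        or die "connect to ldaps://$host:636 failed: $@\n";
}
elsif ($mode eq 'starttls') {
    # Plain 389, then StartTLS: the same thing ldapsearch -ZZ does, and why
    # AD answers error 00002028 when a simple bind arrives without TLS.
    $ldap = Net::LDAP->new($host, port => 389, timeout => 10, version => 3)
        or die "connect to $host:389 failed: $@\n";
    my $tls = $ldap->start_tls(%tls);
    die "StartTLS failed: " . $tls->error . "\n" if $tls->code;
}
else {
    die "usage: $0 ldaps|starttls [login]\n";
}

# "First bind": authenticate as the browse user.
my $bind = $ldap->bind($bind_dn, password => $bind_pw);
die "First bind failed: " . $bind->error . "\n" if $bind->code;

# Resolve the agent's login to a DN under BaseDN, as UID => 'sAMAccountName'.
my $res = $ldap->search(
    base   => $base_dn,
    scope  => 'sub',
    filter => "($uid_attr=" . escape_filter_value($login) . ")",
    attrs  => [$uid_attr],
);
die "search failed: " . $res->error . "\n" if $res->code;
my ($entry) = $res->entries;
die "No entry for '$login' under $base_dn\n" unless $entry;
printf "found %s\n", $entry->dn;

# GroupDN / AccessAttr => 'member' / UserAttr => 'DN' check.
my $grp = $ldap->search(
    base   => $group_dn,
    scope  => 'base',
    filter => '(member=' . escape_filter_value($entry->dn) . ')',
    attrs  => ['cn'],
);
printf "%s %s a member of %s\n", $login,
    ($grp->code == 0 && $grp->count) ? 'is' : 'is NOT', $group_dn;

$ldap->unbind;
```

Run it as `perl ldapcheck.pl ldaps` or `perl ldapcheck.pl starttls johndoe`. If the LDAPS mode dies at the connect step with the CA file in place but succeeds once verify is relaxed, the DC's certificate is the problem (wrong CA, or the hostname in Host does not match the certificate), which is the condition verify => 'none' hides.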
crythias

Re: LDAP: First bind failed! I/O Error Connection reset by p

Post by crythias »

otrssk wrote:Don't forget to grant root privileges to a user (root@localhost won't be able to log in).
or add authentication by ldap as an additional auth source, so db auth still works.
$Self->{'AuthModule::LDAP::Host1'}
$Self->{'AuthModule::LDAP::Params1'}
otrssk

Re: LDAP: First bind failed! I/O Error Connection reset by p

Post by otrssk »

crythias wrote:or add authentication by ldap as an additional auth source, so db auth still works.
So, in the same way I can add another LDAP server for failover setup. Am I right?
crythias

Re: LDAP: First bind failed! I/O Error Connection reset by p

Post by crythias »

otrssk wrote:So, in the same way I can add another LDAP server for failover setup. Am I right?
Yes. Index values are "" and 1-9.
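A Kernel/Config.pm fragment showing what crythias describes, added as an example that is not from the thread or from OTRS: database auth stays backend "" so the local root user keeps working, the AD controller from the thread becomes backend 1, and a second controller becomes backend 2 for failover. Only Host1 and Params1 appear in the thread; the other suffixed key names are assumed to follow the same pattern. The second hostname (dc2.domain.tld) and the CA file path are constructed, and AuthSyncModule settings for the extra backends are left out.

```perl
# Added example config, not from the thread or from OTRS.
# Backend "" (no suffix): OTRS DB, so root@localhost and other DB agents log in.
$Self->{'AuthModule'} = 'Kernel::System::Auth::DB';

# Backend 1: the AD controller from the thread, over LDAPS with verification on.
$Self->{'AuthModule1'}                      = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'}          = 'ldaps://dc.domain.tld';
$Self->{'AuthModule::LDAP::BaseDN1'}        = 'ou=staff,ou=Users,dc=domain,dc=tld';
$Self->{'AuthModule::LDAP::UID1'}           = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN1'}       = 'cn=OTRS_agents,ou=staff,ou=Users,dc=domain,dc=tld';
$Self->{'AuthModule::LDAP::AccessAttr1'}    = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'}      = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN1'}  = 'cn=LDAP browse user,ou=Users,dc=domain,dc=tld';
$Self->{'AuthModule::LDAP::SearchUserPw1'}  = 'password';
$Self->{'AuthModule::LDAP::Params1'} = {
    port    => 636,
    timeout => 120,
    async   => 0,
    version => 3,
    # verify => 'none' accepts any certificate; pin the AD CA instead.
    verify  => 'require',
    cafile  => '/etc/pki/tls/certs/ad-ca.pem',   # assumption: exported AD CA
};

# Backend 2: second controller, same keys with suffix 2 (constructed hostname).
$Self->{'AuthModule2'}                      = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host2'}          = 'ldaps://dc2.domain.tld';
$Self->{'AuthModule::LDAP::BaseDN2'}        = 'ou=staff,ou=Users,dc=domain,dc=tld';
$Self->{'AuthModule::LDAP::UID2'}           = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN2'}       = 'cn=OTRS_agents,ou=staff,ou=Users,dc=domain,dc=tld';
$Self->{'AuthModule::LDAP::AccessAttr2'}    = 'member';
$Self->{'AuthModule::LDAP::UserAttr2'}      = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN2'}  = 'cn=LDAP browse user,ou=Users,dc=domain,dc=tld';
$Self->{'AuthModule::LDAP::SearchUserPw2'}  = 'password';
$Self->{'AuthModule::LDAP::Params2'} = {
    port    => 636,
    timeout => 10,      # short timeout so a dead dc does not stall every login
    async   => 0,
    version => 3,
    verify  => 'require',
    cafile  => '/etc/pki/tls/certs/ad-ca.pem',
};
```

Backends are tried in index order, so a login that fails against the DB falls through to backend 1 and then 2; keep the timeout on each LDAP backend short, otherwise a controller that is down delays every agent login by that many seconds before the next backend is consulted.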