AD/LDAP Problems [SOLVED]

Moderator: crythias

Khris
Znuny newbie
Posts: 18
Joined: 08 Nov 2010, 17:04
Znuny Version: 3.0b6

AD/LDAP Problems [SOLVED]

Post by Khris »

I've got OTRS 3.0b6 configured to authenticate via LDAP with AD. Everything works assuming that the AD username is already listed in the OTRS database. If not, I get the following error in the system log.

Mon Nov 8 07:01:10 2010	notice	OTRS-CGI-10	Panic! No UserData for user: 'ctpadmin'!!!
Mon Nov 8 07:01:10 2010	error	OTRS-CGI-10	No UserID found for 'ctpadmin'!
Mon Nov 8 07:01:10 2010	error	OTRS-CGI-10	No UserID found for 'ctpadmin'!
Mon Nov 8 07:01:10 2010	error	OTRS-CGI-10	Can't create user 'ctpadmin' (CN=Chris T. Phillips Admin,OU=Users,OU=IT,DC=psg,DC=net) in RDBMS!
Mon Nov 8 07:01:10 2010	error	OTRS-CGI-10	Need UserEmail!
Mon Nov 8 07:01:10 2010	notice	OTRS-CGI-10	Panic! No UserData for user: 'ctpadmin'!!!
Mon Nov 8 07:01:10 2010	notice	OTRS-CGI-10	User: ctpadmin (CN=Chris T. Phillips Admin,OU=Users,OU=IT,DC=psg,DC=net) authentication ok (REMOTE_ADDR: 192.168.100.100).

Can anyone make any suggestions as to what I'm missing?

Here are the relevant parts of my Config.pm file.

    # Using MS AD as backend for authentication
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = '192.168.200.32';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=psg,dc=net';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS Agents,ou=OTRS,dc=psg,dc=net';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS LDAP,OU=OTRS,DC=psg,DC=net';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxxxx';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    #$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = '192.168.200.31';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=psg, dc=net';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=OTRS LDAP,ou=OTRS,dc=psg,dc=net';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxxxxx';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenname',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
Last edited by Khris on 08 Nov 2010, 21:31, edited 1 time in total.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: AD/LDAP Problems

Post by crythias »

Auth isn't data. Check the Wiki.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Khris
Znuny newbie
Posts: 18
Joined: 08 Nov 2010, 17:04
Znuny Version: 3.0b6

Re: AD/LDAP Problems

Post by Khris »

Could you please elaborate a little more?
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: AD/LDAP Problems

Post by crythias »

Oops. Right. You probably do need to establish *agents* in your database manually (AD/LDAP won't know anything about permissions or queues in otrs), though the Authentication can be handled by LDAP/AD after.

http://doc.otrs.org/2.4/en/html/x1872.h ... h-backends
Khris
Znuny newbie
Posts: 18
Joined: 08 Nov 2010, 17:04
Znuny Version: 3.0b6

Re: AD/LDAP Problems

Post by Khris »

Shouldn't this section of code automatically add the user to the local OTRS database in the "users" group without any permissions? This is how I'm understanding it.

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = '192.168.200.31';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=psg, dc=net';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=OTRS LDAP,ou=OTRS,dc=psg,dc=net';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxxxxx';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenname',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
Khris
Znuny newbie
Posts: 18
Joined: 08 Nov 2010, 17:04
Znuny Version: 3.0b6

Re: AD/LDAP Problems [SOLVED]

Post by Khris »

Figured out the problem... and now it makes sense, because I've read this answer before.

If you are getting this error message, it means that there is no associated email address in Active Directory that you are trying to access OTRS with. Enter in the email address in AD and you can log right in.
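As an added illustration (not code from this thread or from OTRS), the following Python check reproduces offline what the auth and sync modules configured above need from an AD entry before OTRS can auto-create the agent: a match on sAMAccountName, membership in GroupDN via the member attribute compared by DN, and a non-empty value for every UserSyncMap attribute. The directory entries are constructed sample data; treating all three mapped attributes as mandatory is an assumption based on the required fields of OTRS's UserAdd, of which the thread's log shows only the UserEmail case.

```python
# Values from the thread's Config.pm: UserSyncMap (OTRS field -> AD attribute), GroupDN,
# AccessAttr and UID; DNs are compared the way UserAttr = 'DN' implies (by the user's own DN).
USER_SYNC_MAP = {"UserFirstname": "givenname", "UserLastname": "sn", "UserEmail": "mail"}
GROUP_DN, ACCESS_ATTR, UID_ATTR = "cn=OTRS Agents,ou=OTRS,dc=psg,dc=net", "member", "sAMAccountName"
# Constructed sample entries standing in for AD search results (not a live directory).
DIRECTORY = {
    "CN=Chris T. Phillips Admin,OU=Users,OU=IT,DC=psg,DC=net": {
        "sAMAccountName": ["ctpadmin"], "givenname": ["Chris"], "sn": ["Phillips"],
    },  # no 'mail' attribute: the case behind 'Need UserEmail!' in the thread
    "CN=Jane Doe,OU=Users,OU=IT,DC=psg,DC=net": {
        "sAMAccountName": ["jdoe"], "givenname": ["Jane"], "sn": ["Doe"], "mail": ["jdoe@psg.net"],
    },
    "CN=OTRS Agents,OU=OTRS,DC=psg,DC=net": {
        "member": ["CN=Chris T. Phillips Admin,OU=Users,OU=IT,DC=psg,DC=net",
                   "CN=Jane Doe,OU=Users,OU=IT,DC=psg,DC=net"],
    },
}

def norm_dn(dn):
    # DN matching is case-insensitive and ignores whitespace around the RDN separators
    return ",".join(part.strip() for part in dn.split(",")).lower()

def find_entry(directory, dn):
    return next((a for d, a in directory.items() if norm_dn(d) == norm_dn(dn)), {})

def find_user(directory, login):
    # Mirrors the (sAMAccountName=<login>) search the auth module runs under BaseDN
    for dn, attrs in directory.items():
        if login in attrs.get(UID_ATTR, []):
            return dn, attrs
    return None

def in_group(directory, user_dn, group_dn):
    # UserAttr = 'DN': the user's own DN must be listed in the group's AccessAttr values
    members = {norm_dn(m) for m in find_entry(directory, group_dn).get(ACCESS_ATTR, [])}
    return norm_dn(user_dn) in members

def preflight(directory, login):
    """List what would stop OTRS auto-creating this agent on first login."""
    hit = find_user(directory, login)
    if hit is None:
        return {"ok": False, "dn": None, "problems": ["no entry with %s=%s" % (UID_ATTR, login)]}
    dn, attrs = hit
    problems = []
    if not in_group(directory, dn, GROUP_DN):
        problems.append("%s is not a member of %s (auth would be refused)" % (dn, GROUP_DN))
    for field, ad_attr in USER_SYNC_MAP.items():
        if not attrs.get(ad_attr):  # UserAdd then fails with 'Need <field>!'
            problems.append("AD attribute '%s' is empty -> Need %s!" % (ad_attr, field))
    return {"ok": not problems, "dn": dn, "problems": problems}
```

Running preflight over the accounts in GroupDN before enabling LDAP login surfaces entries that would authenticate but fail at sync, which is exactly the pattern in the log above.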
adininggar
Znuny newbie
Posts: 14
Joined: 25 Feb 2013, 04:35
Znuny Version: 3.1.12
Real Name: Adininggar Khintana
Company: Polman

Re: AD/LDAP Problems [SOLVED]

Post by adininggar »

I have some problem and I can't use this way.
Is there any idea?
Thanks

Adininggar
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: AD/LDAP Problems [SOLVED]

Post by crythias »

Don't hijack 2 year old topics. Create your own and link back to this one. Describe your problem in real English.