[SOLVED] AD Agent group membership.

Moderator: crythias

Locked
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

[SOLVED] AD Agent group membership.

Post by Kris »

Hi again,

I got LDAP working.
However, now all users can log in to the admin area, so I figured I'd create a group 'otrsagent' in AD and put all the techies in there.

I changed my config.pm like this:

Code:

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'dc.mycompany.com';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=mycompany,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrsagent,OU=Users,DC=mycompany,DC=com';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUID';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'user';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

But I can't log in. I get the following error when I try:

Code:

[Thu Mar 28 16:02:39 2013][Error][Kernel::System::Auth::LDAP::Auth][276] Search failed! base='CN=otrsagent,OU=Users,DC=mycompany,DC=com', filter='(memberUID=kthoedt)', 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=mycompany,DC=com'

Am I doing something wrong?
Last edited by Kris on 29 Mar 2013, 13:25, edited 1 time in total.
Version: OTRS 3.2.3 + ITSM
OS: Win XP Pro SP3
DB: MySQL
Webserver: Apache
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: AD Agent group membership.

Post by crythias »

check case memberUID vs memberUid
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Re: AD Agent group membership.

Post by Kris »

Thanks. Still no luck though... :(

Code:

[Fri Mar 29 08:06:48 2013][Error][Kernel::System::Auth::LDAP::Auth][276] Search failed! base='CN=otrsagent,OU=Users,DC=mycompany,DC=com', filter='(memberUid=kthoedt)', 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=mycompany,DC=com'

It's a W2K8 R2 DC btw....
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: AD Agent group membership.

Post by jojo »

Code:

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'dc.mycompany.com';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=mycompany,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrsagent,OU=Users,DC=mycompany,DC=com';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'user';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

If member does not work, use memberof
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Re: AD Agent group membership.

Post by Kris »

Thanks, but still no joy I'm afraid....

Code:

[Fri Mar 29 09:30:10 2013][Error][Kernel::System::Auth::LDAP::Auth][276] Search failed! base='CN=otrsagent,OU=Users,DC=mycompany,DC=com', filter='(memberof=kthoedt)', 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=mycompany,DC=com'

[Fri Mar 29 09:33:12 2013][Error][Kernel::System::Auth::LDAP::Auth][276] Search failed! base='CN=otrsagent,OU=Users,DC=mycompany,DC=com', filter='(memberof=CN=Kris ten Hoedt,OU=ICT,OU=Energieweg,OU=Users,OU=mycompany,DC=mycompany,DC=com)', 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=mycompany,DC=com'

[Fri Mar 29 09:34:47 2013][Error][Kernel::System::Auth::LDAP::Auth][276] Search failed! base='CN=otrsagent,OU=Users,DC=mycompany,DC=com', filter='(member=CN=Kris ten Hoedt,OU=ICT,OU=Energieweg,OU=Users,OU=mycompany,DC=mycompany,DC=com)', 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=mycompany,DC=com'

[Fri Mar 29 09:37:09 2013][Error][Kernel::System::Auth::LDAP::Auth][276] Search failed! base='CN=otrsagent,OU=Users,DC=mycompany,DC=com', filter='(memberUid=CN=Kris ten Hoedt,OU=ICT,OU=Energieweg,OU=Users,OU=mycompany,DC=mycompany,DC=com)', 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=mycompany,DC=com'
mittfran
Znuny newbie
Posts: 9
Joined: 18 Feb 2013, 15:29
Znuny Version: 3.3.7

Re: AD Agent group membership.

Post by mittfran »

$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

check again!

regards mittfran
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Re: AD Agent group membership.

Post by Kris »

Been there, done that...
Still:

Code:

[Fri Mar 29 10:41:31 2013][Error][Kernel::System::Auth::LDAP::Auth][276] Search failed! base='CN=otrsagent,OU=Users,DC=mycompany,DC=com', filter='(member=CN=Kris ten Hoedt,OU=ICT,OU=Energieweg,OU=Users,OU=mycompany,DC=mycompany,DC=com)', 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=mycompany,DC=com'
mittfran
Znuny newbie
Posts: 9
Joined: 18 Feb 2013, 15:29
Znuny Version: 3.3.7

Re: AD Agent group membership.

Post by mittfran »

Either your DN is wrong or you have serious problems with your Active Directory.
Check the group DN if it is correct.

regards mittfran
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Re: AD Agent group membership.

Post by Kris »

DN is copied from adsiedit. No room for typos there.... :-)
I've tried other groups as well, they all give the same result.
Still seems like some syntax thingy to me.

And other than that, I don't think I have any AD issues whatsoever. Well not that I know of anyways hehehe
Kris
Znuny newbie
Posts: 49
Joined: 28 Mar 2013, 13:02
Znuny Version: 3.2.3
Real Name: Kris ten Hoedt
Company: Prominent

Re: [SOLVED] AD Agent group membership.

Post by Kris »

OK, my bad.
It seems I didn't copy the group DN after all. Must have been something else I copied then....

It was like this:
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrsagent,OU=Users,DC=mycompany,DC=com';

But of course "Users" is a default container, not an OU.

So after changing it to
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrsagent,CN=Users,DC=mycompany,DC=com';

all works fine now.

Sorry for being stubborn :oops:

And thanks for reminding me to "read" instead of just "do" :wink:

Just for the records, the section looks like this now:

Code:

    # Enable LDAP lookups for Agent logins. Must be member of "otrsagent" group
    $Self->{'AuthModule'}                                  = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'}                      = 'dc02.mycompany.com';
    $Self->{'AuthModule::LDAP::BaseDN'}                    = 'dc=mycompany,dc=com';
    $Self->{'AuthModule::LDAP::UID'}                       = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::AlwaysFilter'}              = '(objectclass=user)';
    $Self->{'AuthModule::LDAP::GroupDN'}                   = 'CN=otrsagent,CN=Users,DC=mycompany,DC=com';
    $Self->{'AuthModule::LDAP::AccessAttr'}                = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'}                  = 'DN';
    $Self->{'AuthModule::LDAP::SearchUserDN'}              = 'CN=ldap,CN=Users,DC=mycompany,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw'}              = 'password';
Locked
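
A triage helper for the "Search failed!" entries posted in this thread, added here as an example (it is not code from OTRS or from any poster): when AD answers NO_OBJECT and its "best match" is shorter than the search base, the GroupDN itself does not exist and the AccessAttr/UserAttr filter was never evaluated. The function names, the default-container list and the hint wording are assumptions of this example.

```python
import re

# Default AD containers addressed as CN=, not OU= (assumed list for this example).
DEFAULT_CONTAINERS = {"users", "computers", "builtin"}

ENTRY_RE = re.compile(
    r"Search failed! base='(?P<base>[^']*)', filter='(?P<filter>[^']*)', "
    r"(?P<err>.*?)best match of:\s*'(?P<best>[^']*)'",
    re.S,  # the log wraps the best-match DN onto its own line
)

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas, lower-cased for comparison."""
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn) if r.strip()]

def triage(entry):
    """Explain one 'Search failed!' entry from Kernel::System::Auth::LDAP."""
    m = ENTRY_RE.search(entry)
    if not m:
        return None
    base, best = split_dn(m["base"]), split_dn(m["best"])
    result = {"filter": m["filter"], "base_missing": False,
              "unresolved": [], "hints": []}
    if "NO_OBJECT" not in m["err"]:
        return result
    # The server resolved only `best`; the leading RDNs of `base` do not exist.
    if best and len(base) > len(best) and base[-len(best):] == best:
        n = len(base) - len(best)
        result["base_missing"] = True
        result["unresolved"] = base[:n]
        for i in range(n):
            kind, _, name = base[i].partition("=")
            # Default containers sit directly under the domain root (DC=...).
            if (kind == "ou" and name in DEFAULT_CONTAINERS
                    and base[i + 1].startswith("dc=")):
                result["hints"].append(f"try CN={name} instead of OU={name}")
    return result

# Constructed sample: the 09:34:47 entry from the thread, line break included.
SAMPLE = (
    "[Fri Mar 29 09:34:47 2013][Error][Kernel::System::Auth::LDAP::Auth][276] "
    "Search failed! base='CN=otrsagent,OU=Users,DC=mycompany,DC=com', "
    "filter='(member=CN=Kris ten Hoedt,OU=ICT,OU=Energieweg,OU=Users,"
    "OU=mycompany,DC=mycompany,DC=com)', 0000208D: NameErr: DSID-0310020A, "
    "problem 2001 (NO_OBJECT), data 0, best match of:\n\t'DC=mycompany,DC=com'"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The same diagnosis comes back for every filter variant tried in the thread, because only the base DN decides this error.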