[SOLVED] LDAP backend configuration

Moderator: crythias

philippech
Znuny newbie
Posts: 6
Joined: 21 Jun 2013, 18:28
Znuny Version: 3.2.7

[SOLVED] LDAP backend configuration

Post by philippech »

Dear All,
We've just installed OTRS version 3.2 and I noticed some strange behavior with the LDAP backend.
First, here are my needs: we need two different authentication backends for the agents. The first one must be LDAP (Active Directory) and the second one is the local DB for external partners who are involved in product support. The constraint is that the external partners can't be in the LDAP for legacy reasons.
We configured OTRS to use both authentication backends, but we noticed three strange authentication behaviors.
Behavior 1: regardless of the position of the local DB authentication (default or second auth system), OTRS sends a request to the LDAP with the local login name and the LDAP authentication fails (the OTRS login itself works and grants access). Can we avoid OTRS making requests to LDAP when the user is local?
Behavior 2: if the local DB authentication is set as the default one (meaning the first one), the login page offers the possibility to recover the password. We tried the password recovery procedure for an LDAP account and it appears it can regenerate a password and grant access even when the account is locked in LDAP. When the LDAP user authenticates with the newly generated password, it grants access to OTRS and sends an LDAP request in the background, which fails. Is this behavior "normal"?
Behavior 3: if the user changes their LDAP password and uses it to log in to OTRS, the authentication fails. The user has to log in to OTRS with the old password and then change it on the personal details page. In the background, OTRS sends an LDAP request with the old password, which fails until the user changes it within the system.
We tried not syncing the users' details from LDAP, but it terminates with a Panic error:
"Panic, user authenticated but no user data can be found in OTRS DB"
Basically, querying the LDAP every time isn't an issue on our side, so my question is: is there something I missed?

Thanks a lot for your help

Philippe
Here’s the configuration we made based on the OTRS documentation.
$Self->{'AuthModule'} = 'Kernel::System::Auth::DB';

$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'ldap.lan.net';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=lan,dc=net';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

$Self->{'AuthModule::LDAP::SearchUserDN1'} = '<ServiceAccount DN>';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = '<ServiceAccount pwd>';

$Self->{'AuthModule::UseSyncBackend1'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'ldap.lan.net';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=lan,dc=net';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = '<ServiceAccount DN>';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = '<ServiceAccount PWD>';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
Last edited by philippech on 24 Jun 2013, 14:30, edited 1 time in total.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: LDAP backend configuration

Post by crythias »

Multiple back-end support requires a consistent number appended to each key (see the docs).
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
philippech
Znuny newbie
Posts: 6
Joined: 21 Jun 2013, 18:28
Znuny Version: 3.2.7

Re: LDAP backend configuration

Post by philippech »

Hello,

Thanks for the first idea!

So, I kept the configuration for the LDAP like I posted before and appended the number 2 to


$Self->{'AuthModule2'} = 'Kernel::System::Auth::DB';
With this configuration my LDAP user can still ask for password recovery and I can connect with the generated password.
In addition, after receiving the recovered password, I could connect with it, but if I use the LDAP password I get a 500 error and this message appears in the logs:
Can't call method "Sync" on an undefined value at /opt/otrs//Kernel/System/Auth.pm line 206

Is there any effect if I change the value of UserAuthBackend in the user DB? (At the moment I only have 2-3 users and no tickets, so I can easily change values in the DB.)

Thanks a lot for your help
Philippe
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: LDAP backend configuration

Post by crythias »

Please post your Config.pm.
philippech
Znuny newbie
Posts: 6
Joined: 21 Jun 2013, 18:28
Znuny Version: 3.2.7

Re: LDAP backend configuration

Post by philippech »

Here it is:


package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # The database host
    $Self->{'DatabaseHost'} = 'localhost';

    # The database name
    $Self->{'Database'} = 'otrs';

    # The database user
    $Self->{'DatabaseUser'} = 'otrs';

    # The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords

    $Self->{'DatabasePw'} = '<DB PWD>';

    # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";
	
    # AUTH
    $Self->{'AuthModule2'} = 'Kernel::System::Auth::DB';

    $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = 'ldap.lan.net';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=lan,dc=net';
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

    $Self->{'AuthModule::LDAP::SearchUserDN1'} = '<ServiceAccount DN>';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = '<ServiceAccount pwd>';

    $Self->{'AuthModule::UseSyncBackend1'} = 'AuthSyncBackend';
    $Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'ldap.lan.net';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=lan,dc=net';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = '<ServiceAccount DN>';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = '<ServiceAccount PWD>';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };


    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';



}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA);

use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

# -----------------------------------------------------#

1;
Regards

Philippe
philippech
Znuny newbie
Posts: 6
Joined: 21 Jun 2013, 18:28
Znuny Version: 3.2.7

Re: LDAP backend configuration

Post by philippech »

Hey,

It's me again :)
I updated my config file:
  • LDAP auth has no number and DB has number "1"
  • Deleted the number for the LDAP sync
Config:


package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # The database host
    $Self->{'DatabaseHost'} = 'localhost';

    # The database name
    $Self->{'Database'} = 'otrs';

    # The database user
    $Self->{'DatabaseUser'} = 'otrs';

    # The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords

    $Self->{'DatabasePw'} = '<DB PWD>';

    # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";
   
    # AUTH
    $Self->{'AuthModule1'} = 'Kernel::System::Auth::DB';

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'ldap.lan.net';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=lan,dc=net';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    $Self->{'AuthModule::LDAP::SearchUserDN'} = '<ServiceAccount DN>';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = '<ServiceAccount pwd>';

    $Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap.lan.net';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=lan,dc=net';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = '<ServiceAccount DN>';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '<ServiceAccount PWD>';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };


    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';



}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA);

use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

# -----------------------------------------------------#

1;
Since this update, I can log in with both DB and LDAP accounts and the lost password link has disappeared.
If I log in with a local account, it still queries LDAP for a sync/mapping. Is there a possibility to prevent that?

Many thanks
Philippe
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: LDAP backend configuration

Post by crythias »

BTW, LDAP is read-only, so there's that.
philippech
Znuny newbie
Posts: 6
Joined: 21 Jun 2013, 18:28
Znuny Version: 3.2.7

Re: LDAP backend configuration

Post by philippech »

Yes, but can I prevent OTRS from doing the mapping for a local user?
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: LDAP backend configuration

Post by crythias »

The login will try all available auth backends until it matches.
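As an added example (not taken from the posts above or from the OTRS project), here is a Kernel/Config.pm fragment that applies crythias's numbering rule consistently for the setup in this thread: Active Directory via LDAP is the unnumbered primary backend with its own sync module, and the local DB is backend 1 for the external partners. It goes beyond the thread's own config in three places, each an assumption about the OTRS 3.x defaults rather than something the posts confirm: an `AuthModule::UseSyncBackend1` key set to an empty string, which in Kernel::System::Auth skips the sync step for that backend so a local login no longer triggers the LDAP lookup asked about above; `AuthModule::LDAP::GroupDN`/`AccessAttr`/`UserAttr` to restrict logins to one AD group; and `AuthModule::LDAP::AlwaysFilter` to exclude disabled AD accounts from the user search. The `ldaps://` host URI (as accepted by Net::LDAP) is also an addition; host names, DNs and the group name are placeholders.

```perl
# Kernel/Config.pm, inside sub Load -- added example, not the thread's config.
# Rule from this thread: every key of one backend carries the same suffix
# ('' for the primary backend, 1..10 for the others), and the value of
# AuthModule::UseSyncBackend<N> must name a sync backend that was actually
# loaded: 'AuthSyncBackend' for the unnumbered AuthSyncModule, 'AuthSyncBackend1'
# for AuthSyncModule1, and so on. Mixing suffixes is what produced
# "Can't call method "Sync" on an undefined value" earlier in the thread.

# --- primary backend: Active Directory via LDAP (unnumbered) -----------------
$Self->{'AuthModule'}                     = 'Kernel::System::Auth::LDAP';
# Assumption: an ldaps:// URI, as Net::LDAP accepts, so the service account
# password and the agents' passwords are not sent in clear text.
$Self->{'AuthModule::LDAP::Host'}         = 'ldaps://ldap.lan.net';
$Self->{'AuthModule::LDAP::BaseDN'}       = 'dc=lan,dc=net';
$Self->{'AuthModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = '<ServiceAccount DN>';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '<ServiceAccount pwd>';

# Only members of one AD group may log in (placeholder group DN).
# AD groups list full member DNs, hence AccessAttr 'member' with UserAttr 'DN'.
$Self->{'AuthModule::LDAP::GroupDN'}    = 'cn=otrs-agents,ou=groups,dc=lan,dc=net';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'}   = 'DN';

# ANDed into every user search: skip accounts with the ACCOUNTDISABLE bit
# (0x2) set in userAccountControl (1.2.840.113556.1.4.803 is AD's bitwise-AND
# matching rule). This covers disabled accounts only; a locked-out account is
# recorded in a different attribute (lockoutTime).
$Self->{'AuthModule::LDAP::AlwaysFilter'} =
    '(!(userAccountControl:1.2.840.113556.1.4.803:=2))';

# Net::LDAP connection parameters (port 636 matches the ldaps:// URI).
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 636,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Sync agent data from AD after a successful LDAP login. The value names the
# loaded sync backend: 'AuthSyncBackend' plus the same suffix ('').
$Self->{'AuthModule::UseSyncBackend'}         = 'AuthSyncBackend';
$Self->{'AuthSyncModule'}                     = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}         = 'ldaps://ldap.lan.net';
$Self->{'AuthSyncModule::LDAP::BaseDN'}       = 'dc=lan,dc=net';
$Self->{'AuthSyncModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = '<ServiceAccount DN>';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '<ServiceAccount pwd>';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'}  = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# --- backend 1: local OTRS database for the external partners ---------------
$Self->{'AuthModule1'} = 'Kernel::System::Auth::DB';
# Assumption (OTRS 3.2 Kernel::System::Auth): a UseSyncBackend key that is
# defined but empty skips the sync step for this backend, so a local login
# does not fall through to the LDAP sync module. Check this against the
# Auth.pm of your installation before relying on it.
$Self->{'AuthModule::UseSyncBackend1'} = '';
```

Two points follow from the ordering rather than from any LDAP option. Because the unnumbered backend is no longer Kernel::System::Auth::DB, the agent login page stops offering the lost-password link, which matches what philippech observed after reordering; the partners' local passwords then have to be set by an administrator. That ordering, not the AlwaysFilter, is what closes the reset path of Behavior 2: the filter only keeps disabled AD accounts out of the user search, while a DB-backed password reset for an LDAP user never touches the directory at all.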
philippech
Znuny newbie
Posts: 6
Joined: 21 Jun 2013, 18:28
Znuny Version: 3.2.7

Re: LDAP backend configuration

Post by philippech »

So... Okay!

Thanks a lot for your help