AD FirstBind Failed

Moderator: crythias

nickyls
Znuny newbie
Posts: 87
Joined: 10 Mar 2012, 07:57
Znuny Version: OTRS3

AD FirstBind Failed

Post by nickyls »

I am able to authenticate agents, but for customers I am getting this error:


Message: First bind failed! 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
I am using the same search user and password.

Below is my Config.pm

# Enable LDAP Authentication for Agent #
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'XXX.XX.XX.XXX';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=test,dc=test2,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    #$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    #$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'otrs@test.test2.com';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'Secret';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    $Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
    };

    # Enable LDAP Authentication Sync for Agent #
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'XXX.XX.XX.XXX';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=test,dc=test2,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'otrs@test.test2.com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'secret';
    #--------------------------------------------------------------------------------------------------#

    #Enable LDAP authentication for Customers / Users
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'XXX.XX.XX.XXX';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=test,dc=test2,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    #$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
    #The following is valid but would only be necessary if the
    #anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs@test.tets2.com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Secret';
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };
    $Self->{CustomerUser} = {
        Name => 'LDAP',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
        Host => 'XXX.XX.XX.XXX',
        BaseDN => 'DC=test,DC=test2,DC=com',
        SSCOPE => 'sub',
        UserDN => 'otrs@test.test2.com',
        UsePw => 'Secret',
        #AccessAttr => 'member',
        #UserAttr => 'UID',
        AlwaysFilter => '',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 500,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
      Map => [
    # note: Login, Email and CustomerID needed!
    # var, frontend, storage, shown, required, storage-type
    #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
    [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
    [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
    [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
    [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
    [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
    [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
    #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
    #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
    };

Please Help!!!
OTRS 3.1.X
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: AD FirstBind Failed

Post by jojo »

this is not a DN:
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'otrs@test.test2.com';
So Username/Password combination fails.

Try the UserPrincipalName or the DN instead
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
nickyls
Znuny newbie
Posts: 87
Joined: 10 Mar 2012, 07:57
Znuny Version: OTRS3

Re: AD FirstBind Failed

Post by nickyls »

Thanks,

But I have no issue authenticating agents; that is working fine.
I am facing this in the bind for customers.
OTRS 3.1.X
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: AD FirstBind Failed

Post by jojo »

again, check username and password
nickyls
Znuny newbie
Posts: 87
Joined: 10 Mar 2012, 07:57
Znuny Version: OTRS3

Re: AD FirstBind Failed

Post by nickyls »

Yes, it's perfect. Is there anything I am missing in the code?
OTRS 3.1.X
nickyls
Znuny newbie
Posts: 87
Joined: 10 Mar 2012, 07:57
Znuny Version: OTRS3

Re: AD FirstBind Failed

Post by nickyls »

Thanks Jojo, username/password was wrong.
I am getting this error


Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator.
And my log shows


Message: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
OTRS 3.1.X
nickyls
Znuny newbie
Posts: 87
Joined: 10 Mar 2012, 07:57
Znuny Version: OTRS3

Re: AD FirstBind Failed

Post by nickyls »

Anyone faced this?
OTRS 3.1.X
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: AD FirstBind Failed

Post by crythias »

nickyls wrote: Anyone faced this?
first bind failed
v1db1
viewtopic.php?f=60&t=16543


    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'otrs@test.test2.com';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'Secret';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'otrs@test.test2.com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'secret';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs@test.tets2.com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Secret';
        UserDN => 'otrs@test.test2.com',
        UsePw => 'Secret',
Use my hint to use variables to hold the values that repeat. It will help minimize errors. (If one works, they all should work).
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
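Putting crythias's hint (and jojo's point that the search user must be a DN or UPN, not a bare login name) into one Config.pm fragment; this is an added example, not code from the thread or from the OTRS project. The host name and the service account's cn/ou are placeholders, and the customer backend uses the UserPw key as spelled in Defaults.pm.

```perl
# Added example Config.pm fragment: define the shared LDAP values once so the
# agent auth, agent sync and customer backend cannot drift apart.
my $LdapHost     = 'dc01.test.test2.com';            # placeholder host
my $LdapBaseDN   = 'dc=test,dc=test2,dc=com';
# Full DN of the service account; a UPN like 'otrs@test.test2.com' also binds
# against AD, a bare login name does not. cn and ou here are placeholders.
my $SearchUserDN = 'cn=otrs,ou=Service Accounts,dc=test,dc=test2,dc=com';
my $SearchUserPw = 'Secret';                          # placeholder, set once
my %LdapParams   = ( port => 389, timeout => 120, async => 0, version => 3 );
# Agent authentication
$Self->{'AuthModule'}                     = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}         = $LdapHost;
$Self->{'AuthModule::LDAP::BaseDN'}       = $LdapBaseDN;
$Self->{'AuthModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = $SearchUserDN;
$Self->{'AuthModule::LDAP::SearchUserPw'} = $SearchUserPw;
$Self->{'AuthModule::LDAP::Params'}       = { %LdapParams };
# Agent sync: identical values, so a typo cannot break only one module
$Self->{'AuthSyncModule'}                     = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}         = $LdapHost;
$Self->{'AuthSyncModule::LDAP::BaseDN'}       = $LdapBaseDN;
$Self->{'AuthSyncModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = $SearchUserDN;
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = $SearchUserPw;
# Customer authentication
$Self->{'Customer::AuthModule'}                     = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'}         = $LdapHost;
$Self->{'Customer::AuthModule::LDAP::BaseDN'}       = $LdapBaseDN;
$Self->{'Customer::AuthModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = $SearchUserDN;
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = $SearchUserPw;
$Self->{'Customer::AuthModule::LDAP::Params'}       = { %LdapParams };
# Customer backend (record lookup after login). The password key is UserPw as
# in Defaults.pm; if it is missing the backend binds without credentials and
# AD rejects the search with "a successful bind must be completed".
$Self->{CustomerUser} = {
    Name   => 'LDAP',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => $LdapHost,
        BaseDN => $LdapBaseDN,
        SSCOPE => 'sub',
        UserDN => $SearchUserDN,
        UserPw => $SearchUserPw,
        AlwaysFilter => '',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    # remaining list/search fields and Map exactly as in the first post
};
```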
nickyls
Znuny newbie
Posts: 87
Joined: 10 Mar 2012, 07:57
Znuny Version: OTRS3

Re: AD FirstBind Failed

Post by nickyls »

Thanks, I have overcome the first bind error, but I am unable to complete the LDAP lookup.
I'm getting the error "Authentication successful but no record found" as in the post above, the log says the same as above, and also "No such user 'test'!".

But able to login with same user as Agent.
OTRS 3.1.X
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: AD FirstBind Failed

Post by crythias »

nickyls wrote: "Authentication successful but no record found" as above post and logs says as above and "No such user 'test'!".
It means what it says. There's likely an additional log entry in System Log/otrs.log that tells you more information.

In general, this would mean that the user is not found in an available back end for CustomerUser. Make sure you're not also attempting to use both Config.pm and the GUI for configuration.
nickyls
Znuny newbie
Posts: 87
Joined: 10 Mar 2012, 07:57
Znuny Version: OTRS3

Re: AD FirstBind Failed

Post by nickyls »

Thanks,

Your post and your suggestion helped. Cleared it in SysConfig and ran it via Config.pm. It worked.

One more query: there is no email entry in AD, so can I have it like this?


my $EmailID = 'sAMAccountName@domain.com';
CustomerID => $EmailID,
[ 'UserEmail',      'Email',       $EmailID,            1, 1, 'var', '', 0 ],
OTRS 3.1.X
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: AD FirstBind Failed

Post by crythias »

nickyls wrote: there is no email entry in AD
This would be a problem. OTRS won't work effectively via email without knowing the customer assigned to an email address. If you don't plan to use the email feature, okay...
nickyls
Znuny newbie
Posts: 87
Joined: 10 Mar 2012, 07:57
Znuny Version: OTRS3

Re: AD FirstBind Failed

Post by nickyls »

But their email IDs would be like firstname.lastname@mydomain.com, where firstname.lastname is the 'sAMAccountName'.
So I am trying to append "@mydomain.com" to sAMAccountName and use this as the Email field. Is it possible?
OTRS 3.1.X
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: AD FirstBind Failed

Post by crythias »

nickyls wrote: But their email id's would be like firstname.lastname@mydomain.com, where firstname.lastname is the 'sAMAccountName'.
Are you using Exchange? Then the email address is in AD.
maybe you can use the SPN.
If you're still not set up, I'd recommend that you at least attempt to assign an AD attribute with the value of the email address.

or, if none of the above works for your situation, you'll have to figure out a way to configure the parameters of an ldapsearch to append a string to an attribute's value (something like MySQL's CONCATENATE(usernamefield, '@domain'))