(Solved) Customer Radius setup issue

[ctbfalcon]

I am getting this message after setting up radius auth.

"Authentication succeeded, but no customer record is found in the customer backend"

I get a message from windows radius server that I was granted full access so it seems radius is working

Code: Select all

Description:
Network Policy Server granted full access to a user because the host met the defined health policy.

What am I missing here? Is there a radius sync like there is a ldap sync?
Does there need to be a matching user in the local DB?

3.3.5 OTRS on windows server. Authen::Radius installed

Thanks

[crythias]

Authentication succeeded, but no customer record is found in the customer backend

Is there a radius sync like there is a ldap sync

What demographics would radius have?

[ctbfalcon]

Can you rephrase the question? I'm not sure what you are asking for.

[crythias]

RADIUS is generally authentication only: If you give it a username and a password, it determines if it's OK (yes/no). RADIUS doesn't generally know or care anything about who's making the request.

Summary: You need demographics (Name, login name, email address, phone number, etc...) in a customer database resource of some type. AND you need authentication. Ok, you've authenticated. OTRS doesn't know anything about the user who has authenticated unless it knows where to obtain that information, and RADIUS doesn't tend to provide this. LDAP, yes... Customer database table, yes... external customer data table, yes...

[ctbfalcon]

So you are saying there needs to be some other config to get the demographics? Does it need to work in conjunction with LDAP?
I didn't change any other settings besides
Customer::AuthModule::Radius::Host
Customer::AuthModule::Radius::Password
Customer::AuthModule

Is there something else that I need to configure in order for OTRS to obtain the demographics?

[crythias]

So you are saying there needs to be some other config to get the demographics? Does it need to work in conjunction with LDAP?

I don't know. You still haven't told me where you expect the information to come from. I've told you three places it could exist (Yes, LDAP is a possibility) and that RADIUS won't have the information.

So, back to you... Given user X that authenticates with RADIUS (why?) there needs to be a source of demographic information:
Internally with OTRS (via the built-in Customer Information Center database, which you'd manually configure one user at a time)
Externally with something like LDAP (which, yes, you would need to configure something to talk to LDAP to retrieve this information, and, btw, while you're there, use LDAP/Active Directory for authentication as well)
or
Externally with some other database that holds information on your customer, such as SalesForce or some such, which, again, you need a configuration to point to it.

Much of this is already discussed in the OTRS documentation (see backends).

[ctbfalcon]

Ok we will change to use LDAP to for auth and demo.

Can you help with which settings under Frontend::Customer::Auth as to which ones are the bare minimum required to auth and to get demo.

such as in Customer::AuthModule::LDAP::GroupDN, does that need to defined?

i'd be also interested in standardvalues for common settings.
ie Customer::AuthModule::LDAP::UID = sAMAccountName

Thanks for you assistance.

[crythias]

viewtopic.php?f=60&t=16543

[ctbfalcon]

Here is the config.pm

I am still having issues with just the auth.
I was going to add the lookup later. Just trying to keep it simple and get the cust auth to work first.
The login still fails, I created a otrs search user because I was using my creds which were a domain admin.
I know the new search user can see the AD because i am using a third party ldap admin tool to view the tree
What am I doing wrong?

And the log file shows this error every time

Code: Select all

[Tue Mar 25 10:57:24 2014][Error][Kernel::System::CustomerAuth::LDAP::Auth][188] First bind failed! Bad file descriptor

Code: Select all

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #

    $Self->{'LogModule'}          = 'Kernel::System::Log::File';
    $Self->{'LogModule::LogFile'} = 'C:/otrs/OTRS/var/log/otrs.log';
	
	# This is an example configuration for an LDAP auth. backend.
	# (make sure Net::LDAP is installed!)
	$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
	$Self->{'Customer::AuthModule::LDAP::Host'} = 'DOMAIN.DOMAIN';
	$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=DOMAIN';
	$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

	# Check if the user is allowed to auth in a posixGroup
	# (e. g. user needs to be in a group xyz to use otrs)
	#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
	#$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
	# for ldap posixGroups objectclass (just uid)
	#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
	# for non ldap posixGroups objectclass (full user dn)
	#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

	# The following is valid but would only be necessary if the
	# anonymous user does NOT have permission to read from the LDAP tree
	$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs otrs,OU=MIS,DC=hqprod';
	$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '****';

	# in case you want to add always one filter to each ldap query, use
	# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
	#$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = 'objectclass=user';

	# in case you want to add a suffix to each customer login name, then
	# you can use this option. e. g. user just want to use user but
	# in your ldap directory exists user@domain.
	#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

	# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
	# $Self->{'Customer::AuthModule::LDAP::Params'} = {
		# port => 389,
		# timeout => 120,
		# async => 0,
		# version => 3,
	# };
	
    # $DIBI$


    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    # end of your own config options!!!                    #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

[crythias]

search and then determine if nothing you find will help

[ctbfalcon]

I have been over the first 3 results from the wonderful search link you provided already. but since you are so generous with your expertise I reviewed them again just in case I missed something. ... nope nothing helpful.... Thanks again for all you hard work and effort in helping me get this working. I'm so grateful to the OTRS community and its moderators for the support and helpful attitudes.
But since I still have the issue I should never the less bow to your superior googling skills and kiss the ground you walk on.

[crythias]

could you at least say, "Hey, I removed the Inet6.pm file and I still had the same error?"

Or, you know, something that at least would be helpful to solve your question. Because "I Got this error, solve it for me" isn't quite working.

I don't have any ability to replicate your environment. I don't have any knowledge that you actually tried anything but posted a complaint on a forum. So, first, give us some information that's actually fixable, that you tried to do something, and it did ___________ and provided error _________ which YOU SEARCHED FOR and then ATTEMPTED to do ___________ which resulted in ______________.

And, besides which, search is the only thing *I* have at the moment to solve your issue, which should achieve the same results as you had. MEANWHILE, read my Before you ask link.

[ctbfalcon]

Before I attempted otrs again I wanted to make something webbased work with ldap

So I got joomla to work. Just to make sure MS AD was not the issue with otrs.

I attached the settings i used to connect to MS AD in the screen shot.

I also mirrored as best I could the settings to otrs.

Code: Select all

    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #

    $Self->{'LogModule'}          = 'Kernel::System::Log::File';
    $Self->{'LogModule::LogFile'} = 'C:/otrs/OTRS/var/log/otrs.log';
	
	# This is an example configuration for an LDAP auth. backend.
	# (make sure Net::LDAP is installed!)
	$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
	$Self->{'Customer::AuthModule::LDAP::Host'} = '172.20.5.8';
	$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=hqprod';
	$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

	# Check if the user is allowed to auth in a posixGroup
	# (e. g. user needs to be in a group xyz to use otrs)
	#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
	#$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
	# for ldap posixGroups objectclass (just uid)
	#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
	# for non ldap posixGroups objectclass (full user dn)
	#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

	# The following is valid but would only be necessary if the
	# anonymous user does NOT have permission to read from the LDAP tree
	$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs otrs,OU=MIS,DC=hqprod';
	$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'otrs';

	# in case you want to add always one filter to each ldap query, use
	# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
	#$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = 'objectclass=user';

	# in case you want to add a suffix to each customer login name, then
	# you can use this option. e. g. user just want to use user but
	# in your ldap directory exists user@domain.
	#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

	# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
	$Self->{'Customer::AuthModule::LDAP::Params'} = {
		port => 389,
		timeout => 120,
		async => 0,
		version => 3,
	};
	
    # $DIBI$

Not much changed

I went through both thet google search for fail bind and the link for ldap troubleshooting.
I could see anything I needed to change. Im not doing agent authsync so i didnt add that.

What i am confused about is this section

Code: Select all

Remember that you'll need a list of users (and customers) and how to authenticate them. They are two different things. You could, for instance, use LDAP to authenticate a user list in database, or HTTPBasicAuth to authenticate LDAP customers. The key is to remember that the login for a customer/agent must be viable in the authentication method. Note, this doesn't mean it has to be the same. As in the "errors" section above, what the user enters for a login name has ample means of transformation within the authentication method -- changing a login to an email, for instance, or bundling the username into a distinguished name.

what do I need to add/change to satisfiy the list of users if in fact I have the authentication working?

Thanks

[crythias]

list of users means, in reality, the demographics. Just because something can authenticate doesn't mean the authentication method is a source of the list of allowed/provisioned users/customers.

I know, you're saying ..."If I authenticate, that should be enough..." But it's not. The best way to be able to provide an analogy is *somewhat* like being able to authenticate to your domain and not having access to a folder structure because the folder structure doesn't provide you with permissions. You'd have to be a member of the permissions list on that folder.

The folder doesn't allow you access, even if you've authenticated, because you're not on the list of users for the folder.

So it is with OTRS: If you're able to authenticate, that's like showing a bouncer at a club your driver's license. OK, you are who you say you are. You're still not on the access list.

what do I need to add/change to satisfiy the list of users if in fact I have the authentication working?

Customer User information:
Described: http://doc.otrs.org/3.1/en/html/custome ... ckend-ldap (link copied from the LDAP troubleshooting page).

Internally with OTRS (via the built-in Customer Information Center database, which you'd manually configure one user at a time)
Externally with something like LDAP (which, yes, you would need to configure something to talk to LDAP to retrieve this information, and, btw, while you're there, use LDAP/Active Directory for authentication as well)
or
Externally with some other database that holds information on your customer, such as SalesForce or some such, which, again, you need a configuration to point to it.

[ctbfalcon]

So I now have added the CustomerUser Selection

Code: Select all

	# CustomerUser
	# (customer ldap backend and settings)
	$Self->{CustomerUser} = {
		Name => 'LDAP Data Source',
		Module => 'Kernel::System::CustomerUser::LDAP',
		Params => {
			# ldap host
			Host => '172.20.5.8',
			# ldap base dn
			BaseDN => 'DC=hqprod',
			# search scope (one|sub)
			SSCOPE => 'sub',
			# The following is valid but would only be necessary if the
			# anonymous user does NOT have permission to read from the LDAP tree
			UserDN => 'CN=*********,OU=MIS,DC=hqprod',
			UserPw => '****',
			# in case you want to add always one filter to each ldap query, use
			# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
			AlwaysFilter => '',
				# if both your frontend and your LDAP are unicode, use this:
				SourceCharset => 'utf-8',
				DestCharset   => 'utf-8',
				# if your frontend is unicode and the charset of your
				# ldap server is iso-8859-1, use these options.
				# SourceCharset => 'iso-8859-1',
				# DestCharset => 'utf-8',
				# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
				Params => {
					port => 389,
					timeout => 120,
					async => 0,
					version => 3,
				},
		},
		# customer unique id
		CustomerKey => 'sAMAccountName',
		# customer #
		CustomerID => 'sAMAccountName',
		CustomerUserListFields => ['cn', 'sAMAccountName'],
		CustomerUserSearchFields => ['uid', 'cn', 'sAMAccountName'],
		CustomerUserSearchPrefix => '',
		CustomerUserSearchSuffix => '*',
		CustomerUserSearchListLimit => 500,
		CustomerUserPostMasterSearchFields => ['mail'],
		CustomerUserNameFields => ['givenName', 'sn'],
		# show not own tickets in customer panel, CompanyTickets
		CustomerUserExcludePrimaryCustomerID => 0,
		# add an ldap filter for valid users (expert setting)
	#    CustomerUserValidFilter => '(!(description=locked))',
		# administrator can't change customer preferences
		AdminSetPreferences => 0,
	#    # cache time to live in sec. - cache any database queries
	#    CacheTTL => 0,
		Map => [
			# note: Login, Email and CustomerID are mandatory!
			# var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
	#		[ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
			[ 'UserFirstname',  'Firstname',  'givenName',       1, 1, 'var', '', 0 ],
			[ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
			[ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
			[ 'UserEmail',      'Email',      'mail',            1, 0, 'var', '', 0 ],
			[ 'UserCustomerID', 'CustomerID', 'sAMAccountName',  0, 1, 'var', '', 0 ],
	#        [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
	#		[ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
	#		[ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
	#		[ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
		],
	};

Now i have two errors saying the same thing

Code: Select all

[Mon Mar 31 13:54:09 2014][Error][Kernel::System::CustomerAuth::LDAP::Auth][188] First bind failed! Bad file descriptor
[Mon Mar 31 13:54:09 2014][Error][Kernel::System::CustomerUser::LDAP::_Connect][197] First bind failed! Bad file descriptor

from this post

Code: Select all

first bind failed
Almost always SearchUser credentials, password. Invalid syntax means poorly formatted dn/distinguished name. 52e is password/credentials. If you doubt this, then it's related to the ldap host not accepting/validating the credentials. This could be for several different reasons, but it is not something OTRS can fix.
See this thread for discussion
Note that Active Directory by default needs a SearchUser and SearchPw for every bind. (A bind is simply the authority/permission to perform a search). The user to perform an LDAP lookup should not be a domain admin. It should be a basic user.

I know the search account is correct because i can use it in joomla, the DN is correct

I dont have special characters in the password
I am pointing at the same AD server as i am with joomla

Nothing else in that post applied.


I am still stumped as to what is wrong here

[crythias]

This link being the first result of the search I posted previously says:

viewtopic.php?f=81&t=22849#p90171

Hi,

A different solution (and the one we're going to apply in OTRS 3.3.2) is to delete the file [OTRS]\StrawberryPerl\perl\vendor\lib\IO\Socket\INET6.pm.

You have not indicated that you've tried this.

[ctbfalcon]

I have not, but Im not using strawberry perl, im using activeperl 5.16.3
There is no directory [OTRS]\StrawberryPerl\

Code: Select all

  o DBD::mysql.......................ok (v4.022)
  o DBD::ODBC........................ok (v1.31)
  o DBD::Oracle......................FAILED! Not all prerequisites for this mo
le correctly installed.
  o DBD::Pg..........................ok (v2.19.3)
  o Encode::HanExtra.................ok (v0.23)
  o GD...............................ok (v2.46)
    o GD::Text.......................ok (v0.86)
    o GD::Graph......................ok (v1.44)
  o IO::Socket::SSL..................ok (v1.84)
  o JSON::XS.........................ok (v2.34)
  o List::Util::XS...................ok (v1.27)
  o LWP::UserAgent...................ok (v6.05)
  o Mail::IMAPClient.................ok (v3.35)
    o IO::Socket::SSL................ok (v1.84)
  o Net::DNS.........................ok (v0.74)
  o Net::LDAP........................ok (v0.60)
  o Net::SSL.........................ok (v2.85)
  o PDF::API2........................ok (v2.021)
    o Compress::Zlib.................ok (v2.060)
  o Text::CSV_XS.....................ok (v0.95)
  o Time::HiRes......................ok (v1.9725)
  o XML::Parser......................ok (v2.41)
  o YAML::XS.........................ok (v0.39)
  o Win32::Daemon....................ok (v20110117)
  o Win32::Service...................ok (v0.06)

this is my checkmodules
LDAP is installed
DBD oracle is not but i dont ever need to connect to it.

[crythias]

I have not, but Im not using strawberry perl, im using activeperl 5.16.3
There is no directory [OTRS]\StrawberryPerl\

This is good information to know.
Is there an equivalent to perl\vendor\lib\IO\Socket\INET6.pm in your activestate perl path? Are you able to remove/rename that file? Can you test that with OTRS?

[crythias]

also, not *literally* [OTRS] but maybe c:\program files\OTRS or its equivalent.

Is there ANY Inet6.pm on your system?

[ctbfalcon]

this is my path
C:\otrs\StrawberryPerl\perl\vendor\lib
thats all i have there is no IO dir
And i do not have inet6.pm in any dir under c:\otrs

[crythias]

OK, I believe you, and I would not expect you to find what I requested in a folder that doesn't match what you're using.

[crythias]

Where is ActiveState Perl installed? Does it have an Inet6.pm in its structure? Can you rename it?

[crythias]

One last suggestion:

In each of the Params section in Config.pm, try to add

Code: Select all

 inet4 => 1,

[ctbfalcon]

Where is ActiveState Perl installed? Does it have an Inet6.pm in its structure? Can you rename it?

Ok my perl install is C:\Perl\

I do have a inet6.pm in C:\Perl\site\lib\IO\Socket

i removed it using the ppm instead of removing it. Same thing? I'm very novice when it comes to perl sorry

I typed to fast, it seems that perl-ldap requires inet6 to be installed. It warns that it may break perl-ldap
thoughts?

[ctbfalcon]

One last suggestion:

In each of the Params section in Config.pm, try to add

Code: Select all

 inet4 => 1,

like so?

Code: Select all

				# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
				Params => {
					port => 389,
					timeout => 120,
					async => 0,
					version => 3,
					inet4 => 1,
				},

and

Code: Select all

	# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
	$Self->{'Customer::AuthModule::LDAP::Params'} = {
		port => 389,
		timeout => 120,
		async => 0,
		version => 3,
		inet4 => 1,
	};
	

[crythias]

Yes. Please report results.

[crythias]

i removed it using the ppm instead of removing it. Same thing? I'm very novice when it comes to perl sorry

No, not the same thing. The ppm removes the entire ldap package. Please replace it.

[ctbfalcon]

Ok i tried a few things

first I renamed the inet6.pm to inet6.pm.bak
and i added the line in the config.pm to params inet4 => 1,

i got new errors

Code: Select all

[Tue Apr  1 09:07:55 2014][Error][Kernel::System::CustomerAuth::LDAP::Auth][188] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Tue Apr  1 09:07:55 2014][Error][Kernel::System::CustomerUser::LDAP::_Connect][197] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 

so i removed the inet4 => 1,

got the same errors

added the inet4 => 1,
renamed inet6 back to the org file name

got the same errors

removed the inet4 => 1, so now im back to the org config and inet6 file.

got these errors

Code: Select all

[Tue Apr  1 09:06:24 2014][Error][Kernel::System::CustomerAuth::LDAP::Auth][188] First bind failed! Bad file descriptor
[Tue Apr  1 09:06:24 2014][Error][Kernel::System::CustomerUser::LDAP::_Connect][197] First bind failed! Bad file descriptor

same as a few days ago.

thoughts? is this related to ?

first bind failed
Almost always SearchUser credentials, password. Invalid syntax means poorly formatted dn/distinguished name. 52e is password/credentials. If you doubt this, then it's related to the ldap host not accepting/validating the credentials. This could be for several different reasons, but it is not something OTRS can fix.
See this thread for discussion

[crythias]

i got new errors

Code: Select all

[Tue Apr  1 09:07:55 2014][Error][Kernel::System::CustomerAuth::LDAP::Auth][188] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece 
[Tue Apr  1 09:07:55 2014][Error][Kernel::System::CustomerUser::LDAP::_Connect][197] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

These are better errors. It means it works. Keep the inet4 => 1,

It also means your bind credentials are not being accepted (bad login/password).
Try also UserDN => 'username',

[crythias]

525 is user not found
For more information on error codes: http://www-01.ibm.com/support/docview.w ... wg21290631

[ctbfalcon]

holy ldap batman it works!

I also came across those ldap codes and decided to create a new user
I created a new user called. CN=ldapUser

i never liked that my netadmin created me a user with a space in the DN.

Thanks for all your time and assistance.

Now I will try to get agent ldap working

[crythias]

Please consider using variables to hold common information (per my LDAP HowTo) ... it should reduce possibility of mistyping, as well as providing a single point of "change everything here" and it works everywhere else.

You did well. Congratulations. You also helped me and others by sticking with it, and I've updated my HowTo because of this conversation. Which means, yeah, I can legitimately point to the post and hopefully it will be even more helpful.

[ctbfalcon]

I did put in place those variables and I also got agent ldap to work with the same fix.

Thanks again