Lotus Domino Ldap sync

Moderator: crythias

rmaul
Znuny newbie
Posts: 34
Joined: 15 Apr 2014, 15:35
Znuny Version: 3.3.6
Real Name: Rita Maul
Company: Sesc

Lotus Domino Ldap sync

Post by rmaul »

So I have everything set up for login and it works fine on OTRS 3.3.6. Now I'm trying to map my roles using the LDAP groups I created. One of them, for instance, is called CS-CTI. I have 10 members inside this group whom I want to be admins of OTRS. That being said, the member

    CN=Erli Pires Matos,OU=CS,OU=CTI,O=SESCDN

for example, is inside this group. But when my OTRS checks his login, he is able to authenticate without a problem, but the error in the log says:

    [Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: ematos not in GroupDN='CN=CS-CTI', Filter='(member=ematos)'! (REMOTE_ADDR: 10.1.21.55).

Clearly this is because it is searching for a member called ematos, which is his UID, and I want OTRS to look for CN=Erli Pires Matos,OU=CS,OU=CTI,O=SESCDN, because my member attribute is set like that. If I add a "new member" called ematos, he is able to log in with the credentials I want, but I don't want to add everyone's UID to the group, because it makes it confusing.

Any ideas what I can change that will make OTRS look up the DN and not the UID?

I have those two lines set up like this, if that matters.

    $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
    $Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';

The mapping below works fine when I add the pure UID inside the group.

    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition1'} = {
        # LDAP group
        'CN=CS-CTI' => {
            # role in OTRS
            'AdminRole' => 1,
        },
    };

Here is also a screenshot showing him as a member of the group CS-CTI (attachment Untitled.jpg).
The LDAP server is Lotus Domino v9.0, with OTRS 3.3.6 on Windows Server 2008 R2.

Thank you in advance!!! I hope I explained well enough to get someone to help me fix it!

-- Rita
-- Rita Maul
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Lotus Domino Ldap sync

Post by crythias »

First, this: viewtopic.php?f=60&t=16543
Then the documentation for Lotus
and here

Relevant from the first link:
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com'; #directly assigned members of this group are allowed to authenticate

$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid'; #only relevant if GroupDN is specified. This is an attribute that exists only to indicate group membership. (See also member, or memberOf for instance)

Also, what's the full distinguishedName of the group?
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: Lotus Domino Ldap sync

Post by rmaul »

The full DN is exactly that: CN=CS-CTI.
My Lotus base has a blank top of the tree (yeah, you can do that in Lotus) and my base really starts at O=SESCDN. My group is at what would be considered the same level as O=SESCDN.
So the full DN is CN=CS-CTI.
It would look like this in a browser:

    [1.1.1.1]
    :
    : +CN=CS-CTI
    : +O=SESCDN

Or something like that... As you can see, I don't really have anything on top of my tree.

I did try different attributes here:

    $Self->{'AuthModule::LDAP::UserAttr1'} = 'CN';

like CN, DN, UID. It still looks up the UID and not the person's DN as it should.
I also tried different attributes here:

    $Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';

like memberUid, member, memberOf, dominoPerson, inetOrgPerson, organizationalPerson.
And every time I change it I get the same error (with a different attribute) in my log:

    User: ematos not in GroupDN='CN=CS-CTI', Filter='(dominoPerson=ematos)'!
    User: ematos not in GroupDN='CN=CS-CTI', Filter='(member=ematos)'!
    User: ematos not in GroupDN='CN=CS-CTI', Filter='(memberUid=ematos)'!
    User: ematos not in GroupDN='CN=CS-CTI', Filter='(memberOf=ematos)'!
    User: ematos not in GroupDN='CN=CS-CTI', Filter='(inetOrgPerson=ematos)'!
    User: ematos not in GroupDN='CN=CS-CTI', Filter='(organizationalPerson=ematos)'!

The attribute does seem to be member, as I can see the member attribute in my group like it shows in the screenshot I posted before, but it is NOT searching for ematos; it should be searching for:

    CN=Erli Pires Matos,OU=CS,OU=CTI,O=SESCDN

What I can't figure out from any documentation is how to make OTRS search for his DN instead of his UID.

Did I explain well, or did I confuse you even more? :)
I appreciate all the help!!
Thank you very much.

Re: Lotus Domino Ldap sync

Post by rmaul »

I also did a search like

    (&(objectclass=dominoGroup)(member=CN=Erli Pires Matos,OU=CS,OU=CTI,O=SESCDN))

in my LDAP browser, and it shows the results as expected: he IS in the group CS-CTI, as he should be.
So what I believe is missing is the correct attribute to make OTRS search for his DN like I manually did in my browser.

Re: Lotus Domino Ldap sync

Post by crythias »

The code (Kernel/System/Auth/LDAP.pm) is:

        my $Filter2 = '';
        if ( $Self->{UserAttr} eq 'DN' ) {
            $Filter2 = "($Self->{AccessAttr}=$UserDNQuote)";
        }
        else {
            $Filter2 = "($Self->{AccessAttr}=$UserQuote)";
        }

There's a bit more to it (above):

    # get whole user dn
    my $UserDN = '';
    for my $Entry ( $Result->all_entries() ) {
        $UserDN = $Entry->dn();
    }
Summary: what's the attribute that holds the distinguishedName for the user in the user's ldap info?
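The filter in the posted log line is produced by the sync module, Kernel/System/Auth/Sync/LDAP.pm, not by the Auth/LDAP.pm snippet above. The sync module contains the same DN/UID branch, but it reads its own configuration key, AuthSyncModule::LDAP::UserAttr1; the UserAttr1 line shown earlier in the thread lives under the AuthModule::LDAP:: prefix and governs login only. The Perl script below is an added example, not OTRS code and not from any poster: it reconstructs the sync module's filter construction from the posted configuration (assuming, as in the manual's example, that AuthSyncModule::LDAP::UserAttr1 is set to 'UID') and shows what the filter becomes once that key is 'DN', together with the escaping the sync module applies to the login name. The default values and the branch are taken from memory of the 3.x source and should be checked against the installed Sync/LDAP.pm; the script needs Net::LDAP installed for Net::LDAP::Util.

```perl
#!/usr/bin/perl
# Added example, not OTRS code: reconstructs how Kernel/System/Auth/Sync/LDAP.pm
# builds the group-membership filter, so the effect of AuthSyncModule::LDAP::UserAttr1
# can be seen without a directory. Check the branch and defaults against the installed file.
use strict;
use warnings;
use Net::LDAP::Util qw(escape_filter_value);

# Constructed input: the login name and the DN that the user search returned.
my $User   = 'ematos';
my $UserDN = 'CN=Erli Pires Matos,OU=CS,OU=CTI,O=SESCDN';

# Stand-in for the sync module's Kernel/Config.pm keys. Note the prefix: the
# 'AuthModule::LDAP::UserAttr1' line quoted in the thread only affects login;
# the sync module reads 'AuthSyncModule::LDAP::' keys.
my %ConfigAsPosted = (
    'AuthSyncModule::LDAP::AccessAttr1' => 'member',
    'AuthSyncModule::LDAP::UserAttr1'   => 'UID',    # assumed: copied from the manual's example
    'AuthSyncModule::LDAP::UserSyncRolesDefinition1' => { 'CN=CS-CTI' => { AdminRole => 1 } },
);
my %ConfigFixed = (
    %ConfigAsPosted,
    'AuthSyncModule::LDAP::UserAttr1' => 'DN',       # the change under discussion
);

# Same two branches as the quoted Auth/LDAP.pm code, plus the filter-value escaping
# the sync module applies. escape_filter_value covers * ( ) \ and NUL; the commas
# inside a DN need no escaping in a filter value (defaults assumed: memberUid / DN).
sub GroupFilter {
    my (%Param) = @_;
    my $Count      = $Param{Count} // 1;
    my $Config     = $Param{Config};
    my $AccessAttr = $Config->{"AuthSyncModule::LDAP::AccessAttr$Count"} || 'memberUid';
    my $UserAttr   = $Config->{"AuthSyncModule::LDAP::UserAttr$Count"}   || 'DN';

    my $Value = $UserAttr eq 'DN' ? $Param{UserDN} : $Param{User};
    return "($AccessAttr=" . escape_filter_value($Value) . ')';
}

for my $Case ( [ 'as posted', \%ConfigAsPosted ], [ 'UserAttr1 = DN', \%ConfigFixed ] ) {
    my ( $Label, $Config ) = @$Case;
    for my $GroupDN ( sort keys %{ $Config->{'AuthSyncModule::LDAP::UserSyncRolesDefinition1'} } ) {
        my $Filter = GroupFilter( Config => $Config, User => $User, UserDN => $UserDN );
        # This is what the sync module sends as search( base => $GroupDN, filter => $Filter ).
        # For the DN form to match, the group's member values must be stored in the same
        # comma-separated DN form the server returns for the user entry.
        printf "%-15s base=%-10s filter=%s\n", $Label, $GroupDN, $Filter;
    }
}

# Why the escaping matters: the login name is attacker-controlled input to the filter.
my $Hostile = 'ematos*)(objectClass=*';
printf "%-15s filter=%s\n", 'hostile login',
    GroupFilter( Config => \%ConfigAsPosted, User => $Hostile, UserDN => '' );
```

With the posted configuration the script reproduces the `(member=ematos)` filter from the log; with `AuthSyncModule::LDAP::UserAttr1` set to `'DN'` the search base stays `CN=CS-CTI` and the value becomes the full user DN, which is the form the member attribute in the screenshot holds. The last line shows the metacharacters of a hostile login name neutralised by `escape_filter_value`, which is why the module must never interpolate the raw name.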

Re: Lotus Domino Ldap sync

Post by rmaul »

crythias wrote: Summary: what's the attribute that holds the distinguishedName for the user in the user's ldap info?
Here are all the attributes when I look inside his UID (attachment Untitled2.jpg).
I suppose there should be a dominoUNID attribute? Or is there any other unique attribute I could use so I won't have to edit thousands of users?

Re: Lotus Domino Ldap sync

Post by rmaul »

I just had a little chat with my LDAP admin and he told me the attribute that holds all that information is fullname.
But I still can't figure out what to replace.

Re: Lotus Domino Ldap sync

Post by crythias »

I'd try (and this is just because I don't know):
In Config.pm, UserAttr1 should be 'DN'.

In Kernel/System/Auth/LDAP.pm, change

    $UserDN = $Entry->dn();

to

    $UserDN = $Entry->fullname();

At least, possibly. Can't test/verify. Comment/backup before changes.

Re: Lotus Domino Ldap sync

Post by rmaul »

That didn't work well... I got a "failed to send script data" error.
If I have to add every group member again with his UID, I will get duplication in my LDAP, which I don't believe is the real solution. There must be a place where I can force OTRS to use the attribute I want it to use in the group lookup.
I will keep searching the .pm, and I appreciate all the help and attention. In case you remember anything else, please feel free to let me know. I will keep watching this post, as I hope someone else has had the same problem before.

Thank you very much once more.

Re: Lotus Domino Ldap sync

Post by crythias »

Just ... one other thing ...
Let's say you have a custom LDAP attribute that you can apply to a bunch of users (in Active Directory, you can select a bunch of users and then mass-update an attribute):

    myCustomAttribute1="OTRSGroup1"

Now you can use this as a filter instead of a group config.
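The attribute-based alternative described in the post above has a direct counterpart in the OTRS sync configuration: roles can be keyed on the value of a user attribute instead of on group membership, which sidesteps the DN-versus-UID question of the group filter entirely. The Kernel/Config.pm fragment below is an added example, not from the thread and not the OTRS manual's text; `myCustomAttribute1` and `OTRSGroup1` are the placeholders from the post, and the attribute is assumed to exist in the Domino schema and to be writable only by directory administrators, since whoever can set it on a user hands that user the mapped role. Confirm that the `UserSyncAttributeRolesDefinition` and `AlwaysFilter` keys are present in Kernel/Config/Defaults.pm of the installed version before using them.

```perl
# Added example (Kernel/Config.pm fragment), not from the thread or the OTRS manual.
# Role sync keyed on a user attribute instead of on group membership.
# 'myCustomAttribute1' / 'OTRSGroup1' are the placeholders used in the post above
# and are assumed to exist in the directory schema.

# Optional: only let users carrying the attribute value log in at all.
# This is the auth module's filter, appended to the user search on every login.
$Self->{'AuthModule::LDAP::AlwaysFilter1'} = '(myCustomAttribute1=OTRSGroup1)';

# Map attribute values to OTRS roles in the sync module. No GroupDN/AccessAttr
# lookup is involved, so the member-DN format of the group never matters.
$Self->{'AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition1'} = {
    # LDAP attribute
    'myCustomAttribute1' => {
        # LDAP attribute value => OTRS roles granted
        'OTRSGroup1' => {
            'AdminRole' => 1,
        },
    },
};

# Security caveat: the attribute is now an authorization token. Restrict write
# access to it in the directory ACLs to administrators; a user who can edit their
# own entry (or a self-service tool that can) must not be able to set it.
```

The sync runs on every successful login, so removing the value from a user's entry revokes the role at their next login; changing an existing group's member list is not required.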

Re: Lotus Domino Ldap sync

Post by rmaul »

I figured out that Lotus Domino uses backslashes instead of commas to separate the parent DN, like name/ou=xxx/o=xxx and so on; that may be why it's not recognizing the member inside the group. However, my FullName attribute contains both the comma and the backslash forms, as well as the UID of the user. So how do I set this custom attribute?
Let's say I put in my Config.pm

    myCustomAttribute1="FullName"

and how do I filter this?

Thank you for your help !!!

-- Rita

Re: Lotus Domino Ldap sync

Post by crythias »
