Need help with LDAP/AD Auth

Moderator: crythias

pseudoyams
Znuny newbie
Posts: 7
Joined: 27 Feb 2012, 23:59
Znuny Version: 31111

Need help with LDAP/AD Auth

Post by pseudoyams »

Hi everyone-
I'm working on a new install of OTRS (v3.1.1) on a clean install of Windows 2008 R2 SP1 server. I have that base install of OTRS working fine (aka can login with root@localhost) and want to get authentication working with LDAP/AD. I'm having trouble getting this working. I get the following error in the otrs.log file each time I try to login:

Code:

[Mon Feb 27 15:56:56 2012][Notice][Kernel::System::Auth::DB::Auth] User: User1 doesn't exist or is invalid!!! (REMOTE_ADDR: 127.0.0.1)
[Mon Feb 27 15:56:56 2012][Error][Kernel::System::User::UserLookup][746] No UserID found for 'User1'!
Shouldn't Auth::DB be Auth::LDAP????

Here is my config.pm file. LDAP settings have been taken from http://wiki.otterhub.org/index.php?titl ... _Directory.

Code:

    # ---------------------------------------------------- #
    # Begin Active Directory/LDAP Auth Config              #
    # ---------------------------------------------------- #

    # This is an example configuration for using an MS AD backend
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Group-IT,OU=Groups,OU=IT,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=LDAP_Proxy,OU=Services,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
        sscope  => 'sub',
    };

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap.domain.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=LDAP_Proxy,OU=Services,DC=domain,DC=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

    # ---------------------------------------------------- #
    # End Active Directory/LDAP Auth Config                #
    # ---------------------------------------------------- #

I'd appreciate any help anybody can throw my way on this.
rtorres
Znuny newbie
Posts: 50
Joined: 24 Feb 2012, 21:51
Znuny Version: 31100

Re: Need help with LDAP/AD Auth

Post by rtorres »

Been fighting with the same error since last week on 3.1.1. Any help would be awesome!
sameer666
Znuny newbie
Posts: 12
Joined: 16 Feb 2012, 06:40
Znuny Version: 3.1
Real Name: sameer

Re: Need help with LDAP/AD Auth

Post by sameer666 »

Should dc=domain,dc=local be set to your-domain.com?

For example, dc=your-domain,dc=com.

(REMOTE_ADDR: 127.0.0.1) means your LDAP setting is localhost.

HTH
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: Need help with LDAP/AD Auth

Post by ferrosti »

I don't know what you do, but your log says
[Mon Feb 27 15:56:56 2012][Notice][Kernel::System::Auth::DB::Auth]
which means that you are trying to auth against your local DB, not LDAP.
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
pseudoyams
Znuny newbie
Posts: 7
Joined: 27 Feb 2012, 23:59
Znuny Version: 31111

Re: Need help with LDAP/AD Auth

Post by pseudoyams »

ferrosti - yes, I know (as pointed out in the OP)... that is why I was looking for help ;)

Regardless, I figured it out last night. First off, I had to restart the services. After that I was able to LDAP auth, but not log in to the OTRS system. The following line is needed in v3.1.1... all the other configs I came across did not include it.

Code:

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
After I added that (and a little more) I was able to log in and sync with LDAP.

So here is my working config for agent auth and sync:

Code:

    # This is an example configuration for using an MS AD backend
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Group-IT,OU=Groups,OU=IT,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=LDAP_Proxy,OU=Services,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
        sscope  => 'sub',
    };

    # Now sync data with OTRS DB
    $Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap.domain.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=LDAP_Proxy,OU=Services,DC=domain,DC=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

    # UserTable
    $Self->{DatabaseUserTable}       = 'users';
    $Self->{DatabaseUserTableUserID} = 'id';
    $Self->{DatabaseUserTableUserPW} = 'pw';
    $Self->{DatabaseUserTableUser}   = 'login';
Now I have to tackle customer authentication.
kekkek
Znuny newbie
Posts: 4
Joined: 25 Oct 2011, 16:08
Znuny Version: 3dot1dot1
Real Name: Daniel

Re: Need help with LDAP/AD Auth

Post by kekkek »

Hello, the code below is working for me in Config.pm.

I'm using 3.1.1.
I hope it helps.

Code:

    # Enable LDAP authentication for Customers / Users
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'example.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'username';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'PASSWORD';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    #$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectClass=person)';
    #$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectClass=user)';

    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
        Name   => 'AD example',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => 'example.com',
            BaseDN => 'DC=example,DC=com',
            SSCOPE => 'sub',
            UserDN => 'username',
            UserPw => 'PASSWORD',
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['givenName', 'sn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'givenName', 'sn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        #CustomerUserEmailUniqCheck => 1,
        #CacheTTL => 0,
        # show now own tickets in customer panel, CompanyTickets
        #CustomerUserExcludePrimaryCustomerID => 0,
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
            #[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
            #[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
            #[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
            #[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
            #[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
            #[ 'UserPhone', 'Phone', 'homePhone', 1, 0, 'var' ],
            #[ 'UserMobile', 'Mobile', 'mobile', 1, 0, 'var' ],
            #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
            #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
            [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'homePhone',       1, 0, 'var', '', 0 ],
            [ 'UserMobile',     'Mobile',     'mobile',          1, 0, 'var', '', 0 ],
            [ 'UserExt',        'Ext.',       'telephoneNumber', 1, 0, 'var', '', 0 ],
        ],
    };
pseudoyams
Znuny newbie
Posts: 7
Joined: 27 Feb 2012, 23:59
Znuny Version: 31111

Re: Need help with LDAP/AD Auth

Post by pseudoyams »

Hi Kekkek-
Thanks for the reply. Your config worked perfectly!

Thanks again for your help!
rtorres
Znuny newbie
Posts: 50
Joined: 24 Feb 2012, 21:51
Znuny Version: 31100

Re: Need help with LDAP/AD Auth

Post by rtorres »

Here is the complete Config.pm file I used that worked for me. This is the complete file shown with default db info and password. I also added little notes next to each section to explain it better. Works with AD/LDAP on Windows 03 Domain. My issue was that I was missing the ' marks in the line $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP'; Thanks to pseudoyams for the help :)

Update: Well, it was working. I authenticated with 1 user via AD and now I get panic again..
rtorres
Znuny newbie
Posts: 50
Joined: 24 Feb 2012, 21:51
Znuny Version: 31100

Re: Need help with LDAP/AD Auth

Post by rtorres »

It will let me connect if I create an account manually and assign it a password. Then log off/back on and it works with the LDAP password and the local password. I assume I have something wrong but cannot figure out what. Any ideas what could cause this?
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: Need help with LDAP/AD Auth

Post by ferrosti »

Do you have

Code:

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
and all of its following params configured?

Detailed error messages would be really helpful.
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
pseudoyams
Znuny newbie
Posts: 7
Joined: 27 Feb 2012, 23:59
Znuny Version: 31111

Re: Need help with LDAP/AD Auth

Post by pseudoyams »

RTorres-
I had the same problem after ldap auth started working. The fix for me was to put in this line:

Code:

$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
Check out my config above... this is still working for me. Also, IIRC, you had put "1"s after some of the options... perhaps you are missing one?
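Added example, not code from this thread or from OTRS itself: a small Python checker for the agent auth/sync chain discussed in this reply and in the working config posted above. It reads the scalar `$Self->{...} = '...';` lines of a Config.pm fragment and flags the conditions the thread ran into (AuthModule not pointing at the LDAP backend, which is what the Auth::DB log entry indicates; the missing AuthModule::UseSyncBackend line; auth and sync settings that disagree; bind passwords left at a placeholder). The two config fragments are constructed from the settings quoted in this thread.

```python
import re

# Single-quoted scalar settings, e.g.  $Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.local';
# Lines commented out with '#' never match because the pattern is anchored at the start of a line.
SETTING_RE = re.compile(r"^\s*\$Self->\{'?([\w:]+)'?\}\s*=\s*'([^']*)'\s*;", re.M)

def parse_config(text):
    """Return {key: value} for the scalar settings in a Config.pm fragment."""
    return dict(SETTING_RE.findall(text))

def norm_dn(value):
    """Compare DNs case-insensitively and ignoring whitespace around commas."""
    return re.sub(r"\s*,\s*", ",", value.strip()).lower()

def check_agent_ldap(cfg):
    """Return a list of findings; an empty list means the agent auth/sync chain is consistent."""
    findings = []
    if cfg.get("AuthModule") != "Kernel::System::Auth::LDAP":
        findings.append("AuthModule is not Kernel::System::Auth::LDAP: logins go to Auth::DB")
    if cfg.get("AuthModule::UseSyncBackend") != "AuthSyncBackend":
        findings.append("AuthModule::UseSyncBackend missing: LDAP bind succeeds but no agent is synced")
    if cfg.get("AuthSyncModule") != "Kernel::System::Auth::Sync::LDAP":
        findings.append("AuthSyncModule is not Kernel::System::Auth::Sync::LDAP")
    for k in ("Host", "BaseDN", "UID", "SearchUserDN"):
        a, s = cfg.get(f"AuthModule::LDAP::{k}"), cfg.get(f"AuthSyncModule::LDAP::{k}")
        if a and s and norm_dn(a) != norm_dn(s):
            findings.append(f"{k} differs between auth ({a}) and sync ({s})")
    for key in ("AuthModule::LDAP::SearchUserPw", "AuthSyncModule::LDAP::SearchUserPw"):
        if cfg.get(key, "").lower() in ("", "password"):
            findings.append(f"{key} is empty or still the placeholder")
    return findings

# Constructed fragment mirroring the first post's config (no UseSyncBackend line).
OP_CONFIG = """
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap.domain.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
"""
# Same fragment plus the line the thread identified as the fix.
FIXED_CONFIG = OP_CONFIG + "    $Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';\n"

if __name__ == "__main__":
    for name, text in (("original", OP_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_agent_ldap(parse_config(text)) or ["no findings"])
```

The BaseDN written as 'dc=domain, dc=local' in the first post is not reported, because DN comparison ignores the space; the placeholder bind password is reported for both fragments.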
rtorres
Znuny newbie
Posts: 50
Joined: 24 Feb 2012, 21:51
Znuny Version: 31100

Re: Need help with LDAP/AD Auth

Post by rtorres »

Got it figured out. Classic rookie mistake, going off to stick my head in a hole..lol The test account I was using had no email, last name etc. assigned to it. It was just a test account I created a long time ago. I can actually recreate the error at will. If you open AD / your user account (new one never logged in with) and remove the email you will get the panic. Put email in (not domain specific) and relogin. No need to restart service cause the admin was a dumba.. :lol: I do believe I was missing that line though to start with but after adding it and the account setup issues... Thanks for the help all.