[SOLVED] LDAP Configuration Error When Logging In

Moderator: crythias

Locked
jlodense
Znuny newbie
Posts: 6
Joined: 12 May 2012, 04:51
Znuny Version: 3.1.4-01
Real Name: Jason
Company: MMI

[SOLVED] LDAP Configuration Error When Logging In

Post by jlodense »

Good Afternoon All,

I'm receiving the following error with my LDAP configuration (OTRS 3.1.5, CentOS 5.8 x86_64) when attempting to log in to OTRS. Any thoughts regarding the error? I am able to successfully connect to LDAP via the command line of the OS. Also, I've verified DNS and IP connectivity.

ERROR: OTRS-CGI-10 Perl: 5.8.8 OS: linux Time: Wed Jun 6 15:07:34 2012

Message: Search failed! 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece^@

Traceback (4763):
Module: Kernel::System::Auth::LDAP::Auth (v1.60) Line: 216
Module: Kernel::System::Auth::Auth (v1.56) Line: 189
Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
Module: (eval) (v1.90) Line: 204
Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31

Here's my configuration:

# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;

# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '#######.#######.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=#######,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsagents,ou=otrs,dc=######,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# (only one UserAttr applies; with both lines active the last assignment wins, so 'DN' is in effect)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,ou=otrs,dc=######,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '#######';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com'

# In case you want to convert all given usernames to lower-case letters you
# should activate this option. It might be helpful if databases are
# in use that do not distinguish selects for upper- and lower-case letters
# (Oracle, PostgreSQL). Users might be synced twice if this option
# is not in use.
$Self->{'AuthModule::LDAP::UserLowerCase'} = 0;

# In case you need to use OTRS in iso-charset, you can define this
# by using this option (converts utf-8 data from LDAP to iso).
$Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

# Die if backend can't work, e. g. can't connect to server.
$Self->{'AuthModule::LDAP::Die'} = 1;

# This is an example configuration for an LDAP auth sync. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '######.#######.com';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=#######,dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrs,ou=otrs,dc=######,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '######';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

# AuthSyncModule::LDAP::UserSyncMap
# (map if agent should create/synced from LDAP to DB after successful login)
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# In case you need to use OTRS in iso-charset, you can define this
# by using this option (converts utf-8 data from LDAP to iso).
$Self->{'AuthSyncModule::LDAP::Charset'} = 'iso-8859-1';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthSyncModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

# Die if backend can't work, e. g. can't connect to server.
$Self->{'AuthSyncModule::LDAP::Die'} = 1;
Last edited by jlodense on 14 Jun 2012, 19:36, edited 1 time in total.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: LDAP Configuration Error When Logging In

Post by crythias »

This is your likely culprit


$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,ou=otrs,dc=######,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '#######';
But needing a successful bind is practically any connectivity issue. High probability: security or port.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: LDAP Configuration Error When Logging In

Post by jlodense »

Thanks for the feedback!

I've found that when I log in locally and then set the password on my account manually, I am able to log in. It appears at this point to pull AD data, but when I log out, the password data is removed. Any thoughts on why OTRS isn't retaining the password data?

Re: LDAP Configuration Error When Logging In

Post by crythias »

Are you asking about single sign-on or why password information isn't replicating back to your LDAP source? OTRS isn't going to write to a read-only (usually LDAP) setup.

Re: [SOLVED] LDAP Configuration Error When Logging In

Post by jlodense »

It was actually an issue with the AccessAttr line. Once modified to member rather than memberUid, I am now able to log in via LDAP.

Thanks again for the assist!
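The two problems in this thread (the AD server refusing to search before a bind, and the group check comparing a DN against a memberUid attribute that only holds uids) both show up when the agent login is replayed step by step outside OTRS. The script below is an added diagnostic written for this thread with Net::LDAP; it is not OTRS code, and the host, base DN, group DN, search-user DN and password in %cfg are placeholders you replace with your own values. It follows the same order the OTRS 3.x auth module uses: bind as the search user, find the user entry under BaseDN with the UID attribute and AlwaysFilter, test membership under GroupDN with (AccessAttr=value), then bind as the user. Each step reports the LDAP result code, so the failing step is visible; note that an empty password is rejected up front, since LDAP servers treat a bind with an empty password as an anonymous bind rather than a failed one.

```perl
#!/usr/bin/perl
# Replay of the OTRS 3.x LDAP agent login steps with Net::LDAP.
# Added diagnostic for this thread, not OTRS code. All values in %cfg
# are placeholders (assumptions) to be replaced with your own directory data.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name escape_filter_value);

my %cfg = (
    Host         => 'ldap.example.com',                      # placeholder
    BaseDN       => 'dc=example,dc=com',                     # placeholder
    UID          => 'sAMAccountName',
    GroupDN      => 'cn=otrsagents,ou=otrs,dc=example,dc=com',   # placeholder
    AccessAttr   => 'member',      # 'memberUid' for posixGroup (holds uids), 'member' for AD (holds DNs)
    UserAttr     => 'DN',          # 'UID' pairs with memberUid, 'DN' pairs with member
    SearchUserDN => 'cn=otrs,ou=otrs,dc=example,dc=com',     # placeholder
    SearchUserPw => 'CHANGE-ME',                             # placeholder
    AlwaysFilter => '(objectclass=user)',
    Params       => { port => 389, timeout => 120, version => 3 },
);

my ( $login, $password ) = @ARGV;
die "usage: $0 <login> <password>\n" unless defined $login && defined $password;
# An empty password would make step 5 an anonymous bind, which many servers accept.
die "refusing empty password: it would be sent as an anonymous bind\n" unless length $password;

# Step 1: TCP connection with the same Net::LDAP parameters the config passes through.
my $ldap = Net::LDAP->new( $cfg{Host}, %{ $cfg{Params} } )
    or die "Step 1 (connect to $cfg{Host}:$cfg{Params}{port}): $@\n";

# Step 2: bind as the search user. Active Directory refuses anonymous searches
# with "a successful bind must be completed on the connection", the error in
# the original post; it means this bind did not happen or did not succeed.
my $mesg = $ldap->bind( $cfg{SearchUserDN}, password => $cfg{SearchUserPw} );
check( $mesg, 'Step 2 (bind as SearchUserDN)' );

# Step 3: locate the user entry the way the auth module does:
# (&(UID=login)AlwaysFilter) below BaseDN, login escaped as a filter value.
my $filter = sprintf '(&(%s=%s)%s)', $cfg{UID}, escape_filter_value($login), $cfg{AlwaysFilter};
$mesg = $ldap->search( base => $cfg{BaseDN}, scope => 'sub', filter => $filter, attrs => [ $cfg{UID} ] );
check( $mesg, "Step 3 (search $filter)" );
my $entry = $mesg->entry(0) or die "Step 3: no entry matched $filter under $cfg{BaseDN}\n";
my $user_dn = $entry->dn;
print "Step 3: found $user_dn\n";

# Step 4: group check. The compared value is the login (UserAttr 'UID') or the
# full DN (UserAttr 'DN'); it must be what the group's AccessAttr actually stores.
my $value   = $cfg{UserAttr} eq 'DN' ? $user_dn : $login;
my $gfilter = sprintf '(%s=%s)', $cfg{AccessAttr}, escape_filter_value($value);
$mesg = $ldap->search( base => $cfg{GroupDN}, scope => 'base', filter => $gfilter, attrs => ['1.1'] );
check( $mesg, "Step 4 (group search $gfilter)" );
die "Step 4: '$value' is not listed in $cfg{AccessAttr} of $cfg{GroupDN}\n" unless $mesg->count;
print "Step 4: membership in $cfg{GroupDN} confirmed via $cfg{AccessAttr}\n";

# Step 5: the actual authentication, a bind as the user with the supplied password.
$mesg = $ldap->bind( $user_dn, password => $password );
check( $mesg, 'Step 5 (bind as user)' );
print "Step 5: login for $login would succeed\n";
$ldap->unbind;

# Die with the LDAP result name, numeric code and server message for a failed step.
sub check {
    my ( $m, $step ) = @_;
    return unless $m->code;
    die sprintf "%s failed: %s (%d): %s\n", $step, ldap_error_name( $m->code ), $m->code, $m->error;
}
```

Run it as the OTRS OS user with a test agent's login and password. With AccessAttr left at memberUid and UserAttr at DN against an AD group, step 4 is the one that fails, because AD groups list members by DN in the member attribute and have no memberUid at all; switching AccessAttr to member, as the thread's fix did, makes the filter match. Keep the bind password out of shell history and process listings in real use (read it from a file with restrictive permissions rather than hard-coding it).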