Hi,
I am for some days trying to configure LDAP authentication.
Now I am in this situation: after entering in customer.pl userID and password, if it matches for that in LDAP or defautl DB, I got Internal server error. In error.log I have
Undefined subroutine &Kernel::Config::Load called at /opt/otrs//Kernel/Config/Defaults.pm line 1770.\n
If password doesn't match LDAP or default DB, user is rejected and I see a shake and then login again.
In Kernel/Config.pm I added:
# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '172.19.11.205';
$Self->{'AuthModule::LDAP::BaseDN'} = '';
$Self->{'AuthModule::LDAP::UID'} = 'bubenickova';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'o=lecebna,ou=sivt,CN=bubenickova';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxx';
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '172.19.11.205';
#$Self->{'Customer::AuthModule::LDAP::BaseDN'} = '';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'bubenickova';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} =
'o=lecebna,ou=sivt,cn=bubenickova';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user does NOT ave permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'o=lecebna,ou=sivt,cn=bubenickova';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'buben';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {.
Module => 'Kernel::System::CustomerUser::LDAP',
Name => 'ASI AD LDAP',
Params => {
Host => '172.19.11.205',
BaseDN => '',
SSCOPE => 'sub',
UserDN => 'bubenickova',
UserPw => 'xxxx',
},
CustomerKey => 'bubenickova',
CustomerID => 'bubenickova@plbohnice.cz',
CustomerUserListFields => ['cn', 'mail'],
CustomerUserSearchFields => ['uid', 'cn', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
# timeout => 120,
# async => 0,
# version => 3,
# };
#$Self->{CustomerUser} = {
Map => [
# note: Login, Email and CustomerID are mandatory!
# var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
# [ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'uid', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
# [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
# [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
# [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};
-------------------------
thank you for any advice
LDAP authentication
Moderator: crythias
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
LDAP authentication
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
crythias
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: LDAP authentication
The very first line has an index of 1 but no subsequent entries for that AuthModule do.
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
I haven't bothered to further troubleshoot after that, but likely what's happening is that AuthModule is using Defaults.pm which connects to DB.
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
I haven't bothered to further troubleshoot after that, but likely what's happening is that AuthModule is using Defaults.pm which connects to DB.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
Thanks, that was one mistake,
but after I corrected it, I can only login as user in LDAP, not as user in default db,
but after login I got Internal server error again,
in error.log I have again
Undefined subroutine &Kernel::Config::Load called at /opt/otrs//Kernel/Config/Defaults.pm line 1770
but after I corrected it, I can only login as user in LDAP, not as user in default db,
but after login I got Internal server error again,
in error.log I have again
Undefined subroutine &Kernel::Config::Load called at /opt/otrs//Kernel/Config/Defaults.pm line 1770
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
crythias
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: LDAP authentication
Append the index (1) to all such entries for LDAP and you should regain both access.katerina wrote:but after I corrected it, I can only login as user in LDAP, not as user in default db
Also, what version OTRS?
This is because Config.pm doesn't have sub Load, or it's broken.katerina wrote:Undefined subroutine &Kernel::Config::Load called at /opt/otrs//Kernel/Config/Defaults.pm line 1770
Can you please post your entire (password redacted) Config.pm?
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
Thanks for your help, I am totaly lost in the code for LDAP.
I tried several versions of code, that I found in otrs manual and in discussions here.
Our LDAP for sure doesn't contain all informations about customers,
I wanted to add them later if needed.
I would like to authenticate users against database or LDAP, if possible (one of them). The agents could be only in DB, it doesn,t matter. (That means I need to authenticate via customer.pl with LDAP, I don't need to authenticate in index.pl with LDAP and I would apreciate if I could add another customer into db, not into LDAP)
I reinstalled otrs and I haven't got internal server error any more. But now I can authenticate only with db, not with LDAP.
I use an account for searching LDAP which is lecebna.sivt.bubenickova, o=lecebna, ou=sivt, cn=bubenickova.
I was told dc is only for AD, for LDAP novell it is empty.
-----------------Config.pm
package Kernel::Config;
use utf8;
sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# database settings #
# ---------------------------------------------------- #
# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'localhost';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/otrs.CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = 'hot';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";
# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
# if you have PostgresSQL 8.1 or earlier, activate the legacy driver with this line:
# $Self->{DatabasePostgresqlBefore82} = 1;
# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = '/opt/otrs';
# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;
# ---------------------------------------------------- #
# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule1::LDAP::Host'} = '172.19.11.68';
$Self->{'AuthModule1::LDAP::BaseDN'} = '';
$Self->{'AuthModule1::LDAP::UID'} = 'bubenickova';
$Self->{'AuthModule1::LDAP::SearchUserDN'} = 'o=lecebna,ou=sivt,CN=bubenickova';
$Self->{'AuthModule1::LDAP::SearchUserPw'} = 'xxx';
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule1::LDAP::Host'} = '172.19.11.68';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = '';
$Self->{'Customer::AuthModule1::LDAP::UID'} = 'bubenickova';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule1::LDAP::GroupDN'} =
'o=lecebna,ou=sivt,cn=bubenickova';
$Self->{'Customer::AuthModule1::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule1::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user does NOT ave permission to read from the LDAP tree
$Self->{'Customer::AuthModule1::LDAP::SearchUserDN'} = 'o=lecebna,ou=sivt,cn=bubenickova';
$Self->{'Customer::AuthModule1::LDAP::SearchUserPw'} = 'buben';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule1::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP).
$Self->{'Customer::AuthModule1::LDAP::Params'} = {.
Module => 'Kernel::System::CustomerUser::LDAP',
Name => 'LDAP datasource',
Params => {
Host => '172.19.11.68',
BaseDN => '',
SSCOPE => 'sub',
UserDN => 'bubenickova',
UserPw => 'xxx',
timeout => 120,
async => 0,
version => 3,
},
CustomerKey => 'bubenickova',
CustomerID => 'bubenickova@plbohnice.cz',
CustomerUserListFields => ['cn', 'mail'],
CustomerUserSearchFields => ['uid', 'cn', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],.
.
#$Self->{CustomerUser} = {
Map => [
# note: Login, Email and CustomerID are mandatory!
# var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
# [ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'uid', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
# [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
# [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
# [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};
# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
}
# ---------------------------------------------------- #
# needed system stuff (don't edit this) #
# ---------------------------------------------------- #
use strict;
use warnings;
use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.25 $)[1];
use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');
# -----------------------------------------------------#
1;
I tried several versions of code, that I found in otrs manual and in discussions here.
Our LDAP for sure doesn't contain all informations about customers,
I wanted to add them later if needed.
I would like to authenticate users against database or LDAP, if possible (one of them). The agents could be only in DB, it doesn,t matter. (That means I need to authenticate via customer.pl with LDAP, I don't need to authenticate in index.pl with LDAP and I would apreciate if I could add another customer into db, not into LDAP)
I reinstalled otrs and I haven't got internal server error any more. But now I can authenticate only with db, not with LDAP.
I use an account for searching LDAP which is lecebna.sivt.bubenickova, o=lecebna, ou=sivt, cn=bubenickova.
I was told dc is only for AD, for LDAP novell it is empty.
-----------------Config.pm
package Kernel::Config;
use utf8;
sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# database settings #
# ---------------------------------------------------- #
# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'localhost';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/otrs.CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = 'hot';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";
# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
# if you have PostgresSQL 8.1 or earlier, activate the legacy driver with this line:
# $Self->{DatabasePostgresqlBefore82} = 1;
# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = '/opt/otrs';
# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;
# ---------------------------------------------------- #
# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule1::LDAP::Host'} = '172.19.11.68';
$Self->{'AuthModule1::LDAP::BaseDN'} = '';
$Self->{'AuthModule1::LDAP::UID'} = 'bubenickova';
$Self->{'AuthModule1::LDAP::SearchUserDN'} = 'o=lecebna,ou=sivt,CN=bubenickova';
$Self->{'AuthModule1::LDAP::SearchUserPw'} = 'xxx';
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule1::LDAP::Host'} = '172.19.11.68';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = '';
$Self->{'Customer::AuthModule1::LDAP::UID'} = 'bubenickova';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule1::LDAP::GroupDN'} =
'o=lecebna,ou=sivt,cn=bubenickova';
$Self->{'Customer::AuthModule1::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule1::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user does NOT ave permission to read from the LDAP tree
$Self->{'Customer::AuthModule1::LDAP::SearchUserDN'} = 'o=lecebna,ou=sivt,cn=bubenickova';
$Self->{'Customer::AuthModule1::LDAP::SearchUserPw'} = 'buben';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule1::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP).
$Self->{'Customer::AuthModule1::LDAP::Params'} = {.
Module => 'Kernel::System::CustomerUser::LDAP',
Name => 'LDAP datasource',
Params => {
Host => '172.19.11.68',
BaseDN => '',
SSCOPE => 'sub',
UserDN => 'bubenickova',
UserPw => 'xxx',
timeout => 120,
async => 0,
version => 3,
},
CustomerKey => 'bubenickova',
CustomerID => 'bubenickova@plbohnice.cz',
CustomerUserListFields => ['cn', 'mail'],
CustomerUserSearchFields => ['uid', 'cn', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],.
.
#$Self->{CustomerUser} = {
Map => [
# note: Login, Email and CustomerID are mandatory!
# var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
# [ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'uid', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
# [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
# [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
# [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};
# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
}
# ---------------------------------------------------- #
# needed system stuff (don't edit this) #
# ---------------------------------------------------- #
use strict;
use warnings;
use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.25 $)[1];
use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');
# -----------------------------------------------------#
1;
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
crythias
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: LDAP authentication
You made the same mistake that I made when I first fought this. When I said, 'append', I really meant append, not insert. :)
This is for agents. Customers have a similar index/numbering scheme.
but you'll probably want more than this. All you've currently included was how to connect. Also, UID is literally supposed to be 'uid', the field name.
http://doc.otrs.org/3.1/en/html/auth-ba ... h-backends
"Why didn't I use 1 after AuthSync?" Because it doesn't matter ... it's the only AuthSync that's going to run, because the other interface is DB.
This is for agents. Customers have a similar index/numbering scheme.
Code: Select all
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = '172.19.11.205';
$Self->{'AuthModule::LDAP::BaseDN1'} = '';
$Self->{'AuthModule::LDAP::UID1'} = 'bubenickova';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'o=lecebna,ou=sivt,CN=bubenickova';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'xxxx'; http://doc.otrs.org/3.1/en/html/auth-ba ... h-backends
Code: Select all
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = '172.19.11.205';
$Self->{'AuthModule::LDAP::BaseDN1'} = '';
$Self->{'AuthModule::LDAP::UID1'} = 'uid';
$Self->{'AuthModule::LDAP::GroupDN1'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'UID';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'o=lecebna,ou=sivt,CN=bubenickova';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'xxxx';
$Self->{'AuthModule::LDAP::AlwaysFilter1'} = '';
$Self->{'AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '172.19.11.205';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = '';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'o=lecebna,ou=sivt,CN=bubenickova';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'some_pass';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
Sorry for my silence,
My code now look like that:
And it doesn't work, that means I couldn't authenticate by my LDAP account (katerina). I have a group in LDAP named HelpDesk and I am a member of the HelpDesk group. I can authenticace with DB all the time.
I asked our support for Novell technologies and I was said that LDAP for Active Directory differs from that for Novell and I can't use uid for searching because in Novell LDAP uid is not unique. He suggested to search by cn or dn (in the code above it si cn, but id doesn't work with dn either).
Also he said it is important to have the right order in cn=admin,o=lecebna (not reverse o=lecebna,cn=admin).
So my question is:
Is it possible to authenticate with novell LDAP (not with AD)? Is there anybody who succeded?
Thanks a lot
My code now look like that:
Code: Select all
$self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = '172.19.11.65';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'o=lecebna';
$Self->{'AuthModule::LDAP::UID1'} = 'admin';
# $Self->{'AuthModule::LDAP::UID1'} = 'cn';
$Self->{'AuthModule::LDAP::GroupDN1'} = 'cn=HelpDesk,o=lecebna';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'cn';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'cn=admin,o=lecebna,';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'xxxx';
$Self->{'AuthModule::LDAP::AlwaysFilter1'} = '';
$Self->{'AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '172.19.11.65';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'o=lecebna';
$Self->{'AuthSyncModule::LDAP::UID'} = 'cn';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=admin,o=lecebna';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'',
];
And it doesn't work, that means I couldn't authenticate by my LDAP account (katerina). I have a group in LDAP named HelpDesk and I am a member of the HelpDesk group. I can authenticace with DB all the time.
I asked our support for Novell technologies and I was said that LDAP for Active Directory differs from that for Novell and I can't use uid for searching because in Novell LDAP uid is not unique. He suggested to search by cn or dn (in the code above it si cn, but id doesn't work with dn either).
Also he said it is important to have the right order in cn=admin,o=lecebna (not reverse o=lecebna,cn=admin).
So my question is:
Is it possible to authenticate with novell LDAP (not with AD)? Is there anybody who succeded?
Thanks a lot
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
crythias
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: LDAP authentication
but earlier you said:katerina wrote:And it doesn't work, that means I couldn't authenticate by my LDAP account (katerina). I have a group in LDAP named HelpDesk and I am a member of the HelpDesk group. I can authenticace with DB all the time.
So, what happened?Thanks, that was one mistake,
but after I corrected it, I can only login as user in LDAP, not as user in default db,
Before:
Code: Select all
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = '172.19.11.205';
$Self->{'AuthModule::LDAP::BaseDN1'} = '';
$Self->{'AuthModule::LDAP::UID1'} = 'bubenickova';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'o=lecebna,ou=sivt,CN=bubenickova';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'xxxx'; There shouldn't be a reason db doesn't work after this change.
Now:
lowercase $self not upppercase $Self (that's why LDAP doesn't work at all, before any other troubleshooting).
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
Before I have reinstalled otrs, I tried to loggin, but sometimes I got rejection user/password, sometimes I got internal server error.
I thought, internal server error means I am logged in.
But after some research which I unfortunatelly didn't describe here I realized that it is completely random when I got intrenal error and when I was rejected. When I reloaded once, I got internal errror and reloaded again and got rejection user/password. So when I typed user/password once I was rejected and second time I got internal error and I thought that I was in and the previous case was mistyping the password.
I thought that after reinstalling otrs all (or majority) of my problems were solved. But it looks like I never was logged in LDAP and I only thought I was in.
Sorry again I didn't write about all my tryings.
I thought, internal server error means I am logged in.
But after some research which I unfortunatelly didn't describe here I realized that it is completely random when I got intrenal error and when I was rejected. When I reloaded once, I got internal errror and reloaded again and got rejection user/password. So when I typed user/password once I was rejected and second time I got internal error and I thought that I was in and the previous case was mistyping the password.
I thought that after reinstalling otrs all (or majority) of my problems were solved. But it looks like I never was logged in LDAP and I only thought I was in.
Sorry again I didn't write about all my tryings.
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
Now I corrected $self to $Self and $Self->{'AuthModule::LDAP::UID1'} = 'cn';
I can loggin with default db, bud LDAP still doesn't work.
Isn't there something like restart otrs and I missed it?
I can loggin with default db, bud LDAP still doesn't work.
Isn't there something like restart otrs and I missed it?
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
crythias
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: LDAP authentication
Please post relevant otrs System Logs regarding this.I can loggin with default db, bud LDAP still doesn't work.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
In /var/log/messages:
I use different usernames for db and ldap
And my code producing invalid syntax
Code: Select all
Jul 31 14:50:33 CentosIntra OTRS-CGI-10[23697]: [Notice][Kernel::System::Auth::DB::Auth] User: bubenickova doesn't exist or is invalid!!! (REMOTE_ADDR: 172.19.11.83)
Jul 31 14:50:33 CentosIntra OTRS-CGI-10[23697]: [Error][Kernel::System::Auth::LDAP::Auth][Line:187]: First bind failed! Invalid syntax
Jul 31 14:50:33 CentosIntra OTRS-CGI-10[23697]: [Error][Kernel::System::User::UserLookup][Line:797]: No UserID found for bubenickova'!
Jul 31 14:52:54 CentosIntra OTRS-CGI-10[23697]: [Notice][Kernel::System::Auth::DB::Auth] User: katerina.bubenickova@xxx.cz authentication ok (REMOTE_ADDR: 172.19.11.83)And my code producing invalid syntax
Code: Select all
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = '172.19.11.65';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'o=lecebna';
$Self->{'AuthModule::LDAP::UID1'} = 'cn';
$Self->{'AuthModule::LDAP::GroupDN1'} = 'cn=HelpDesk,o=lecebna';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'cn';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'cn=admin,o=lecebna,';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'xxx';
$Self->{'AuthModule::LDAP::AlwaysFilter1'} = '';
$Self->{'AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '172.19.11.65';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'o=lecebna';
$Self->{'AuthSyncModule::LDAP::UID'} = 'cn';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=admin,o=lecebna';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'cn=HelpDesk,o=lecebna',
]; otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
crythias
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: LDAP authentication
This is helpful:
Means what it says. There's no bubenickova in the db.
first bind failed means the searchuser isn't being handled properly
invalid syntax because of the trailing comma in the dn?
:)
Code: Select all
Jul 31 14:50:33 CentosIntra OTRS-CGI-10[23697]: [Notice][Kernel::System::Auth::DB::Auth] User: bubenickova doesn't exist or is invalid!!! (REMOTE_ADDR: 172.19.11.83)Means what it says. There's no bubenickova in the db.
Code: Select all
Jul 31 14:50:33 CentosIntra OTRS-CGI-10[23697]: [Error][Kernel::System::Auth::LDAP::Auth][Line:187]: First bind failed! Invalid syntax
Jul 31 14:50:33 CentosIntra OTRS-CGI-10[23697]: [Error][Kernel::System::User::UserLookup][Line:797]: No UserID found for bubenickova'! invalid syntax because of the trailing comma in the dn?
Code: Select all
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'cn=admin,o=lecebna,'; Code: Select all
Jul 31 14:52:54 CentosIntra OTRS-CGI-10[23697]: [Notice][Kernel::System::Auth::DB::Auth] User: katerina.bubenickova@xxx.cz authentication ok (REMOTE_ADDR: 172.19.11.83)OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
Thanks again for your help and patience.
I corrected the coma and looked at log,
there was
so I after some research of LDAP tried to create user bubenickova in DB with another passwd, then I tried to login by my LDAP passwd and failed.
Then I tried login with my DB passwd and succeded but then some synchronization occured and now I cannot login with any passwd.
So now I can authenticate with db and if there is an account in LDAP some synchronisation happens and I couldn't authenticate neither with db passw nor with passwd I use for login into novell. The passwd isn't empty neither. I can login as another user, change password for my account and authenticate for the first time and then sync happens again. And I have no passwd.
But I wanted not to insert users into db manually, I hoped it wil be automated (I only add user into HelpDesk group).
I corrected the coma and looked at log,
there was
Code: Select all
Aug 1 07:54:21 CentosIntra OTRS-CGI-10[23703]: [Notice][Kernel::System::Auth::DB::Auth] User: bubenickova doesn't exist or is invalid!!! (REMOTE_ADDR: 172.19.11.83)
Aug 1 07:54:21 CentosIntra OTRS-CGI-10[23703]: [Error][Kernel::System::Auth::LDAP::Auth][Line:278]: Search failed! base='cn=HelpDesk,o=lecebna', filter='(member=bubenickova)', success
Aug 1 07:54:21 CentosIntra OTRS-CGI-10[23703]: [Error][Kernel::System::User::UserLookup][Line:797]: No UserID found for 'bubenickova'!
Then I tried login with my DB passwd and succeded but then some synchronization occured and now I cannot login with any passwd.
Code: Select all
Aug 2 12:15:38 CentosIntra OTRS-CGI-10[17622]: [Notice][Kernel::System::User::UserAdd] User: 'bubenickova' ID: '4' created successfully (3)!
Aug 2 12:15:38 CentosIntra OTRS-CGI-10[17622]: [Notice][Kernel::System::User::SetPassword] User: 'bubenickova' changed password successfully!
Aug 2 12:16:36 CentosIntra OTRS-CGI-10[23700]: [Notice][Kernel::System::Auth::DB::Auth] User: bubenickova authentication with wrong Pw!!! (REMOTE_ADDR: 172.19.11.83)
Aug 2 12:16:37 CentosIntra OTRS-CGI-10[23700]: [Error][Kernel::System::Auth::LDAP::Auth][Line:278]: Search failed! base='cn=HelpDesk,o=lecebna', filter='(member=bubenickova)', Success
Aug 2 12:18:07 CentosIntra OTRS-CGI-10[6945]: [Notice][Kernel::System::Auth::DB::Auth] User: katerina.bubenickova@xxx.cz authentication ok (REMOTE_ADDR: 172.19.11.83).
Aug 2 12:18:07 CentosIntra OTRS-CGI-10[6945]: [Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: katerina.bubenickova@xxx.cz sync failed, no LDAP entry found!BaseDN='o=lecebna', Filter='(cn=katerina.bubenickova@xxx.cz)', (REMOTE_ADDR: 172.19.11.83).
Aug 2 12:18:56 CentosIntra OTRS-CGI-10[15307]: [Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 101cbdb8ca9b5e0c494f4b3a6237cde72b.
Aug 2 12:19:04 CentosIntra OTRS-CGI-10[23704]: [Notice][Kernel::System::Auth::DB::Auth] User: bubenickova authentication ok (REMOTE_ADDR: 172.19.11.83).
Aug 2 12:19:04 CentosIntra OTRS-CGI-10[23704]: [Notice][Kernel::System::User::UserUpdate] User: 'bubenickova' updated successfully (1)!
Aug 2 12:19:04 CentosIntra OTRS-CGI-10[23704]: [Notice][Kernel::System::User::SetPassword] User: 'bubenickova' changed password successfully!
Aug 2 12:19:42 CentosIntra OTRS-CGI-10[21321]: [Notice][Kernel::System::AuthSession::DB::RemoveSessionID] Removed SessionID 104a0cca8bc76db1b63ba557d376a7b976.
Aug 2 12:19:49 CentosIntra OTRS-CGI-10[23703]: [Notice][Kernel::System::Auth::DB::Auth] User: bubenickova authentication with wrong Pw!!! (REMOTE_ADDR: 172.19.11.83)
Aug 2 12:19:49 CentosIntra OTRS-CGI-10[23703]: [Error][Kernel::System::Auth::LDAP::Auth][Line:278]: Search failed! base='cn=HelpDesk,o=lecebna', filter='(member=bubenickova)', Success
Aug 2 12:20:11 CentosIntra OTRS-CGI-10[25664]: [Notice][Kernel::System::Auth::DB::Auth] User: bubenickova authentication with wrong Pw!!! (REMOTE_ADDR: 172.19.11.83)
But I wanted not to insert users into db manually, I hoped it wil be automated (I only add user into HelpDesk group).
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
crythias
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: LDAP authentication
Aug 2 12:16:37 CentosIntra OTRS-CGI-10[23700]: [Error][Kernel::System::Auth::LDAP::Auth][Line:278]: Search failed! base='cn=HelpDesk,o=lecebna', filter='(member=bubenickova)', Success
Aug 2 12:18:07 CentosIntra OTRS-CGI-10[6945]: [Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: katerina.bubenickova@xxx.cz sync failed, no LDAP entry found!BaseDN='o=lecebna', Filter='(cn=katerina.bubenickova@xxx.cz)', (REMOTE_ADDR: 172.19.11.83).
no ldap entry found.
filter = cn=email address
This means the user is an email address and you're using cn to look it up in ldap. try changing cn to mail in AuthSyncModule::LDAP::UID
Aug 2 12:18:07 CentosIntra OTRS-CGI-10[6945]: [Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: katerina.bubenickova@xxx.cz sync failed, no LDAP entry found!BaseDN='o=lecebna', Filter='(cn=katerina.bubenickova@xxx.cz)', (REMOTE_ADDR: 172.19.11.83).
no ldap entry found.
filter = cn=email address
This means the user is an email address and you're using cn to look it up in ldap. try changing cn to mail in AuthSyncModule::LDAP::UID
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
No ldap entry found -
OK that's right. I have user bubenickova in LDAP and user katerina.bubenickova@xxx.cz in db. I hoped that in the end I would be able to authenticate with boht accounts. But now I can authenticate only with katerina.bubenickova@xxx.cz which is only in db.
I added bubenickova in db and after synchronization occured I couldn't authenticate with this account. I can use katerina.bubenickova@xxx, login, change password for bubenickova in db, loging as bubenickova, but as soon as I am logged in again sync happens and then I can't login as bubenickova.
It looks like otrs gets for password another ldap field than I use when I am logged in Novell, or some errors ocured during synchronization
OK that's right. I have user bubenickova in LDAP and user katerina.bubenickova@xxx.cz in db. I hoped that in the end I would be able to authenticate with boht accounts. But now I can authenticate only with katerina.bubenickova@xxx.cz which is only in db.
I added bubenickova in db and after synchronization occured I couldn't authenticate with this account. I can use katerina.bubenickova@xxx, login, change password for bubenickova in db, loging as bubenickova, but as soon as I am logged in again sync happens and then I can't login as bubenickova.
It looks like otrs gets for password another ldap field than I use when I am logged in Novell, or some errors ocured during synchronization
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
I tried to read something and search for some solution but my capabilities are limited, so I ask for help again.
I realized that what I need is customer authentication against LDAP and I don't need agent authentication.
But maybe problems with agent authentication can help to solve problems with LDAP.
After I set password for agent bubenickova, I can log in. I can see encrypted password in mysql. After my logging in the password is changed in db, as you can see in log and I can see it in mysql too. But I don't know the changed password as it is encrypted.
It is not my ldap password (or precisely my password which I use for novell authentication and I thing it is the same as ldap password)
I have in /var/log/messages
Aug 17 13:35:33 CentosIntra OTRS-CGI-10[27469]: [Notice][Kernel::System::Auth::DB::Auth] User: bubenickova authe
ntication ok (REMOTE_ADDR: 172.16.0.10).
Aug 17 13:35:33 CentosIntra OTRS-CGI-10[27469]: [Notice][Kernel::System::User::UserUpdate] User: 'bubenickova' u
pdated successfully (1)!
Aug 17 13:35:33 CentosIntra OTRS-CGI-10[27469]: [Notice][Kernel::System::User::SetPassword] User: 'bubenickova'
changed password successfully!
I have installed jXplorer for searching fields in LDAP, but I can't see there anything that could help - I don't see there my password and any field that could help.
I tried to insert into Config.pm code for customer authenticating with LDAP
When I try to auntheticate thru customers.pl I have in log (and authentication fails)
Aug 17 14:24:24 CentosIntra OTRS-CGI-10[27470]: [Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:282]: Sea
rch failed! base='cn=HelpDesk,o=lecebna', filter='(member=bubenickova)', Success
I don't know what does success mean. Does it mean that provided user and passw for searching LDAP is ok (and only passwd for member=bubenickova doesn't match) ?
Or searching failed because of password or user for searching was not accepted?
Thanx in advance for any suggestions
I realized that what I need is customer authentication against LDAP and I don't need agent authentication.
But maybe problems with agent authentication can help to solve problems with LDAP.
After I set password for agent bubenickova, I can log in. I can see encrypted password in mysql. After my logging in the password is changed in db, as you can see in log and I can see it in mysql too. But I don't know the changed password as it is encrypted.
It is not my ldap password (or precisely my password which I use for novell authentication and I thing it is the same as ldap password)
I have in /var/log/messages
Aug 17 13:35:33 CentosIntra OTRS-CGI-10[27469]: [Notice][Kernel::System::Auth::DB::Auth] User: bubenickova authe
ntication ok (REMOTE_ADDR: 172.16.0.10).
Aug 17 13:35:33 CentosIntra OTRS-CGI-10[27469]: [Notice][Kernel::System::User::UserUpdate] User: 'bubenickova' u
pdated successfully (1)!
Aug 17 13:35:33 CentosIntra OTRS-CGI-10[27469]: [Notice][Kernel::System::User::SetPassword] User: 'bubenickova'
changed password successfully!
I have installed jXplorer for searching fields in LDAP, but I can't see there anything that could help - I don't see there my password and any field that could help.
I tried to insert into Config.pm code for customer authenticating with LDAP
Code: Select all
# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '172.19.11.65';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'o=lecebna';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'cn';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=HelpDesk,o=lecebna';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'cn';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=admin,o=lecebna';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxx';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
Aug 17 14:24:24 CentosIntra OTRS-CGI-10[27470]: [Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:282]: Sea
rch failed! base='cn=HelpDesk,o=lecebna', filter='(member=bubenickova)', Success
I don't know what does success mean. Does it mean that provided user and passw for searching LDAP is ok (and only passwd for member=bubenickova doesn't match) ?
Or searching failed because of password or user for searching was not accepted?
Thanx in advance for any suggestions
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
crythias
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: LDAP authentication
katerina,
The first thing is to determine whether you want your agents to authenticate versus database or ldap.
If you don't want to authenticate agents against ldap, don't include that code.
In general, you want to have a one-to-one login <-> authentication method. I'd recommend to ignore database completely if LDAP makes sense in your installation. It will remove the questions about passwords updating in database and use LDAP authentication as the "real" version.
All the code you've provided in your latest post is for CustomerAuth (log in to customer.pl), so everything about "agent" you spoke of earlier doesn't apply, including the log.
Now, this:
Aug 17 14:24:24 CentosIntra OTRS-CGI-10[27470]: [Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:282]: Search failed! base='cn=HelpDesk,o=lecebna', filter='(member=bubenickova)', Success
viewtopic.php?f=60&t=16543
Which is, essentially, ignoring BaseDN and going directly for the group with common name/DN:
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=HelpDesk,o=lecebna';
This means that a *customer* with a login of bubenickova has to have the attribute called "member" (as in, member of GroupDN. Sometimes this is memberOf or memberUID)
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
In this case, success means that the request was attempted successfully, but the result doesn't return a value that is usable.
The first thing is to determine whether you want your agents to authenticate versus database or ldap.
If you don't want to authenticate agents against ldap, don't include that code.
In general, you want to have a one-to-one login <-> authentication method. I'd recommend to ignore database completely if LDAP makes sense in your installation. It will remove the questions about passwords updating in database and use LDAP authentication as the "real" version.
All the code you've provided in your latest post is for CustomerAuth (log in to customer.pl), so everything about "agent" you spoke of earlier doesn't apply, including the log.
Now, this:
Aug 17 14:24:24 CentosIntra OTRS-CGI-10[27470]: [Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:282]: Search failed! base='cn=HelpDesk,o=lecebna', filter='(member=bubenickova)', Success
viewtopic.php?f=60&t=16543
You have the error saying: base='cn=HelpDesk,o=lecebna',filter='(member=bubenickova)'"No LDAP entry found!"
This means you've successfully queried (logged in to query) the LDAP server, but the request doesn't return a result. Usually, this means you're trying to ask for a username in the wrong field or basedn.
You'll see Filter='(Param1=Param2Param3)'
Param1 is uid or the value of UserAttr
Param2 is the submitted username/login entry
Param3 is the UserSuffix, if provided
If you have an additional filter, it may show up as
Filter='(&(Param1=Param2Param3)(Param4))'
In which Param4 will be your filter parameters.
Which is, essentially, ignoring BaseDN and going directly for the group with common name/DN:
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=HelpDesk,o=lecebna';
This means that a *customer* with a login of bubenickova has to have the attribute called "member" (as in, member of GroupDN. Sometimes this is memberOf or memberUID)
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
In this case, success means that the request was attempted successfully, but the result doesn't return a value that is usable.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
Thanks for your answer.
Now I commented agent authentication, so I have left only user authentication.
I have a group named Helpdesk with two members: (atribute member I could see in JXplorer)
cn=bubenickova,ou=SIVT,o=lecebna
cn=admin,o=lecebna
When I try to log in, I have these log messages:
loggin as bubenickova, correct pw into ldap: (the same log I obtain if I write a wrong password)
loggin as nikdo (non existing user, not member of Helpdesk)
Existing user, but not member of HelpDesk
Existing user, superadmin pasword of him is used for searching ldap, so I think system can accept this password (if it doesn't search with anonymous rights, I am not absolutly sure)
logging as bubenickova.SIVT.lecebna
logging as cn=bubenickova,ou=SIVT,o=lecebna
I don't understand what is nested something and if it is the case and the structure of our LDAP doesn't allow to log in.
I can see two possible problems:
system couldn't recognise if user is a member of group HelpDesk
or system couldn't recognise the right password (I don't know if system accepts the admin password for searching the LDAP, because if I log in JXplorer as anonymous, I couldn't see any member of the group HelpDesk - that means if otrs searches ldap as anonymous, it couldn't see who is member of the group HelpDesk, but it could see if any login exists in system)
I tried to comment out
and the result was the same as if there were these lines active, so I think system couldn't recognise the password (I came to the same conclusion when I tried to authenticate agents because after synchronization password from ldap to db my password didn't work).
So I think otrs takes the password from another field or it makes different operation with the pw than novell do.
Of course I can be completely wrong and I would appreciate any ideas.
Now I commented agent authentication, so I have left only user authentication.
I have a group named Helpdesk with two members: (atribute member I could see in JXplorer)
cn=bubenickova,ou=SIVT,o=lecebna
cn=admin,o=lecebna
When I try to log in, I have these log messages:
loggin as bubenickova, correct pw into ldap: (the same log I obtain if I write a wrong password)
Code: Select all
[Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:282]: Search failed! base='cn=HelpDesk,o=lecebna', filter='(member=bubenickova)', Success
Code: Select all
[Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: nikdo authentication failed, no LDAP entry found!BaseDN='o=lecebna', Filter='(cn=nikdo)', (REMOTE_ADDR: 172.16.0.10).
Code: Select all
[Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:282]: Search failed! base='cn=HelpDesk,o=lecebna', filter='(member=Toman)', Success
Code: Select all
[Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:282]: Search failed! base='cn=HelpDesk,o=lecebna', filter='(member=admin)', Success
Code: Select all
[Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: bubenickova.SIVT.lecebna authentication failed, no LDAP entry found!BaseDN='o=lecebna', Filter='(cn=bubenickova.SIVT.lecebna)', (REMOTE_ADDR: 172.16.0.10).
Code: Select all
[Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: cn=bubenickova,ou=SIVT,o=lecebna authentication failed, no LDAP entry found!BaseDN='o=lecebna',
Filter='(cn=cn=bubenickova,ou=SIVT,o=lecebna)', (REMOTE_ADDR: 172.16.0.10).
I can see two possible problems:
system couldn't recognise if user is a member of group HelpDesk
or system couldn't recognise the right password (I don't know if system accepts the admin password for searching the LDAP, because if I log in JXplorer as anonymous, I couldn't see any member of the group HelpDesk - that means if otrs searches ldap as anonymous, it couldn't see who is member of the group HelpDesk, but it could see if any login exists in system)
I tried to comment out
Code: Select all
#$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=admin,o=lecebna';
#$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxx';
So I think otrs takes the password from another field or it makes different operation with the pw than novell do.
Of course I can be completely wrong and I would appreciate any ideas.
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
crythias
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: LDAP authentication
Code: Select all
[Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:282]: Search failed! base='cn=HelpDesk,o=lecebna', filter='(member=bubenickova)', SuccessThis is what Kernel/System/CustomerAuth/LDAP.pm checks for to return the log message you see.
Code: Select all
my $Result2 = $LDAP->search(
base => $Self->{GroupDN},
filter => $Filter2,
attrs => ['1.1'],
);
if ( $Result2->code ) {
$Self->{LogObject}->Log(
Priority => 'error',
Message => "Search failed! base='$Self->{GroupDN}', filter='$Filter2', "
. $Result->error,
);
$LDAP->unbind;
$LDAP->disconnect;
return;
} OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
Thanks,
after change I have
I changed
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=admin,o=lecebna';
to
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'admin';
rolback
new change
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=HelpDesk,o=lecebna';
to
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=HelpDesk';
rolback
new change
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'o=lecebna';
to
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = '';
I remembered to be said by our external novell specialist that novell LDAP has no dn and it has different structure from AD.
So again - is there anybody having working ldap authentication with novell ldap?
after change I have
Code: Select all
[Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:282]: Search failed! b
ase='cn=HelpDesk,o=lecebna', filter='(member=bubenickova)', Invalid DN syntax
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=admin,o=lecebna';
to
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'admin';
Code: Select all
[Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:193]: First bind faile
d! Invalid DN syntax
new change
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=HelpDesk,o=lecebna';
to
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=HelpDesk';
Code: Select all
Aug 20 13:58:16 CentosIntra OTRS-CGI-10[24579]: [Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:282]: Search failed! b
ase='cn=HelpDesk', filter='(member=bubenickova)', NDS error: no such entry (-601)
new change
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'o=lecebna';
to
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = '';
Code: Select all
[Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:282]: Search failed! b
ase='cn=HelpDesk,o=lecebna', filter='(member=bubenickova)', Invalid DN syntax
So again - is there anybody having working ldap authentication with novell ldap?
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
crythias
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: LDAP authentication
Create the query in jXplorer and let us know one that works.
1)
Invalid DN syntax is exactly that. cn=HelpDesk,o=lecebna is an invalid DN syntax. This is reported from ldap query. It is what Novell is returning for this DN. If HelpDesk is in an ou, make sure you include that: cn=HelpDesk,ou=OrgUnit,o=lecebna
2)
First bind failed because the SearchUserDN isn't a valid DN.
3) NDS error: no such entry (-601)
http://www.novell.com/documentation/nwe ... 39nje.html
An attempt was made to read information for an eDirectory or NDS object that does not exist on the eDirectory or NDS server that is replying to the request.
4)
Invalid DN syntax. same thing as 1.
When you ask for someone with a valid novell ldap connection, consider the audience who visits this forum.
First, this forum has low traffic, probably 3-5 people at a time, *MOST* of them seeking answers, just like you. There are a few moderators, but there are only about 3 people who are prolific helpers *at all*, then consider that Novell is a niche setup that has rabidtepid support in the Novell community, but outside, not so much. Then take all of the people who are using Novell, and then those who use ldap, and then who use OTRS, and if you get that *one* person to read your post on this forum asking for help, you probably should buy a lottery ticket.
Further, I'm trying to help ... I mean, really, actively trying to help, but I have none of these things to test against. Not the least of which, the error messages are, so far, related to data entry problems, not OTRS, which means that anything that someone could show you that works would be specific to their implementation, not yours.
1)
Invalid DN syntax is exactly that. cn=HelpDesk,o=lecebna is an invalid DN syntax. This is reported from ldap query. It is what Novell is returning for this DN. If HelpDesk is in an ou, make sure you include that: cn=HelpDesk,ou=OrgUnit,o=lecebna
2)
First bind failed because the SearchUserDN isn't a valid DN.
3) NDS error: no such entry (-601)
http://www.novell.com/documentation/nwe ... 39nje.html
An attempt was made to read information for an eDirectory or NDS object that does not exist on the eDirectory or NDS server that is replying to the request.
4)
Invalid DN syntax. same thing as 1.
When you ask for someone with a valid novell ldap connection, consider the audience who visits this forum.
First, this forum has low traffic, probably 3-5 people at a time, *MOST* of them seeking answers, just like you. There are a few moderators, but there are only about 3 people who are prolific helpers *at all*, then consider that Novell is a niche setup that has rabidtepid support in the Novell community, but outside, not so much. Then take all of the people who are using Novell, and then those who use ldap, and then who use OTRS, and if you get that *one* person to read your post on this forum asking for help, you probably should buy a lottery ticket.
Further, I'm trying to help ... I mean, really, actively trying to help, but I have none of these things to test against. Not the least of which, the error messages are, so far, related to data entry problems, not OTRS, which means that anything that someone could show you that works would be specific to their implementation, not yours.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
Thanks very much for your answer, I really appreciate your effort.
I realized that in log there was member=bubenickova, while the right answer is member='cn=bubenickova,ou=SIVT,o=lecebna'
In LDAP group helpdesk there is no field with answer only bubbenickova, which is my login.
So I changed
#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=helpdesk,o=lecebna';
#$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
into
Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'cn';
And that suited me better because I rather don't want to add people into any other group.
Now I can authenticate, but not enter the account.
I added some code
In log I have
[Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: bubenickova (cn=bubenickova,ou=SIVT,o=lecebna) authentication ok (REMOTE_ADDR: 172.16.0.10).
[Error][Kernel::System::CustomerUser::SetPreferences][Line:506]: No such user 'bubenickova'!
In admin interface I can see LDAP Datasource, but No data found.
Any ideas how can I troubleshoot? Thanks a lot.
I realized that in log there was member=bubenickova, while the right answer is member='cn=bubenickova,ou=SIVT,o=lecebna'
In LDAP group helpdesk there is no field with answer only bubbenickova, which is my login.
So I changed
#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=helpdesk,o=lecebna';
#$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
into
Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'cn';
And that suited me better because I rather don't want to add people into any other group.
Now I can authenticate, but not enter the account.
I added some code
Code: Select all
$Self->{CustomerUser} = {
Name => 'LDAP Datasource',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => '172.19.11.65',
BaseDN => 'o=lecebna',
SSCOPE => 'sub',
UserDN => 'cn=admin,o=lecebna',
UserPW => 'xxxx',
AlwaysFilter => '(objectClass=Person)', #Person is in our LDAP instead of user
Params => {
port => 389,
timeout => 120,
async => 0,
version => 3,
},
},
CustomerKey => 'cn',
CustomerID => 'mail',
CustomerUserListFields => ['cn', 'sn', 'mail'],
CustomerUserSearchFields => [ 'cn', 'sn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*', # there I tried value '' ,too
#CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenName', 'sn'],
CustomerUserExcludePrimaryCustomerID => 0,
AdminSetPreferences => 0,
Map => [
[ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenName', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'cn', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephoneNumber', 1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postalAddress', 1, 0, 'var', '', 0 ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};
[Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: bubenickova (cn=bubenickova,ou=SIVT,o=lecebna) authentication ok (REMOTE_ADDR: 172.16.0.10).
[Error][Kernel::System::CustomerUser::SetPreferences][Line:506]: No such user 'bubenickova'!
In admin interface I can see LDAP Datasource, but No data found.
Any ideas how can I troubleshoot? Thanks a lot.
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
Now I sucseed with agent authentication, I can,t use group but innstead I use ou=SIVT and all members of this ou can log in and their passwd are synchronized with ldap passwd, but not members of this ou couldn't login. That is what I wanted. My code looks like that:
But with customers I am having still troubles.
Code: Select all
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = '172.19.11.65';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'o=lecebna';
$Self->{'AuthModule::LDAP::UID1'} = 'cn';
# $Self->{'AuthModule::LDAP::GroupDN1'} = 'cn=HelpDesk,o=lecebna';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'cn';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'cn';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'cn=admin,o=lecebna';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = '6jT.FtjH';
$Self->{'AuthModule::LDAP::AlwaysFilter1'} = '';
$Self->{'AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
....
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '172.19.11.65';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'o=lecebna';
$Self->{'AuthSyncModule::LDAP::UID'} = 'cn';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=admin,o=lecebna';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'ou=SIVT,o=lecebna',
];
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
crythias
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: LDAP authentication
AccessAttr is only used for GroupDN. It is the fieldname like "member" that is the key part of the key/value pair.
UserAttr is the fieldname for a unique login (dn could be possibly more useful than cn for "uniqueness") [however, if it works for you, don't change it.]
admin login for customer should be "no data found". (Although proper group membership for agents would prevent customers from authenticating on index.pl)
Next,
it's looking for result of an ldap filter of CustomerKey (as a fieldname) = the User that's passed
so, ldap search (for you) of cn=bubenickova
or
ldap filter= (&(cn=bubenickova)(objectClass=Person))
Would this make sense in your ldap? Can you search using jXplorer for this? does case sensitivity make a difference (person, inetOrgPerson, organizationalPerson). Also, does it matter that you have a filter at all for person in CustomerUser? (I think not. don't filter there. There's no point if the person has authenticated, unless a non-person can authenticate.)
UserAttr is the fieldname for a unique login (dn could be possibly more useful than cn for "uniqueness") [however, if it works for you, don't change it.]
admin login for customer should be "no data found". (Although proper group membership for agents would prevent customers from authenticating on index.pl)
Next,
it's looking for result of an ldap filter of CustomerKey (as a fieldname) = the User that's passed
so, ldap search (for you) of cn=bubenickova
or
ldap filter= (&(cn=bubenickova)(objectClass=Person))
Would this make sense in your ldap? Can you search using jXplorer for this? does case sensitivity make a difference (person, inetOrgPerson, organizationalPerson). Also, does it matter that you have a filter at all for person in CustomerUser? (I think not. don't filter there. There's no point if the person has authenticated, unless a non-person can authenticate.)
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
Thanks again,
our ldap is not case sensitive (I have tried it)
When I left ldap filter empty, I got some result, though not exactly what I had expected.
In our ldap there is a container named workstations (in Czech stanice) and it contains all workstations that have installed novell client and connect themselves to the network.
And only objects in that container I can see in Admin section - customer management. These workstations of course have no password to login with them (or I don't know how to set one).
I tried to enlarge CustomerUserSearchListLimit => 1000, and there were no other result. (we have large ldap, about 800 users and about 500 cp and other items).
I tried to move test user right into o=lecebna and I saw only workstations again.
I tried to move test user into workstation container and I finally see it and I can login.
I tried if Czech encoding could be the problem why I can't see the other users, but not, the test user has right encoding.
I tried to move test user into workstation container but I left in source container alias (so that the user could be seen in both containers) and it didn't work, because user couldn't authenticate. If test user is in inicial container and in workstation container only alias, authentication succeded, but no customer record is found.
This is my code
Because in my code there is no ou=stanice (which means workstation) or something what could cause that user can be read only from container stanice I don't know what to do again.
our ldap is not case sensitive (I have tried it)
When I left ldap filter empty, I got some result, though not exactly what I had expected.
In our ldap there is a container named workstations (in Czech stanice) and it contains all workstations that have installed novell client and connect themselves to the network.
And only objects in that container I can see in Admin section - customer management. These workstations of course have no password to login with them (or I don't know how to set one).
I tried to enlarge CustomerUserSearchListLimit => 1000, and there were no other result. (we have large ldap, about 800 users and about 500 cp and other items).
I tried to move test user right into o=lecebna and I saw only workstations again.
I tried to move test user into workstation container and I finally see it and I can login.
I tried if Czech encoding could be the problem why I can't see the other users, but not, the test user has right encoding.
I tried to move test user into workstation container but I left in source container alias (so that the user could be seen in both containers) and it didn't work, because user couldn't authenticate. If test user is in inicial container and in workstation container only alias, authentication succeded, but no customer record is found.
This is my code
Code: Select all
$Self->{CustomerUser} = {
Name => 'LDAP Datasource',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => '172.19.11.65',
BaseDN => 'o=lecebna',
SourceCharset => 'utf-8',
DestCharset => 'utf-8',
SSCOPE => 'sub',
UserDN => 'cn=admin,o=lecebna',
UserPW => 'xxx',
AlwaysFilter => '(objectClass=Person)',
# AlwaysFilter =>'(mail=*)',
# AlwaysFilter =>'',
Params => {
port => 389,
timeout => 300,
async => 0,
version => 3,
},
},
CustomerKey => 'cn',
CustomerID => 'cn',
#CustomerID => 'cn',
#CustomerUserListFields => ['sAMAccountName', 'sn', 'cn', 'mail'],
CustomerUserListFields => ['cn', 'sn'],
CustomerUserSearchFields => [ 'cn', 'sn'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '',
CustomerUserSearchListLimit => 500,
CustomerUserPostMasterSearchFields => ['cn'],
CustomerUserNameFields => ['givenName', 'sn'],
CustomerUserExcludePrimaryCustomerID => 0,
AdminSetPreferences => 0,
Map => [
# [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenName', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'fullname', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'cn', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'cn', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'cn', 0, 1, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephoneNumber', 1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postalAddress', 1, 0, 'var', '', 0 ],
# [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
crythias
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: LDAP authentication
Katerina,
I don't have enough information to troubleshoot.
CustomerKey => 'cn',
Try
CustomerKey => 'dn',
CustomerUserSearchSuffix => '',
try
I don't have enough information to troubleshoot.
Is this the case for Customers? What is the error message?katerina wrote:Now I can authenticate, but not enter the account.
CustomerKey => 'cn',
Try
CustomerKey => 'dn',
CustomerUserSearchSuffix => '',
try
Code: Select all
CustomerUserSearchSuffix => '*', #if you use CustomerKey as cn, * will help complete for what is missing in ldap search. Otherwise, you're looking for cn=username and that will likely fail.OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication
That means in customer.pl I can see in red letterscrythias wrote:Now I can authenticate, but not enter the account.
Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator.
in log I can see
[Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: bubenickova (cn=bubenickova,ou=SIVT,o=lecebna) authentication ok (REMOTE_ADDR: 172.19.15.165).
[Error][Kernel::System::CustomerUser::SetPreferences][Line:506]: No such user 'bubenickova'!
And this situation is equivalent that when in customer.pl - Admin - Customer management I don't see the user I want to log in (for instance there isn't bubenickova).
And I can see in customer.pl - Admin - Customer management only those users which are in container ou=stanice. This container is special, filled automatically with names of workstations, but it is possible to move users there. But we don't want to have all users in one container.
I tried to search for a word stanice through source code, but there is nothing.
I tried your suggestions, bud dn doesn't work at all - we haven't any dn field in ldap for person and if I tried to use CustomerKey => 'dn',
I didn't see any user in customer.pl - Admin - Customer management, where I now see the only test user which is in container stanice.
CustomerUserSearchSuffix => '*', did no change, so I can let it there, but it causes no improvement.
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
crythias
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: LDAP authentication
Check also your backend (the drop down box under "Add Customer")katerina wrote:Admin - Customer management I don't see the user I want to log in (for instance there isn't bubenickova).
Thiskaterina wrote:I can see in customer.pl - Admin - Customer management only those users which are in container ou=stanice
You must have a dn field. You're using it in UserDN (cn=admin, o=lecebna).katerina wrote:dn doesn't work at all - we haven't any dn field in ldap for person and if I tried to use CustomerKey => 'dn',
http://www.novell.com/support/kb/doc.php?id=7008606
I could probably address this within 30 minutes with direct access to your configuration, but as it is, I'm stuck.
ldap filter= (&(cn=bubenickova)(objectClass=Person))
Try this at a command line. If it works, it's good. If it doesn't, adjust this search until it returns the cn and sn you seek. Let me know what you encounter.
Code: Select all
ldapsearch -x -h 172.19.11.65 -b o=lecebna "(&(cn=bubenickova)(objectClass=Person))" cn sn -s baseyour search starts with o=lecebna and all ou underneath it (SSCOPE = > 'sub'). I *think* you want to change 'sub' to 'base' for your purposes.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication [SOLVED]
This is our case
http://www.novell.com/support/kb/doc.php?id=7008606
we have no dn as an atribut of ldap object.
But to expatend schema is very complex task and it can cause problems in other aplications.
So we decided to install openldap and synchronize novell ldap, otrs and other applications with that openldap.
I hope there will be no such problems with authorisation against openldap, but it will take some time.
Thank you again for your help and patience, it helps a lot.
http://www.novell.com/support/kb/doc.php?id=7008606
we have no dn as an atribut of ldap object.
But to expatend schema is very complex task and it can cause problems in other aplications.
So we decided to install openldap and synchronize novell ldap, otrs and other applications with that openldap.
I hope there will be no such problems with authorisation against openldap, but it will take some time.
Thank you again for your help and patience, it helps a lot.
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP
-
katerina
- Znuny newbie
- Posts: 46
- Joined: 19 Jul 2012, 13:01
- Znuny Version: 3.1.7
- Real Name: Katerina
- Company: PNB
Re: LDAP authentication [solved]
I just want to say I have installed openldap and all works well, thanks again for your help
otrs v.5 on linux CentOS 6.8 with MySQL Ver 14.14 Distrib 5.1.73, openLDAP