AD (LDAP) Issue

Moderator: crythias

mflakowski
Znuny newbie
Posts: 1
Joined: 16 Nov 2012, 12:57
Znuny Version: 3.1.11-01
Real Name: Michal Flakowski
Company: Integer SA

AD (LDAP) Issue

Post by mflakowski »

Hello,

First of all, I've searched through the documentation, this forum and Google before posting this.

I've introduced OTRS / LDAP (particularly AD @ Win2K8 R2) and encountered a problem:
I've got Agent Auth & Sync and Customer Auth working, but I'm completely stuck at Customer Mapping.

Working part & result.

Code:

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'A.D.D.R';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=company,dc=loc';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Domain Users,CN=Users,DC=company,DC=loc';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldapsearchaccount@company.loc';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'secret';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
        port => PORT,
        timeout => 120,
        async => 0,
        version => 3,
    };
With feedback:

Code:

[Fri Nov 16 11:26:09 2012][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: mflakowski (CN=Flakowski Michał,OU=OU_Aleja_Pokoju,OU=OU_Dzial_IT,OU=OU_USERS,DC=company,DC=loc) authentication ok (REMOTE_ADDR: A.D.D.R).
And the problematic part:

Code:

   $Self->{CustomerUser} = {
      Name => 'AD USers',
      Module => 'Kernel::System::CustomerUser::LDAP',
      Params => {
         Host => 'A.D.D.R',
         BaseDN => 'dc=company,dc=loc',
         SSCOPE => 'sub',
#         UserDN => 'ldapsearchaccount@company.loc', or
         UserDN => 'CN=ldapsearchaccount,OU=OU_Services,OU=OU_USERS,DC=company,DC=loc',
         UserPW => 'secret',
         AlwaysFilter => '',
         Params => {
            port => PORT,
            timeout => 120,
            async => 0,
            version => 3,
         },
      },
      CustomerKey => 'sAMAccountName',
      CustomerID => 'mail',
      CustomerUserListFields => ['sn', 'cn', 'mail'],
      CustomerUserSearchFields => ['sAMAccountName', 'cn', 'sn', 'mail'],
      CustomerUserSearchPrefix => '',
      CustomerUserSearchSuffix => '*',
      CustomerUserSearchListLimit => 250,
      CustomerUserPostMasterSearchFields => ['mail'],
      CustomerUserNameFields => ['givenname', 'sn'],
      CustomerUserExcludePrimaryCustomerID => 0,
      AdminSetPreferences => 0,
      Map => [
           [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
           [ 'UserFirstname',  'Firstname',  'cn',              1, 1, 'var', '', 0 ],
           [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
           [ 'UserLogin',      'Username',   'sAMAccountName',             1, 1, 'var', '', 0 ],
           [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
           [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
           [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
           [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
           [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
       ],
    };
With feedback:

Code:

[Fri Nov 16 11:26:09 2012][Error][Kernel::System::CustomerUser::LDAP::CustomerUserDataGet][621] 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
[Fri Nov 16 11:26:09 2012][Error][Kernel::System::CustomerUser::SetPreferences][506] No such user 'mflakowski'!
It seems that the function CustomerUserDataGet does not provide auth at all.

Any ideas would be appreciated.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: AD (LDAP) Issue

Post by crythias »

[Fri Nov 16 11:26:09 2012][Error][Kernel::System::CustomerUser::LDAP::CustomerUserDataGet][621] 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1

This means that the search user didn't authenticate, though it's not necessarily about credentials.

[Fri Nov 16 11:26:09 2012][Error][Kernel::System::CustomerUser::SetPreferences][506] No such user 'mflakowski'!

This means that it can't find the user, mostly because the bind failed and there is no user in the database or alternative backends with this user.

Code:

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'A.D.D.R';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=company,dc=loc';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Domain Users,CN=Users,DC=company,DC=loc';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldapsearchaccount@company.loc';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'secret';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
        port => PORT,
        timeout => 120,
        async => 0,
        version => 3,
    }; 

Code:

      Params => {
         Host => 'A.D.D.R',
         BaseDN => 'dc=company,dc=loc',
         SSCOPE => 'sub',
#         UserDN => 'ldapsearchaccount@company.loc', or
         UserDN => 'CN=ldapsearchaccount,OU=OU_Services,OU=OU_USERS,DC=company,DC=loc',
         UserPW => 'secret',
         AlwaysFilter => '',
         Params => {
            port => PORT,
            timeout => 120,
            async => 0,
            version => 3,
         },
      }, 
viewtopic.php?f=60&t=16543
This part might help you reduce errors:

Code:

my $BaseDN = 'dc=domain,dc=tld';
my $Host = 'ldapserver.domain.tld';
my $SearchUserDN = 'cn=ldapreader,ou=someOU,dc=domain,dc=tld';
my $SearchUserPw = 'som3$3cr3t';
#... code...
$Self->{'Customer::AuthModule::LDAP::Host'} = $Host;
$Self->{'Authmodule::LDAP::Host'} = $Host;
$Self->{'AuthSyncModule::LDAP::Host'}  = $Host;
$Self->{CustomerUser} = {
#... other params (Name, Module)
   Params => {
      Host => $Host,
      #other params ...
   }
};
  
Sometimes I hear Domain\User is a valid entry for SearchUser.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
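The reply above distinguishes two failures: the search user's bind not completing (the 000004DC error) and the customer lookup finding no entry ("No such user"). The script below is an added example, not code from either post or from OTRS itself; it reproduces outside OTRS what Kernel::System::CustomerUser::LDAP does, using the Net::LDAP module that OTRS's LDAP backends are built on. It binds with exactly the UserDN/UserPW from the CustomerUser Params block, then searches for the login under BaseDN with the CustomerKey attribute. The host, port, DN, password and login values are placeholders taken from the thread and must be replaced; `389` is an assumed port.

```perl
#!/usr/bin/perl
# Added example (not from the thread): check the bind and the customer lookup
# that Kernel::System::CustomerUser::LDAP performs, with the same values as the
# CustomerUser Params block. Requires Net::LDAP, the module OTRS uses for LDAP.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Placeholders (from the thread); replace with your own CustomerUser values.
my $Host        = 'A.D.D.R';
my $Port        = 389;    # assumed; use the value from Params->{port}
my $UserDN      = 'CN=ldapsearchaccount,OU=OU_Services,OU=OU_USERS,DC=company,DC=loc';
my $UserPW      = 'secret';
my $BaseDN      = 'dc=company,dc=loc';
my $CustomerKey = 'sAMAccountName';
my $Login       = $ARGV[0] // 'mflakowski';    # login to look up

# 1. Connect with the same connection parameters OTRS passes to Net::LDAP->new.
my $LDAP = Net::LDAP->new(
    $Host,
    port    => $Port,
    timeout => 120,
    version => 3,
) or die "Cannot connect to $Host:$Port: $@\n";

# 2. Simple bind as the search user. If this fails, every later search on the
#    connection is rejected by AD with "a successful bind must be completed".
my $Bind = $LDAP->bind( $UserDN, password => $UserPW );
if ( $Bind->code ) {
    die sprintf "Bind as %s failed: code %d (%s)\n",
        $UserDN, $Bind->code, $Bind->error;
}
print "Bind as $UserDN ok\n";

# 3. Same lookup CustomerUserDataGet does: (CustomerKey=<login>) below BaseDN,
#    scope 'sub'. The login is escaped so it cannot alter the filter.
my $Filter = sprintf '(%s=%s)', $CustomerKey, escape_filter_value($Login);
my @Attrs  = ( 'cn', 'sn', 'givenName', 'mail', $CustomerKey );
my $Search = $LDAP->search(
    base   => $BaseDN,
    scope  => 'sub',
    filter => $Filter,
    attrs  => \@Attrs,
);
if ( $Search->code ) {
    die sprintf "Search %s failed: code %d (%s)\n",
        $Filter, $Search->code, $Search->error;
}

# 4. Zero entries here is the "No such user" case; a bound search user that
#    cannot read the customer's OU looks the same, so check both bind and ACLs.
if ( $Search->count == 0 ) {
    print "No entry for $Filter under $BaseDN (OTRS would report 'No such user')\n";
}
for my $Entry ( $Search->entries ) {
    print $Entry->dn, "\n";
    for my $Attr (@Attrs) {
        my $Value = $Entry->get_value($Attr);
        printf "  %-15s %s\n", $Attr, defined $Value ? $Value : '(empty)';
    }
}

$LDAP->unbind;
```

Run it on the OTRS host as `perl check_customer_ldap.pl mflakowski` (file name assumed). A failure in step 2 means the UserDN/UserPW pair in the CustomerUser block is not accepted by the domain controller even though the Customer::AuthModule pair is; a clean bind followed by zero entries means the search user is bound but the filter or BaseDN does not reach the customer's entry.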