[SOLVED] LDAP Authentication to Windows 2012 OTRS 3.3

Moderator: crythias

taylorfarm
Znuny newbie
Posts: 13
Joined: 14 Apr 2014, 13:30
Znuny Version: 3.3.6
Real Name: Matt
Company: NorthernSkyTechnology
Location: Raleigh, NC

[SOLVED] LDAP Authentication to Windows 2012 OTRS 3.3

Post by taylorfarm »

I have been at this for 3 days and just cannot figure out what I am doing wrong.

Simple LDAP authentication is all I am after right now, and I continue to get bind errors.

LDAP = AD on Windows Server 2012
OTRS running on = Windows 7 Ultimate (this is a lab right now until I get this working; I will move to Windows Server at some point)

Another issue that has made this extremely frustrating to test is that changes to Config.pm do not take effect right away. It takes something like 10 minutes for them to actually start working. I have tried restarting the OTRS Scheduler service and the WWW Publishing service, and using DeleteCache.pl and cleanup.pl; none of that seems to make the configuration take effect any sooner. Any idea how to make configuration changes to Config.pm take effect right away?

Also, I have tested ldifde and two other third-party connection tools to make sure that my settings were correct, and they all work fine and pull the users I am looking for without error. So this is not a password error.

Here is a copy of my Config.pm authentication section. I eventually want to do this for agents as well, but I figured if I can get customers working it will be the same setup.

Code:

    # ---------------------------------------------------- #
    # Customer authentication section                      #
    # ---------------------------------------------------- #

    # Enable LDAP authentication for customers / users
    $Self->{'Customer::AuthModule'}                     = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'}         = 'xx.xx.xx.xx';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'}       = 'OU=otrs,DC=xxx,DC=local';
    $Self->{'Customer::AuthModule::LDAP::UID'}          = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'}     = 'DN';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs ldap,CN=Managed Service Accounts,DC=XXXXXXX,DC=local';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '<password removed for security>';
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectCategory=user)';
    $Self->{'Customer::AuthModule::LDAP::UserSuffix'}   = '@xxxx.local';
    # Die on LDAP errors. The customer key is Customer::AuthModule::LDAP::Die;
    # AuthModule::LDAP::Die is the agent setting.
    # $Self->{'Customer::AuthModule::LDAP::Die'} = 1;

    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
        Name   => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host          => 'xx.xx.xx.xx',
            BaseDN        => 'OU=otrs,DC=xxxxxx,DC=local',
            SSCOPE        => 'sub',
            UserDN        => 'CN=otrs ldap,CN=Managed Service Accounts,DC=XXXXXX,DC=local',
            UserPw        => '<password removed for security>',
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
            inet4         => 1,
        },
        CustomerKey                          => 'sAMAccountName',
        CustomerID                           => 'mail',
        CustomerUserListFields               => [ 'sAMAccountName', 'cn', 'mail' ],
        CustomerUserSearchFields             => [ 'sAMAccountName', 'cn', 'givenname', 'mail' ],
        CustomerUserSearchPrefix             => '',
        CustomerUserSearchSuffix             => '*',
        CustomerUserSearchListLimit          => 250,
        CustomerUserPostMasterSearchFields   => ['mail'],
        CustomerUserNameFields               => [ 'givenname', 'sn' ],
        CustomerUserExcludePrimaryCustomerID => 0,
        AdminSetPreferences                  => 0,
        CacheTTL                             => 0,
        Map => [
            # [ OTRS field, label, LDAP attribute, shown, required, type, link, readonly ]
            [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
        ],
    };
Last edited by taylorfarm on 16 Apr 2014, 02:07, edited 2 times in total.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: LDAP Authentication to Windows 2012 OTRS 3.3

Post by crythias »

viewtopic.php?f=60&t=16543
taylorfarm wrote: I continue to get bind errors
What bind errors do you get that are not addressed in the above link?
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Re: LDAP Authentication to Windows 2012 OTRS 3.3

Post by taylorfarm »

LDAP::Auth][188] First bind failed! Bad file descriptor
LDAP::_Connect][197] First bind failed! Bad file descriptor

So I checked the time settings and changed the password to a very generic one with no special characters for both the binding user and the customer. No help. I tested the login again and it is working just fine. It is not locked out, although I do have it set to "password never expires"; not sure if that would cause the issue. Also, the binding account is just a member of AD, not a domain admin. I figure it just needs to read, but I can make it a domain admin if that will help.

I have also been changing the name of the backend file so I can tell when it actually updates, and we are going on 30 minutes now and the changes I made have still not updated. That seems really odd. Is there a way to stop the caching, or to restart a service, to make it pick up the active configuration and not the cached configuration?
Re: LDAP Authentication to Windows 2012 OTRS 3.3

Post by crythias »

taylorfarm wrote:LDAP::Auth][188] First bind failed! Bad file descriptor
Bad file descriptor *is* referenced in the above link. inet4 => 1 fixes it.

This error is not related to Customer (customer.pl), but Agent (index.pl).
Re: LDAP Authentication to Windows 2012 OTRS 3.3

Post by taylorfarm »

I have that listed in my config. Is it in the wrong spot or something?

I have not even attempted to do agent ldap sync or authentication only customer.
Re: LDAP Authentication to Windows 2012 OTRS 3.3

Post by crythias »

taylorfarm wrote:I have that listed in my config. Is it in the wrong spot or something?
You have it listed in "CustomerUser" which is correct for the demographics, but not for Authentication.

Code:

    # Net::LDAP connection options for the customer authentication module
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
        inet4   => 1,
    };
Re: LDAP Authentication to Windows 2012 OTRS 3.3

Post by taylorfarm »

Should the users display in the admin console's customer user view? I realize they don't get replicated to the OTRS user database, but do they display in the console?
Re: LDAP Authentication to Windows 2012 OTRS 3.3

Post by crythias »

taylorfarm wrote: Should the users display in the admin console's customer user view? I realize they don't get replicated to the OTRS user database, but do they display in the console?
If you tried it and it didn't work the way you expected, you'd be asking a different question.
Re: LDAP Authentication to Windows 2012 OTRS 3.3

Post by taylorfarm »

So here is what I have now. Did I put this in the correct spot?

Code:

    # Enable LDAP authentication for customers / users
    $Self->{'Customer::AuthModule'}                     = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'}         = 'xx.xx.xx.xx';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'}       = 'OU=otrs,DC=xxx,DC=local';
    $Self->{'Customer::AuthModule::LDAP::UID'}          = 'sAMAccountName';
    # Group restriction. With UserAttr => 'DN', the group attribute searched must hold
    # member DNs; on AD that is 'member' ('memberUid' is the posixGroup attribute and is
    # not populated on ordinary AD groups).
    $Self->{'Customer::AuthModule::LDAP::GroupDN'}      = 'CN=otrs_customer_allow,OU=Groups,DC=xxx,DC=local';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'}   = 'member';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'}     = 'DN';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs ldap,CN=Managed Service Accounts,DC=xxxx,DC=local';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxxxx';
    # "\20" is the LDAP filter escape for the space in "otrs user"
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(&(objectCategory=user)(description=otrs\20user*))';
    $Self->{'Customer::AuthModule::LDAP::UserSuffix'}   = '@xxx.local';
    # $Self->{'Customer::AuthModule::LDAP::Die'} = 1;
    # Net::LDAP connection options for the authentication module
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
        inet4   => 1,
    };

    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
        Name   => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host          => 'xx.xx.xx.xx',
            BaseDN        => 'OU=otrs,DC=xxxx,DC=local',
            SSCOPE        => 'sub',
            UserDN        => 'CN=otrs ldap,CN=Managed Service Accounts,DC=xxxx,DC=local',
            UserPw        => 'xxxxxx',
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
            inet4         => 1,
        },
        # CustomerKey, search fields and Map unchanged from the first post
    };
Re: LDAP Authentication to Windows 2012 OTRS 3.3

Post by crythias »

crythias wrote:If you tried it and it didn't work the way you expected, you'd be asking a different question.
Re: LDAP Authentication to Windows 2012 OTRS 3.3

Post by taylorfarm »

OK, so here is what I did. I commented out the suffix because I started getting the error "No LDAP entry found"; it seems to be adding the suffix into the search criteria for the filter, so sAMAccountName is supposed to be just test2 but with the suffix it was test2@nst.local.

After I killed the suffix the authentication worked, but it gives me this error: SetPreferences][587] No such user 'test2'!

On the logon screen it says authentication succeeded but no customer record found in the backend database.

Any thoughts?
Re: LDAP Authentication to Windows 2012 OTRS 3.3

Post by crythias »

taylorfarm wrote:any thoughts?
I like looking at the sky and dreaming of flying ...

Oh, you mean on this issue where I missed where you mentioned that you looked for authentication succeeded but no customer record found on the forum.

It means what it says on the box.
In your case, it could mean that test2 is not a member of BaseDN OU=otrs,DC=xxxx,DC=local or any sub-OU.

Edit: it also could mean you didn't completely fill out CustomerUser params.
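Added example, not taken from this thread or from OTRS itself: a stand-alone Perl script that walks through the same lookup-then-bind sequence the Customer::AuthModule::LDAP settings in this thread describe, using Net::LDAP (the module OTRS is built on), so each failure the posts above ran into can be reproduced outside OTRS. It connects with the Params hash (inet4 => 1, the fix for "First bind failed! Bad file descriptor"), binds as the search account, searches under BaseDN with the AlwaysFilter appended (where a UserSuffix is added to the login before the lookup, which is how "No LDAP entry found" arises for sAMAccountName=test2), optionally checks group membership the AD way (the 'member' attribute holding DNs, matching UserAttr => 'DN'), and finally binds as the user. The host, DNs and test login are placeholders, the service-account password is read from an environment variable rather than stored in the script, and the user filter is built with Net::LDAP::Util::escape_filter_value so a crafted login cannot rewrite it; that escaping is this example's own choice, not something the thread states about OTRS.

```perl
#!/usr/bin/perl
# Reproduces, outside OTRS, the steps an OTRS 3.3 Customer::AuthModule::LDAP
# login performs: connect, bind as the search account, look the login up
# under BaseDN, optionally check group membership, then bind as the user.
# Added example for this thread; not OTRS code. Hosts, DNs and names below
# are placeholders, not real infrastructure.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Mirrors the Customer::AuthModule::LDAP::* keys from the thread (placeholder values).
my %Cfg = (
    Host         => 'dc01.example.local',
    BaseDN       => 'OU=otrs,DC=example,DC=local',
    SSCOPE       => 'sub',
    UID          => 'sAMAccountName',
    SearchUserDN => 'CN=otrs ldap,CN=Managed Service Accounts,DC=example,DC=local',
    SearchUserPw => $ENV{OTRS_LDAP_BIND_PW},    # keep the service password out of the script
    AlwaysFilter => '(objectCategory=user)',
    UserSuffix   => '',    # set to '@example.local' to reproduce "No LDAP entry found"
    # Optional group restriction. With UserAttr => 'DN', AD groups carry member DNs in 'member'.
    GroupDN      => '',    # e.g. 'CN=otrs_customer_allow,OU=Groups,DC=example,DC=local'
    AccessAttr   => 'member',
    # Net::LDAP options; inet4 => 1 is what cured "First bind failed! Bad file descriptor" here.
    Params       => { port => 389, timeout => 120, async => 0, version => 3, inet4 => 1 },
);

my ( $Login, $Password ) = @ARGV;
die "usage: OTRS_LDAP_BIND_PW=... $0 <login> <password>\n"
    unless defined $Password && defined $Cfg{SearchUserPw};

# 1. Connect. Net::LDAP->new returns undef and sets $@ when the TCP connection fails.
my $ldap = Net::LDAP->new( $Cfg{Host}, %{ $Cfg{Params} } )
    or die "Can't connect to $Cfg{Host}: $@\n";

# 2. First bind, with the search (service) account.
my $mesg = $ldap->bind( $Cfg{SearchUserDN}, password => $Cfg{SearchUserPw} );
die 'First bind failed! ' . $mesg->error . "\n" if $mesg->code;

# 3. Look the login up. UserSuffix is appended before the search, so with a suffix the
#    filter asks for sAMAccountName=test2@example.local and matches nothing.
#    escape_filter_value() stops a login such as 'x)(objectClass=*' from rewriting the filter.
my $UserFilter = '(' . $Cfg{UID} . '=' . escape_filter_value( $Login . $Cfg{UserSuffix} ) . ')';
my $Filter     = $Cfg{AlwaysFilter} ? "(&$UserFilter$Cfg{AlwaysFilter})" : $UserFilter;
print "search: base=$Cfg{BaseDN} scope=$Cfg{SSCOPE} filter=$Filter\n";

$mesg = $ldap->search(
    base   => $Cfg{BaseDN},
    scope  => $Cfg{SSCOPE},
    filter => $Filter,
    attrs  => [ $Cfg{UID} ],
);
die 'Search failed: ' . $mesg->error . "\n" if $mesg->code;
die "No LDAP entry found for '$Login' under $Cfg{BaseDN}\n" unless $mesg->count;
my $UserDN = $mesg->entry(0)->dn;
print "found: $UserDN\n";

# 4. Optional group check: is the user's DN listed in GroupDN's AccessAttr?
if ( $Cfg{GroupDN} ) {
    my $Group = $ldap->search(
        base   => $Cfg{GroupDN},
        scope  => 'base',
        filter => '(' . $Cfg{AccessAttr} . '=' . escape_filter_value($UserDN) . ')',
        attrs  => ['cn'],
    );
    die 'Group check failed: ' . $Group->error . "\n" if $Group->code;
    die "$UserDN is not a $Cfg{AccessAttr} of $Cfg{GroupDN}\n" unless $Group->count;
    print "group check OK\n";
}

# 5. Second bind, as the user found above; this is the step that actually verifies the password.
$mesg = $ldap->bind( $UserDN, password => $Password );
my $Result = $mesg->code ? 'User bind failed: ' . $mesg->error : "User bind OK for $UserDN";
print "$Result\n";
$ldap->unbind;
```

Run it as OTRS_LDAP_BIND_PW='...' perl ldap-auth-check.pl test2 'the-user-password' from the machine that hosts OTRS, since the connection problem in this thread was specific to that host. Each die message corresponds to one stage of the OTRS login: a failure before "search:" is a connectivity or service-account problem, "No LDAP entry found" means the login (with any suffix) is not under BaseDN or is excluded by AlwaysFilter, and a successful user bind followed by "no customer record found" in OTRS points at the CustomerUser backend settings rather than at authentication.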
Re: LDAP Authentication to Windows 2012 OTRS 3.3

Post by taylorfarm »

Thank you, crythias, for your help. I finally got this working. Here is what I ended up with.

Code:

    # ---------------------------------------------------- #
    # Customer authentication section                      #
    # ---------------------------------------------------- #

    # Enable LDAP authentication for customers / users
    $Self->{'Customer::AuthModule'}                     = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'}         = 'xx.xx.xx.xx';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'}       = 'OU=otrs,DC=xxx,DC=local';
    $Self->{'Customer::AuthModule::LDAP::SSCOPE'}       = 'sub';
    $Self->{'Customer::AuthModule::LDAP::UID'}          = 'sAMAccountName';
    # Optional group restriction (not used here). With UserAttr => 'DN', AD groups list
    # member DNs in 'member'; 'memberUid' is the posixGroup attribute and is not populated
    # on ordinary AD groups.
    # $Self->{'Customer::AuthModule::LDAP::GroupDN'}    = 'CN=otrs_customer_allow,OU=Groups,DC=xxx,DC=local';
    # $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'}     = 'DN';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=xxxxxxxxxxx,CN=Managed Service Accounts,DC=xxx,DC=local';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxxxx';
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectCategory=user)';
    # Net::LDAP connection options; inet4 => 1 avoids the "Bad file descriptor" bind failure
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
        inet4   => 1,
    };

    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
        Name   => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host          => 'xx.xx.xx.xx',
            BaseDN        => 'OU=otrs,DC=NST,DC=local',
            SSCOPE        => 'sub',
            UserDN        => 'CN=otrs ldap,CN=Managed Service Accounts,DC=xxxx,DC=local',
            UserPw        => 'xxxxxxxx',
            AlwaysFilter  => '(objectCategory=user)',
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
            # Net::LDAP options for the customer backend belong in this nested Params hash
            Params => {
                inet4   => 1,
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        CustomerKey                        => 'sAMAccountName',
        CustomerID                         => 'company',
        CustomerUserListFields             => [ 'sAMAccountName', 'cn', 'company' ],
        CustomerUserSearchFields           => [ 'sAMAccountName', 'cn', 'company' ],
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => [ 'givenname', 'sn' ],
        Map => [
            # [ OTRS field, label, LDAP attribute, shown, required, type, link, readonly ]
            [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'company',         0, 1, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
        ],
    };
I am not using GroupDN or AccessAttr because all the users I want to log in are located in the OU structure. I might use that at some point, but for now this is working great.
I also went with the company attribute in AD for CustomerID, as (correct me if I am wrong) CustomerID is just a reference to the company the user works for.

That being said I am on to my next issue. I will open another post for that.

Again thanks for your help.