LDAP Sync with group authorization


rmaul
Znuny newbie
Posts: 34
Joined: 15 Apr 2014, 15:35
Znuny Version: 3.3.6
Real Name: Rita Maul
Company: Sesc

LDAP Sync with group authorization

Post by rmaul »

Hello, this is my first time setting up OTRS. I have managed to sync with my LDAP (which is NOT AD) for both users and agents, as in the code below.
You will notice that GroupDN and AccessAttr are both commented out. Therefore the login works perfectly, as my log entry shows:

Code:

[Mon Apr 28 09:46:03 2014][Notice][Kernel::System::Auth::LDAP::Auth] User: mloureiro (CN=Rita Maul,OU=CS,OU=CTI,O=SESCDN) authentication ok (REMOTE_ADDR: ::1).

However, every time I try to set up the group DN I want to have access to the agents interface, by uncommenting the proper lines, I get the following error and it won't let me log in.

Code:

[Mon Apr 28 10:00:34 2014][Notice][Kernel::System::Auth::LDAP::Auth] User: mloureiro authentication failed, no LDAP group entry foundGroupDN='OU=CS,OU=CTI,O=SESCDN', Filter='(member=mloureiro)'! (REMOTE_ADDR: ::1).

Any thoughts on what I may be doing wrong? My company has over 1500 employees and I need to filter who has access to what, so in the future I can also set up the roles of each agent.
I really appreciate any help, as I've tried everything I could think of.
This is my current Config.pm.
At the moment my LDAP is working with anonymous search, therefore the lack of that part.
Thank you in advance.

Code:

   $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
   $Self->{'AuthModule::LDAP::Host1'} = '10.1.0.30'; 
   $Self->{'AuthModule::LDAP::BaseDN1'} = 'O=SESCDN';
   $Self->{'AuthModule::LDAP::UID1'} = 'uid'; # uid / sAMAccountName
   $Self->{'AuthModule::LDAP::UserAttr1'} = 'UID';
   
 # $Self->{'AuthModule::LDAP::GroupDN1'} = 'OU=CS,OU=CTI,O=SESCDN';
 # $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member'; 


   $Self->{'AuthModule::LDAP::Params1'} = {
       port    => 389,
       timeout => 120,
       async   => 0,
       version => 3,
       inet4   => 1,
   };

  # # #-------------------------------------------------- #
  # # # authentication sync settings - LDAP SYNC INTO DB  #
  # # # (enable AGENT data sync. AFTER successful         #
  # # # authentication)                                   #
  # # # --------------------------------------------------#
  # # # This is an example configuration for an LDAP auth #
  # # # sync. Backend.                                    #
  # # # (take care that Net::LDAP is installed!)          #
###########################################################

   $Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
   $Self->{'AuthSyncModule::LDAP::UserAttr1'} = 'UID'; 
   $Self->{'AuthSyncModule::LDAP::Host1'} = '10.1.0.30';
   $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'O=SESCDN';
   $Self->{'AuthSyncModule::LDAP::UID1'} = 'uid';
   
##################### DB -> LDAP ########################
# # # AuthSyncModule::LDAP::UserSyncMap
# # # (map if agent should create/synced from LDAP to DB after successful login)
# # # you may specify LDAP-Fields as either
# # #  * list, which will check each field. first existing will be picked ( ["givenName","cn","_empty"] )
# # #  * name of an LDAP-Field (may return empty strings) ("givenName")
# # #  * fixed strings, prefixed with an underscore: "_test", which will always return this fixed string
#########################################################

   $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
       # DB -> LDAP
       UserFirstname => 'givenName',
       UserLastname  => 'sn',
       UserEmail     => 'mail',
   };
   
###################### CHARSET ##########################
# # # In case you need to use OTRS in iso-charset, you can define this
# # # by using this option (converts utf-8 data from LDAP to iso).
#########################################################

   $Self->{'AuthSyncModule::LDAP::Charset'} = 'iso-8859-1';

   $Self->{'AuthSyncModule::LDAP::Params1'} = {
       port    => 389,
       timeout => 120,
       async   => 0,
       version => 3,
       inet4   => 1,
   };

#########################################################
# # # This is an example configuration for an LDAP auth. backend.
# # # (take care that Net::LDAP is installed!)
#########################################################

   $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
   $Self->{'Customer::AuthModule::LDAP::Host1'} = '10.1.0.30';
   $Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'O=SESCDN';
   $Self->{'Customer::AuthModule::LDAP::UID1'} = 'uid';

   $Self->{'Customer::AuthModule::LDAP::Params1'} = {
       port    => 389,
       timeout => 120,
       async   => 0,
       version => 3,
       inet4   => 1,
   };

################## CUSTOMER SYNC #######################
# # CustomerUser
# # (customer user ldap backend and settings)
########################################################
   $Self->{CustomerUser1} = {
       Name => 'LDAP Backend',
       Module => 'Kernel::System::CustomerUser::LDAP',
       Params => {
           # ldap host
           Host => '10.1.0.30',
           # ldap base dn
           BaseDN => 'O=SESCDN',
           # search scope (one|sub)
           SSCOPE => 'sub',

# # if your frontend is unicode and the charset of your
# # ldap server is iso-8859-1, use these options.
           SourceCharset => 'iso-8859-1',
           DestCharset => 'utf-8',
# # # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
           Params => {
               port    => 389,
               timeout => 120,
               async   => 0,
               version => 3,
               inet4   => 1,
           },
       },
# # # customer unique id
       CustomerKey => 'uid',
# # # customer #
       CustomerID => 'mail',
       CustomerUserListFields => ['cn', 'mail'],
       CustomerUserSearchFields => ['uid', 'cn', 'mail'],
       CustomerUserSearchPrefix => '',
       CustomerUserSearchSuffix => '*',
       CustomerUserSearchListLimit => 1000,
       CustomerUserPostMasterSearchFields => ['mail'],
       CustomerUserNameFields => ['givenname', 'sn'],
       # # # show now own tickets in customer panel, CompanyTickets
       CustomerUserExcludePrimaryCustomerID => 0,
       # # # add a ldap filter for valid users (expert setting)
       # CustomerUserValidFilter => '(!(description=gesperrt))',
       # # # admin can't change customer preferences
       AdminSetPreferences => 0,
       # # # cache time to live in sec. - cache any ldap queries
       CacheTTL => 0,
       Map => [
           # # # note: Login, Email and CustomerID needed!
           # # # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
           [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
           [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
           [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
           [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
           [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
           [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
           # # # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
           [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
           [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
           [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
       ],
   };

I'm using OTRS 3.3.6 and IIS 7. I've looked up the docs and other posts, but I couldn't find anyone with the same problem.
-- Rita Maul
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: LDAP Sync with group authorization

Post by crythias »

It means the GroupDN mentioned (not an OU, though; it must be the distinguishedName, probably CN=xxxx,OU=..., of a Group) does not have a user where the AccessAttr1 (member) contains the value of the login.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: LDAP Sync with group authorization

Post by rmaul »

Hello and thank you for the reply.

I do understand it cannot find the user there; however, the log entry as posted shows the user is inside that group, right? So what is wrong exactly? Even in my LDAP browser, when I look up the user mloureiro for instance, it shows the same path:

Code:

CN=Rita Maul,OU=CS,OU=CTI,O=SESCDN

When I don't filter the group, and I leave just the BaseDN = 'O=SESCDN', I get no errors and I can log in just fine.

Anything I should look up to set this properly?
-- Rita Maul

Re: LDAP Sync with group authorization

Post by crythias »

rmaul wrote: shows the user is inside that group right
No, the log entry shows the user is in an OU/Organizational Unit. (Think of this like a nested folder. Think of Group Membership like labels attached to the user.)

If all and only the agents are within an OU, you may set the BaseDN to the OU without a group filter.

A user could be a member of multiple groups. The distinguished name (DN) of a user could not possibly reflect all group memberships.
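To make the distinction in the two replies above concrete (an entry's position under an OU versus its listing in a group's member attribute), here is an added Python simulation that is not part of the thread or of OTRS. It models a tiny directory shaped like the one in the log line, plus two hypothetical group entries (CN=otrs-agents with member DNs, CN=helpdesk with memberUid logins), and replays the OTRS checks: a subtree search under BaseDN, then a base-scope search on GroupDN for (AccessAttr=value), where value is the bare login when UserAttr is 'UID' and the user's full DN when it is 'DN'.

```python
# Constructed directory: DN -> attributes. The first three entries mirror the log line
# in the thread; Jane Doe and the two group entries under OU=Groups are hypothetical.
DIRECTORY = {
    "OU=CTI,O=SESCDN": {"objectClass": ["organizationalUnit"]},
    "OU=CS,OU=CTI,O=SESCDN": {"objectClass": ["organizationalUnit"]},
    "CN=Rita Maul,OU=CS,OU=CTI,O=SESCDN": {"objectClass": ["inetOrgPerson"], "uid": ["mloureiro"]},
    "CN=Jane Doe,OU=Sales,O=SESCDN": {"objectClass": ["inetOrgPerson"], "uid": ["jdoe"]},
    # groupOfNames: member holds full DNs, so it only matches when UserAttr = 'DN'
    "CN=otrs-agents,OU=Groups,O=SESCDN": {"objectClass": ["groupOfNames"], "member": ["CN=Rita Maul,OU=CS,OU=CTI,O=SESCDN"]},
    # posixGroup: memberUid holds bare logins, so it matches when UserAttr = 'UID'
    "CN=helpdesk,OU=Groups,O=SESCDN": {"objectClass": ["posixGroup"], "memberUid": ["mloureiro"]},
}

def _norm(value):
    # Case-insensitive, whitespace-tolerant form for comparing DNs and plain values
    # (the sample data contains no escaped commas)
    return [part.strip().lower() for part in value.split(",")]

def in_subtree(entry_dn, base_dn):
    # True when entry_dn lies at or below base_dn (a 'sub' scope search hit)
    e, b = _norm(entry_dn), _norm(base_dn)
    return len(e) >= len(b) and e[-len(b):] == b

def find_user(base_dn, uid_attr, login):
    # Subtree search under BaseDN for (uid_attr=login); returns the entry DN or None
    for dn, attrs in DIRECTORY.items():
        if in_subtree(dn, base_dn) and login in attrs.get(uid_attr, []):
            return dn
    return None

def group_allows(group_dn, access_attr, value):
    # Base-scope search on GroupDN with filter (access_attr=value), as in the log line.
    # An OU entry carries no 'member' attribute, so the thread's GroupDN can never match.
    entry = next((a for dn, a in DIRECTORY.items() if _norm(dn) == _norm(group_dn)), None)
    if entry is None:
        return False
    return any(_norm(v) == _norm(value) for v in entry.get(access_attr, []))

def authorize(login, cfg):
    # OTRS order: locate the user under BaseDN, then apply the optional GroupDN check
    user_dn = find_user(cfg["BaseDN"], cfg.get("UID", "uid"), login)
    if user_dn is None:
        return "no user entry"
    if not cfg.get("GroupDN"):
        return "ok"
    value = user_dn if cfg.get("UserAttr") == "DN" else login
    ok = group_allows(cfg["GroupDN"], cfg["AccessAttr"], value)
    return "ok" if ok else "no LDAP group entry"
```

Narrowing BaseDN to OU=CTI, as done later in the thread, admits everyone under that OU and nobody outside it; a GroupDN pointing at a real group entry gives per-user control independent of where the entry lives in the tree.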

Re: LDAP Sync with group authorization

Post by rmaul »

Thank you for the reply. I will try as suggested and I will post the solution in case it works.
I appreciate the help and I see what you are saying now.
-- Rita Maul

[SOLVED] Re: LDAP Sync with group authorization

Post by rmaul »

OK, so this tip seems to work. As all my agents are inside the OU CTI, I was able to set the BaseDN as you suggested:

Code:

   $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'OU=CTI,O=SESCDN';

And I can log in without a problem.

Thank you very much.
-- Rita Maul