Hello,
after migrating our root CA to SHA256 I generated new domain controller certificates.
Since this change, the synchronisation of users from the AD group no longer works.
However, I cannot find any reference to an encrypted LDAP connection in the OTRS configuration. (It is configured on port 389.)
I am a total OTRS newb and therefore somewhat clueless about where to look for the log of the synchronisation runs, or how I could trigger the synchronisation manually.
OTRS: 6.0.7
CentOS7
Regards,
LDAP sync problem after DC certificate change
- Znuny newbie
- Posts: 8
- Joined: 26 Nov 2019, 16:07
- Znuny Version: 6.0.7
- Real Name: Glenz
- Company: Nikolauspflege
Re: LDAP sync problem after DC certificate change
config.pm

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'ads1.np.lan';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=np,dc=lan';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::SSCOPE'} = 'sub';
    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Agents,CN=Users,dc=np,dc=lan';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrssearcher,cn=users,dc=np,dc=lan';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'XXXXXXX';
    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
    # in case you want to add a suffix to each login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '';
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ads1.np.lan';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=np,dc=lan';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SSCOPE'} = 'sub';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrssearcher,cn=users,dc=np,dc=lan';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'XXXXXXX';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
    # $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    #     'cn=OTRS-Agents,CN=Users,dc=np,dc=lan' => {
    #         'admin' => {
    #             rw => 1,
    #             ro => 1,
    #         },
    #     },
    #     'cn=OTRS-Agents,CN=Users,dc=np,dc=lan' => {
    #         'users' => {
    #             rw => 1,
    #             ro => 1,
    #         },
    #     },
    # };

    #########################
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'ads1.np.lan';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=np,dc=lan';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrssearcher,cn=users,dc=np,dc=lan';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'XXXXXX';
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # CustomerUser LDAP backend
    $Self->{CustomerUser} = {
        Name   => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => 'ads1.np.lan',
            BaseDN => 'dc=np,dc=lan',
            SSCOPE => 'sub',
            UserDN => 'cn=otrssearcher,cn=users,dc=np,dc=lan',
            UserPw => 'XXXXXXX',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)',
            AlwaysFilter  => '(&(objectclass=user)(kerio-mail-accountenabled=1))',
            SourceCharset => 'utf-8',
            DestCharset   => 'iso-8859-1',
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        CustomerKey                        => 'sAMAccountName',
        CustomerID                         => 'sAMAccountName',
        CustomerUserListFields             => ['displayname','mail'],
        CustomerUserSearchFields           => ['sn','givenname','sAMAccountName'],
        CustomerUserSearchPrefix           => '*',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 200,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => ['givenname', 'sn'],
        AdminSetPreferences                => 0,
        ReadOnly                           => 1,
        CacheTTL                           => 60*60,
    };
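As an added example (not part of the thread and not OTRS/Znuny code), the following Perl script reproduces the bind, user lookup and group check that the posted config makes OTRS perform on every agent login, so the LDAP side can be tested outside OTRS. Host, base DN, search user and group DN default to the values from the config above and can be overridden with environment variables (LDAP_HOST, LDAP_PORT, LDAP_BASE, LDAP_BIND_DN, LDAP_BIND_PW, LDAP_GROUP, LDAP_CAFILE), all of which are assumptions of this example. Net::LDAP is assumed to be installed, as OTRS itself depends on it. The optional StartTLS step with certificate verification is the only part that a new DC certificate can break; a plain connection on port 389, as configured, never inspects the certificate and also sends the search user's password unencrypted, which is why LDAPS or StartTLS with a trusted CA bundle is the setting a defender would move to.

```perl
#!/usr/bin/perl
# Stand-alone check of the LDAP bind / user lookup / group membership that
# Kernel::System::Auth::LDAP performs with the config above.
# Added example; not part of the original post or of OTRS/Znuny.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Defaults taken from the posted config; everything is overridable via
# environment variables (assumed names, chosen for this example).
my $host    = $ENV{LDAP_HOST}    // 'ads1.np.lan';
my $port    = $ENV{LDAP_PORT}    // 389;
my $base    = $ENV{LDAP_BASE}    // 'dc=np,dc=lan';
my $bind_dn = $ENV{LDAP_BIND_DN} // 'cn=otrssearcher,cn=users,dc=np,dc=lan';
my $bind_pw = $ENV{LDAP_BIND_PW} // die "set LDAP_BIND_PW (search user password)\n";
my $group   = $ENV{LDAP_GROUP}   // 'cn=OTRS-Agents,CN=Users,dc=np,dc=lan';
my $cafile  = $ENV{LDAP_CAFILE};  # optional: CA bundle (PEM) for a StartTLS test
my $login   = $ARGV[0] // die "usage: $0 <sAMAccountName>\n";

# Same connection parameters as AuthModule::LDAP::Params in the config.
my $ldap = Net::LDAP->new($host, port => $port, version => 3, timeout => 120)
    or die "connect to $host:$port failed: $@\n";

# Optional StartTLS with mandatory certificate verification. If the new DC
# certificate does not chain to the CA bundle, this is where it fails. Plain
# port 389 (the posted config) never reaches this step.
if ($cafile) {
    my $tls = $ldap->start_tls(verify => 'require', cafile => $cafile);
    die "StartTLS failed (certificate not trusted?): " . $tls->error . "\n" if $tls->code;
    print "StartTLS ok: server certificate verified against $cafile\n";
}

# Step 1: bind as the search user (AuthModule::LDAP::SearchUserDN/SearchUserPw).
my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die "search-user bind failed: " . $mesg->error . "\n" if $mesg->code;
print "search-user bind ok as $bind_dn\n";

# Step 2: resolve the login to a DN, applying the same AlwaysFilter as the config.
# The login is escaped so that a login containing filter metacharacters cannot
# change the meaning of the search filter.
my $filter = sprintf '(&(objectclass=user)(sAMAccountName=%s))', escape_filter_value($login);
$mesg = $ldap->search(base => $base, scope => 'sub', filter => $filter, attrs => ['1.1']);
die "user search failed: " . $mesg->error . "\n" if $mesg->code;
my $entry   = $mesg->entry(0) or die "no user with sAMAccountName=$login under $base\n";
my $user_dn = $entry->dn;
print "user DN: $user_dn\n";

# Step 3: group check equivalent to AccessAttr => 'member', UserAttr => 'DN':
# the group's 'member' attribute must contain the user's DN. DN comparison is
# simplified to a case-insensitive string match, which is sufficient for AD.
$mesg = $ldap->search(base => $group, scope => 'base', filter => '(objectclass=*)', attrs => ['member']);
die "group lookup failed: " . $mesg->error . "\n" if $mesg->code;
my $g = $mesg->entry(0) or die "group $group not found\n";
my $is_member = grep { lc($_) eq lc($user_dn) } $g->get_value('member');
print $is_member
    ? "member of $group: OTRS would accept the agent login and run the sync\n"
    : "NOT a member of $group: OTRS would refuse the agent login\n";

$ldap->unbind;
```

Run it as the web server user on the OTRS host (so the same network path and Perl modules are used), e.g. LDAP_BIND_PW='...' perl ldapcheck.pl jdoe; a second run with LDAP_CAFILE pointing at the new root CA certificate shows whether the certificate change would be accepted once the connection is moved to StartTLS. Because Kernel::System::Auth::Sync::LDAP is only invoked after a successful agent authentication, a user who never logs in is never synchronised, which is exactly the situation resolved later in this thread.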
Re: LDAP sync problem after DC certificate change
Thanks Roy for your help!
The problem was that the user had not logged in to OTRS, which is what triggers the sync of his user into the agent DB.
Everything works again, just in time for Friday.
