otrs
July 2017
Hi all,
I've been trying to set up an LDAPS backend for customer auth, but
haven't had much luck. I had a working setup with our old domain using
plaintext LDAP, but new requirements are forcing us to go with LDAPS.
The customer list in the Customer Admin section populates correctly,
but trying to log in results in "OTRS-CGI-10[1239]:
[Error][Kernel::System::User::UserLookup][Line:922]: No UserID found
for 'Test.User'!"
Running "openssl s_client -connect" results in success but does throw
this warning "Verify return code: 21 (unable to verify the first
certificate)". All certs are self-signed, and AD is run on a Win2012 DC.
Agents are using the local database.
I've tried the Config.pm parameters a few different ways (including
versions from OTRS 3 and 4 documentation) with the same results. I've
repeated the ldaps://:port in the host directive and in Net::LDAP
parameters, but have tried both independently with the same results.
I'm on OTRS 5.0.7 installed via the built-in Ubuntu repositories. I can
also install manually if you guys think that might help.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldaps://domaincontroller.fqdn.com:636';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=xxxx,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'service_acct@domain.com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxx';
# '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port => 636,
    timeout => 120,
    async => 0,
    version => 3,
    scheme => 'ldaps',
    onerror => 'warn',
    verify => 'none',
    scope => 'subtree',
};
# CustomerUser
# (customer ldap backend and settings)
$Self->{CustomerUser} = {
    Name => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'ldaps://domaincontroller.fqdn.com:636',
        # ldap base dn
        BaseDN => 'dc=xxxx,dc=com',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'service_acct@domain.com',
        UserPw => 'xxx',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '(objectclass=user)',
        # if the charset of your ldap server is iso-8859-1, use this:
        # SourceCharset => 'iso-8859-1',
        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            port => 636,
            timeout => 120,
            async => 0,
            version => 3,
            scheme => 'ldaps',
            onerror => 'warn',
            verify => 'none',
            scope => 'subtree',
        },
    },
    # customer unique id
    CustomerKey => 'sAMaccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
    # CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
    # # cache time to live in sec. - cache any database queries
    # CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly, http-link-target, link class(es)
        [ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
        [ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
        # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
        [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
    ],
};
Let me know if you need any other files or info, and thanks a
million!!!
--
---
Evan Spangler
Systems Administrator
TEK Fusion Global, Inc
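A stand-alone Net::LDAP check for the setup described in the post above, added here as an example and not part of the original message or of OTRS: it connects over LDAPS with certificate verification enabled (instead of `verify => 'none'`), binds as the service account and runs the user search. The CA file path, the `LDAP_BIND_PW` environment variable and the default login are assumptions; host, base DN and bind DN are the post's placeholders.

```perl
#!/usr/bin/perl
# Added example: checks the TLS handshake, the service-account bind and the
# user lookup outside OTRS, with certificate verification turned on.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Values mirrored from the posted Config.pm (placeholders as on the page).
my $host    = 'ldaps://domaincontroller.fqdn.com:636';
my $base_dn = 'dc=xxxx,dc=com';
my $bind_dn = 'service_acct@domain.com';

# Assumptions: path of the exported CA certificate (PEM), the environment
# variable holding the bind password, and the default login to look up.
my $ca_file = '/etc/ssl/certs/ad-issuing-ca.pem';
my $bind_pw = $ENV{LDAP_BIND_PW} or die "set LDAP_BIND_PW first\n";
my $login   = $ARGV[0] // 'Test.User';

# verify => 'require' makes the handshake fail unless the DC certificate
# chains to $ca_file; verify => 'none' accepts any certificate presented.
my $ldap = Net::LDAP->new(
    $host,
    version => 3,
    timeout => 120,
    verify  => 'require',
    cafile  => $ca_file,
) or die "connect/TLS failed: $@\n";

my $bind = $ldap->bind( $bind_dn, password => $bind_pw );
die 'service bind failed: ' . $bind->error . "\n" if $bind->code;

# Filter assembled from the posted UID attribute and AlwaysFilter value
# (how OTRS combines them internally is not shown on the page).
my $filter = sprintf '(&(sAMAccountName=%s)(objectclass=user))',
    escape_filter_value($login);
my $search = $ldap->search(
    base   => $base_dn,
    scope  => 'sub',
    filter => $filter,
    attrs  => [ 'sAMAccountName', 'mail' ],
);
die 'search failed: ' . $search->error . "\n" if $search->code;

printf "%d match(es) for %s\n", $search->count, $filter;
printf "  %s  mail=%s\n", $_->dn, $_->get_value('mail') // '(none)'
    for $search->entries;
$ldap->unbind;
```

Each `die` names the stage that failed, which separates a certificate trust problem from a bind or search-filter problem.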