
To clarify, I've tried both with and without the domain suffix, using both UPN and sAMAccountName (with and without the default domain suffix option). Same error message on all. To me, it looks like OTRS is successfully authenticating and pulling LDAP info (otherwise it wouldn't populate the customers, and anonymous LDAP queries are disabled) but is trying to authenticate customers to the local DB at the logon portal.
-- ---
Evan Spangler Systems Administrator
TEK Fusion Global, Inc
On Fri, 2017-06-30 at 17:24 -0400, Evan Spangler wrote:
Hi Roy,
Thanks for looking at my config! I hadn't considered using the UPN instead of the sAMAccountName. No luck, unfortunately.
The old and new installations are on two different VMs, and I used the same syntax and similar parameters with the exception of switching to LDAPS instead of plaintext LDAP. I didn't have to specify the port and protocol in the Net::LDAP or hostname fields. Besides that, nothing has changed. They weren't rolled out to production yet so are/were stock (besides this LDAP auth) with no tickets except for test tickets.
I've switched sAMAccountName to userPrincipalName in the relevant fields and commented out the appending UserSuffix line.
The customer fields repopulated using the UPN as username and customer ID, but same error.
Syslog:
OTRS-CGI-10[3833]: [Error][Kernel::System::User::UserLookup][Line:922]: No UserID found for 'Test.User@tekfusioninc.com'!
OTRS-CGI-10[3832]: [Error][Kernel::System::User::UserLookup][Line:922]: No UserID found for 'test.user'!
Apache error.log:
ERROR: OTRS-CGI-10 Perl: 5.22.1 OS: linux Time: Fri Jun 30 17:20:15 2017
Message: No UserID found for 'Test.User@tekfusioninc.com'!
RemoteAddress: 192.168.0.61
RequestURI: /otrs/index.pl
Traceback (3833):
Module: Kernel::System::User::UserLookup Line: 922
Module: Kernel::System::Auth::Auth Line: 241
Module: Kernel::System::Web::InterfaceAgent::Run Line: 226
Module: ModPerl::ROOT::ModPerl::Registry::usr_share_otrs_bin_cgi_2dbin_index_2epl::handler Line: 40
Module: (eval) (v1.99) Line: 207
Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
Module: ModPerl::Registry::handler (v1.99) Line: 32
ERROR: OTRS-CGI-10 Perl: 5.22.1 OS: linux Time: Fri Jun 30 17:20:20 2017
Message: No UserID found for 'test.user'!
RemoteAddress: 192.168.0.61
RequestURI: /otrs/index.pl
Traceback (3832):
Module: Kernel::System::User::UserLookup Line: 922
Module: Kernel::System::Auth::Auth Line: 241
Module: Kernel::System::Web::InterfaceAgent::Run Line: 226
Module: ModPerl::ROOT::ModPerl::Registry::usr_share_otrs_bin_cgi_2dbin_index_2epl::handler Line: 40
Module: (eval) (v1.99) Line: 207
Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
Module: ModPerl::Registry::handler (v1.99) Line: 32
Thanks!
-- ---
Evan Spangler Systems Administrator
TEK Fusion Global, Inc
On Fri, 2017-06-30 at 22:27 +0200, Roy Kaldung wrote:
Hi Evan,
Is this the same config you’re using on your other system?
On Jun 30, 2017, at 9:08 PM, Evan Spangler wrote:
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';
Looks weird to me to add the domain to the sAMAccountName. AFAIK, sAMAccountName plus the domain is mostly the userPrincipalName. Did you try it without the UserSuffix when the customer enters the sAMAccountName?
- Roy
This e-mail may contain confidential or privileged information. This communication and any attached documents may also contain data subject to the International Traffic in Arms Regulations or U.S. Export Administration Regulations and cannot be disseminated, distributed or copied to foreign nationals, residing in the U.S. or abroad, without the prior approval of the U.S. Department of State or appropriate export licensing authority. If you are not the intended recipient, please notify the sender immediately by return e-mail with a copy to: IT@tekfusioninc.com and delete this e-mail and all copies and attachments. Opinions, conclusions and other information in this message that do not relate to the official business of Tek Fusion Global, Inc., shall be understood as neither given nor endorsed by it.
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/mailman/listinfo/otrs
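The error.log records quoted in this thread can be broken into fields to see which login name, request URI and Kernel::System::Web interface module each failed lookup passed through. This is an added example, not part of the original messages and not OTRS code; the function names are hypothetical, and the sample input is rebuilt from the quoted records with the tracebacks trimmed to the Kernel:: frames.

```python
import re

# Sample input: the two records quoted in the thread, tracebacks trimmed to
# the Kernel:: frames. Fields may share a line, as in flattened archive text.
SAMPLE_LOG = """\
ERROR: OTRS-CGI-10 Perl: 5.22.1 OS: linux Time: Fri Jun 30 17:20:15 2017
Message: No UserID found for 'Test.User@tekfusioninc.com'!
RemoteAddress: 192.168.0.61 RequestURI: /otrs/index.pl
Traceback (3833):
Module: Kernel::System::User::UserLookup Line: 922
Module: Kernel::System::Auth::Auth Line: 241
Module: Kernel::System::Web::InterfaceAgent::Run Line: 226
ERROR: OTRS-CGI-10 Perl: 5.22.1 OS: linux Time: Fri Jun 30 17:20:20 2017
Message: No UserID found for 'test.user'!
RemoteAddress: 192.168.0.61 RequestURI: /otrs/index.pl
Traceback (3832):
Module: Kernel::System::User::UserLookup Line: 922
Module: Kernel::System::Auth::Auth Line: 241
Module: Kernel::System::Web::InterfaceAgent::Run Line: 226
"""

def _find(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_records(text):
    """Split error.log text into records; works on wrapped or flattened text."""
    records = []
    for rec in re.split(r"(?=ERROR: )", text):
        if not rec.startswith("ERROR: "):
            continue
        frames = [(mod, int(line)) for mod, line in re.findall(
            r"Module:\s*(\S+)\s+(?:\(v[\d.]+\)\s+)?Line:\s*(\d+)", rec)]
        iface = next((m.group(1) for mod, _ in frames
                      if (m := re.search(r"::Web::(Interface\w+)::", mod))), None)
        records.append({
            "login": _find(r"No UserID found for '([^']*)'", rec),
            "uri": _find(r"RequestURI:\s*(\S+)", rec),
            "interface": iface,
            "frames": frames,
        })
    return records

def failed_lookups_by_interface(records):
    """Group failed login names by (interface module, request URI)."""
    out = {}
    for r in records:
        out.setdefault((r["interface"], r["uri"]), []).append(r["login"])
    return out
```
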