
Rory wrote:
I had some confusion with this recently too. As I understand it, you can have either DB or LDAP authentication for agents, not both.
Oh lovely. I guess that explains why I cannot log in even as the root/localhost user.
The way OTRS authenticates is by checking the user against its own database. Once the user exists in its database it will authenticate the user against the LDAP directory.
So, otrs is only using ldap to check the passwords? Is the access/ownership info (i.e. who belongs to which group and can do what kind of harm) stored in the local DB then? I guess it has to since the documentation states otrs only does read only access to ldap.
For this to work, the local OTRS DB needs to have the same user details as the LDAP directory. To do this you need to configure OTRS to sync its data from the LDAP directory. The data is synced the first time the user logs in. Have a look through the following doc for the sync config settings;
After reading it, I began to wonder if it meant that once it gathers the data it will use the local DB entirely instead of ldap. If that is the case, wouldn't it mean that it should be able to lookup user info on both local db and ldap at the same time?
The "first bind failed" TLS error you are getting means that your LDAP server needs to have a TLS-secured connection. Make sure you have the correct Perl package for TLS installed on your system. You may or may not need to do something like this:
$Self->{'AuthModule::LDAP::Host'} = 'ldaps://ldap-pserver.internal.domain.com';
I hope that helps,
Rory
Support my 365 Challenge in aid of the Irish Cancer Society
www.365challenge.ie
2009/8/5 Mauricio Tavares:
I am trying to get OTRS to have some of my agents defined in LDAP. So, I set /etc/otrs/Kernel/Config.pm as follows:
# Authenticate agents against LDAP backend
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap-pserver.internal.domain.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=users,ou=Groups,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    verify  => 'require',
    cafile  => '/etc/ssl/certs/root.pem',
    # async => 0,
    version => 3,
};
When I try to login, either as a previously defined (in its database, and that includes root) otrs user or as one of the ldap users, it seems to be looking for them in ldap:
ERROR: OTRS-CGI-10 Perl: 5.10.0 OS: linux Time: Wed Aug 5 12:09:54 2009
Message: First bind failed! TLS confidentiality required
Traceback (32329):
  Module: Kernel::System::Auth::LDAP::Auth (v1.46) Line: 191
  Module: Kernel::System::Auth::Auth (v1.29) Line: 121
  Module: Kernel::System::Web::InterfaceAgent::Run (v1.34) Line: 192
  Module: /usr/share/otrs/bin/cgi-bin/index.pl (v1.87) Line: 47
What should I tell OTRS so that it looks for users in its own database there, and for LDAP users, well, in LDAP? And what would this "TLS confidentiality required" error be trying to tell me?
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW! http://www.otrs.com/en/support/enterprise-subscription/
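Added example (not from the thread and not OTRS code): a stand-alone Perl/Net::LDAP script that walks through the steps an OTRS LDAP agent login goes through as the module's own log messages name them (first bind, user lookup, group check, bind as the user), using the host, base DN, group DN, attribute names and CA file from the posted Config.pm. Those values, the ldaps:// scheme on port 636 and the optional search account are assumptions for your environment. What the thread does not spell out: "TLS confidentiality required" is the server's message for LDAP result code 13 (confidentialityRequired), which it returns when a simple bind arrives over a cleartext session, so the script names the result code and points at the transport rather than the password when that code comes back.

```perl
#!/usr/bin/perl
# Stand-alone bind check mirroring the steps of an OTRS agent login.
# Added example; not part of the mailing-list thread or of OTRS itself.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name escape_filter_value);
use Net::LDAP::Constant qw(LDAP_CONFIDENTIALITY_REQUIRED);

# Values taken from the posted Config.pm; adjust for your directory.
my $Host   = 'ldaps://ldap-pserver.internal.domain.com';   # posted config used a bare host on 389
my %Params = (
    port    => 636,                       # ldaps default; 389 is the cleartext port
    timeout => 120,
    verify  => 'require',                 # reject a server cert that does not chain to cafile
    cafile  => '/etc/ssl/certs/root.pem',
    version => 3,
);
my $BaseDN     = 'dc=domain,dc=com';
my $UIDAttr    = 'uid';
my $GroupDN    = 'cn=users,ou=Groups,dc=domain,dc=com';
my $AccessAttr = 'memberUid';
# Hypothetical search account; leave both undef for an anonymous first bind.
my $SearchDN = undef;
my $SearchPw = undef;

my ( $User, $Password ) = @ARGV;
die "usage: $0 <agent uid> <password>\n" unless defined $Password;

# Step 0: connect. With an ldaps:// URL the verify/cafile params drive the
# TLS handshake; on a plain ldap:// connection they are not applied.
my $ldap = Net::LDAP->new( $Host, %Params )
    or die "connect to $Host failed: $@\n";

# Die with the LDAP result name and code of a failed operation.
sub check {
    my ( $Step, $Mesg ) = @_;
    return unless $Mesg->code;
    my $Msg = sprintf "%s failed: %s (code %d) %s\n",
        $Step, ldap_error_name( $Mesg->code ), $Mesg->code, $Mesg->error;
    # Code 13: the server refuses a simple bind over a cleartext session.
    # The fix is the transport (ldaps:// or StartTLS), not the credentials.
    $Msg .= "  -> server requires an encrypted session for this bind\n"
        if $Mesg->code == LDAP_CONFIDENTIALITY_REQUIRED;
    die $Msg;
}

# Step 1: first bind, as the search account if configured, else anonymously.
check( 'First bind',
    defined $SearchDN ? $ldap->bind( $SearchDN, password => $SearchPw ) : $ldap->bind );

# Step 2: find the agent's DN under BaseDN. The uid is escaped so a login
# name cannot change the meaning of the filter.
my $Filter = sprintf '(%s=%s)', $UIDAttr, escape_filter_value($User);
my $Mesg = $ldap->search( base => $BaseDN, scope => 'sub', filter => $Filter, attrs => ['1.1'] );
check( 'User search', $Mesg );
my $Entry  = $Mesg->entry(0) or die "no entry with $UIDAttr=$User under $BaseDN\n";
my $UserDN = $Entry->dn;

# Step 3: group check in the memberUid=<uid> form the posted config selects
# (AccessAttr memberUid with UserAttr UID).
$Mesg = $ldap->search(
    base   => $GroupDN, scope => 'base',
    filter => sprintf( '(%s=%s)', $AccessAttr, escape_filter_value($User) ),
    attrs  => ['1.1'],
);
check( 'Group search', $Mesg );
die "$User is not listed in $AccessAttr of $GroupDN\n" unless $Mesg->count;

# Step 4: bind as the agent; this is the only step that verifies the password.
check( 'User bind', $ldap->bind( $UserDN, password => $Password ) );
print "OK: $UserDN authenticated and is a member of $GroupDN\n";
$ldap->unbind;
```

Run it as `perl ldapcheck.pl <uid> <password>` from the OTRS host, so it uses the same Perl, the same Net::LDAP/IO::Socket::SSL modules and the same CA file as the web frontend. Setting `$Host` back to the bare hostname and `port` to 389, as in the posted config, reproduces the failure at step 1 with code 13; a failure at step 0 with `verify => 'require'` points at the CA file or the server certificate rather than at OTRS.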