
Hi Markus,

Thanks for the suggestion. I had that config in there before but removed it. I just tried it again but it had no effect. I'm still getting the same errors:

[Wed Dec 18 10:12:33 2008][Error][Kernel::System::Auth::LDAP::Auth][191] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

Regards,
Andy

Markus Nagel wrote:
Hello Andy, I'm not sure if this is the reason, but I'm missing some lines in your config when I compare it with ours. I've put them into your original text below
HTH
Greetings Markus Nagel
Andy Ashley schrieb:
Hi all,
Perhaps someone can shed some light on this. I have scoured the net and forums pretty well.
I have a machine, Gentoo Linux running Apache (2.2.9) with PHP (5.2.5-p17) and Net::LDAP (perl-ldap-0.39).
/etc/resolv.conf:

    search subdomain.domain.tld
    nameserver 192.168.100.10
OTRS (2.3.3, tried 2.3.2 too, same result) is running as an Apache vhost. I have restarted Apache after config changes, as suggested by someone who discovered that this is sometimes needed, although it really shouldn't be.
I have configured OTRS to authenticate against a Windows 2K3 AD server, relevant(hopefully) config is as follows:
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = '192.168.100.10';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=INTERNAL,dc=subdomain,dc=domain,dc=tld';
    # attribute the login name is matched against
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    # group a user must belong to in order to log in
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs_users,cn=Users,dc=subdomain,dc=domain,dc=tld';

    ----snip-----
    # missing the AccessAttr
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    # for non ldap posixGroups objectclass (with full user dn)
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
    ----snip-----

    # account OTRS binds with to look up the user
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=binddn_user,OU=Service Accounts,dc=subdomain,dc=domain,dc=tld';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'Mypa55word';

    # passed through to Net::LDAP->new()
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    $Self->{UserSyncLDAPMap} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    $Self->{UserSyncLDAPGroups} = [
        'users',
    ];
I left out the group filtering bits as I just want to get it working before trying to lock it down. Now, if I attempt to log in as a user in the INTERNAL OU (or any user for that matter), I get a failure:
Login Failed! Your username or password was entered incorrectly. (I double checked the password, AD account is not locked out and is part of the otrs_users group which is in the Service Accounts OU)
From: /var/log/otrs.log
[Wed Dec 17 17:05:11 2008][Error][Kernel::System::Auth::LDAP::Auth][191] First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
A look at the AD Security logs says that the binddn_user is successfully authenticating/logging out, but nothing much else.
Any help much appreciated!
Thanks.
_______________________________________________ OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
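The otrs.log line quoted in the thread carries more information than "First bind failed!": the trailing "data 525" is the sub-code Active Directory attaches to a failed simple bind, and it says why the bind was rejected. The script below is an added example, not part of the thread or of OTRS; it parses a line in the otrs.log format and decodes the AD sub-code using the values Microsoft documents for AcceptSecurityContext errors. The sample log lines are constructed from the post (the second one, with data 52e, is made up for contrast); nothing here contacts a directory server.

```python
import re
from datetime import datetime

# Constructed sample lines. The first is the line quoted in the post; the second
# is made up to show a different sub-code from the same module.
SAMPLE_LOG_LINES = [
    "[Wed Dec 17 17:05:11 2008][Error][Kernel::System::Auth::LDAP::Auth][191] "
    "First bind failed! 80090308: LdapErr: DSID-0C090334, comment: "
    "AcceptSecurityContext error, data 525, vece",
    "[Wed Dec 17 17:06:02 2008][Error][Kernel::System::Auth::LDAP::Auth][191] "
    "First bind failed! 80090308: LdapErr: DSID-0C090334, comment: "
    "AcceptSecurityContext error, data 52e, vece",
]

# otrs.log format: [timestamp][priority][module][source line] message
OTRS_LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]+)\]\[(?P<module>[^\]]+)\]"
    r"\[(?P<line>\d+)\]\s*(?P<msg>.*)$"
)

# Extended error AD returns on a failed simple bind. 80090308 is the HRESULT
# SEC_E_LOGON_DENIED; 'data' carries the sub-code; the trailing 'v...' token is
# an opaque server build identifier and is kept verbatim.
AD_BIND_ERR_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.+?), data (?P<data>[0-9A-Fa-f]+), (?P<build>v[0-9A-Fa-f]+)"
)

# Sub-codes AD uses for AcceptSecurityContext bind failures (documented by Microsoft).
AD_BIND_DATA_CODES = {
    "525": "user not found (the bind DN or account name does not resolve)",
    "52e": "invalid credentials (account exists, password wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def parse_otrs_log_line(line):
    """Split one otrs.log line into its fields; None if the line is not in that format."""
    m = OTRS_LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["line"] = int(entry["line"])
    # ctime-style timestamp, e.g. "Wed Dec 17 17:05:11 2008"
    entry["timestamp"] = datetime.strptime(entry["ts"], "%a %b %d %H:%M:%S %Y")
    return entry


def decode_ad_bind_error(message):
    """Pull the AD extended error out of a log message and explain its sub-code."""
    m = AD_BIND_ERR_RE.search(message)
    if not m:
        return None
    err = m.groupdict()
    err["data"] = err["data"].lower()  # AD prints these in lower-case hex
    err["meaning"] = AD_BIND_DATA_CODES.get(err["data"], "unknown sub-code")
    return err


def diagnose(line):
    """Combine both parsers into one record a person can read at a glance."""
    entry = parse_otrs_log_line(line)
    if entry is None:
        return None
    return {
        "when": entry["timestamp"],
        "module": entry["module"],
        "line": entry["line"],
        "message": entry["msg"],
        "ad_error": decode_ad_bind_error(entry["msg"]),
    }


if __name__ == "__main__":
    for sample in SAMPLE_LOG_LINES:
        result = diagnose(sample)
        err = result["ad_error"]
        print(f"{result['when']:%Y-%m-%d %H:%M:%S} {result['module']}:{result['line']}")
        print(f"  data {err['data']}: {err['meaning']}")
```

Running it prints the two decoded lines; the point is that 525 and 52e are different failures (DN not found versus wrong password), so reading the sub-code tells you which half of the bind to look at before touching the rest of the configuration.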