I had a similar problem in my configuration.  It sounds like it is not able to authenticate to do the required LDAP calls.  Make sure you have an LDAP inquiry user created in the domain that can make the necessary queries for customers.

 

We have two AD domains.  I had to configure two separate entries in the Config.pm.  Also, you have to make sure that the users are being created under the DN for the LDAP search.  Notice that the BaseDN is the root of my domain and the SSCOPE is set to ‘sub’.  This allows me to have ALL members of each domain as customers.  Each domain has an LDAP inquiry user account created.

 

For an example, here is the relevant redacted portion of my Config.pm.  This has been working for me for months.  It queries all users in two domains to add them as customers.

 

 

    # ---------------------------------------------------- #
    # User Configurations                                  #
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # First domain                                         #
    # ---------------------------------------------------- #

    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'domaincontroller.domain1.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain1,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'ldapinquiryuser@domain1.com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

 

    # ---------------------------------------------------- #
    # Second Domain                                        #
    # ---------------------------------------------------- #

    $Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'domaincontroller.domain2.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=domain2,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::UserAttr1'} = 'DN';
    $Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'ldapinquiryuser@domain2.com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'password';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    # Initial groups for users synced from the second domain
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
        'users',
    ];

 

    # ---------------------------------------------------- #
    # LDAP Configuration Settings for Customers            #
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # First domain                                         #
    # ---------------------------------------------------- #

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'domaincontroller.domain1.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain1,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldapinquiryuser@domain1.com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

    $Self->{CustomerUser} = {
        Name => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host => 'domaincontroller.domain1.com',
            BaseDN => 'DC=domain1,DC=com',
            SSCOPE => 'sub',
            UserDN => 'ldapinquiryuser@domain1.com',
            UserPw => 'password',
            AlwaysFilter => '(objectclass=user)',
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'givenname', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        CustomerUserExcludePrimaryCustomerID => 0,
        AdminSetPreferences => 0,
        CacheTTL => 0,
        Map => [
            [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
        ],
    };

 

    # ---------------------------------------------------- #
    # Second domain                                        #
    # ---------------------------------------------------- #

    $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host1'} = 'domaincontroller.domain2.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=domain2,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'DN';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'member';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'ldapinquiryuser@domain2.com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'password';
    $Self->{'Customer::AuthModule::LDAP::Params1'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

    $Self->{CustomerUser1} = {
        Name => 'LDAP Backend1',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host => 'domaincontroller.domain2.com',
            BaseDN => 'DC=domain2,DC=com',
            SSCOPE => 'sub',
            UserDN => 'ldapinquiryuser@domain2.com',
            UserPw => 'password',
            AlwaysFilter => '(objectclass=user)',
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'givenname', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        CustomerUserExcludePrimaryCustomerID => 0,
        AdminSetPreferences => 0,
        CacheTTL => 0,
        Map => [
            [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
        ],
    };
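
Added example, not part of the original message or of OTRS: a small Perl lint for the numbered-suffix convention the configuration above uses for its second domain (`Host1`, `BaseDN1`, ...). It reports a setting pasted without its suffix and an LDAP `Params` hash with no `scheme => 'ldaps'`; it assumes that hash is handed to the Net::LDAP constructor, and the sample config and the name `lint_ldap_config` are constructed for illustration.

```perl
use strict;
use warnings;
# Constructed sample, not the poster's file: the second backend's Host lacks
# its "1" suffix and its Params hash has no LDAPS scheme.
my $config = <<'END';
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc.domain1.example';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    scheme => 'ldaps',
    port   => 636,
};
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc.domain2.example';
$Self->{'Customer::AuthModule::LDAP::Params1'} = {
    port => 389,
};
END

# lint_ldap_config is a hypothetical helper; it reads the text and never evals it.
sub lint_ldap_config {
    my ($text) = @_;
    $text =~ s/^\s*#.*$//mg;    # ignore commented-out settings
    my ( %seen, %backend, %setting, @findings );
    my $family = qr/(?:Customer::)?Auth(?:Sync)?Module/;
    while ( $text =~ /\$Self->\{\s*'([^']+)'\s*\}\s*=\s*(\{[^{}]*\})?/g ) {
        my ( $key, $hash ) = ( $1, $2 // '' );
        push @findings, "assigned twice: $key" if $seen{$key}++;
        if ( $key =~ /^($family)(\d*)$/ ) {
            $backend{$1}{$2} = 1;    # declared backend, '' = first
        }
        elsif ( $key =~ /^($family)::LDAP::(\w+?)(\d*)$/ ) {
            my ( $fam, $name, $n ) = ( $1, $2, $3 );
            $setting{$fam}{$name}{$n} = 1;
            push @findings, "no scheme => 'ldaps' (cleartext bind?): $key"
                if $name eq 'Params' && $hash !~ /scheme\s*=>\s*'ldaps'/;
        }
    }
    # Heuristic: a setting used by one backend is expected on every backend.
    for my $fam ( sort keys %backend ) {
        for my $name ( sort keys %{ $setting{$fam} || {} } ) {
            for my $n ( sort keys %{ $backend{$fam} } ) {
                push @findings, "backend $fam$n has no ${fam}::LDAP::$name$n"
                    unless $setting{$fam}{$name}{$n};
            }
        }
    }
    return @findings;
}
print "$_\n" for lint_ldap_config($config);
```

The `CustomerUser` / `CustomerUser1` hashes are not covered by this check, and a setting deliberately present on only one backend will also be reported.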

 

 

 

From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Darshak Modi
Sent: Wednesday, February 5, 2014 10:26 PM
To: otrs@otrs.org
Subject: Re: [otrs] customer user sync from AD

 

Thanks for input.  But it is already set to LDAP.
This happens only to new customers created in AD. 

On 1/31/2014 8:39 PM, Alvaro Cordero wrote:

Hello, customer auth needs to be configured in Config.pm and also in sysconfig via the module FrontEnd::Customer::Auth; there you need to set the authentication mode to LDAP, otherwise what you describe will happen.

 

Regards 

 

2014-01-30 Darshak Modi <darshak.modi@elitecore.com>

Hello,

We are seeing that the customers currently added to AD are unable to log in to OTRS as they get errors.
Is there a way for OTRS to sync with AD?

Also, for some users, I get "Authentication OK, but no such user".
Can someone help?


---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs



 

--
___________________________
Alvaro Cordero Retana
Technology Consultant
Gridshield Monitoreo de Redes e
Infraestructura.
2258-5757 ext 123
alvaro@gridshield.net
www.gridshield.net



