Dear colleagues,
 
I'm facing a strange behaviour with LDAP authentication against Active Directory with the different Auth modules
- Agent
- Sync
- Customer User
 
Active Directory consists of 12 subdomains
The server I'm querying with OTRS is the global catalog server
 
(config below)
 
Scenario 1)  user is located on same AD server
    Agent login working
    Sync not working: OTRS-CGI-10[21812]: [Error][Kernel::System::Auth::Sync::LDAP::Sync][Line:177]: Search failed! (DC=holding,DC=ah) filter='(sAMAccountName=schedu)' 0000202B: RefErr: DSID-0310063C, data 0, 1 access points         ref 1: 'holding.ah' ^@
    Customer login working
 
Scenario 2) user is located on other domain server
    Agent login not working
    Sync not working
    Customer login working!
 
Nov  3 12:43:36 aohsupport01 OTRS-CGI-10[13245]: [Notice][Kernel::System::Auth::LDAP::Auth] User: sprmax authentication failed, no LDAP entry found!BaseDN='DC=asamer,DC=holding,DC=ah', Filter='(&(sAMAccountName=sprmax)(objectclass=user))', (REMOTE_ADDR: 195.29.236.59).
Nov  3 12:44:01 aohsupport01 /usr/sbin/cron[13266]: (otrs) CMD ($HOME/bin/PostMasterMailbox.pl >> /dev/null)
Nov  3 12:44:06 aohsupport01 OTRS-CGI-10[13245]: [Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: sprmax (CN=Sprung Max,OU=Manag,OU=Dept,OU=CSP,OU=SITES,DC=alashr,DC=holding,DC=ah) authentication ok (REMOTE_ADDR: 195.29.236.59).
 
What am I doing wrong?
 
Wolfgang
 
 
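#--> activate LDAP
# Agent authentication against the Active Directory global catalog.
# NOTE(review): BaseDN is the 'asamer' sub-domain, whereas the customer backend
# further down (the one whose logins work for users from other domains) searches
# from the forest root 'DC=holding,DC=ah'. A global-catalog search scoped to one
# sub-domain only returns accounts of that domain -- looks like the cause of the
# "user on other domain server" agent-login failure; confirm against the logs.
$Self->{'AuthModule'}               = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}   = 'aohdc03.asamer.holding.ah';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=asamer,DC=holding,DC=ah';
$Self->{'AuthModule::LDAP::UID'}    = 'sAMAccountName';
# AccessAttr on its own does not restrict anything; presumably it was meant to be
# paired with a group DN setting -- verify which keys this OTRS version reads.
$Self->{'AuthModule::LDAP::AccessAttr'}   = 'member';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs,OU=ServicesAccounts,DC=asamer,DC=holding,DC=ah';
# Fixed: the original line was an unquoted '<a valid password>' with no
# terminating ';', which does not parse. The placeholder is kept so the real
# bind password stays out of shared config snippets.
$Self->{'AuthModule::LDAP::SearchUserPw'} = '<a valid password>';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)'; # <--
$Self->{'AuthModule::LDAP::Charset'}      = 'utf-8';
# Net::LDAP connection parameters. 3268 is the plaintext global-catalog port, so
# the simple bind of the search account (and of every agent logging in) crosses
# the wire unencrypted unless the connection is protected; GC over TLS listens
# on 3269 -- review before production use.
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 3268,
    timeout => 10,
    async   => 0,
    version => 3,
};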
 
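# Sync
# Agent attribute sync from LDAP; same host, base and search account as the
# agent authentication backend above.
$Self->{'AuthSyncModule'}               = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}   = 'aohdc03.asamer.holding.ah';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=asamer,DC=holding,DC=ah';
$Self->{'AuthSyncModule::LDAP::UID'}    = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=otrs,OU=ServicesAccounts,DC=asamer,DC=holding,DC=ah';
# Fixed: the original snippet carried the real bind password of the search
# account here in cleartext, in a message sent to a public list. Treat that
# credential as exposed (rotate it) and keep a placeholder in shared configs,
# as the other backends in this file already do.
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '<a valid password>';
# Added for consistency with the agent and customer backends: this backend had
# no connection parameters, so Net::LDAP used its default port (389, the
# per-domain DC port) rather than the global catalog on 3268. A plain DC
# answers a search that leaves its own domain with a referral, which is what
# the logged "RefErr ... ref 1: 'holding.ah'" sync failure looks like -- TODO
# confirm after applying.
$Self->{'AuthSyncModule::LDAP::Params'} = {
    port    => 3268,
    timeout => 10,
    async   => 0,
    version => 3,
};
# OTRS user field -> LDAP attribute
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
    Username      => 'sAMAccountName',
};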
 
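# Fixed: the original read "Self->{...}" without the '$' sigil, so the line was
# not an assignment to the config object and the setting was never applied
# (under 'use strict' it does not even compile). Value 0 = do not abort when
# the LDAP backend cannot be reached -- presumably; verify in Defaults.pm.
$Self->{'AuthModule::LDAP::Die'} = 0;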
 
# Second sync map and group list under the plain 'UserSyncLDAP*' key names.
# NOTE(review): this duplicates 'AuthSyncModule::LDAP::UserSyncMap' above with
# one entry fewer; looks like a leftover from an older config layout -- confirm
# which key set this OTRS version actually reads before relying on either.
$Self->{'UserSyncLDAPMap'} = {
    # OTRS user field -> LDAP attribute
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# Groups every synced agent is placed into.
$Self->{'UserSyncLDAPGroups'} = [ 'user' ];
 
# Customer user backend: Active Directory via the global catalog, searched from
# the forest root so accounts from every sub-domain are visible (this is the
# backend whose lookups work for users in other domains, per the logs).
$Self->{'CustomerUser1'} = {
    Name   => 'Active Directory <holding.ah>',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host          => 'aohdc03.asamer.holding.ah',
        BaseDN        => 'DC=holding,DC=ah',
        SSCOPE        => 'sub',
        UserDN        => 'CN=otrs,OU=ServicesAccounts,DC=asamer,DC=holding,DC=ah',
        UserPw        => 'a valid password',
        AlwaysFilter  => '(objectclass=user)',
        # Directory data is UTF-8, OTRS side expects Latin-1 here.
        DestCharset   => 'iso-8859-1',
        SourceCharset => 'utf-8',
        # Net::LDAP connection parameters (3268 = plaintext global catalog port).
        Params => {
            port    => 3268,
            timeout => 10,
            async   => 0,
            version => 3,
        },
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields             => [qw(cn mail)],
    CustomerUserSearchFields           => [qw(sAMAccountName cn mail)],
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => [qw(mail)],
    CustomerUserNameFields             => [qw(givenname sn)],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences                  => 0,
    # [ OTRS field, label, LDAP attribute, shown, required, type, link, readonly ]
    Map => [
        #[ 'UserSalutation', 'Title',      'title',          1, 0, 'var', '', 0 ],
        [ 'UserFirstname',   'Firstname',  'givenname',      1, 1, 'var', '', 0 ],
        [ 'UserLastname',    'Lastname',   'sn',             1, 1, 'var', '', 0 ],
        [ 'UserLogin',       'Username',   'sAMAccountName', 1, 1, 'var', '', 0 ],
        [ 'UserEmail',       'Email',      'mail',           1, 1, 'var', '', 0 ],
        [ 'UserCustomerID',  'CustomerID', 'mail',           0, 1, 'var', '', 0 ],
        [ 'UserPhone',       'Phone',      'phone',          1, 0, 'var', '', 0 ],
        [ 'UserMobile',      'Mobile',     'mobile',         1, 0, 'var', '', 0 ],
        # [ 'UserAddress',   'Address',    'postaladdress',  1, 0, 'var', '', 0 ],
        # [ 'UserComment',   'Comment',    'description',    1, 0, 'var', '', 0 ],
    ],
};
 
## AuthModule 1 is against DB
 
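# Second customer authentication backend (suffix 2; backend 1 is the DB):
# LDAP against the global catalog, searched from the forest root.
$Self->{'Customer::AuthModule2'}               = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host2'}   = 'aohdc03.asamer.holding.ah';
$Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'DC=holding,DC=ah';
$Self->{'Customer::AuthModule::LDAP::UID2'}    = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'CN=otrs,OU=ServicesAccounts,DC=asamer,DC=holding,DC=ah';
# Fixed: the original line had an unbalanced quote ("<a valid password>'"),
# which does not parse. The placeholder is kept so the real bind password stays
# out of shared config snippets.
$Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = '<a valid password>';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter2'} = '(objectclass=user)';
# Net::LDAP connection parameters; 3268 is the plaintext global-catalog port,
# so customer passwords are bound in the clear unless the link is protected
# (GC over TLS is 3269) -- review before production use.
$Self->{'Customer::AuthModule::LDAP::Params2'} = {
    port    => 3268,
    timeout => 10,
    async   => 0,
    version => 3,
};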