
We are currently evaluating OTRS, version 2.4.1. We are using MSAD for the majority of the users and OpenLDAP for another set of users. I have configured the Config.pm file as shown in http://faq.otrs.org/otrs/public.pl?Action=PublicFAQ&ItemID=219. An MSAD user can authenticate, but a user in OpenLDAP cannot. The log shows both tries for the MSAD user, but for the OpenLDAP user it stops once the MSAD provider fails with an incorrect password and does not check OpenLDAP. The reverse is true if we swap the providers so that OpenLDAP is first and MSAD is second: then OpenLDAP users are authenticated and MSAD users are not. How do we get FAQ entries updated? http://faq.otrs.org/otrs/public.pl?Action=PublicFAQ&ItemID=219 is out of date.

Below is an example of the error:

[Fri Jul 24 09:46:59 2009][Notice][Kernel::System::Auth::DB::Auth] User: "ABC" authentication with wrong Pw!!! (REMOTE_ADDR: XXX)
[Fri Jul 24 09:46:59 2009][Notice][Kernel::System::Auth::LDAP::Auth] User: "ABC" authentication failed, no LDAP entry found! "MSAD base info" (REMOTE_ADDR: XXX).
[Fri Jul 24 09:46:59 2009][Notice][Kernel::System::Auth::DB::Auth] User: "ABC" authentication with wrong Pw!!! (REMOTE_ADDR: XXX)

Below are the settings in the Config.pm with MSAD first:

# ---------------------------------------------------- #
# Authentication backend Auth                          #
# ---------------------------------------------------- #

#------------------------------------------------------#
#***** MSAD
#------------------------------------------------------#
# Enable LDAP authentication for Customers / Users
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'XXXXXX';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'XXXXXX';
#$Self->{'AuthModule::LDAP::UID1'} = 'cn';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'XXXXXX';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'XXXXXX';
# Add the following lines when users are only allowed to log in if they reside in the specified security group
# Remove these lines if you want to provide login to all users specified in the User Base DN
$Self->{'AuthModule::LDAP::GroupDN1'} = 'XXXXXX';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params1'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
$Self->{'AuthModule::LDAP::Die1'} = 1;

#------------------------------------------------------#
#***** OpenLDAP
#------------------------------------------------------#
# Enable LDAP authentication for Customers / Users
$Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host2'} = 'YYYYYYY';
$Self->{'AuthModule::LDAP::BaseDN2'} = 'YYYYYYY';
#$Self->{'AuthModule::LDAP::UID2'} = 'cn';
$Self->{'AuthModule::LDAP::UID2'} = 'cssDisplayNameDefault';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN2'} = 'YYYYYYY';
$Self->{'AuthModule::LDAP::SearchUserPw2'} = 'YYYYYYY';
# Add the following lines when users are only allowed to log in if they reside in the specified security group
# Remove these lines if you want to provide login to all users specified in the User Base DN
$Self->{'AuthModule::LDAP::GroupDN2'} = 'YYYYYYY';
$Self->{'AuthModule::LDAP::AccessAttr2'} = 'UniqueMember';
$Self->{'AuthModule::LDAP::UserAttr2'} = 'DN';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params2'} = {
    port    => 58089,
    timeout => 120,
    async   => 0,
    version => 3,
};
$Self->{'AuthModule::LDAP::Die2'} = 1;

# ---------------------------------------------------- #
# Auth Sync Backend                                    #
# ---------------------------------------------------- #

#------------------------------------------------------#
#***** MSAD
#------------------------------------------------------#
## agent data sync against ldap
#$Self->{'AuthSyncModule'}
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'XXXX';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'XXXXX';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'XXXXX';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'XXXX';
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    ## DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
## AuthSyncModule::LDAP::UserSyncInitialGroups
## (sync following group with rw permission after initial create of first agent
## login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [ 'users', 'admin', 'stats' ];
$Self->{'AuthSyncModule::LDAP::Die1'} = 1;

#------------------------------------------------------#
#***** OpenLDAP
#------------------------------------------------------#
## agent data sync against ldap
#$Self->{'AuthSyncModule'}
$Self->{'AuthSyncModule2'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host2'} = 'YYYYYYY';
$Self->{'AuthSyncModule::LDAP::BaseDN2'} = 'YYYYYYY';
$Self->{'AuthSyncModule::LDAP::UID2'} = 'cssDisplayNameDefault';
$Self->{'AuthSyncModule::LDAP::SearchUserDN2'} = 'YYYYYYY';
$Self->{'AuthSyncModule::LDAP::SearchUserPw2'} = 'YYYYYYY';
$Self->{'AuthSyncModule::LDAP::Params2'} = {
    port    => 58089,
    timeout => 120,
    async   => 0,
    version => 3,
};
$Self->{'AuthSyncModule::LDAP::UserSyncMap2'} = {
    ## DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
## AuthSyncModule::LDAP::UserSyncInitialGroups
## (sync following group with rw permission after initial create of first agent
## login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups2'} = [ 'users', 'admin', 'stats' ];
$Self->{'AuthSyncModule::LDAP::Die2'} = 1;
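The post's log excerpt is the evidence that the second LDAP backend was never consulted. The following script, added here as an example and not code from the post or from OTRS, turns that manual reading into a check: it parses OTRS-style log lines ([timestamp][level][module] message), records which authentication backend logged an attempt for each user, and lists the configured backends that never appeared. The sample log lines are the three from the post; the backend list, the "OpenLDAP-base-placeholder" base DN and the function names are constructed for the example, and the real backend order in OTRS is whatever Config.pm defines.

```python
import re

# Constructed sample: the three log lines quoted in the post (REMOTE_ADDR masked as in the post).
SAMPLE_LOG = """\
[Fri Jul 24 09:46:59 2009][Notice][Kernel::System::Auth::DB::Auth] User: "ABC" authentication with wrong Pw!!! (REMOTE_ADDR: XXX)
[Fri Jul 24 09:46:59 2009][Notice][Kernel::System::Auth::LDAP::Auth] User: "ABC" authentication failed, no LDAP entry found! "MSAD base info" (REMOTE_ADDR: XXX).
[Fri Jul 24 09:46:59 2009][Notice][Kernel::System::Auth::DB::Auth] User: "ABC" authentication with wrong Pw!!! (REMOTE_ADDR: XXX)
"""

# OTRS log line layout as seen in the post: [timestamp][level][module] message
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]*)\]\[(?P<level>[^\]]*)\]\[(?P<module>[^\]]*)\]\s*(?P<msg>.*)$')
USER_RE = re.compile(r'User:\s*"(?P<user>[^"]*)"')
# The LDAP backend names the base it searched in quotes after the failure text,
# which is the only way to tell two LDAP backends apart in the log.
BASE_RE = re.compile(r'no LDAP entry found!\s*"(?P<base>[^"]*)"')


def parse_auth_events(text):
    """Return one event dict per authentication log line: user, backend, base, outcome."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or '::Auth::' not in m.group('module'):
            continue  # not an authentication backend line
        u = USER_RE.search(m.group('msg'))
        if not u:
            continue
        msg = m.group('msg')
        b = BASE_RE.search(msg)
        # Module names look like Kernel::System::Auth::<Backend>::Auth
        backend = m.group('module').split('::')[3]
        if 'wrong Pw' in msg:
            outcome = 'wrong password'
        elif 'no LDAP entry found' in msg:
            outcome = 'no entry'
        else:
            outcome = 'other'
        events.append({
            'user': u.group('user'),
            'backend': backend,
            'base': b.group('base') if b else None,
            'outcome': outcome,
        })
    return events


def backends_tried(events, user):
    """Ordered, de-duplicated list of (backend, base) pairs that logged an attempt for `user`."""
    seen = []
    for e in events:
        if e['user'] == user:
            key = (e['backend'], e['base'])
            if key not in seen:
                seen.append(key)
    return seen


def never_tried(configured, events, user):
    """Configured backends (in order) that never logged an attempt for `user`."""
    tried = backends_tried(events, user)
    return [b for b in configured if b not in tried]


# Constructed view of the poster's backend order: the built-in DB backend, then MSAD
# (identified by the base string the log prints), then OpenLDAP. The OpenLDAP base
# value is a placeholder, not a real DN.
CONFIGURED = [('DB', None), ('LDAP', 'MSAD base info'), ('LDAP', 'OpenLDAP-base-placeholder')]

if __name__ == '__main__':
    ev = parse_auth_events(SAMPLE_LOG)
    for e in ev:
        print(f"{e['user']}: {e['backend']} base={e['base']!r} -> {e['outcome']}")
    for b in never_tried(CONFIGURED, ev, 'ABC'):
        print('backend never consulted for ABC:', b)
```

Run it against a real OTRS log by replacing SAMPLE_LOG with the file contents and CONFIGURED with the backends from Config.pm; a backend that shows up in the "never consulted" list for a user who should authenticate there is the place to look, and keeping all three attempts for "ABC" in the output also makes repeated wrong-password events visible per user.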