
I had some confusion with this recently too.
As I understand it, you can have either DB or LDAP authentication for
agents, not both.
The way OTRS authenticates is by checking the user against its own
database. Once the user exists in its database it will authenticate
the user against the LDAP directory.
In order for the local DB to have the same user details in the otrs DB
as in the LDAP directory, you need to configure OTRS to
sync its data from the LDAP directory. The data is sync'd the first
time the user logs in. Have a look through the following doc for the
sync config settings:
http://doc.otrs.org/2.4/en/html/x1890.html
The "first bind failed" TLS error you are getting means that your LDAP
server needs to have a TLS secured connection.
Make sure you have the correct Perl package for TLS installed on your
system. You may or may not need to do something like this:
$Self->{'AuthModule::LDAP::Host'} = 'ldaps://ldap-pserver.internal.domain.com';
I hope that helps,
Rory
2009/8/5 Mauricio Tavares
I am trying to have otrs to have some of my agents defined in ldap. So, I set /etc/otrs/Kernel/Config.pm as follows:
# Authenticate agents against LDAP backend
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap-pserver.internal.domain.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=users,ou=Groups,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    verify => 'require',
    cafile => '/etc/ssl/certs/root.pem',
#    async => 0,
    version => 3,
};
When I try to login, either as a previously defined (in its database, and that includes root) otrs user or as one of the ldap users, it seems to be looking for them in ldap:
ERROR: OTRS-CGI-10 Perl: 5.10.0 OS: linux Time: Wed Aug 5 12:09:54 2009
Message: First bind failed! TLS confidentiality required
Traceback (32329):
Module: Kernel::System::Auth::LDAP::Auth (v1.46) Line: 191
Module: Kernel::System::Auth::Auth (v1.29) Line: 121
Module: Kernel::System::Web::InterfaceAgent::Run (v1.34) Line: 192
Module: /usr/share/otrs/bin/cgi-bin/index.pl (v1.87) Line: 47
What should I tell otrs to look for users in its own database there and then for ldap users, well, in ldap? And, what would this "TLS confidentiality required" error be trying to tell me?
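A stand-alone check for the failure discussed in this thread, added here as an example and not taken from either poster or from OTRS: it binds with Net::LDAP using the host, port and CA file from the posted config, then over ldaps://, and reports which transport the server accepts. It assumes OTRS hands the Params hash to Net::LDAP->new unchanged; Net::LDAP applies an explicit port to an ldaps:// host as well, so the second probe shows what happens if only the Host line is changed and port => 389 is left in place.

```perl
#!/usr/bin/perl
# Added diagnostic, not code from the thread or from OTRS.
use strict;
use warnings;
use Net::LDAP;

# Host and CA file are the values from the posted Config.pm; adjust for your site.
my $host   = 'ldap-pserver.internal.domain.com';
my $cafile = '/etc/ssl/certs/root.pem';
my %tls    = ( verify => 'require', cafile => $cafile );

# Each probe: label, host URI, and the options passed to Net::LDAP->new
# (assumption: these mirror what OTRS does with AuthModule::LDAP::Params).
my @probes = (
    [ 'ldap:// on 389 (posted config)', "ldap://$host",  { port => 389, %tls } ],
    [ 'ldaps:// with port still 389',   "ldaps://$host", { port => 389, %tls } ],
    [ 'ldaps:// on 636, cert verified', "ldaps://$host", { port => 636, %tls } ],
);

sub probe {
    my ( $uri, $params ) = @_;

    # verify/cafile only take effect for ldaps:// (or start_tls);
    # on a plain ldap:// connection they are silently unused.
    my $ldap = Net::LDAP->new( $uri, timeout => 10, version => 3, %{$params} )
        or return "connect failed: $@";

    # Anonymous bind: the posted config sets no bind DN for the first bind.
    my $msg = $ldap->bind;

    my $result;
    if ( $msg->code == 13 ) {    # 13 = confidentialityRequired
        $result = 'server refuses cleartext: ' . $msg->error;
    }
    elsif ( $msg->code ) {
        $result = 'bind refused: ' . $msg->error;
    }
    else {
        my $cipher = $ldap->cipher;    # undef when the link is not encrypted
        $result = $cipher ? "bind OK over TLS ($cipher)" : 'bind OK in CLEARTEXT';
    }
    $ldap->unbind;
    return $result;
}

printf "%-32s %s\n", $_->[0], probe( $_->[1], $_->[2] ) for @probes;
```

If only the third probe succeeds, the matching Config.pm change is the ldaps:// host together with port => 636 (or no port entry) in Params, keeping verify => 'require' and cafile so the server certificate is actually checked.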