The DNs are correct; I’ve verified them in the AD. I copied and
pasted both DNs directly from the program LDP.exe.
Jason R. Benedick
Workstation Technician
Thaddeus Stevens College of Technology
(717) 391-6957
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Sune T. Tougaard
Sent: Monday, May 21, 2007 4:52 PM
To: User questions and discussions about OTRS.org
Subject: RE: [otrs] Active Directory Authentication
Hm, that error message...
Don't know if it's because of "cleaning" before
publication of your config, but one thing that comes to mind, is that the
default "Users" container is just that: A container. Not an OU.
So, yet another suggestion:
Change the "OU" to "CN" in the lines:
$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=users,dc=example,dc=org';
and
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrs,OU=users,DC=example,DC=org';
--
/Sune
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Benedick, Jason
Sent: 21. maj 2007 21:51
To: User questions and discussions about OTRS.org
Subject: RE: [otrs] Active Directory Authentication
I’m getting this error:
May 21 15:30:05 websvr OTRS-CGI-10[21731]:
[Notice][Kernel::System::Auth::LDAP::Auth] User: benedick authentication
failed, no LDAP group entry foundGroupDN='CN=otrs,OU=users,DC=example,DC=org',
Filter='(member=CN=Benedick\, Jason,OU=users,DC=example,DC=org)'!
Jason R. Benedick
Workstation Technician
Thaddeus Stevens College of Technology
(717) 391-6957
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Sune T. Tougaard
Sent: Monday, May 21, 2007 10:53 AM
To: User questions and discussions about OTRS.org
Subject: RE: [otrs] Active Directory Authentication
Any details in the logfile?
Also, I don't think that nested groups work, so the members have to
be "direct" members of the group.
--
/Sune
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Benedick, Jason
Sent: 21. maj 2007 15:18
To: User questions and discussions about OTRS.org
Subject: RE: [otrs] Active Directory Authentication
Adding that line doesn’t solve the problem I’m having.
Thanks,
Jason R. Benedick
Workstation Technician
Thaddeus Stevens College of Technology
(717) 391-6957
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Sune T. Tougaard
Sent: Monday, May 21, 2007 5:10 AM
To: User questions and discussions about OTRS.org
Subject: RE: [otrs] Active Directory Authentication
Hi Jason,
Same authentication setup here, and I think that I might have
experienced something like this.
Try adding this line to the config:
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
I think that the otrs default setting is:
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
And that's not quite what the AD LDAP has to offer.
As for the host failover, I don't know if you can use multiple host
names.
I'm using just the domain name.
That is: "example.org", and the DNS round-robins it. Not
entirely failover, but better than nothing.
--
/Sune
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Benedick, Jason
Sent: 21. maj 2007 00:49
To: otrs@otrs.org
Subject: [otrs] Active Directory Authentication
I have active directory authentication working with the exception of the GroupDN
for the admin interface. When I comment out the GroupDN and the UserAttr lines
everything works fine again. We are running Windows Server 2003 on our DCs if
that matters.
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'dc1.example.org';
$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=users,dc=example,dc=org';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=LDAP\\, Linux,OU=Service Accounts,DC=example,DC=org';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrs,OU=users,DC=example,DC=org';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{UserSyncLDAPMap} = {
    # DB -> LDAP
    Firstname => 'givenName',
    Lastname  => 'sn',
    Email     => 'mail',
};
Also while I’m asking can I put multiple DCs in under host for failover? IE can I do
something like:
$Self->{'AuthModule::LDAP::Host'} = 'dc1.example.org;dc2.example.org';
and will OTRS use dc2 if dc1 is down?
Thanks,
Jason R. Benedick
Workstation Technician
Thaddeus Stevens College of Technology
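
Added example, not part of the original thread and not OTRS's own code: the Filter in the log line quoted above carries the user DN with its "\," sequence pasted in as-is, while RFC 4515 requires a backslash inside a filter value to be written as \5c. The script below checks both forms with a strict decoder. The helper names are hypothetical, the sample DN is the one from the log line, and it is an assumption that the filter value is the user's DN when UserAttr is 'DN'. The thread does not establish this as the cause of the failure, and how a given directory server treats the unescaped form is server-specific.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# RFC 4515: inside a filter value, NUL ( ) * \ must be written as \XX (hex).
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\x00()*\\])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# Strict decoder: a backslash must be followed by exactly two hex digits.
# Returns undef when the value is not valid RFC 4515 syntax.
sub unescape_filter_value {
    my ($value) = @_;
    return if $value =~ /\\(?![0-9A-Fa-f]{2})/;
    $value =~ s/\\([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $value;
}

# Hypothetical helper: build the group-membership filter from the AccessAttr
# setting and the value selected by UserAttr (the user DN or the login name).
sub group_filter {
    my ($access_attr, $value) = @_;
    return sprintf '(%s=%s)', $access_attr, escape_filter_value($value);
}

# Sample input: the user DN as it appears in the log line in this thread.
my $user_dn = 'CN=Benedick\, Jason,OU=users,DC=example,DC=org';

my $raw     = "(member=$user_dn)";               # DN inserted unescaped
my $escaped = group_filter('member', $user_dn);  # DN escaped for filter use

for my $filter ($raw, $escaped) {
    my ($value) = $filter =~ /^\(member=(.*)\)$/s;
    my $decoded = unescape_filter_value($value);
    my $verdict
        = !defined($decoded)    ? 'invalid escape sequence in filter value'
        : $decoded eq $user_dn  ? 'decodes to the exact member DN'
        :                         'decodes to a different string';
    print "$filter\n    => $verdict\n";
}
```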