Problem with LDAP (AD) lookups

AD Authentication is working OK, but I have to create an entry in the customer table before a customer can log in. That's not a big deal, hopefully that will be working nicely in later versions :-)

What's not working is that when I select the Customer User page under the Admin Area I only see the users that I've manually set up. I also get messages such as the following in my system's messages log file. At around 16:40 I changed the user to the Administrator of the AD tree to see if it was a permissions issue that was causing the browsing to fail.

________________________________________________________________________________
Sep 21 16:39:35 test OTRS-CGI-10[4266]: [Error][Kernel::System::CustomerUser::LDAP::CustomerUserList][Line:169]: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
Sep 21 16:39:35 test
Sep 21 16:39:35 test OTRS-CGI-10[4266]: [Error][Kernel::System::CustomerUser::LDAP::CustomerUserList][Line:169]: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
Sep 21 16:39:35 test
Sep 21 16:40:00 test /USR/SBIN/CRON[27178]: (otrs) CMD ($HOME/bin/PostMasterPOP3.pl >> /dev/null)
Sep 21 16:40:00 test /USR/SBIN/CRON[27180]: (otrs) CMD ($HOME/bin/GenericAgent.pl >> /dev/null)
Sep 21 16:41:37 test OTRS-CGI-10[4267]: [Error][Kernel::System::CustomerUser::LDAP::CustomerUserList][Line:169]: 0000208D: NameErr: DSID-031001C6, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=corp,DC=hiplab2003,DC=com'
Sep 21 16:41:37 test
Sep 21 16:41:37 test OTRS-CGI-10[4267]: [Error][Kernel::System::CustomerUser::LDAP::CustomerUserList][Line:169]: 0000208D: NameErr: DSID-031001C6, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=corp,DC=hiplab2003,DC=com'
________________________________________________________________________________

Below is the Config.pm section that I added so far:
________________________________________________________________________________
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.1.104.153';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=corp,dc=hiplab2003,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'pmcdonnell@corp.hiplab2003.com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxx';

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '10.1.104.153';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=corp,dc=hiplab2003,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'pmcdonnell@corp.hiplab2003.com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxx';

# CustomerUser
# (customer user database backend and settings)
$Self->{CustomerUser} = {
    Name => 'Datenbank',
    Module => 'Kernel::System::CustomerUser::DB',
    Params => {
        Table => 'customer_user',
        # to use an external database
        # DSN => 'DBI:odbc:yourdsn',
        # DSN => 'DBI:mysql:database=customerdb;host=customerdbhost',
        # User => '',
        # Password => '',
    },
    # customer uniq id
    CustomerKey => 'login',
    CustomerID => 'customer_id',
    CustomerValid => 'valid_id',
    CustomerUserListFields => ['first_name', 'last_name', 'email'],
    # CustomerUserListFields => ['login', 'first_name', 'last_name', 'customer_id', 'email'],
    CustomerUserSearchFields => ['login', 'last_name', 'customer_id'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['email'],
    CustomerUserNameFields => ['salutation', 'first_name', 'last_name'],
    # ReadOnly => 1,
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type, http-link
        [ 'UserSalutation', 'Salutation', 'salutation', 1, 0, 'var' ],
        [ 'UserFirstname', 'Firstname', 'first_name', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'last_name', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'login', 1, 1, 'var' ],
        [ 'UserPassword', 'Password', 'pw', 0, 1, 'var' ],
        [ 'UserEmail', 'Email', 'email', 0, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'customer_id', 0, 1, 'var' ],
        [ 'UserComment', 'Comment', 'comments', 1, 0, 'var' ],
        [ 'ValidID', 'Valid', 'valid_id', 0, 1, 'int' ],
    ],
};

# CustomerUser1
# (customer user ldap backend and settings)
$Self->{CustomerUser1} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => '10.1.104.153',
        # ldap base dn
        BaseDN => 'ou=Users, dc=corp, dc=hiplab2003, dc=com',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'cn=Pete McDonnell, ou=Users, dc=corp, dc=hiplab2003, dc=com',
        UserPw => 'xxx',
        AlwaysFilter => '',
        SourceCharset => 'utf-8',
        DestCharset => 'iso-8859-1',
    },
    # customer uniq id
    CustomerKey => 'sAMAccountName',
    # customer
    # CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
};
________________________________________________________________________________

Is anyone able to provide any insight?

- Pete McDonnell
Manager, Technical Services
Hip Interactive
Phone: (519) 272-0234 x228

Pete McDonnell wrote:

> AD Authentication is working OK,

It isn't.

> but I have to create an entry in the customer table before a customer can log in. That's not a big deal, hopefully that will be working nicely in later versions :-)

It should not be necessary at all.

> What's not working is that when I select the Customer User page under the Admin Area I only see the users that I've manually set up. I also get messages such as the following in my system's messages log file. At around 16:40 I changed the user to the Administrator of the AD tree to see if it was a permissions issue that was causing the browsing to fail.

I guess the user you're using to connect isn't equipped with a rights range broad enough. "cn=Pete McDonnell, ou=Users, dc=corp, dc=hiplab2003, dc=com" is probably not capable of reading all the necessary info. Try to create a designated reader user with no write access to any part of the AD tree, but all-area read access (yes, except for the passwords). Unfortunately, I cannot tell you how to incorporate such a user, as I luckily do not have to work with AD or stuff like that. I could tell you what code would be necessary on a regular LDAP server based on OpenLDAP, though. Better choice, btw. *scnr*

hth,
Robert Kehl
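An added diagnostic for the two error classes in the syslog excerpt and the CustomerUser1 config posted above. This is example code written for this thread, not from the thread itself and not OTRS code; the syslog sample is constructed from the lines quoted in the first post, and the 'ou=Users, dc=corp, ...' base DN is the one from the posted config. The first error ("a successful bind must be completed") is AD refusing a search on a connection that was never bound, which is the situation the bind-account advice addresses; the second (0000208D, NO_OBJECT) carries a 'best match of' DN, the deepest ancestor of the requested search base that actually exists, so comparing it with the configured BaseDN shows exactly which RDN component the server could not resolve. Standard library only, runs offline.

```python
"""Classify OTRS LDAP syslog errors and locate the unresolved part of a base DN."""
import re

# Constructed sample: the syslog records quoted in the thread, one copy of each.
SAMPLE_LOG = """\
Sep 21 16:39:35 test OTRS-CGI-10[4266]: [Error][Kernel::System::CustomerUser::LDAP::CustomerUserList][Line:169]: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
Sep 21 16:40:00 test /USR/SBIN/CRON[27178]: (otrs) CMD ($HOME/bin/PostMasterPOP3.pl >> /dev/null)
Sep 21 16:41:37 test OTRS-CGI-10[4267]: [Error][Kernel::System::CustomerUser::LDAP::CustomerUserList][Line:169]: 0000208D: NameErr: DSID-031001C6, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=corp,DC=hiplab2003,DC=com'
"""

# BaseDN taken from the CustomerUser1 block posted in the thread.
CONFIGURED_BASEDN = "ou=Users, dc=corp, dc=hiplab2003, dc=com"

# Shape of the OTRS [Error][module][Line:n]: <AD hex code>: <kind>: DSID-..., <rest> records.
LDAP_ERR_RE = re.compile(
    r"\[Error\]\[(?P<module>[^\]]+)\]\[Line:(?P<line>\d+)\]: "
    r"(?P<code>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"(?P<rest>.*)$"
)
BEST_MATCH_RE = re.compile(r"best match of: '(?P<dn>[^']*)'")


def parse_dn(dn):
    """Split a DN into normalised (attr, value) RDN tuples for comparison.
    Attribute and value are lower-cased and whitespace around components is
    stripped, so 'DC=corp' and ' dc=corp' compare equal. Multi-valued RDNs and
    escaped commas are out of scope for this diagnostic."""
    if not dn.strip():
        return []
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts


def missing_rdns(configured, best_match):
    """Return the RDNs of the configured base DN that the server did not resolve.
    'best match of' names the deepest existing ancestor, so every component of
    the configured DN above that suffix is a container that does not exist."""
    conf = parse_dn(configured)
    best = parse_dn(best_match)
    if best and len(best) <= len(conf) and conf[-len(best):] == best:
        return ["=".join(p) for p in conf[: len(conf) - len(best)]]
    return ["=".join(p) for p in conf]  # nothing of the configured DN matched


def diagnose_line(line, configured_basedn):
    """Classify one syslog line; None if it is not an OTRS LDAP error record."""
    m = LDAP_ERR_RE.search(line)
    if not m:
        return None
    code = m.group("code").upper()
    rest = m.group("rest")
    if "successful bind must be completed" in rest:
        # The directory refused an unauthenticated search: the backend ran
        # without a usable UserDN/UserPw bind.
        return ("anonymous_bind_rejected",
                "search sent on an unbound connection; check UserDN/UserPw")
    if code == "0000208D":  # NO_OBJECT: the search base itself does not exist
        bm = BEST_MATCH_RE.search(rest)
        best = bm.group("dn") if bm else ""
        missing = missing_rdns(configured_basedn, best)
        return ("base_dn_not_found",
                "unresolved RDN(s) in BaseDN: " + ", ".join(missing))
    return ("other", rest)


def diagnose_log(text, configured_basedn=CONFIGURED_BASEDN):
    """Run diagnose_line over every line of a syslog excerpt."""
    results = []
    for line in text.splitlines():
        d = diagnose_line(line, configured_basedn)
        if d is not None:
            results.append(d)
    return results


if __name__ == "__main__":
    for category, detail in diagnose_log(SAMPLE_LOG):
        print(f"{category}: {detail}")
```

Run against the sample, the script reports one anonymous_bind_rejected record and one base_dn_not_found record naming 'ou=users' as the component the server could not find under DC=corp,DC=hiplab2003,DC=com. The same check works for any BaseDN/best-match pair, which is more useful than re-reading the log once a dedicated read-only bind account is in place and only the tree layout remains to be verified.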