User LDAP authentication

Hello,
I have User LDAP authentication working using Novell's eDirectory as
the backend but want to make the addition of requiring group membership.
When I enable the group code:
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=HelpDeskAgents,ou=office,o=protected';
I get the following error:
User: blw authentication failed, no LDAP group entry found GroupDN='cn=HelpDeskAgents,ou=office,o=protected', Filter='(memberUID=cn=blw,ou=OFFICE,o=protected)'! (REMOTE_ADDR: 10.xx.xx.xx).
Here is the relevant config.pm code:
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'vos1.protected.protected.us';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=office,o=protected';
$Self->{'AuthModule::LDAP::UID'} = 'cn';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=HelpDeskAgents,ou=office,o=protected';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUID';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=ldapproxy,o=protected';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'protected';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
My group, HelpDeskAgents, has the posixGroup extensions and I have
tried both the posixGroups and the non ldap posixGroups but get the same
results. Currently I'm set for non ldap posixGroups.
Here is a command line ldapsearch against the same LDAP directory for the group HelpDeskAgents:
ldapsearch -h vos1.protected.protected.us -p 389 -D cn=ldapproxy,o=protected -W -b "ou=office,o=protected" -x "(&(objectClass=Group)(cn=HelpDeskAgents))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=office,o=protected> with scope subtree
# filter: (&(objectClass=Group)(cn=HelpDeskAgents))
# requesting: ALL
#

# HelpDeskAgents, OFFICE, PROTECTED
dn: cn=HelpDeskAgents,ou=OFFICE,o=PROTECTED
uamPosixWorkstationList: cn=UNIX Workstation - SERVERNAME,ou=OFFICE,o=PROTECTED
gidNumber: 601
equivalentToMe: cn=blw,ou=OFFICE,o=PROTECTED
objectClass: groupOfNames
objectClass: Top
objectClass: posixGroup
objectClass: uamPosixGroup
member: cn=blw,ou=OFFICE,o=PROTECTED
cn: HelpDeskAgents
ACL: 2#entry#[Root]#member
ACL: 2#entry#[Public]#gidNumber
ACL: 2#entry#[Public]#uamPosixWorkstationList
ACL: 2#entry#[Public]#member
ACL: 1#entry#[Public]#cn
ACL: 2#entry#[Public]#uamPosixPAMServiceExcludeList

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Any assistance would be greatly appreciated.

Thanks,
Bart

Bart, we are also using eDir. I think you have to change the Filter string to member:
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
The attribute of the group is named member, not memberUID.
regards
Christoph
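To see why both UserAttr settings fail with memberUID while member works, this added Python check (not OTRS code) replays the membership test OTRS performs: it builds the filter (AccessAttr=<uid or full user DN>) that the error message shows and evaluates it against the HelpDeskAgents attributes from the ldapsearch output above. The user entry, the trimmed LDIF and the small parser are constructed for this example.

```python
"""Replay the OTRS LDAP group-membership test against the HelpDeskAgents entry."""
from typing import Dict, List

# Group entry from the ldapsearch output in the thread (constructed subset:
# only the attributes that matter for the membership filter).
GROUP_LDIF = """\
dn: cn=HelpDeskAgents,ou=OFFICE,o=PROTECTED
gidNumber: 601
objectClass: groupOfNames
objectClass: posixGroup
member: cn=blw,ou=OFFICE,o=PROTECTED
cn: HelpDeskAgents
"""

# The user OTRS found under BaseDN (constructed; the DN is the one in the error message).
USER = {"dn": "cn=blw,ou=OFFICE,o=protected", "uid": "blw"}


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attr -> values; attribute names are
    case-insensitive in LDAP, so they are lower-cased here."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def group_filter(access_attr: str, user_attr: str, user: Dict[str, str]) -> str:
    """Filter OTRS applies to GroupDN: (AccessAttr=<uid>) for UserAttr 'UID',
    (AccessAttr=<full user DN>) for UserAttr 'DN' (as in the error message)."""
    value = user["dn"] if user_attr.upper() == "DN" else user["uid"]
    return f"({access_attr}={value})"


def filter_matches(ldap_filter: str, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a single equality filter. eDirectory matches these values
    case-insensitively, so OFFICE/office and PROTECTED/protected are equal."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def is_member(access_attr: str, user_attr: str) -> bool:
    """True if the user passes the group check with these two OTRS settings."""
    return filter_matches(group_filter(access_attr, user_attr, USER), parse_ldif(GROUP_LDIF))


if __name__ == "__main__":
    for access_attr, user_attr in [("memberUID", "UID"), ("memberUID", "DN"), ("member", "DN")]:
        print(f"AccessAttr={access_attr:9} UserAttr={user_attr:3} -> {is_member(access_attr, user_attr)}")
```

The memberUID variants fail not only because of the DN-versus-uid mismatch but because the entry, despite its posixGroup objectClass, carries no memberUid values at all; only member=DN, the combination Christoph suggests, matches.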
participants (2)
- Bart Wallace
- Christoph Ohliger