OTRS and Active Directory

I've put more time into this than I can afford - but I'm trying hard to keep open source alive in our workplace, so I'll ask here.

We have:
- A WIN2K Domain controller at 192.168.1.10
- A Debian (Lenny) box with a clean install of OTRS 2.3.3 (installed from source, not a prepacked deb file)
- The Debian box is joined to the domain, which we'll call "company.com.au"

Nothing I do will permit me to get customers authenticating via the AD.

The relevant parts of the Config.pm:

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = '192.168.1.10';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=company,dc=com,dc=au';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldap.lookup';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

    $Self->{CustomerUser} = {
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => '192.168.1.10',
            BaseDN => 'DC=company,DC=com,DC=au',
            SSCOPE => 'sub',
            UserDN => 'ldap.lookup',
            UserPw => 'password',
        },
        CustomerKey => 'uid',
        CustomerID  => 'mail',
        CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => ['givenname', 'sn'],
        Map => [
            [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var' ],
            [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var' ],
            [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var' ],
        ],
    };

The error I'm currently getting:

    Jan 19 16:20:03 ithlp OTRS-GenericAgent-03[7967]: [Error][Kernel::System::CustomerUser::LDAP::new][Line:144]: First bind failed! 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893

Any ideas?
##################################################################################### This e-mail message has been scanned for Viruses and Content and cleared by MailMarshal #####################################################################################

Hi Wayne,

For this value:

    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldap.lookup';

Are you using just the username, or are you using the full LDAP DN? I believe LDAP requires the use of the full DN, e.g. cn=Ldap Lookup,ou=container,dc=domain,dc=tld. I know for our system the Auth mechanism for agents is LDAP and we have the full DN of the user in the SearchUserDN variable.

Steve

--
Steven Carr
Senior Network Security Engineer - Khipu Networks Ltd.
support@khipu-networks.com - www.khipu-networks.com
Secure - Compliant - Infrastructure
Registered Office: Fairfax House, 15 Fulwood Place, London WC1V 6AY
Registered in England. Company Number 5218573

Also, unless you have added extra values into your AD schema, the UID value for AD is 'sAMAccountName', not 'uid':

    $Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
    CustomerKey => 'uid',
Steve

Also, unless you have added extra values into your AD schema, the UID value for AD is 'sAMAccountName', not 'uid':

    $Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
    CustomerKey => 'uid',
Steve,

As per your 2 emails I gave your suggestions a try:

Firstly I fully qualified the ldap user:

    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=ldap.lookup, OU=Support, OU=IT, OU=Melbourne, OU=Staff, DC=company, DC=com, DC=au';

This gave me

    Jan 20 09:44:17 mel-ithlp OTRS-CGI-03[11782]: [Error][Kernel::System::CustomerUser::LDAP::new][Line:144]: First bind failed! 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893

Then I changed the uid value to sAMAccountName:

    CustomerKey => 'sAMAccountName',

This gave me

    Jan 20 09:44:17 mel-ithlp OTRS-CGI-03[11782]: [Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:199]: First bind failed! 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893

I note that in the first the error is taking place in [Kernel::System::CustomerUser::LDAP::new][Line:144], whereas in the second the error is in [Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:199]. I have no idea what THAT means.

As of right now my Config.pm is:

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = '192.168.1.10';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=company,dc=com,dc=au';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=ldap.lookup, OU=Support, OU=IT, OU=Melbourne, OU=Staff, DC=company, DC=com, DC=au';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

    $Self->{CustomerUser} = {
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => '192.168.1.10',
            BaseDN => 'DC=company,DC=com,DC=au',
            SSCOPE => 'sub',
            UserDN => 'CN=ldap.lookup, OU=Support, OU=IT, OU=Melbourne, OU=Staff, DC=company, DC=com, DC=au',
            UserPw => 'password',
        },
        CustomerKey => 'sAMAccountName',
        CustomerID  => 'mail',
        CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => ['givenname', 'sn'],
        Map => [
            [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var' ],
            [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var' ],
            [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var' ],
        ],
    };

Wayne Scott wrote:
Steve,
As per your 2 emails I gave your suggestions a try:
Firstly I fully qualified the ldap user:
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=ldap.lookup, OU=Support, OU=IT, OU=Melbourne, OU=Staff, DC=company, DC=com, DC=au';
Dear Wayne,

If I may please say so, that might not be the place where you need to change it. But before you make any other change, could you please make sure that you can connect to your AD using the username you have chosen?

Now, for the changes, this is what I have in my system and it is working:

    # Enable LDAP authentication for Customers / Users
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldapServer.admin.myOrganisation.net';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'OU=Staff,DC=admin,DC=myOrganisation,DC=net';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'MyOTRS_User';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'PassWord';

    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => 'ldapServer.admin.myOrganisation.net',
            BaseDN => 'OU=Staff,DC=admin,DC=myOrganisation,DC=net',
            SSCOPE => 'sub',
            UserDN => 'MyOTRS_User',
            UserPw => 'PassWord',
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 2500,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => ['givenname', 'sn'],
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            #[ 'UserSalutation',  'Title',      'title',           1, 0, 'var' ],
            [ 'UserFirstname',   'Firstname',  'givenname',       1, 1, 'var' ],
            [ 'UserLastname',    'Lastname',   'sn',              1, 1, 'var' ],
            [ 'UserLogin',       'Login',      'sAMAccountName',  1, 1, 'var' ],
            [ 'UserEmail',       'Email',      'mail',            1, 1, 'var' ],
            [ 'UserCustomerID',  'CustomerID', 'mail',            0, 1, 'var' ],
            [ 'UserPhone',       'Phone',      'telephonenumber', 1, 0, 'var' ],
            #[ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var' ],
            #[ 'UserComment',    'Comment',    'description',     1, 0, 'var' ],
        ],
    };

Hope this helps

If I may please say so that might not be the place where you need to change it.
But before you make any other change, could you please make sure that you can connect to your AD using the username you have chosen?
I can certainly confirm that - I'm actually using a domain-admin account at the moment. I realise that is insecure, however temporarily I'm using that account to be completely sure that isn't an issue.
Now, for the changes, this is what I have in my system and it is working
I finally got it working. What I ended up doing was using the Windows domain entry in the username field:

    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'company\ldap.lookup';
    UserDN => 'company\ldap_lookup',

To clarify the Windows domain entry - I had to use the domain which shows up in the login dialog for a PC logging into the domain.

I've now

Thanks for everyone's efforts.

Wayne
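The thread above turns on two things: what Active Directory's "data 525" sub-code in the "First bind failed!" line actually means, and which form the bind identity (SearchUserDN / UserDN) takes. As an added example, not code from the thread or from OTRS itself, here is a small Python helper that parses an OTRS bind-failure log line, decodes the AD sub-code using Microsoft's documented AcceptSecurityContext codes, and reports whether a configured bind identity is a full DN, DOMAIN\user, a UPN, or a bare username. The sample log line is copied from Wayne's second message; all function and constant names, and the simplified DN check, are my own assumptions.

```python
import re

# Added diagnostic helper for the OTRS / Active Directory bind failure
# discussed in this thread. Not part of OTRS; names are my own.

# Sample log line copied verbatim from the thread (Wayne's second message).
SAMPLE_LOG = (
    "Jan 20 09:44:17 mel-ithlp OTRS-CGI-03[11782]: "
    "[Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:199]: "
    "First bind failed! 80090308: LdapErr: DSID-0C09030B, comment: "
    "AcceptSecurityContext error, data 525, v893"
)

# Active Directory's documented "data" sub-codes for a failed simple bind
# (LDAP result 49, invalidCredentials). Keys are lower-case hex strings.
AD_BIND_SUBCODES = {
    "525": "user not found: the bind identity did not resolve to any account",
    "52e": "invalid credentials: account found, but the password is wrong",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password before first logon",
    "775": "account locked out",
}

# OTRS writes "[Level][Module][Line:N]: message"; the AD diagnostic string
# ends with "AcceptSecurityContext error, data <hex>, v<n>".
OTRS_BIND_ERROR_RE = re.compile(
    r"\[(?P<level>\w+)\]\[(?P<module>[\w:]+)\]\[Line:(?P<line>\d+)\]: "
    r".*?AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)"
)


def parse_otrs_bind_error(log_line):
    """Return module, line and decoded AD sub-code for an OTRS 'bind failed'
    log line, or None if the line is not an AD bind error."""
    m = OTRS_BIND_ERROR_RE.search(log_line)
    if m is None:
        return None
    code = m.group("data").lower()
    return {
        "module": m.group("module"),
        "line": int(m.group("line")),
        "data": code,
        "meaning": AD_BIND_SUBCODES.get(code, "undocumented sub-code"),
    }


def classify_bind_identity(identity):
    """Classify the form of a bind identity string as AD will see it.

    AD simple bind accepts a distinguished name, DOMAIN\\user (the form that
    finally worked in this thread) and user@domain (a UPN). Anything else
    is reported as a bare username. The DN test is a simplification: it
    only looks for a leading RDN attribute such as CN= or OU=."""
    s = identity.strip()
    if re.match(r"^(cn|ou|dc|uid|o)=", s, re.IGNORECASE):
        return "dn"
    if re.match(r"^[^\\@=]+\\[^\\@=]+$", s):
        return "domain-backslash"
    if re.match(r"^[^\\@=]+@[^\\@=]+$", s):
        return "upn"
    return "bare-username"


def diagnose(log_line, search_user_dn):
    """Combine both checks into one human-readable line, or None when the
    log line is not an AD bind failure."""
    err = parse_otrs_bind_error(log_line)
    if err is None:
        return None
    form = classify_bind_identity(search_user_dn)
    return (
        f"{err['module']} line {err['line']}: AD data {err['data']} "
        f"({err['meaning']}); SearchUserDN is in '{form}' form"
    )


if __name__ == "__main__":
    # The three identity forms Wayne tried, in the order he tried them.
    for ident in (
        "ldap.lookup",
        "CN=ldap.lookup, OU=Support, OU=IT, OU=Melbourne, OU=Staff, DC=company, DC=com, DC=au",
        "company\\ldap.lookup",
    ):
        print(diagnose(SAMPLE_LOG, ident))
```

Two practical notes follow from this. A data 525 returned against a full DN means the DN itself matched no object, which is worth checking with an LDAP search before touching OTRS, since an account's CN (for example "Ldap Lookup", as in Steve's example) need not equal its sAMAccountName. And when the DOMAIN\user form is written into Config.pm, it belongs in single quotes as the thread shows: in a Perl double-quoted string "\l" is an escape that lowercases the next character, so the backslash would not survive.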
participants (3)
- Free BSD
- Steven Carr
- Wayne Scott