Dear collegues, I'm facing a strange behaviour with LDAP authentication against Active Directory with the different Auth modules - Agent - Sync - Customer User Active Directory consists of 12 subdomains The server I'm querying with OTRS is the global catalog server (config below) Scenario 1) user is located on same AD server Agent login working Sync not working: OTRS-CGI-10[21812]: [Error][Kernel::System::Auth::Sync::LDAP::Sync][Line:177]: Search failed! (DC=holding,DC=ah) filter='(sAMAccountName=schedu)' 0000202B: RefErr: DSID-0310063C, data 0, 1 access points ref 1: 'holding.ah' ^@ Customer login working Scenario 2) user is located on other domain server Agent login not working Sync not working Customer login working! Nov 3 12:43:36 aohsupport01 OTRS-CGI-10[13245]: [Notice][Kernel::System::Auth::LDAP::Auth] User: sprmax authentication failed, no LDAP entry found!BaseDN='DC=asamer,DC=holding,DC=ah', Filter='(&(sAMAccountName=sprmax)(objectclass=user))', (REMOTE_ADDR: 195.29.236.59). Nov 3 12:44:01 aohsupport01 /usr/sbin/cron[13266]: (otrs) CMD ($HOME/bin/PostMasterMailbox.pl >> /dev/null) Nov 3 12:44:06 aohsupport01 OTRS-CGI-10[13245]: [Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: sprmax (CN=Sprung Max,OU=Manag,OU=Dept,OU=CSP,OU=SITES,DC=alashr,DC=holding,DC=ah) authentication ok (REMOTE_ADDR: 195.29.236.59). What am I doing wrong? Wolfgang #--> activate LDAP $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'; $Self->{'AuthModule::LDAP::Host'} = 'aohdc03.asamer.holding.ah'; $Self->{'AuthModule::LDAP::BaseDN'} = 'DC=asamer,DC=holding,DC=ah'; $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName'; $Self->{'AuthModule::LDAP::AccessAttr'} = 'member'; $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs,OU=ServicesAccounts,DC=asamer,DC=holding,DC=ah'; $Self->{'AuthModule::LDAP::SearchUserPw'} = <a valid password> $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)'; # <-- $Self->{'AuthModule::LDAP::Charset'} = 'utf-8'; $Self->{'AuthModule::LDAP::Params'} = { port => 3268, timeout => 10, #--> activate LDAP 120, async => 0, version => 3, }; # Sync $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP'; $Self->{'AuthSyncModule::LDAP::Host'} = 'aohdc03.asamer.holding.ah'; $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=asamer,DC=holding,DC=ah'; $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName'; $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=otrs,OU=ServicesAccounts,DC=asamer,DC=holding,DC=ah'; $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'sup4port@asa1'; $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = { UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail', Username => 'sAMAccountName', }; Self->{'AuthModule::LDAP::Die'} = 0; $Self->{UserSyncLDAPMap} = { # DB -> LDAP UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail', }; $Self->{UserSyncLDAPGroups} = ['user',]; $Self->{CustomerUser1} = { Name => 'Active Directory ', Module => 'Kernel::System::CustomerUser::LDAP', Params => { Host => 'aohdc03.asamer.holding.ah', BaseDN => 'DC=holding,DC=ah', SSCOPE => 'sub', UserDN => 'CN=otrs,OU=ServicesAccounts,DC=asamer,DC=holding,DC=ah', UserPw => 'a valid password', AlwaysFilter => '(objectclass=user)', DestCharset => 'iso-8859-1', SourceCharset => 'utf-8', Params => { port => 3268, timeout => 10, async => 0, version => 3, }, }, CustomerKey => 'sAMAccountName', CustomerID => 'mail', CustomerUserListFields => ['cn', 'mail'], CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'], CustomerUserSearchListLimit => 250, CustomerUserPostMasterSearchFields => ['mail'], CustomerUserNameFields => ['givenname', 'sn'], CustomerUserExcludePrimaryCustomerID => 0, AdminSetPreferences => 0, Map => [ #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ], [ 'UserFirstname', 'Firstname', 'givenname', 1, 1,'var', '', 0 ], [ 'UserLastname', 'Lastname', 'sn', 1, 1,'var', '', 0 ], [ 'UserLogin', 'Username', 'sAMAccountName', 1, 1,'var', '', 0 ], [ 'UserEmail', 'Email', 'mail', 1, 1,'var', '', 0 ], [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1,'var', '', 0 ], [ 'UserPhone', 'Phone', 'phone', 1, 0,'var', '', 0 ], [ 'UserMobile', 'Mobile', 'mobile', 1, 0,'var', '', 0 ], # [ 'UserAddress', 'Address', 'postaladdress', 1, 0,'var', '', 0 ], # [ 'UserComment', 'Comment', 'description', 1, 0,'var', '', 0 ], ], }; ## AuthModule 1 is against DB $Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP'; $Self->{'Customer::AuthModule::LDAP::Host2'} = 'aohdc03.asamer.holding.ah'; $Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'DC=holding,DC=ah'; $Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName'; $Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'CN=otrs,OU=ServicesAccounts,DC=asamer,DC=holding,DC=ah'; $Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = <a valid password>'; $Self->{'Customer::AuthModule::LDAP::AlwaysFilter2'} = '(objectclass=user)'; $Self->{'Customer::AuthModule::LDAP::Params2'} = { port => 3268, timeout => 10, async => 0, version => 3, };