I tried the DN vs UID thing - nothing. I will attempt a fresh install. Ugh. According to CPAN I have the latest Net::LDAP package.

BTW, what part of the planet are you on? - either you're a night owl or you're in Europe. Looks like a lot of the list's subscribers are 8+ hours different than me, as most questions seem to get asked and answered overnight (relative to my timezone).

Again, thanks very much for your assistance. Will keep you apprised of progress. This system looks way too powerful to give up on.

Christophe Flaviani wrote:
Sorry Jeff,
Can't see what's wrong with your install. Possible clues could be the version of the Net::LDAP package you installed or the version of OTRS. My implementation works fine (with the userLDAPSync), but with an AD backend. I had to replace the UID (which is not present in AD) by the DN. Maybe this would solve the problem.
Good luck,
C.

On Thu, Jun 12, 2008 at 7:46 PM, Jeff Davis <[EMAIL PROTECTED]> wrote:


        Hi Jeff,
         If you do an ldapsearch, does the attribute givenName exist?
         C.


    Yes.

    (BTW thanks for responding - I appreciate your willingness to give
    me a hand on this - I'm about at the end of my rope in identifying
    my configuration error).

    If you have additional ideas for testing/debugging this I would
    very much like to hear them...

    Fields asked for in Config.pm are present using
    AuthModule::LDAP::SearchUserDN account, so I don't think ACLs are
    the issue.  Even tried with root dn account to be sure.  If I had
    to guess I'd say it's unable to pull something from LDAP.  Just
    don't know why as ldapsearch has no issues with it.

    Here's an LDIF:

    dn: uid=tstaff,ou=Users,dc=example,dc=com
    uidNumber: 2306
    *givenName: Test*
    ssdSiteName: ESC
    uid: tstaff
    cn: Test Staff
    homeDirectory: /u/tstaff
    *sn: Staff*
    ssdRole: Test Staff User
    departmentNumber: Test Staff User
    *mail: [EMAIL PROTECTED]*
    mailLocalAddress: [EMAIL PROTECTED]
    mailRoutingAddress: [EMAIL PROTECTED]
    objectClass: top
    objectClass: person
    objectClass: posixAccount
    objectClass: inetLocalMailRecipient
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: shadowAccount
    objectClass: standardSchoolDistrict
    objectClass: sambaSamAccount
    gidNumber: 2000
    gecos: Test Staff Account
    description: Test Staff Account
    displayName: Test Staff Account
    loginShell: /bin/bash

    Christophe Flaviani wrote:




        On Wed, Jun 11, 2008 at 7:32 PM, Jeff Davis <[EMAIL PROTECTED]> wrote:

           Well, I've gotten openldap auth to work but cannot get the
           UserSyncLDAPMap to work.  I've copied the code from Defaults.pm
           and configured for our ldap config.  Have been working on this on
           and off for 3 days, and still no luck.  The code in LDAP.pm that
           fails appears to be trying to pull attribute values from the
           directory, but adding code to put more detail into the log has not
           been illuminating.  Posts I've found in the archive seem to speak
           primarily to AD issues, which in some ways makes me think that
           OpenLDAP or a more standards-based LDAP implementation should be
           more straightforward.  "Obviously I'm mistaken".  I would sure
           like to get this figured out so we can move forward.  Otherwise I
           will probably have to look at a different system.

           This is the value that throws the error:
Net::LDAP::Entry=HASH(0xace6e04)->get_value(Kernel::Config=HASH(0x9af735c)->Get('UserSyncLDAPMap'.)->{UserFirstname})

           The following code block in LDAP.pm is where the problem occurs
            (line 348 is bolded):

           foreach my $Entry ($Result->all_entries) {
               $UserDN = $Entry->dn();
               foreach my $Key (keys %{$Self->{ConfigObject}->Get('UserSyncLDAPMap'.$Self->{Count})}) {
                   # detect old config setting
                   if ($Key =~ /^(Firstname|Lastname|Email)/) {
                       $Key = "User".$Key;
                       $Self->{LogObject}->Log(
                           Priority => 'error',
                           Message => "Old config setting detected, please use the new one from Kernel/Config/Defaults.pm (User* has been added!).",
                       );
                   }
           *       $SyncUser{$Key} = $Entry->get_value($Self->{ConfigObject}->Get('UserSyncLDAPMap'.$Self->{Count})->{$Key});*
                   # e. g. set utf-8 flag
                   $SyncUser{$Key} = $Self->_ConvertFrom($SyncUser{$Key}, $Self->{ConfigObject}->Get('DefaultCharset'));
               }
               if ($Entry->get_value('userPassword')) {
                   $SyncUser{Pw} = $Entry->get_value('userPassword');
                   # e. g. set utf-8 flag
                   $SyncUser{Pw} = $Self->_ConvertFrom($SyncUser{Pw}, $Self->{ConfigObject}->Get('DefaultCharset'));
               }
           }


           When logging in it throws the following error:

           Software error:

           Can't locate object method "get_value" via package
           "Net::LDAP::Entry" at ../..//Kernel/System/Auth/LDAP.pm line 348,
           <PRODUCT> line 4.

           For help, please send mail to the webmaster ([EMAIL PROTECTED]), giving this
           error message and the time and date of the error.

           Here's the agent portion of my config.pm.


           # This is an example configuration for an LDAP auth. backend.
           # (take care that Net::LDAP is installed!)
           $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
           $Self->{'AuthModule::LDAP::Host'} = 'ldap.example.com';
           $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=users,dc=example,dc=com';
           $Self->{'AuthModule::LDAP::UID'} = 'uid';

           # Check if the user is allowed to auth in a posixGroup
           # (e. g. user needs to be in a group xyz to use otrs)
           $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=techsupport,ou=Groups,dc=example,dc=com';
           $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
           # for ldap posixGroups objectclass (just uid)
           $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
           # for non ldap posixGroups objectclass (with full user dn)
           #$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

           # The following is valid but would only be necessary if the
           # anonymous user do NOT have permission to read from the LDAP tree
           $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=xxxxxxxxx,ou=xxx,dc=example,dc=com';
           $Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxx';

           # in case you want to add always one filter to each ldap query, use
           # this option. e. g. AlwaysFilter => '(mail=*)' or
           # AlwaysFilter => '(objectclass=user)'
           $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

           # in case you want to add a suffix to each login name, then
           # you can use this option. e. g. user just want to use user but
           # in your ldap directory exists [EMAIL PROTECTED]
           #$Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

           # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
           $Self->{'AuthModule::LDAP::Params'} = {
               port => 389,
               timeout => 120,
               async => 0,
               version => 3,
           };

           # Die if backend can't work, e. g. can't connect to server.
           $Self->{'AuthModule::LDAP::Die'} = 1;

           # UserSyncLDAPMap
           # (map if agent should create/synced from LDAP to DB after login)
           $Self->{UserSyncLDAPMap} = {
               ## DB -> LDAP
               UserFirstname => 'givenName',
               UserLastname => 'sn',
               UserEmail => 'mail',
           };
           # UserSyncLDAPGroups
           # (If "LDAP" was selected for AuthModule, you can specify initial
           # user groups for first login.)
           $Self->{UserSyncLDAPGroups} = [
               'users',
           ];






           _______________________________________________
           OTRS mailing list: otrs - Webpage: http://otrs.org/
           Archive: http://lists.otrs.org/pipermail/otrs
           To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
           Support or consulting for your OTRS system?
           => http://www.otrs.com/


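Added example, not part of the thread and not OTRS code: an offline Perl check for the 'Can't locate object method "get_value"' error quoted above. It reports which Net::LDAP files are actually loaded from @INC, then runs the posted UserSyncLDAPMap against a constructed entry modelled on the LDIF (the mail value is a placeholder, since the thread's address is redacted).

```perl
#!/usr/bin/perl
# Added diagnostic example (not OTRS code). No LDAP server is contacted.
use strict;
use warnings;

# Load the modules at run time so a failure is reported, not fatal.
for my $Module (qw(Net::LDAP Net::LDAP::Entry)) {
    ( my $File = "$Module.pm" ) =~ s{::}{/}g;
    if ( !eval { require $File; 1 } ) {
        print "$Module: FAILED to load: $@";
        next;
    }
    my $Version = $Module->VERSION;
    $Version = 'unknown' if !defined $Version;
    print "$Module $Version loaded from $INC{$File}\n";
}

# The method that LDAP.pm line 348 calls on each search result.
if ( !Net::LDAP::Entry->can('get_value') ) {
    print "Net::LDAP::Entry as found on \@INC does not provide get_value()\n";
    exit 1;
}

# Constructed entry mirroring the LDIF in the thread.
my $Entry = Net::LDAP::Entry->new;
$Entry->dn('uid=tstaff,ou=Users,dc=example,dc=com');
$Entry->add(
    givenName => 'Test',
    sn        => 'Staff',
    mail      => 'tstaff@example.com',    # placeholder value
);

# Same map as in the posted config.
my %UserSyncLDAPMap = (
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
);

# Mirror the sync loop: one get_value() call per mapped attribute.
for my $Key ( sort keys %UserSyncLDAPMap ) {
    my $Attr  = $UserSyncLDAPMap{$Key};
    my $Value = $Entry->get_value($Attr);    # scalar context: first value
    printf "%-14s <- %-10s = %s\n", $Key, $Attr,
        defined $Value ? $Value : '(missing)';
}
```

Run it as the web server user with the same perl binary OTRS uses. If the path or version printed differs from what the CPAN shell reports, a second copy of the module is shadowing the one you updated.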