Ok I could be wrong because I don't know your AD structure but take a look
here..
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=LDAP
Lookup,OU=Service Accounts,OU=Users,OU=Dept,DC=mydomain,DC=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'mypw123';
Mine looks like this
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} =
'cn=testaccount,cn=Users,dc=ocusd,dc=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'test123';
What I have is the user account test witch which is located in the users
directly under the base DN.. the folder it's located in needs to be a container
not an OU I believe this is where your issue lies once again I could be wrong
however
Same applies with
UserDN => 'CN=LDAP Lookup,OU=Service
Accounts,OU=Users,OU=Dept,DC=mydomain,DC=local',
UserPW => 'mypw123',
Shawn Gadow
Network Administrator
Oregon CUSD 220
"Security is when everything is settled. When nothing can happen to you.
Security is the denial of life." - Germaine Greer
From: otrs-boun...@otrs.org [mailto:otrs-boun...@otrs.org] On Behalf Of Rory
Sent: Friday, May 13, 2011 8:00 AM
To: otrs@otrs.org
Subject: [otrs] Customer LDAP Auth Issue - not anonymous
Hi All,
I'm having an issue while authenticating a Customer user against our windows
Active Directory tree and I hope somebody can help me.
I've been watching the network traffic on the AD server with Wireshark to see
exactly what's happening. Here's the steps:
1. OTRS requests to bind to LDAP using a specified user "CN=LDAP
Lookup,OU=Service Accounts,OU=Users,OU=EFC,DC=mydomain,DC=local".
2. LDAP server accepts the bind.
3. OTRS searches for the username.
4. LDAP server returns the correct user
5. OTRS searches for the group with the condition that the user is in the group
6. LDAP server returns the correct group
7. OTRS unbinds from LDAP
8. OTRS requests to bind to LDAP using the login user that was returned in step
4.
9. LDAP server accepts the bind
10. OTRS unbinds from LDAP server
So far this is good and shows that the initial authentication succeeds. The
next few steps are where OTRS tries to retrieve the customer attributes from
LDAP
11. OTRS requests to bind to LDAP using "<root>".
12. LDAP server accepts the bind
13. OTRS searches the specified OU's subtree for the attributes listed in the
map
14. LDAP server gives an error "000004DC: LdapErr: DSID-0C0906E8, comment: In
order to perform this operation a successful bind must be completed on the
connection., data 0, v1db1"
The problem seems to be that OTRS tries to access the LDAP tree as an anonymous
user in order to retrieve the customer attributes. Everything I've tried has
not made any change to this part of the process.
Here are some of the things I've tried;
* The customer config format, in the manual, at the following link which
authenticates but doesn't have details to map customer data
http://doc.otrs.org/3.0/en/html/auth-backends.html
* The customer config format, in the manual, at the following link which
authenticates but fails to map customer data
http://doc.otrs.org/3.0/en/html/customer-user-backend.html
* Using both the above config formats at the same time.
* Copying the Customer Config details into the Default.pm file which seemed to
work for another user.
* Using different attributes of the LDAP user to search and authenticate with
e.g. sAMAccountName and userPrincipleName.
* Using the domain suffix as part of the search and authenticate settings.
I've included my customer config below which isn't working (and is currently
written in the Default.pm file).
I've sanitised the domain and password details but otherwise the config is
exactly as on my server.
############################
# Start Customer LDAP config copied over from Config.pm
############################
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'svr004.mydomain.local';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} =
'ou=dept,dc=mydomain,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} =
'CN=OTRS_Customers,OU=Security,OU=Groups,OU=Dept,DC=mydomain,DC=local';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
# $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=LDAP
Lookup,OU=Service Accounts,OU=Users,OU=Dept,DC=mydomain,DC=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'mypw123';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter =>
'(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} =
'(objectclass=user)';
# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@mydomain.local';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
$Self->{CustomerUser} = {
Name => 'LDAP Datasource',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'svr004.efc.local',
BaseDN => 'ou=EFC,dc=mydomain,dc=local',
SSCOPE => 'sub',
UserDN => 'CN=LDAP Lookup,OU=Service
Accounts,OU=Users,OU=Dept,DC=mydomain,DC=local',
UserPW => 'mypw123',
AlwaysFilter => '(objectclass=user)',
Params => {
port => 389,
timeout => 120,
async => 0,
version => 3,
},
},
CustomerKey => 'sAMAccountName',
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'sn', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'sn',
'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
CustomerUserExcludePrimaryCustomerID => 0,
AdminSetPreferences => 0,
Map => [
[ 'UserSalutation', 'Title', 'title',
1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'cn',
1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn',
1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'sAMAccountName',
1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail',
1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail',
0, 1, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephoneNumber',
1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postaladdress',
1, 0, 'var', '', 0 ],
[ 'UserComment', 'Comment', 'description',
1, 0, 'var', '', 0 ],
],
};
############################
# End Customer LDAP config copied over from Config.pm
############################
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
