[solved] New install - trying to use LDAP

Moderator: crythias

smurray
Znuny newbie
Posts: 12
Joined: 28 Mar 2012, 21:46
Znuny Version: 3.1.2
Real Name: Shaun
Company: PayFlex

[solved] New install - trying to use LDAP

Post by smurray »

Hello all! =] I'm VERY new to OTRS and just slightly newer to the world of *nix, so please... bear with me. ;D Having said that... I'm trying to authenticate and log in as a user/agent and getting some odd errors. Here is the Config.pm and then the error I get when trying to authenticate. I'm still trying to figure out how I'm going to do authentication later on; I'm thinking a combination of RADIUS/LDAP might get me what I'm needing, but I want to get LDAP running for now. TIA!!

Code:

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # DatabaseHost (The database host.)
  $Self->{'DatabaseHost'} = 'localhost';

    # Database (The database name.)
  $Self->{'Database'} = 'otrs';

    # DatabaseUser (The database user.)
  $Self->{'DatabaseUser'} = 'otrs';

    # DatabasePw (The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords.)
  $Self->{'DatabasePw'} = '***';

    # DatabaseDSN (The database DSN for MySQL ==> more: "man DBD::mysql")
  $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

    # (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
    # if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
    # if you have PostgresSQL 8.1 or earlier, activate the legacy driver with this line:
# $Self->{DatabasePostgresqlBefore82} = 1;


    # ---------------------------------------------------- #
    # fs root directory                                    #
    # ---------------------------------------------------- #

  $Self->{Home} = '/opt/otrs';


    # ---------------------------------------------------- #
    # Misk settings                                        #
    # ---------------------------------------------------- #

# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;


    # ----------------------------------------------------#
    # log settings                                        #
    # ----------------------------------------------------#

    # LogModule (log backend module)
    # (only one LogModule can be active; the File backend below is the one in use)
  # $Self->{LogModule} = 'Kernel::System::Log::SysLog';
  $Self->{LogModule} = 'Kernel::System::Log::File';

    # param for LogModule Kernel::System::Log::File (required!)
  $Self->{'LogModule::LogFile'} = '/tmp/otrs_Config.log'; 

    # param if the date (yyyy-mm) should be added as suffix to logfile [0|1]
  $Self->{'LogModule::LogFile::Date'} = 1;


    # ----------------------------------------------------#
    # authentication settings                             #
    # ----------------------------------------------------#

    # This is an example configuration for using an MS AD backend
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = '10.11.2.6';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=chicago,ou=payflex user accounts,dc=payflex,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'otrs_ldap';
 
    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrs_test,OU=Temp_Test,OU=Chicago,OU=PayFlex User Accounts,DC=payflex,DC=com';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
 
    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs ldap,OU=system accounts,DC=payflex,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = '**';
 
    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
 
    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    $Self->{'AuthModule::LDAP::UserSuffix'} = '@payflex.com';
 
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };
 
   # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = '10.11.2.6';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=payflex, dc=com';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'otrs_ldap';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrs_test, ou=temp_test, ou=chicago, ou=payflex user accounts, dc=payflex, dc=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '***';
 
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
 
    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

Code:

[Wed Mar 28 14:43:52 2012][Notice][Kernel::System::Auth::LDAP::Auth] User: smurray@payflex.com authentication failed, no LDAP entry found!BaseDN='ou=chicago,ou=payflex user accounts,dc=payflex,dc=com', Filter='(otrs_ldap=smurray@payflex.com)', (REMOTE_ADDR: 10.11.7.250).
[Wed Mar 28 14:43:52 2012][Error][Kernel::System::User::UserLookup][746] No UserID found for 'smurray'!
Last edited by smurray on 23 May 2012, 16:23, edited 1 time in total.
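The log line above already names the problem: the backend searched for Filter='(otrs_ldap=smurray@payflex.com)', so AuthModule::LDAP::UID is used as the *attribute name* to match the typed login against (plus UserSuffix), and 'otrs_ldap', the bind account's name, is not an attribute any AD user object carries. For AD the usual value is sAMAccountName with no suffix, or userPrincipalName if the '@payflex.com' suffix is kept. The following is an added example, not OTRS/Znuny code (the real backend is Kernel/System/Auth/LDAP.pm, in Perl): a small Python model of the lookup the backend does before the password bind, run against a constructed in-memory directory that carries only the attributes the posted config and the later ldapsearch output mention. The agent's DN and the directory contents are invented, the filter evaluator handles only equality terms and one AND, and the login is escaped per RFC 4515 as any code that builds filters from user input must do.

```python
"""Model of the lookup step an LDAP agent-auth backend such as OTRS's performs.
Added example, not OTRS/Znuny code.  The failure log in the post shows the
filter the backend built, (otrs_ldap=smurray@payflex.com): 'UID' names the
attribute to search and 'UserSuffix' is appended to the typed login, so the
posted UID (the bind account's name) can never match.  The directory here is
a constructed stand-in for AD with only the attributes the posted config and
ldapsearch output refer to; the agent's DN is invented.
"""
import re

# Constructed entries: {dn: {attribute: [values]}}; not real PayFlex data
AGENT_DN = "CN=Shaun Murray,OU=Chicago,OU=PayFlex User Accounts,DC=payflex,DC=com"
GROUP_DN = "CN=otrs_test,OU=Temp_Test,OU=Chicago,OU=PayFlex User Accounts,DC=payflex,DC=com"
DIRECTORY = {
    AGENT_DN: {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["smurray"],
        "userPrincipalName": ["smurray@payflex.com"],
    },
    GROUP_DN: {"objectClass": ["top", "group"], "member": [AGENT_DN]},
}

# Keys mirror the AuthModule::LDAP::* settings in Kernel/Config.pm
POSTED_CONFIG = {
    "BaseDN": "ou=chicago,ou=payflex user accounts,dc=payflex,dc=com",
    "UID": "otrs_ldap",          # the bind account's name, not an attribute
    "UserSuffix": "@payflex.com",
    "AlwaysFilter": "",
    "GroupDN": GROUP_DN,
    "AccessAttr": "member",      # with UserAttr = DN the member values are DNs
}
# For AD: search sAMAccountName with no suffix, and restrict to user objects
FIXED_CONFIG = dict(POSTED_CONFIG, UID="sAMAccountName", UserSuffix="",
                    AlwaysFilter="(objectClass=user)")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a login like 'x)(cn=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_filter(cfg: dict, login: str) -> str:
    """The filter the backend sends: (UID=login+UserSuffix), ANDed with AlwaysFilter."""
    term = "(%s=%s)" % (cfg["UID"], escape_filter_value(login + cfg["UserSuffix"]))
    return "(&%s%s)" % (cfg["AlwaysFilter"], term) if cfg["AlwaysFilter"] else term


_TERM = re.compile(r"\(([A-Za-z][\w.;-]*)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _term_matches(entry: dict, attr: str, value: str) -> bool:
    # Attribute names are case-insensitive; AD compares these string values the same way
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return any(v.lower() == value.lower() for v in values)
    return False


def evaluate(filter_str: str, entry: dict) -> bool:
    """Evaluate equality terms, optionally inside one (&...); all the model needs."""
    inner = filter_str[2:-1] if filter_str.startswith("(&") else filter_str
    terms = _TERM.findall(inner)
    if "".join("(%s=%s)" % t for t in terms) != inner:
        raise ValueError("unsupported or malformed filter: %r" % filter_str)
    return all(_term_matches(entry, a, _unescape(v)) for a, v in terms)


def search(base_dn: str, filter_str: str, directory: dict = DIRECTORY) -> list:
    """Subtree search: DNs below base_dn whose entry satisfies the filter."""
    suffix = "," + base_dn.lower()
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith(suffix) and evaluate(filter_str, entry)]


def authenticate_lookup(cfg: dict, login: str, directory: dict = DIRECTORY) -> tuple:
    """Steps before the password bind: return (filter, matched_dn, outcome)."""
    filt = build_filter(cfg, login)
    hits = search(cfg["BaseDN"], filt, directory)
    if not hits:
        return filt, None, "no LDAP entry found"
    user_dn = hits[0]
    # GroupDN check (AccessAttr=member, UserAttr=DN): the user's DN must be listed
    if user_dn not in directory.get(cfg["GroupDN"], {}).get(cfg["AccessAttr"], []):
        return filt, user_dn, "not a member of GroupDN"
    return filt, user_dn, "ok"


if __name__ == "__main__":
    for cfg in (POSTED_CONFIG, FIXED_CONFIG):
        print(authenticate_lookup(cfg, "smurray"))
    print(build_filter(FIXED_CONFIG, "smurray)(objectClass=*"))
```

With POSTED_CONFIG the model reproduces the logged filter byte for byte and finds nothing; with FIXED_CONFIG the same login matches the constructed agent entry and passes the GroupDN membership check. Switching UID to userPrincipalName while keeping UserSuffix='@payflex.com' also matches, which is why the suffix on its own was not the bug.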
artjoms15
Znuny advanced
Posts: 121
Joined: 30 Aug 2011, 10:48
Znuny Version: 3.3.8 && 4.0.9
Real Name: Artjoms Petrovs
Location: Latvia

Re: New install - trying to use LDAP

Post by artjoms15 »

The only thing I noticed might be

Code:

$Self->{'AuthModule::LDAP::UserSuffix'} = '@payflex.com';

It seems that OTRS cannot find users in your AD, so maybe you should check AD settings, like whether user smurray is in group 'CN=otrs_test,OU=Temp_Test,OU=Chicago,OU=PayFlex User Accounts,DC=payflex,DC=com'.

Cheers,
A.
Kind regards,
----------------------------------------
Artjoms Petrovs
Systems Analyst/Programmer
smurray
Znuny newbie
Posts: 12
Joined: 28 Mar 2012, 21:46
Znuny Version: 3.1.2
Real Name: Shaun
Company: PayFlex

Re: New install - trying to use LDAP

Post by smurray »

Huh.... Easy fix. Ish. =]

While that was an issue (will look into that later), something else is still broken. I've commented the UserSuffix out, and now I'm getting this:

Code:

Backend ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Fri Mar 30 09:22:29 2012
Message: Access denied for user 'otrs'@'localhost' (using password: YES)
Traceback (5411):
  Module: Kernel::System::DB::new (v1.144) Line: 227
  Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 143
  Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
  Module: (eval) (v1.90) Line: 204
  Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
  Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
  Module: ModPerl::Registry::handler (v1.99) Line: 31

Code:

[Fri Mar 30 09:22:29 2012][Error][Kernel::System::DB::new][227] Access denied for user 'otrs'@'localhost' (using password: YES)
The odd thing is, I am using my AD account to log in, so why would otrs@localhost be used? The only log I know to check resides in /tmp/, yet that error is referring to lines in something else, right? Not the Config.pm. Again, TY! The possibilities of OTRS are really encouraging. [=
smurray
Znuny newbie
Posts: 12
Joined: 28 Mar 2012, 21:46
Znuny Version: 3.1.2
Real Name: Shaun
Company: PayFlex

Re: New install - trying to use LDAP

Post by smurray »

Error: /var/log/httpd/error_log

Code:

[Tue May 01 10:13:08 2012] [error] [Tue May  1 10:13:08 2012] -e: Can't connect to chi-dc1.payflex.com.com: IO::Socket::INET: connect: Connection refused at /opt/otrs//Kernel/System/CustomerAuth/LDAP.pm line 176.\n
Config.pm

Code:

[root@otrs-test Kernel]# more Config.pm
# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2011 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.25 2011/09/16 10:58:28 mg Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
#  Note:
#
#  -->> OTRS does have a lot of config settings. For more settings
#       (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
#       LDAP, PostMaster, Session, Preferences, ...) see
#       Kernel/Config/Defaults.pm and copy your wanted lines into "this"
#       config file. This file will not be changed on update!
#
# --

package Kernel::Config;

use utf8;

sub Load {
    my $Self = shift;
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #         Start of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #
    # DatabaseHost
    # (The database host.)
    $Self->{'DatabaseHost'} = 'localhost';
    # Database
    # (The database name.)
    $Self->{'Database'} = 'otrs';
    # DatabaseUser
    # (The database user.)
    $Self->{'DatabaseUser'} = 'otrs';
    # DatabasePw
    # (The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords.)
    $Self->{'DatabasePw'} = '***';
    # DatabaseDSN
    # (The database DSN for MySQL ==> more: "man DBD::mysql")
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

    # (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a tcpip connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
    # if you have PostgresSQL 8.1 or earlier, activate the legacy driver with this line:
#    $Self->{DatabasePostgresqlBefore82} = 1;

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

        # ----------------------------------------------------#
        # authentication settings                             #
        # ----------------------------------------------------#

        # This is an example configuration for using an MS AD backend
        $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
        $Self->{'AuthModule::LDAP::Host'} = 'chi-dc1.payflex.com';
        $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=chicago,ou=payflex user accounts,dc=payflex,dc=com';
        $Self->{'AuthModule::LDAP::UID'} = 'otrs_ldap';

        # Check if the user is allowed to auth in a posixGroup
        # (e. g. user needs to be in a group OTRS_Agents to use otrs)
        $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrs_test,OU=Temp_Test,OU=Chicago,OU=PayFlex User Accounts,DC=payflex,DC=com';
        $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
        $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

        # Bind credentials to log into AD
        $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs ldap,OU=system accounts,DC=payflex,DC=com';
        $Self->{'AuthModule::LDAP::SearchUserPw'} = '***';

        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

        # in case you want to add a suffix to each login name,  then
        # you can use this option. e. g. user just want to use user but
        # in your ldap directory exists user@domain.
        $Self->{'AuthModule::LDAP::UserSuffix'} = '@payflex.com';

        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        $Self->{'AuthModule::LDAP::Params'} = {
            port => 389,
            timeout => 120,
            async => 0,
            version => 3,
        };

       # Now sync data with OTRS DB
        $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
        $Self->{'AuthSyncModule::LDAP::Host'} = 'chi-dc1.payflex.com';
        $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=payflex, dc=com';
        $Self->{'AuthSyncModule::LDAP::UID'} = 'otrs_ldap';
        $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrs ldap, ou=system accounts, dc=payflex, dc=com';
        $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '***';
        $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
            # DB -> LDAP
            UserFirstname => 'givenName',
            UserLastname  => 'sn',
            UserEmail     => 'mail',
        };

        # AuthSyncModule::LDAP::UserSyncInitialGroups
        # (sync following group with rw permission after initial create of first agent
        # login)
        $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
            'users',
        ];
    

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #           End of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.25 $)[1];

use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

# -----------------------------------------------------#

1;
However... this I find odd now, because this works:

[root@otrs-test Kernel]# ldapsearch -p 389 -l 120 -b "ou=System Accounts,DC=payflex,DC=com" -h chi-dc1.payflex.com "(cn=otrs*)" -D 'CN=otrs ldap,OU=System Accounts,DC=payflex,DC=com' -w '***'

Code:

# extended LDIF
#
# LDAPv3
# base <ou=System Accounts,DC=payflex,DC=com> with scope subtree
# filter: (cn=otrs*)
# requesting: ALL
#

# otrs, System Accounts, payflex.com
dn: CN=otrs,OU=System Accounts,DC=payflex,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: otrs
givenName: otrs
distinguishedName: CN=otrs,OU=System Accounts,DC=payflex,DC=com
instanceType: 4
whenCreated: 20120430205205.0Z
whenChanged: 20120430205205.0Z
displayName: otrs
uSNCreated: 215098
uSNChanged: 215104
name: otrs
objectGUID:: nbxKEOqrlEq5K7Da/Y647A==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129802927256311428
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAkSamF3oStiCBCHEYMWYAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: otrs
sAMAccountType: 805306368
userPrincipalName: otrs@payflex.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=payflex,DC=com
dSCorePropagationData: 20120430205205.0Z
dSCorePropagationData: 16010101000000.0Z

# otrs ldap, System Accounts, payflex.com
dn: CN=otrs ldap,OU=System Accounts,DC=payflex,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: otrs ldap
sn: ldap
givenName: otrs
distinguishedName: CN=otrs ldap,OU=System Accounts,DC=payflex,DC=com
instanceType: 4
whenCreated: 20090518162648.0Z
whenChanged: 20120430203806.0Z
displayName: otrs_ldap
uSNCreated: 34174
memberOf: CN=Windows Authorization Access Group,CN=Builtin,DC=payflex,DC=com
memberOf: CN=Domain Admins,OU=System Groups,DC=payflex,DC=com
uSNChanged: 214580
name: otrs ldap
objectGUID:: NjQHoyoWWECvqbJOcDxSZA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129803524172199438
lastLogoff: 0
lastLogon: 129803524443639121
pwdLastSet: 129802917455043788
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAkSamF3oStiCBCHEYKzgAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: otrs_ldap
sAMAccountType: 805306368
userPrincipalName: otrs_ldap@payflex.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=payflex,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129802918861500625

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
This just tells me that LDAP is working properly and the creds are being accepted. But OTRS is doing something a little funky on the back side, and I'm unsure exactly what.... =[ Any ideas?
Last edited by smurray on 23 May 2012, 16:24, edited 1 time in total.
dylan650
Znuny newbie
Posts: 29
Joined: 18 May 2012, 19:48
Znuny Version: 3.1.2

Re: New install - trying to use LDAP

Post by dylan650 »

The error message is....
Can't connect to chi-dc1.payflex.com.com

So why don't you type this at the command line to see what happens:

telnet chi-dc1.payflex.com.com 389

or, as a better test, just type 'nslookup chi-dc1.payflex.com.com'.
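The telnet/nslookup suggestion above checks the two steps that happen before any LDAP traffic: resolving the host name (the logged name ends in '.com.com', one TLD too many) and opening the TCP connection, which is exactly what fails at line 176 of CustomerAuth/LDAP.pm with "Connection refused". The script below is an added example, not OTRS/Znuny or Net::LDAP code: a stand-alone preflight in Python that runs those two checks and then performs the same simple bind the search account does, so each of the three errors seen in this thread lands in its own stage. The BindRequest/BindResponse encoding is written by hand from RFC 4511 to avoid a dependency; it is not a general LDAP client and assumes the directory answers a simple bind on the given port. Two caveats a practitioner should take from it: like the posted config (port 389, no TLS) it sends the bind password in the clear, so run it only on the network the OTRS host already uses or move to LDAPS/StartTLS; and the earlier ldapsearch output shows the 'otrs ldap' bind account is a member of Domain Admins, while a search account whose password sits in Config.pm only needs read access to the user and group OUs.

```python
"""Connectivity preflight for an LDAP auth backend: an added example, not
OTRS/Znuny code.  It walks the stages at which this thread's errors appear:
name resolution (the 'chi-dc1.payflex.com.com' typo), the TCP connect that
Net::LDAP makes before anything else ('Connection refused'), and a simple
bind with the search account.  The bind is a hand-encoded LDAPv3 BindRequest
(RFC 4511) so only the standard library is needed; it is not a general client.
Like the posted config (port 389, no TLS) it sends the password in the clear.
"""
import socket

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, else 0x80|count + big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def encode_bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage{messageID, [APPLICATION 0] BindRequest{version 3, name, [0] simple}}."""
    if not 0 < msg_id < 0x80:
        raise ValueError("messageID outside the single-octet range this helper supports")
    bind = (ber_tlv(0x02, b"\x03")                       # version 3
            + ber_tlv(0x04, bind_dn.encode("utf-8"))      # name: LDAPDN ("" = anonymous)
            + ber_tlv(0x80, password.encode("utf-8")))    # authentication: simple
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ber_tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                                   # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(buf: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, msg_id, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:                                    # [APPLICATION 1] BindResponse
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)                        # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(op, pos)            # matchedDN (usually empty)
    _, diag, _ = read_tlv(op, pos)                     # diagnosticMessage
    return (int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def recv_message(sock) -> bytes:
    """Read exactly one BER element (one LDAPMessage) from the socket."""
    def exact(n):
        data = b""
        while len(data) < n:
            chunk = sock.recv(n - len(data))
            if not chunk:
                raise ConnectionError("peer closed the connection mid-message")
            data += chunk
        return data
    head = exact(2)
    length = head[1]
    if length & 0x80:
        head += exact(length & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + exact(length)


def ldap_preflight(host, port, bind_dn, password, timeout=5.0):
    """Return (stage, detail) with stage in {'dns', 'connect', 'bind', 'ok'}."""
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", "cannot resolve %r: %s" % (host, exc)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "connect", "cannot connect to %s:%d: %s" % (host, port, exc)
    try:
        with sock:
            sock.sendall(encode_bind_request(1, bind_dn, password))
            _, code, diag = decode_bind_response(recv_message(sock))
    except (OSError, ValueError) as exc:
        return "bind", "no usable BindResponse from %s:%d: %s" % (host, port, exc)
    if code != LDAP_SUCCESS:
        name = "invalidCredentials" if code == LDAP_INVALID_CREDENTIALS else "resultCode"
        return "bind", "%s %d: %s" % (name, code, diag)
    return "ok", "simple bind as %r succeeded" % bind_dn


if __name__ == "__main__":
    import sys  # usage: preflight.py HOST PORT BIND_DN PASSWORD
    print(ldap_preflight(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]))
```

Run it with the same host, port and SearchUserDN that Config.pm uses; a 'dns' result means the name in AuthModule::LDAP::Host is wrong on this box, 'connect' means the host resolves but nothing answers on that port (firewall, wrong port, or LDAP not listening), and a 'bind' result with resultCode 49 means the directory was reached but rejected the search account's credentials, which is the earliest point at which the problem is an OTRS configuration rather than an OS or network one.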
smurray
Znuny newbie
Posts: 12
Joined: 28 Mar 2012, 21:46
Znuny Version: 3.1.2
Real Name: Shaun
Company: PayFlex

Re: New install - trying to use LDAP

Post by smurray »

BRILLIANT! You know, you read something a million times and end up reading what you want to as opposed to what is actually there. So, checking my config, it doesn't look like an OTRS issue but an OS or networking/DNS issue. Ish. TY. =D