Unable to authenticate customers

Moderator: crythias

sids1
Znuny newbie
Posts: 29
Joined: 06 Oct 2016, 16:17
Znuny Version: 5.0.13
Real Name: Siddharth S
Company: Trilegal

Unable to authenticate customers

Post by sids1 »

Hello all,

Below is the LDAP module I have added in my config.pm:
My problem is very weird. I am able to pull up the details of the users; however, I am not able to authenticate them. I am not sure where I am going wrong.

Below is the error I am getting when someone tries to log in. Now I know 52e means wrong username and password, but I don't know what is wrong. Any help will be deeply appreciated.
First bind failed! 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1


# CustomerUser
# (customer ldap backend and settings)
$Self->{CustomerUser} = {
    Name => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'bgsidom02.trilegal.in',
        # ldap base dn
        BaseDN => 'DC=Trilegal,DC=in',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'otrs',
        UserPw => 'somepass',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '',
            # if both your frontend and your LDAP are unicode, use this:
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
            # if your frontend is unicode and the charset of your
            # ldap server is iso-8859-1, use these options.
            # SourceCharset => 'iso-8859-1',
            # DestCharset => 'utf-8',
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port => 389,
                timeout => 120,
                async => 0,
                version => 3,
            },
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
#    CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
#    # cache time to live in sec. - cache any database queries
#    CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',             1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
#        [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};


$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'bgsidom02.trilegal.in';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'CN=otrs,CN=Users,DC=Trilegal,DC=in';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
root
Administrator
Posts: 3966
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: Unable to authenticate customers

Post by root »

The account used for the bind user is not valid, or you provided the wrong password.
Check the settings for UserDN and UserPw.
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?

Re: Unable to authenticate customers

Post by sids1 »

Hi Root,

I have read the same comment as you have been saying but it is puzzling because I am able to see the list of users in "Customer User Management" but when I try to login from customer.pl, it says:
Login failed! Your user name or password was entered incorrectly.
So, I have the users but cannot authenticate them.

And in the system log, I see the below error:
Search failed! 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
P.S: The error has changed now.

Re: Unable to authenticate customers

Post by sids1 »

I came back to the original error:
First bind failed! 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
The error changed in between because I changed something in the auth module.

Re: Unable to authenticate customers

Post by root »

As I mentioned, v52e says: Wrong credentials for the bind user. The configuration you posted is not about authentication, it's just the CustomerUser database. Seeing users in Customer User Management has nothing to do with authentication settings.
Check $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} and $Self->{'Customer::AuthModule::LDAP::SearchUserPw'}

Re: Unable to authenticate customers

Post by sids1 »

Well,

Thanks. I just changed the below:
UserDN: CN=otrs,CN=Users,DC=Trilegal,DC=in
Password: "I just reset the password myself"

This still does not work. Any ideas?

I don't think the username or password is wrong. Can there be any other reason?

Re: Unable to authenticate customers

Post by root »

sids1 wrote: Can there be any other reason?
No, 52e still says that something is wrong with the bind user. I recommend connecting with the credentials via ldapsearch or an LDAP browser like Apache Directory Studio.

Re: Unable to authenticate customers

Post by sids1 »

Okay, I just did some testing with the UserDN and password and I observed the following.

When I changed the UserDN and password (gave a wrong value on purpose), the Customer User Management did not have any data. When I put the right user and pass, I am able to get that data.

But I trust you about 52e, I just do not know where to look.

Re: Unable to authenticate customers

Post by sids1 »

Oh sorry, I just read your post again,

I do not have the following
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} and $Self->{'Customer::AuthModule::LDAP::SearchUserPw'}
I presume I have to add these.

Re: Unable to authenticate customers

Post by sids1 »

Now I have a weirder problem.

I added the 2 modules and tried logging into customer.pl.

Very weirdly, only I am able to login and no one else in the org is.

Also, I am able to login with my domain username and password. I am also not getting any sysconfig error when others are not able to login.

Now I am confused.

Re: Unable to authenticate customers

Post by root »

Post your complete authentication configuration - without password please ;-)

Re: Unable to authenticate customers

Post by sids1 »

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'bgsidom02.trilegal.in';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=Trilegal,DC=in';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Somerandpass';

# $Self->{'Customer::AuthModule::LDAP::Params'} = {
# port => 389,
# timeout => 120,
# async => 0,
# version => 3,
# };

Very weird that only I in the whole organization am able to log in and not anyone else. There are no error logs as well when someone else tries to log in and fails.

Edit: Missed adding params

Re: Unable to authenticate customers

Post by sids1 »

I figured it out, root.

There were some old config settings which I made from the frontend which were overriding the code. Removing those params fixed the issue.

Thanks a lot. Cheers as always.
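
The two LDAP errors quoted in this thread can be triaged mechanically. The Python sketch below is an added example, not code from the thread or from Znuny: it parses the Active Directory error text, decodes the `data` sub-code of a failed bind, and names the settings the replies point to. The names `triage`, `AD_BIND_SUBCODES` and `STAGE_SETTINGS` are assumptions made for illustration.

```python
import re

# Sub-codes Active Directory reports after "data" when a simple bind fails.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong bind DN or password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Settings named in the thread for each failing stage.
STAGE_SETTINGS = {
    "First bind": "service-account bind: UserDN/UserPw (CustomerUser backend) or "
                  "SearchUserDN/SearchUserPw (Customer::AuthModule::LDAP)",
    "Search": "search attempted without a bind: SearchUserDN/SearchUserPw missing",
}

LINE_RE = re.compile(
    r"(?P<stage>First bind|Search) failed! (?P<code>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-[0-9A-Fa-f]+, comment: (?P<comment>.*), data (?P<data>[0-9A-Fa-f]+), v"
)

def triage(line):
    """Return stage, decoded meaning and settings to check, or None if no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    data = m.group("data").lower()
    return {
        "stage": m.group("stage"),
        "data": data,
        # "data 0" carries no bind sub-code; fall back to the server's comment.
        "meaning": AD_BIND_SUBCODES.get(data, m.group("comment")),
        "check": STAGE_SETTINGS[m.group("stage")],
    }

# The two log lines quoted in the thread, plus one constructed unrelated line.
SAMPLE_LOG = [
    "First bind failed! 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1",
    "Search failed! 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1",
    "Login failed! Your user name or password was entered incorrectly.",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```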