LDAP Bind Issue

Moderator: crythias

siilit
Znuny newbie
Posts: 1
Joined: 19 Jul 2017, 16:55
Znuny Version: 5.0.21-02
Real Name: Andy Baker
Company: Salam International

LDAP Bind Issue

Post by siilit »

I've set up a brand new CentOS 7 server to host this, and after sorting out a few dependency issues and disabling SELinux, I've installed otrs-5.0.21-02.

I've got a read-only AD domain controller (2012) on the same subnet as this server and am trying to bind to that to get my agents and customers/users (several thousand, so I don't want to have to enter them manually) able to log in using their domain credentials.

Starting with the agents, I've added the following to Config.pm:

Code:

# Enable LDAP lookups for Agent logins
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'you.me.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=me,DC=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Account used for the initial (search) bind before the user's own bind
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=service,OU=Accounts,DC=me,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '**';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
# Only members of this group may log in; membership is checked on the group's
# 'member' attribute against the user's DN
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Helpdesk,OU=Groups,DC=me,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Net::LDAP connection parameters (the config key is 'Params', not 'Parms';
# a misspelled key is silently ignored and the module falls back to its defaults)
$Self->{'AuthModule::LDAP::Params'} = {
   port => 389,
   timeout => 120,
   async => 0,
   version => 3,
   sscope => 'sub',
};

# Enable LDAP lookups of Agent account info and roles
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'you.me.local';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=me,DC=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=service,OU=Accounts,DC=me,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '**';
$Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthSyncModule::LDAP::GroupDN'} = 'CN=Helpdesk,OU=Groups,DC=me,DC=local';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
# AD attributes copied into the agent record on each login
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
  UserFirstname => 'givenName',
  UserLastname => 'sn',
  UserEmail => 'mail',
};
# AD group -> OTRS role mapping
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
  'CN=Helpdesk,OU=Groups,DC=me,DC=local' => {
    'Helpdesk' => 1,
  }
};
# OTRS groups given to every newly synced agent
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

As well as the root account, I've set up another account before applying the LDAP settings, to which I've given admin permissions. This account also matches one of the accounts in AD.

When I try to log in with one of the AD accounts in the 'helpdesk' group on the index.pl page, I get "login failed" and the error log shows:

Code:

Search failed! 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
No UserID found for 'username'

The CentOS server can ping and resolve the domain controller.
I know the credentials are right and work, as I've tested them with ldapsearch and I get data back.
I've tried setting SearchUserDN to the distinguished name, username@domain and domain\username, but with no joy.

Am I missing something obvious in my code or is there something else I need to do to get this working? Is there an issue with the fact the 2012 DC it's querying is a Read Only Domain Controller?

My brain is already frazzled by a hectic past 2 weeks and I'm struggling to dig further into this.

wurzel
Znuny guru
Posts: 3230
Joined: 08 Jul 2010, 22:25
Znuny Version: x.x.x
Real Name: Florian

Re: LDAP Bind Issue

Post by wurzel »

Hi,

Check CN=service,OU=Accounts,DC=me,DC=local
again.

It seems the user is wrong.

Reduce the possible values to the following minimum requirements:

Code:

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'you.me.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=me,DC=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=service,OU=Accounts,DC=me,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '**';

and read the logs to see if authentication is OK. Then go further.

Flo
OTRS 8 SILVER (Prod)
OTRS 8 on Debian 11 (Test)
Znuny 7.x latest version testing on Debian 11

-- I don't answer forum questions by PM - No PM please

I won't answer to unfriendly users any more. A greeting and regards are just polite.
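The stepwise check wurzel recommends, done outside OTRS so each stage reports its own LDAP result code: an added diagnostic script, not code from the thread or from the OTRS/Znuny project. It replays the sequence Kernel::System::Auth::LDAP performs with the settings posted above (bind as SearchUserDN, search the UID, check the GroupDN membership, then bind as the user), so a failure in the first bind shows up as its own error instead of the later "a successful bind must be completed" search failure and "No UserID found". The host, DNs, the LDAP_SEARCH_PW environment variable and the command-line user/password are assumptions taken from the post and should be adjusted.

```perl
#!/usr/bin/perl
# Added diagnostic (not part of OTRS/Znuny): replays the bind -> search ->
# group check -> user bind sequence that Kernel::System::Auth::LDAP performs,
# printing the LDAP error of the first step that fails.
# Assumptions: host, DNs and attribute names are copied from the forum post;
# the service-account password is read from LDAP_SEARCH_PW.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $Host         = 'you.me.local';                               # assumed
my $BaseDN       = 'DC=me,DC=local';                             # assumed
my $SearchUserDN = 'CN=service,OU=Accounts,DC=me,DC=local';      # assumed
my $GroupDN      = 'CN=Helpdesk,OU=Groups,DC=me,DC=local';       # assumed
my $SearchUserPw = $ENV{LDAP_SEARCH_PW}
    // die "set LDAP_SEARCH_PW to the service account password\n";

my ( $User, $UserPw ) = @ARGV;
die "usage: $0 <sAMAccountName> <password>\n" unless defined $UserPw;

# Same Net::LDAP parameters as AuthModule::LDAP::Params in the post.
my $ldap = Net::LDAP->new( $Host, port => 389, timeout => 120, version => 3 )
    or die "connect to $Host failed: $@\n";

# Step 1: bind as the search account. If this fails, every later search on
# the connection is rejected by AD with "a successful bind must be completed".
my $Result = $ldap->bind( $SearchUserDN, password => $SearchUserPw );
die sprintf( "search-account bind failed: %s (code %d)\n", $Result->error, $Result->code )
    if $Result->code;
print "search-account bind OK\n";

# Step 2: resolve the login name to a DN, with the AlwaysFilter applied.
# The value is escaped so a crafted login name cannot alter the filter.
my $Filter = sprintf '(&(sAMAccountName=%s)(objectclass=user))',
    escape_filter_value($User);
$Result = $ldap->search(
    base   => $BaseDN,
    scope  => 'sub',
    filter => $Filter,
    attrs  => ['1.1'],    # DN only
);
die sprintf( "user search failed: %s (code %d)\n", $Result->error, $Result->code )
    if $Result->code;
my $Entry = $Result->entry(0) or die "No UserID found for '$User'\n";
my $UserDN = $Entry->dn;
print "found $UserDN\n";

# Step 3: group check as GroupDN / AccessAttr=member / UserAttr=DN configure it.
$Result = $ldap->search(
    base   => $GroupDN,
    scope  => 'base',
    filter => sprintf( '(member=%s)', escape_filter_value($UserDN) ),
    attrs  => ['1.1'],
);
die sprintf( "group search failed: %s (code %d)\n", $Result->error, $Result->code )
    if $Result->code;
die "$UserDN is not a member of $GroupDN\n" unless $Result->count;
print "group membership OK\n";

# Step 4: the actual authentication, a bind with the user's own DN and password.
$Result = $ldap->bind( $UserDN, password => $UserPw );
die sprintf( "user bind failed: %s (code %d)\n", $Result->error, $Result->code )
    if $Result->code;
print "user bind OK: '$User' would be accepted by the Auth module\n";

$ldap->unbind;
```

Run it as `LDAP_SEARCH_PW='...' perl ldap-check.pl jsmith 'password'` on the OTRS host itself, so it exercises the same network path and DNS resolution as the application. Because ldapsearch accepts a bind identity in several forms (DN, UPN, DOMAIN\user) that the Auth module passes through unchanged, a service account that "works with ldapsearch" but fails at step 1 here points at the DN or password in SearchUserDN/SearchUserPw rather than at the domain controller.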