I've got a read-only AD domain controller (2012) on the same subnet as this server and am trying to bind to that to get my agents and customers/users (several thousand, so I don't want to have to manually enter them) able to log in using their domain credentials.
Starting with the agents, I've added the following into config.pm
```perl
# Enable LDAP lookups for Agent logins
$Self->{'AuthModule'}               = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}   = 'you.me.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=me,DC=local';
$Self->{'AuthModule::LDAP::UID'}    = 'sAMAccountName';
# Service account used for the initial bind and the user search
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=service,OU=Accounts,DC=me,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '**';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
# Only members of this group are allowed to log in
$Self->{'AuthModule::LDAP::GroupDN'}    = 'CN=Helpdesk,OU=Groups,DC=me,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'}   = 'DN';
# Options handed to Net::LDAP->new; OTRS reads this hash from the 'Params' key.
# Search scope is not a Net::LDAP->new option; searches are subtree scope by default.
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Enable LDAP lookups of Agent account info and roles
$Self->{'AuthSyncModule'}               = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}   = 'you.me.local';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=me,DC=local';
$Self->{'AuthSyncModule::LDAP::UID'}    = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=service,OU=Accounts,DC=me,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '**';
$Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthSyncModule::LDAP::GroupDN'}    = 'CN=Helpdesk,OU=Groups,DC=me,DC=local';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr'}   = 'DN';
# AD attributes copied into the OTRS agent record on each login
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# AD group -> OTRS role mapping
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    'CN=Helpdesk,OU=Groups,DC=me,DC=local' => {
        'Helpdesk' => 1,
    },
};
# OTRS groups every synced agent is placed in on first login
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
```
When I try to log in with one of the AD accounts in the 'helpdesk' group on the index.pl page I get "login failed" and the error log shows

```
Search failed! 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
No UserID found for 'username'
```

I know the credentials are right and work, as I've tested them with ldapsearch and I get data back.
I've tried setting SearchUserDN to the distinguished name, username@domain and domain\username but with no joy.
Am I missing something obvious in my code or is there something else I need to do to get this working? Is there an issue with the fact the 2012 DC it's querying is a Read Only Domain Controller?
My brain is already frazzled by a hectic past 2 weeks and I'm struggling to dig further into this.