[SOLVED] OTRS 5 and LDAP friendship

[Rbx774]

Caramba!
I have fresh install OTRS 5.0.23-01 over CentOS 7.
More than two weeks trying to set up LDAP auth.
I tried official documentation (which incorrect ?) and other resources, but no luck.
When i login customer.pl or index.pl with AD user or local user i get message " Login failed! Your user name or password was entered incorrectly. "
In /var/log/messages next events:
"OTRS OTRS-CGI-77[27661]: [Error][Kernel::System::User::UserLookup][Line:930]: No UserID found for 'Testuser'!"

Active Directory on MS Windows Server 2012R2

I'm in the dark about what to do. Please, help me

Below my Config.pm


# LDAP Agent Auth Backend
$Self->{'DefaultCharset'} = 'utf-8';
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'dc1.mycompany.ru';
$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=OTRS,DC=mycompany,DC=ru';
$Self->{'AuthModule::LDAP::UID'} = 'sn';
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRSagents,OU=OTRS,DC=mycompany,DC=ru';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs-admin,OU=OTRS,DC=mycompany,DC=ru';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '123456';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
$Self->{'AuthModule::LDAP::Charset'} = 'utf-8';
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
sscope => 'sub'
};


# Sync LDAP and local DB

#$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'dc1.mycompany.ru';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=mycompany,dc=ru';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sn';
#$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'otrs-admin@mycompany.ru';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=otrs-admin,OU=OTRS,DC=mycompany,DC=ru';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '123456';
$Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {

#BD>LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

$Self->{'AuthSyncModule::LDAP::Charset'} = 'utf-8';

$Self->{'AuthSyncModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users', 'admin',
];


# LDAP Customer Auth Backend

$Self->{Customeruser} = {
Name => 'LDAP Data Source',
Module => 'Kernel::System::Customeruser::LDAP',
Params => {
Host => 'dc1.mycompany.ru',
BaseDN => 'DC=mycompany,DC=ru',
SSCOPE => 'sub',
UserDN =>'otrs-admin@mycompany.ru',
UserPw => '123456',

# Below string means that All Users and not disabled users

AlwaysFilter => '(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
SourceCharset => 'utf-8',
DestCharset => 'utf-8',
Params => {
port => 389,
timeout => 120,
async => 0,
version => 3,
},
},

CustomerKey => 'sAMAccountName',
CustomerID => 'mail',
CustomeruserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomeruserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomeruserSearchPrefix => '',
CustomeruserSearchSuffix => '*',
CustomeruserSearchListLimit => 10000,
CustomeruserPostMasterSearchFields => ['mail'],
CustomeruserNameFields => ['givenname', 'sn'],
Map => [
#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};


# Customer Auth LDAP

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc1.mycompany.ru';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=mycompany,dc=ru';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sn';
#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Domain Users,OU=Users,dc=mycompany,dc=ru';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs-admin,OU=OTRS,DC=mycompany,DC=ru';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '123456';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

[EXG133]

For AD you usually need to set UID to 'sAMAccountName' , not sn (lastname) attribute.

[root]

For AD you usually need to set UID to 'sAMAccountName' , not sn (lastname) attribute.

The attribute name does not reall matter. Of course with sn he will run into trouble as soon as this is not an unique attribute

No UserID means the AuthSync does not work proper. I would increase logging (SysConfig => Framework => Core::Log) to get more details.

-Roy

[Rbx774]

For AD you usually need to set UID to 'sAMAccountName' , not sn (lastname) attribute.

The attribute name does not reall matter. Of course with sn he will run into trouble as soon as this is not an unique attribute

No UserID means the AuthSync does not work proper. I would increase logging (SysConfig => Framework => Core::Log) to get more details.

-Roy

Can't find Framework. How i can increase logging&

[root]

Hi,

It's the Group Framework in the SysConfig. Or just search for Log.

- Roy

[Rbx774]

Hi,

It's the Group Framework in the SysConfig. Or just search for Log.

- Roy

Hi, Roy
I am newbie in Linux. It's hardcore for me
Maybe in CentOS other hierarchy or structure files and setting. I see only directory /etc/sysconfig/

[root@OTRS sysconfig]# ls
authconfig crond htcacheclean iptables-config man-db network-scripts run-parts
cbq ebtables-config httpd irqbalance modules rdisc selinux
console firewalld init kdump netconsole readonly-root sshd
cpupower grub ip6tables-config kernel network rsyslog wpa_supplicant

[root]

HI,

and you're an OTRS newboo too, right?

When anyone talks here in the forum about the SysConfig which is available via the admin menu entry :

SysConfig_2017-10-02 at 11.10 AM.png

[Rbx774]

HI,

and you're an OTRS newboo too, right?

When anyone talks here in the forum about the SysConfig which is available via the admin menu entry :

SysConfig_2017-10-02 at 11.10 AM.png

WOW! Understand

[Rbx774]

HI,

and you're an OTRS newboo too, right?

When anyone talks here in the forum about the SysConfig which is available via the admin menu entry :

SysConfig_2017-10-02 at 11.10 AM.png

WOW! Understand

Well, in SysConfig all checkboxes was checked. But no more useful info in log.
I replace 'sn' with 'sAMAccountName' and i can login with customers in Customer.pl, in Admin Panel i saw my domain users.
But login by Agent still not working, get error "Authentication succeeded, but no user record is found in the customer backend. Please contact your administrator."

I keep on played with setting, and got result!

Now its Solved

Thanks a lot Roy and EXG133


Below my Config.pm

# --------------- Start LDAP Auth. Config ---------------#

# LDAP Agent Auth Backend
$Self->{'DefaultCharset'} = 'utf-8';
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'co-dc-02.mycompany.ru';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=mycompany,DC=ru';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRSagents,OU=OTRS,DC=mycompany,DC=ru';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrs-admin,ou=otrs,dc=mycompany,dc=ru';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '123456';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
$Self->{'AuthModule::LDAP::Charset'} = 'utf-8';
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
sscope => 'sub'
};

# Sync LDAP and local DB
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '10.110.2.2';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=mycompany,DC=ru';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrs-admin,ou=otrs,dc=mycompany,dc=ru';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '123456';
$Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
#BD>LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
$Self->{'AuthSyncModule::LDAP::Charset'} = 'utf-8';
$Self->{'AuthSyncModule::LDAP::Params'} = {
port => 389,
async => 0,
version => 3,
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users', 'admin',
];

$Self->{CustomerUser} = {
Name => 'LDAP Data Source',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'co-dc-02.mycompany.ru',
BaseDN => 'DC=mycompany,DC=ru',
SSCOPE => 'sub',
UserDN =>'CN=otrs-admin,OU=OTRS,DC=mycompany,DC=RU',
UserPw => '123456',
# Below string means that All Users and not disabled users
AlwaysFilter => '(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
SourceCharset => 'utf-8',
DestCharset => 'utf-8',
Params => {
port => 389,
timeout => 120,
async => 0,
version => 3,
},
},
CustomerKey => 'sAMAccountName',
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 10000,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};

# Customer Auth LDAP
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'co-dc-02.mycompany.ru';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=mycompany,dc=ru';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Domain Users,OU=Users,dc=mycompany,dc=ru';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs-admin,OU=OTRS,DC=mycompany,DC=RU';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '123456';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};



#--------------- End LDAP Auth. Config ---------------#