AD Integration and User Sync

Moderator: crythias

Rumple
Znuny newbie
Posts: 1
Joined: 24 Apr 2010, 19:30
Znuny Version: 2.47

AD Integration and User Sync

Post by Rumple »

I've looked at the wiki and spent the last week trying to get this working. Maybe I misunderstand how it's supposed to work.
I have 2 AD groups: one for customers, one for Agents.
If I manually create the users in the database and then log in, it works just fine. If they do not exist in the DB, then I get the Userdata Panic error.
#1 - Should the LDAP be syncing my data?
#2 - I have followed all troubleshooting steps and ensured my users have an email address on their account (they are all mail enabled, so that's not a problem), and I've verified the LDAP attributes do look OK in AD.

The only thing I am doing differently is that I authenticate with UPN vs. domain\username, since it's a hosted environment and UPN is the login name.

I have a whole customer section, but figure it's best to concentrate on one section at a time. I also used the code directly out of the wiki.
Logs show that authentication was successful (so my search account is working), but it's the sync section that seems to be not working.
So, what am I missing? With LDAP I shouldn't need to run a manual sync process; the post-authentication section should be doing the sync for me.

# Agent authentication against AD via LDAP
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=local';
# Login name is the UPN (user@domain), not sAMAccountName
$Self->{'AuthModule::LDAP::UID'} = 'userPrincipalName';
# Service account used for the search bind
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=services_otrs,CN=Users,DC=domain,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'Aj8nmOZ72oJYwaGWilva';

# In case you want to always add one filter to each LDAP query, use
# this option, e.g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# Check if the user is allowed to auth in a posixGroup
# (e.g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrs_ldap_allow_A,OU=Hosting_Groups,OU=Hosting,DC=domain,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap.domain.local';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=domain,DC=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'userPrincipalName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=services_otrs,CN=Users,DC=domain,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'Aj8nmOZ72oJYwaGWilva';

# Attributes copied from the LDAP entry into the agent record on login
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

# Die if backend can't work, e.g. can't connect to server.
$Self->{'AuthSyncModule::LDAP::Die'} = 1;
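An added offline model of the two steps the config above performs on each login: the group gate (GroupDN / AccessAttr => 'member' / UserAttr => 'DN') and the UserSyncMap copy. It is example code written for this thread, not OTRS code; the directory entries are constructed, and the rule that the sync refuses a user whose mapped attribute (here mail) is empty is assumed, matching the "users must have an email address" advice in the thread.

```python
# Offline model of the login path the config above describes; no LDAP connection is made.
GROUP_DN = "CN=otrs_ldap_allow_A,OU=Hosting_Groups,OU=Hosting,DC=domain,DC=local"
UID_ATTR = "userPrincipalName"            # AuthModule::LDAP::UID: the login is the UPN
USER_SYNC_MAP = {                          # AuthSyncModule::LDAP::UserSyncMap, DB -> LDAP
    "UserFirstname": "givenName",
    "UserLastname": "sn",
    "UserEmail": "mail",
}

# Constructed sample entries keyed by DN; attribute values are lists, as LDAP returns them.
DIRECTORY = {
    "CN=Alice Agent,CN=Users,DC=domain,DC=local": {
        "userPrincipalName": ["alice@domain.local"],
        "givenName": ["Alice"], "sn": ["Agent"], "mail": ["alice@domain.local"],
    },
    "CN=Bob NoMail,CN=Users,DC=domain,DC=local": {
        "userPrincipalName": ["bob@domain.local"],
        "givenName": ["Bob"], "sn": ["NoMail"],        # mail attribute deliberately absent
    },
    "CN=Dana Outsider,CN=Users,DC=domain,DC=local": {
        "userPrincipalName": ["dana@domain.local"],
        "givenName": ["Dana"], "sn": ["Outsider"], "mail": ["dana@domain.local"],
    },
    GROUP_DN: {"member": ["CN=Alice Agent,CN=Users,DC=domain,DC=local",
                          "CN=Bob NoMail,CN=Users,DC=domain,DC=local"]},
}

def find_user_dn(login):
    """Locate the entry whose UID attribute (the UPN) equals the login name."""
    for dn, attrs in DIRECTORY.items():
        if login.lower() in (v.lower() for v in attrs.get(UID_ATTR, [])):
            return dn
    return None

def in_allowed_group(user_dn):
    """UserAttr => 'DN': the user's DN must appear in the group's AccessAttr ('member')."""
    members = DIRECTORY.get(GROUP_DN, {}).get("member", [])
    return any(m.lower() == user_dn.lower() for m in members)

def sync_user(login):
    """Return (True, db_record) built from USER_SYNC_MAP, or (False, reason) if the login cannot be synced."""
    user_dn = find_user_dn(login)
    if user_dn is None:
        return False, f"no entry with {UID_ATTR}={login}"
    if not in_allowed_group(user_dn):
        return False, f"{user_dn} is not a member of {GROUP_DN}"
    attrs = DIRECTORY[user_dn]
    missing = [ldap_attr for ldap_attr in USER_SYNC_MAP.values() if not attrs.get(ldap_attr)]
    if missing:                            # assumed rule: an empty mapped attribute blocks the sync
        return False, f"cannot sync {user_dn}: missing LDAP attribute(s) {missing}"
    return True, {db: attrs[ldap][0] for db, ldap in USER_SYNC_MAP.items()}
```

Running sync_user for each constructed UPN shows the three distinct outcomes: a full record for alice, a "not a member" refusal for dana, and a missing-mail refusal for bob, which is the case the thread ends up diagnosing.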
agcook
Znuny newbie
Posts: 20
Joined: 22 Apr 2010, 21:51
Znuny Version: 2.4.7
Location: Denver, Colorado

Re: AD Integration and User Sync

Post by agcook »

Hopefully this will help you out; here is my config for Agent LDAP authentication:

# ---------------------------------------------------- #
# OTRS Active Directory Integration #
# ---------------------------------------------------- #
# Enable LDAP Authentication for Agent #
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'abc.def.net';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=abc,dc=def,dc=net';
# Login name is the pre-Windows-2000 account name
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Only members of this group may log in as agents
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=Agents,ou=Groups,dc=abc,dc=def,dc=net';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# Service account used for the search bind
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=LDAPSearchAccount,DC=abc,DC=def,DC=net';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Enable LDAP Authentication Sync for Agent #
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://abc.def.net:389';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=abc,dc=def,dc=net';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=LDAPSearchAccount,DC=abc,DC=def,DC=net';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';

# Enable Agent Mapping from LDAP to DB #
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

Let us know if it helped... Customer will be another story altogether - I had the issue that if I made the change in the Config.pm it did not take, but if I did it in Default.pm it took and all worked :shock:
__________________________________
Andrés G. Cook
((otrs::itsm)) 2.4.7::2.0.2
Windows 2003 R2, MySQL 5, Apache2, Perl 5
akincer
Znuny newbie
Posts: 3
Joined: 05 May 2010, 21:35
Znuny Version: 2.4.7

Re: AD Integration and User Sync

Post by akincer »

AD/LDAP integration is a complete and total fail for me. My log is full of this error:

First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

I've tried just about every suggestion and config tweak I ran across to no avail.
agcook
Znuny newbie
Posts: 20
Joined: 22 Apr 2010, 21:51
Znuny Version: 2.4.7
Location: Denver, Colorado

Re: AD Integration and User Sync

Post by agcook »

akincer wrote: AD/LDAP integration is a complete and total fail for me. My log is full of this error:

First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

I've tried just about every suggestion and config tweak I ran across to no avail.

A quick search for that error returns this: http://confluence.atlassian.com/display ... n+attempts

Check to see that the user you are using for searching your LDAP is not locked out in AD...

From there I found this link to an explanation of the errors: http://confluence.atlassian.com/display ... DAP+Errors - Your error is 525 = User Not Found
__________________________________
Andrés G. Cook
((otrs::itsm)) 2.4.7::2.0.2
Windows 2003 R2, MySQL 5, Apache2, Perl 5
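An added helper for triaging the "First bind failed!" lines discussed above: it pulls the "data" sub-code out of an AD AcceptSecurityContext error and maps it to its well-known meaning (525 = user not found, as agcook says; 52e = wrong password; 775 = locked out, the case agcook asks to rule out). It is example code written for this thread, not part of OTRS; the sample log lines are constructed and only the error text itself is copied from the thread.

```python
import re
from collections import Counter

# Well-known "data NNN" sub-codes that AD appends to AcceptSecurityContext bind errors.
AD_BIND_DATA_CODES = {
    "525": "user not found (bind DN or UID value does not exist)",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_ERROR_RE = re.compile(
    r"bind failed!.*?LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9a-fA-F]+)"
)

# Constructed sample log (timestamps and the "authentication ok" line are made up for the example).
SAMPLE_LOG = "\n".join([
    "[Wed May  5 16:01:12 2010] First bind failed! 80090308: LdapErr: DSID-0C090334, "
    "comment: AcceptSecurityContext error, data 525, vece",
    "[Wed May  5 16:02:40 2010] First bind failed! 80090308: LdapErr: DSID-0C090334, "
    "comment: AcceptSecurityContext error, data 52e, vece",
    "[Wed May  5 16:03:05 2010] First bind failed! 80090308: LdapErr: DSID-0C090334, "
    "comment: AcceptSecurityContext error, data 775, vece",
    "[Wed May  5 16:03:30 2010] User: alice@domain.local authentication ok.",
])

def decode_bind_failure(line):
    """Return {'dsid', 'comment', 'data', 'meaning'} for an AD bind error line, else None."""
    m = BIND_ERROR_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    info["meaning"] = AD_BIND_DATA_CODES.get(info["data"].lower(), "unknown sub-code")
    return info

def summarize(log_text):
    """Count bind failures per meaning; a run of 775 entries means the search account is locked out."""
    counts = Counter()
    for line in log_text.splitlines():
        info = decode_bind_failure(line)
        if info:
            counts[info["meaning"]] += 1
    return counts
```

Pointing summarize at the real OTRS log separates a mistyped SearchUserDN (525) from a wrong SearchUserPw (52e) and from a lockout caused by repeated failed binds (775) without reading every line.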
akincer
Znuny newbie
Posts: 3
Joined: 05 May 2010, 21:35
Znuny Version: 2.4.7

Re: AD Integration and User Sync

Post by akincer »

Went back and used one of my many configs and now I get:

Error: Need CustomerID!!!
Comment:
Traceback: ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Wed May 5 16:15:42 2010

Message: Need CustomerID!!!

Traceback (9890):
Module: Kernel::Output::HTML::Layout::CustomerError (v1.176.2.17) Line: 4158
Module: Kernel::Modules::CustomerTicketOverView::Run (v1.50) Line: 77
Module: Kernel::System::Web::InterfaceCustomer::Run (v1.41.2.1) Line: 852
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_customer_2epl::handler (unknown version) Line: 48
Module: (eval) (v1.42) Line: 204
Module: ModPerl::RegistryCooker::run (v1.42) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.42) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
akincer
Znuny newbie
Posts: 3
Joined: 05 May 2010, 21:35
Znuny Version: 2.4.7

Re: AD Integration and User Sync

Post by akincer »

And just like that I got it working by adding in the email address for the user account and the auth user.

The instructions for making this work are not unambiguous.