Unable to log in as Customer AD/LDAP user

Moderator: crythias

chetannagaonkar
OTRS wizard
Posts: 144
Joined: 25 Oct 2010, 10:02
OTRS Version?: 3.2
Location: Bangalore, India

Unable to log in as Customer AD/LDAP user

Post by chetannagaonkar »

Hello All,

I am sorry to start a thread on Active Directory again. I have searched all the threads on AD/LDAP before initiating one again. I am able to integrate AD/LDAP with OTRS for customers and can search them in the Admin module too. However, I am unable to log in to customer.pl with an AD user and password. It does not throw any OTRS error except that it says that the login or password is invalid. It shows the login error in red as "Login failed! Your user name or password was entered incorrectly."

Has anybody faced and resolved it? Your help would be really appreciated.

Thanks.
Best Regards
Chetan
Best Regards
Chetan
OTRS 3.06
ITSM 3.1
MySQL
Windows 7 Ultimate

ferrosti
OTRS ninja
Posts: 723
Joined: 10 Oct 2007, 14:30
OTRS Version?: 3.0
Location: Hamburg, Germany

Re: Unable to log in as Customer AD/LDAP user

Post by ferrosti »

It would help to see what your log file says.
Do you use the correct search options like


    $Self->{'Customer::AuthModule::LDAP::UID'} = 'samaccountname';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems

chetannagaonkar
OTRS wizard
Posts: 144
Joined: 25 Oct 2010, 10:02
OTRS Version?: 3.2
Location: Bangalore, India

Re: Unable to log in as Customer AD/LDAP user

Post by chetannagaonkar »

Thanks for the reply, ferrosti. The admin log does not show any error. I have tried different settings, but somehow I am unable to log in as an LDAP customer. We'll be going live shortly. I would really, really appreciate any help to resolve this, please. Below is my config.pm file:

# CustomerUser
# (customer user ldap backend and settings)

$Self->{'Customer::AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'abcd.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=abcd,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'uid=abcd,ou=users,o=ldap-services,dc=abcd,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxx';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(&(objectclass=user)(mail=*))';


#this code is added on Jan 25 to sync and allow customers to log in properly
# Sync
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'abcd.com';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=abcd,DC=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=abcd,ou=users,o=ldap-services,dc=abcd,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
Username => 'sAMAccountName',
};


$Self->{'AuthModule::LDAP::Die'} = 0;
# ---------------------------------------------------- #
# UserSyncLDAPMap
# ---------------------------------------------------- #
# (map if agent should create/synced from LDAP to DB after login)
$Self->{UserSyncLDAPMap} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

$Self->{UserSyncLDAPGroups} = ['user',];


# $Self->{UserSyncLDAPMap} = {
# DB -> LDAP
# UserFirstname => 'givenName',
# UserLastname => 'sn',
# UserEmail => 'mail',
# };
$Self->{CustomerUser} = {
Name => 'LDAP Backend',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
# # ldap host
Host => 'abcd.com',
# # ldap base dn
BaseDN => 'dc=abcd,dc=com',
# # search scope (one|sub)
SSCOPE => 'sub',
# # The following is valid but would only be necessary if the
# # anonymous user does NOT have permission to read from the LDAP tree
UserDN => 'abcd',
UserPw => 'xxxx',
# # in case you want to add always one filter to each ldap query, use
# # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# AlwaysFilter => '',
AlwaysFilter => '(&(objectclass=user)(mail=*))',


# # if both your frontend and your LDAP are unicode, use this:
SourceCharset => 'utf-8',
DestCharset => 'utf-8',
# # if your frontend is e. g. iso-8859-1 and the charset of your
# # ldap server is utf-8, use these options.
# SourceCharset => 'utf-8',
# DestCharset => 'iso-8859-1',

# # die if backend can't work, e. g. can't connect to server
Die => 0,
# # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
Params => {
port => 389,
timeout => 120,
async => 180,
version => 3,
},
},
# # customer uniq id
CustomerKey => 'sAMAccountName',
# # customer #
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
# # show now own tickets in customer panel, CompanyTickets
CustomerUserExcludePrimaryCustomerID => 0,
# # add a ldap filter for valid users (expert setting)
# # CustomerUserValidFilter => '(!(description=gesperrt))',
# # admin can't change customer preferences
AdminSetPreferences => 0,
# # cache time to live in sec. - cache any ldap queries
CacheTTL => 0,
Map => [
# # note: Login, Email and CustomerID needed!
# # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
[ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
# [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};

crythias
Moderator
Posts: 10112
Joined: 04 May 2010, 18:38
OTRS Version?: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Unable to log in as Customer AD/LDAP user

Post by crythias »

http://doc.otrs.org/3.0/en/html/auth-backends.html
The following is for authentication. You should be receiving System Log messages about why your customers aren't authenticating, but logging in Windows is different from logging in Linux, which is why you (might) not see error messages.

# This is an example configuration for an LDAP auth. backend.
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap.example.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = '';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
OTRS 5.0.x (private/testing/public) on Linux with MySQL database. Also on github.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

chetannagaonkar
OTRS wizard
Posts: 144
Joined: 25 Oct 2010, 10:02
OTRS Version?: 3.2
Location: Bangalore, India

Re: Unable to log in as Customer AD/LDAP user

Post by chetannagaonkar »

Thanks, Crythias. But it still doesn't help:-)
What I think I am unclear about is that we use many parameters while configuring it with AD/LDAP. I don't know what OTRS uses to log in as an AD user. Is it user id, customerkey, customerid, username, or user DN? Then perhaps it may be clear if it is using passwords correctly to log in, in the first place.

Best Regards
Chetan

ferrosti
OTRS ninja
Posts: 723
Joined: 10 Oct 2007, 14:30
OTRS Version?: 3.0
Location: Hamburg, Germany

Re: Unable to log in as Customer AD/LDAP user

Post by ferrosti »

Seems like you did some C&P and forgot to change it to your needs.


$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
is missing.

Watch the first block of your config that you have posted! Customer and Agent Auth are different modules!
Another piece of advice would be to try it without the filter first.

chetannagaonkar
OTRS wizard
Posts: 144
Joined: 25 Oct 2010, 10:02
OTRS Version?: 3.2
Location: Bangalore, India

Re: Unable to log in as Customer AD/LDAP user

Post by chetannagaonkar »

That's a good catch, ferrosti. Lemme try and see if that works.

Best Regards
Chetan

chetannagaonkar
OTRS wizard
Posts: 144
Joined: 25 Oct 2010, 10:02
OTRS Version?: 3.2
Location: Bangalore, India

Re: Unable to log in as Customer AD/LDAP user

Post by chetannagaonkar »

Hello ferrosti,

I made the necessary change and then tested it. I was still not able to log in, though. I noticed the below error in the admin sys log. Not sure when that is caused. Any idea?

First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

ferrosti
OTRS ninja
Posts: 723
Joined: 10 Oct 2007, 14:30
OTRS Version?: 3.0
Location: Hamburg, Germany

Re: Unable to log in as Customer AD/LDAP user

Post by ferrosti »


chetannagaonkar
OTRS wizard
Posts: 144
Joined: 25 Oct 2010, 10:02
OTRS Version?: 3.2
Location: Bangalore, India

Re: Unable to log in as Customer AD/LDAP user

Post by chetannagaonkar »

Thanks for the reply, ferrosti. At least after going through the link, I was able to identify that the issue is with the username, DN. I'll try out different combinations and that should work. Thanks again.

Best Regards
Chetan

srivatsatatti
OTRS expert
Posts: 85
Joined: 25 Jan 2011, 06:54
OTRS Version?: OTRS 3
Company: eStomi Technologies Pvt Ltd
Contact:

Re: Unable to log in as Customer AD/LDAP user

Post by srivatsatatti »

I am getting the error "OTRS-CGI-10 Sizelimit exceeded", and nothing is getting populated when I click on Customers in the admin area.

Below is my Config.pm



# CustomerUser
# (customer user ldap backend and settings)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'somedomain.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=somedomain,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=abcd,ou=users,dc=somedomain,dc=com';
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=abcd,dc=somedomain';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxxx';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 3268,
timeout => 120,
async => 0,
version => 3,
};
$Self->{CustomerUser} = {
Name => 'LDAP Datasource',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'somedomain.com',
BaseDN => 'dc=somedomain,dc=com',
SSCOPE => 'sub',
UserDN => 'cn=abcd,dc=somedomain',
UserPW => 'xxxxxx',
Params => {
port => 3268,
timeout => 120,
async => 0,
version => 3,
},
},
CustomerKey => 'uid',
CustomerID => 'mail',
CustomerUserListFields => ['sn', 'cn', 'mail'],
CustomerUserSearchFields => ['uid', 'cn', 'sn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
CustomerUserExcludePrimaryCustomerID => 0,
AdminSetPreferences => 0,
Map => [
[ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'cn', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'uid', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};
OTRS 3.2.x, Linux Ubuntu, Mysql 5.1.

srivatsatatti
OTRS expert
Posts: 85
Joined: 25 Jan 2011, 06:54
OTRS Version?: OTRS 3
Company: eStomi Technologies Pvt Ltd
Contact:

Re: Unable to log in as Customer AD/LDAP user

Post by srivatsatatti »

I could fix it; the problem was in 'uid':
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
Changed to
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
and in all occurrences of 'uid'.

But now I am unable to log in through the customer portal.
I get this error in the admin log:
First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
but if I search for that customer, that customer exists.

Any help would be much appreciated.

Thanks
Srivatsa

ferrosti
OTRS ninja
Posts: 723
Joined: 10 Oct 2007, 14:30
OTRS Version?: 3.0
Location: Hamburg, Germany

Re: Unable to log in as Customer AD/LDAP user

Post by ferrosti »

This error has already been discussed here. A search could help.

First bind is about the search user not being able to log in.
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=abcd,dc=somedomain';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxxx';
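To make the two points in this thread concrete (Chetan's question about which parameter OTRS actually logs in with, and ferrosti's "First bind is about the search user"), here is an added walk-through of the customer login sequence against a small in-memory stand-in for Active Directory. It is not OTRS code and not ferrosti's; the sequence it replays is the usual one for this kind of backend: bind as SearchUserDN/SearchUserPw, search BaseDN for an entry whose UID attribute equals the typed login name (ANDed with AlwaysFilter), then bind as the DN of the entry found using the typed password. All DNs, account names and passwords are constructed placeholders, the error strings reuse the format seen in the log line above, and the RFC 4515 filter escaping is shown as good practice rather than as a claim about how OTRS builds its filter. The `explain_bind_error` helper decodes the `data NNN` sub-code AD puts in its AcceptSecurityContext message; 525 is "user not found", which is why a SearchUserDN that does not exist in AD fails at the first bind before the customer's password is ever checked.

```python
"""Replay of the two-step LDAP customer login (search-user bind, lookup,
user bind) against a constructed fake directory. Added example, not OTRS code.
All names, DNs and passwords below are placeholders."""
import re

# AD reports why a simple bind failed in the "data NNN" part of an
# AcceptSecurityContext error. These sub-codes are the documented AD values.
AD_BIND_DATA_CODES = {
    "525": "user not found: the bind DN / account does not exist",
    "52e": "invalid credentials: wrong password",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_ERROR_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+)")


def explain_bind_error(log_line):
    """Return (which bind, data code, meaning) for a log line carrying an AD bind
    error, or None. 'First bind failed!' is the bind as SearchUserDN; in this
    model any other bind error is the customer's own bind."""
    m = BIND_ERROR_RE.search(log_line)
    if not m:
        return None
    code = m.group("code").lower()
    which = "search-user bind" if "First bind failed!" in log_line else "customer bind"
    return which, code, AD_BIND_DATA_CODES.get(code, "unknown data code")


def escape_filter_value(value):
    """RFC 4515 escaping: a login name typed into the form must not be able to
    change the shape of the search filter (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def build_search_filter(uid_attr, login, always_filter=""):
    """(UID=login) ANDed with AlwaysFilter, as sent to the directory."""
    core = "(%s=%s)" % (uid_attr, escape_filter_value(login))
    return "(&%s%s)" % (core, always_filter) if always_filter else core


def ad_error(code):
    # Same shape as the message quoted in the thread; DSID value reused from it.
    return "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data %s, vece" % code


class FakeDirectory:
    """Constructed stand-in for AD: dn -> (password, attributes).
    DN and attribute matching is case-insensitive, as in AD."""

    def __init__(self, entries):
        self.entries = {dn.lower(): v for dn, v in entries.items()}

    def bind(self, dn, password):
        """Simple bind: None on success, otherwise an AD-style error string."""
        entry = self.entries.get(dn.lower())
        if entry is None:
            return ad_error("525")
        if entry[0] != password:
            return ad_error("52e")
        return None

    def search(self, attr, value, always_filter_ok=lambda attrs: True):
        """DNs whose `attr` equals `value` and that also pass the AlwaysFilter predicate."""
        return [dn for dn, (_, attrs) in self.entries.items()
                if attrs.get(attr, "").lower() == value.lower() and always_filter_ok(attrs)]


def customer_login(cfg, directory, login, password):
    """Returns (stage, detail); stage is the failing step ('first-bind', 'search',
    'user-bind') or 'ok' with the DN that was finally bound."""
    err = directory.bind(cfg["SearchUserDN"], cfg["SearchUserPw"])
    if err:
        return "first-bind", "First bind failed! " + err
    flt = build_search_filter(cfg["UID"], login, cfg.get("AlwaysFilter", ""))
    dns = directory.search(cfg["UID"], login, cfg.get("AlwaysFilterOk", lambda a: True))
    if not dns:
        return "search", "no entry matched %s under %s" % (flt, cfg["BaseDN"])
    err = directory.bind(dns[0], password)
    if err:
        return "user-bind", "bind as %s failed: %s" % (dns[0], err)
    return "ok", dns[0]


# Constructed directory: a service account and two customers, one without mail.
DIRECTORY = FakeDirectory({
    "CN=svc-otrs,CN=Users,DC=example,DC=com": ("svc-secret", {"samaccountname": "svc-otrs", "objectclass": "user"}),
    "CN=Jane Doe,OU=Customers,DC=example,DC=com": ("jane-pw", {"samaccountname": "jdoe", "objectclass": "user", "mail": "jdoe@example.com"}),
    "CN=No Mail,OU=Customers,DC=example,DC=com": ("nomail-pw", {"samaccountname": "nomail", "objectclass": "user"}),
})

# Mirrors the thread's mistake: a SearchUserDN in OpenLDAP style that does not
# exist in this AD, so the very first bind fails with data 525.
BROKEN_CFG = {
    "BaseDN": "dc=example,dc=com", "UID": "samaccountname",
    "SearchUserDN": "uid=svc-otrs,ou=users,o=ldap-services,dc=example,dc=com",
    "SearchUserPw": "svc-secret",
}
FIXED_CFG = dict(BROKEN_CFG, SearchUserDN="cn=svc-otrs,cn=users,dc=example,dc=com",
                 AlwaysFilter="(&(objectclass=user)(mail=*))",
                 AlwaysFilterOk=lambda a: a.get("objectclass") == "user" and "mail" in a)

if __name__ == "__main__":
    for cfg, user, pw in ((BROKEN_CFG, "jdoe", "jane-pw"), (FIXED_CFG, "jdoe", "jane-pw"),
                          (FIXED_CFG, "jdoe", "wrong"), (FIXED_CFG, "nomail", "nomail-pw")):
        stage, detail = customer_login(cfg, DIRECTORY, user, pw)
        print(stage, "|", detail, "|", explain_bind_error(detail))
```

Running it shows the four outcomes an admin has to tell apart: the broken config stops at the first bind with data 525 before any customer credential is used; the fixed config logs jdoe in; a wrong password fails only at the customer bind with data 52e; and the "nomail" account is never found because AlwaysFilter excludes it, which is why ferrosti suggests testing without the filter first.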
