AD sync to Roles is not working properly

Moderator: crythias

rajiv
Znuny newbie
Posts: 9
Joined: 26 Oct 2011, 21:38
Znuny Version: 3.0.11
Real Name: Rajiv
Company: US DOL

AD sync to Roles is not working properly

Post by rajiv »

Hi Everyone,
My first post here! :D First, keep up the good work. OTRS seems to be an excellent tool!

I am testing OTRS to be deployed in our production environment. I am running into a problem. The active directory sync to OTRS roles feature is not working properly.

Here is my situation:
OTRS 3.0.11 on Ubuntu Linux and MySQL Database
Active directory [LDAP] authentication for Agents has been successfully configured and working properly.

Relevant code from config.pm file:

Code:

  $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
      # specify ldap group DN to be ...
      'CN=OPA OTRS Admin,CN=Users,DC=opadev,DC=dol,DC=local' => {
          # ... mapped to otrs role
          'OTRS Admins' => 1,
      },
      'CN=OPA OTRS Agents,CN=Users,DC=opadev,DC=dol,DC=local' => {
          # otrs role
          'OTRS Agents' => 1,
      },
  };
Here is what I am trying to achieve:

In AD I have two groups:
1. OPA OTRS Admin
2. OPA OTRS Agents
I want any members inside these AD groups to be automatically granted these roles in OTRS [respectively]:
1. OTRS Admins
2. OTRS Agents

Here are the logs:
When a user “admin-rm” who belongs to the AD group “OPA OTRS Admin” logs on to OTRS:

Code:

Wed Oct 26 15:53:50 2011	notice	OTRS-CGI-69	User: admin-rm not in GroupDN='CN=OPA OTRS Agents,CN=Users,DC=opadev,DC=dol,DC=local', Filter='(memberUid=CN=Rajiv Mehra \(Admin\),OU=Windows 7 Users,OU=FPB Users,OU=OPA Users,DC=opadev,DC=dol,DC=local)'! (REMOTE_ADDR: 10.187.64.103).

Wed Oct 26 15:53:50 2011	notice	OTRS-CGI-69	User: 'admin-rm' sync ldap groups CN=OPA OTRS Agents,CN=Users,DC=opadev,DC=dol,DC=local to roles!

Wed Oct 26 15:53:50 2011	notice	OTRS-CGI-69	User: admin-rm not in GroupDN='CN=OPA OTRS Admin,CN=Users,DC=opadev,DC=dol,DC=local', Filter='(memberUid=CN=Rajiv Mehra \(Admin\),OU=Windows 7 Users,OU=FPB Users,OU=OPA Users,DC=opadev,DC=dol,DC=local)'! (REMOTE_ADDR: 10.187.64.103).

Wed Oct 26 15:53:50 2011	notice	OTRS-CGI-69	User: 'admin-rm' sync ldap groups CN=OPA OTRS Admin,CN=Users,DC=opadev,DC=dol,DC=local to roles!

Wed Oct 26 15:53:50 2011	notice	OTRS-CGI-69	User: 'admin-rm' changed password successfully!

Wed Oct 26 15:53:50 2011	notice	OTRS-CGI-69	User: 'admin-rm' updated successfully (1)!

Wed Oct 26 15:53:50 2011	notice	OTRS-CGI-69	User: admin-rm (CN=Rajiv Mehra (Admin),OU=Windows 7 Users,OU=FPB Users,OU=OPA Users,DC=opadev,DC=dol,DC=local) authentication ok (REMOTE_ADDR: 10.187.64.103).
From the logs, it seems to me that the AD sync is actually working, but somehow OTRS thinks that the user - admin-rm does NOT belong to the AD group OPA OTRS Admin.

What am I doing wrong?
Please help!
-Rajiv

OTRS 3.0.11 on Ubuntu Linux + MySQL.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: AD sync to Roles is not working properly

Post by crythias »

It means the user isn't *in* the group in your LDAP.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.

Re: AD sync to Roles is not working properly

Post by rajiv »

crythias wrote:It means the user isn't *in* the group in your LDAP.

Actually, the user "admin-rm" really IS inside the AD/LDAP group called "OPA OTRS Admin". I have triple checked my AD :)

Strangely, OTRS sync process thinks that the user "admin-rm" is NOT in that group.
-Rajiv


Re: AD sync to Roles is not working properly

Post by rajiv »

Judging from the lack of responses to my thread, there are not many OTRS users here?
Is there some other OTRS forum I should go to?
-Rajiv

Lorenzo_Marschall
Znuny advanced
Posts: 106
Joined: 13 May 2011, 14:47
Znuny Version: 2.4 / 3.x
Real Name: Lorenzo Marschall
Company: bmsoft information technologies GmbH
Location: Germany, Italy
Contact:

Re: AD sync to Roles is not working properly

Post by Lorenzo_Marschall »

Well, the part of the logfile with

Filter = '[...]'

looks strange.

Did you verify the logic of your queries using ldapsearch?

hth, Lorenzo
OTRS + ITSM + PostgreSQL @ Debian

Re: AD sync to Roles is not working properly

Post by rajiv »

I don't know where that filter is coming from. The only line in the config.pm file that has the word filter in it is this one:

Code:

 #   $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
...and I have already commented it out.


About using ldapsearch... I did install ldapsearch on that Ubuntu box and ran a quick test... but what query are you talking about?
AFAIK I am not running any queries. Sorry... I'm not too familiar with OTRS here.
-Rajiv


Re: AD sync to Roles is not working properly

Post by rajiv »

I am wondering, when we change config.pm, do we need to restart something [like the whole server or Apache] for the changes to take effect?
-Rajiv


Re: AD sync to Roles is not working properly

Post by rajiv »

rajiv wrote:I am wondering, when we change config.pm, do we need to restart something [like the whole server or Apache] for the changes to take effect?

I found out that... yes, that is required.
-Rajiv


Re: AD sync to Roles is not working properly

Post by rajiv »

And I also got it working! Yay!
Thanks a million to this thread:
http://forums.otrs.org/viewtopic.php?f=53&t=11447

jojo basically nailed it here:

jojo wrote:So it should be:

$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

These are the right parameters.

To help others I am going to post the full, working config.pm file here ASAP
-Rajiv


Re: AD sync to Roles is not working properly

Post by rajiv »

For others' reference in the future... here is a fully working config.pm file:

WAIT >>>> I found out that this config works ONLY for users who already exist in OTRS. For new AD users it gives this error:

Panic, user authenticated but no user data can be found in OTRS DB!! Perhaps the user is invalid.

Code:

# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2010 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.23 2010/01/13 22:25:00 martin Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
#  Note:
#
#  -->> OTRS does have a lot of config settings. For more settings
#       (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
#       LDAP, PostMaster, Session, Preferences, ...) see
#       Kernel/Config/Defaults.pm and copy your wanted lines into "this"
#       config file. This file will not be changed on update!
#
# --

package Kernel::Config;

sub Load {
    my $Self = shift;
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #         Start of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #
    # DatabaseHost
    # (The database host.)
    $Self->{'DatabaseHost'} = 'localhost';
    # Database
    # (The database name.)
    $Self->{'Database'} = 'otrs';
    # DatabaseUser
    # (The database user.)
    $Self->{'DatabaseUser'} = 'otrs';
    # DatabasePw
    # (The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords.)
    $Self->{'DatabasePw'} = 'xxxxxxxxxxxxxxxx';
    # DatabaseDSN
    # (The database DSN for MySQL ==> more: "man DBD::mysql")
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

    # (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a tcpip connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';



    # --------------------------------------------------- #
    # authentication settings                             #
    # (enable what you need, auth against otrs db,        #
    # against LDAP directory, agains HTTP basic auth      #
    # or against Radius server)                           #
    # --------------------------------------------------- #


    # This is the auth. module againt the >>> otrs db <<<<

    # <<<<<<<<comment out these two lines to enable AD authentication >>>>>>

#    $Self->{AuthModule} = 'Kernel::System::Auth::DB';
    # password crypt type (sha2|sha1|md5|crypt|plain)
#    $Self->{'AuthModule::DB::CryptType'} = 'md5';


#---------------------------------------------------------

    # This is an example configuration for >>>>AD authentication <<< backend.
    $Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'opadev.dol.gov';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=opadev,dc=dol,dc=gov';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # user needs to be in a group OPA OTRS Agents to use OTRS
#    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OPA OTRS Agents,CN=Users,DC=opadev,DC=dol,DC=gov';
#    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
#    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=Rajiv Test,OU=Windows 7 Users,OU=FPB Users,OU=OPA Users,DC=opadev,DC=dol,DC=gov';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxxxxxxxxxxxxxxxx';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#	$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
     };


#---------------------------------------------------------
  # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'opadev.dol.gov';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=opadev,dc=dol,dc=gov';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=Rajiv Test,OU=Windows 7 Users,OU=FPB Users,OU=OPA Users,DC=opadev,DC=dol,DC=gov';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxxxxxxxxxxxxxxxx';
 
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

#-------------------------------------------------------------------------
    # This section syncs AD group membership to OTRS roles

    # Attributes needed for group syncs
    # (attribute name for group value key; AD groups list their members
    # in 'member', not in the posixGroup attribute 'memberUid')
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
    # (attribute for type of group content UID/DN for full ldap name;
    # AD 'member' values are full DNs, so compare the user's DN)
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
#    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
#        'users',
#    ];

    # AuthSyncModule::LDAP::UserSyncRolesDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs roles, define the following.)
    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
        # specify ldap group DN to be ...
        'CN=OPA OTRS Admin,CN=Users,DC=opadev,DC=dol,DC=gov' => {
            # ... mapped to otrs role
            'OTRS Admins' => 1,
        },
        'CN=OPA OTRS Agents,CN=Users,DC=opadev,DC=dol,DC=gov' => {
            # otrs role
            'OTRS Agents' => 1,
        },
    };
    
#-----------------------------------------------------------





    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$
    $Self->{'DefaultCharset'} = 'utf-8';

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #           End of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.23 $)[1];

use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

# -----------------------------------------------------#

1;
-Rajiv


Re: AD sync to Roles is not working properly

Post by rajiv »

update:

The config file is correct.
The error I mentioned above was caused by NOT having the user's e-mail ID specified in AD.
-Rajiv

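As an added example that is not part of this thread and not OTRS/Znuny code, the Python below reimplements, against a constructed in-memory directory, the two things the thread turned on: the group-membership filter the sync module logged as Filter='(memberUid=<user DN>)' (which is why AccessAttr='member' plus UserAttr='DN' fixed the role sync against Active Directory), and the UserSyncMap lookup behind the later "no user data" panic when the AD object had no mail value. The function names and the sample group and user entries are this example's own assumptions; the DNs are copied from the log lines above.

```python
import re

# Added example, not OTRS/Znuny code. Rebuilds the membership filter the sync
# module logs (Filter='(memberUid=...)') and evaluates it against a constructed
# in-memory directory so the effect of AccessAttr/UserAttr is visible offline.
# Function names and sample entries are this example's own assumptions.

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 hex form).
    The thread's log shows the parentheses backslash-escaped instead; the
    intent is the same: the literal DN must not be parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse escape_filter_value, as the directory server does on receipt."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def group_filter(access_attr: str, user_attr: str, uid: str, user_dn: str) -> str:
    """Build the membership test run against each group DN.

    access_attr: group attribute listing members (memberUid for a posixGroup,
                 member for an Active Directory group).
    user_attr:   'DN' compares the user's full DN, 'UID' compares the login name.
    """
    value = user_dn if user_attr.upper() == "DN" else uid
    return f"({access_attr}={escape_filter_value(value)})"


def entry_matches(entry: dict, filt: str) -> bool:
    """Evaluate one '(attr=value)' equality filter against one entry.
    Attribute names and DN values compare case-insensitively, as AD does."""
    if not (filt.startswith("(") and filt.endswith(")") and "=" in filt):
        raise ValueError(f"unsupported filter: {filt}")
    attr, _, raw = filt[1:-1].partition("=")
    wanted = unescape_filter_value(raw).lower()
    values = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    return any(v.lower() == wanted for v in values)


def roles_for_user(directory, roles_definition, access_attr, user_attr, uid, user_dn):
    """Return the set of OTRS roles UserSyncRolesDefinition grants this user."""
    filt = group_filter(access_attr, user_attr, uid, user_dn)
    granted = set()
    for group_dn, role_map in roles_definition.items():
        entry = directory.get(group_dn)
        if entry is None:          # unknown group DN: nothing to match against
            continue
        if entry_matches(entry, filt):
            granted.update(role for role, enabled in role_map.items() if enabled)
    return granted


def sync_user_fields(ldap_entry: dict, sync_map: dict) -> dict:
    """Apply UserSyncMap (OTRS field -> LDAP attribute). Every mapped attribute
    must carry a value: the thread's panic came from an AD user with no mail."""
    lowered = {k.lower(): v for k, v in ldap_entry.items()}
    missing = [a for a in sync_map.values() if not lowered.get(a.lower())]
    if missing:
        raise ValueError(f"cannot create agent, LDAP attributes missing: {missing}")
    return {field: lowered[attr.lower()][0] for field, attr in sync_map.items()}


# Constructed sample directory (AD style: 'member' holds full DNs, no memberUid).
USER_DN = ("CN=Rajiv Mehra (Admin),OU=Windows 7 Users,OU=FPB Users,"
           "OU=OPA Users,DC=opadev,DC=dol,DC=local")
ADMIN_GROUP = "CN=OPA OTRS Admin,CN=Users,DC=opadev,DC=dol,DC=local"
AGENT_GROUP = "CN=OPA OTRS Agents,CN=Users,DC=opadev,DC=dol,DC=local"
DIRECTORY = {
    ADMIN_GROUP: {"objectClass": ["group"], "member": [USER_DN]},
    AGENT_GROUP: {"objectClass": ["group"], "member": []},
}
ROLES_DEFINITION = {
    ADMIN_GROUP: {"OTRS Admins": 1},
    AGENT_GROUP: {"OTRS Agents": 1},
}
USER_SYNC_MAP = {"UserFirstname": "givenName", "UserLastname": "sn", "UserEmail": "mail"}


def compare_settings() -> dict:
    """Run the check with the settings the thread's log reflects (memberUid
    against the DN) and with the working settings (member against the DN)."""
    return {
        "logged":  roles_for_user(DIRECTORY, ROLES_DEFINITION, "memberUid", "DN", "admin-rm", USER_DN),
        "fixed":   roles_for_user(DIRECTORY, ROLES_DEFINITION, "member", "DN", "admin-rm", USER_DN),
    }


if __name__ == "__main__":
    for name, roles in compare_settings().items():
        print(f"{name:7s} -> {sorted(roles) or 'no roles (user reported as not in group)'}")
```

Running it prints no roles for the memberUid filter and "OTRS Admins" for the member filter, which is exactly the difference between the "not in GroupDN" log lines and the working config. Against a real server the same two filters can be checked with ldapsearch using a base of the group DN and the filter string group_filter() returns.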