LDAP authentication customers issue

Moderator: crythias

eturconi
Znuny newbie
Posts: 35
Joined: 27 Dec 2011, 15:18
Znuny Version: 3

LDAP authentication customers issue

Post by eturconi »

Hi guys,
I'm struggling with LDAP and authentication!!
First of all, I would explain my AD tree:
ou='script'
dc='local'

The user that is able to read the tree is "itsupport" (he belongs to another OU, ou='User').

I've tried to use the agent authentication
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'xxx.xxx.xxx.xxx';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=script,dc=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'itsupport';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'secret';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS,ou=script,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
This works perfectly for the users that belong to the group OTRS.

Now I would like to implement authentication for customers as well:
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'xxx.xxx.xxx.xxx';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=script,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'itsupport';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'secret';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS-clienti,ou=script,dc=local';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
This doesn't work at all!!!!!!!!!!!!

In the OTRS log I see that, for instance, user 583 (who belongs to group OTRS-clienti) was trying to authenticate against the OTRS group instead of OTRS-clienti.
Where am I wrong? Isn't that the way to differentiate agent/customer logins?

Second question:
Is it possible to create a group nested into another group, where the nested group belongs to another OU?
Hope I've been clear and someone can help me (every comment will be appreciated).
Thanks in advance,
Emanuele

PPS: is there maybe a chat for real-time support?
root
Administrator
Posts: 3961
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: LDAP authentication customers issue

Post by root »

I've just finished the first release of an Active Directory module with nested groups support; just try it out, I'm using it in production:
https://github.com/rkaldung/ConnectAD
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: LDAP authentication customers issue

Post by Spuds »

I'm interested in using this-- I'm having a hard time getting things working the way I like.

How does it work?

Since I'm really new to OTRS (3 days) -- I'd rather not go in blind.
root
Administrator
Posts: 3961
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: LDAP authentication customers issue

Post by root »

It works for me. And I've got some positive feedback - until now ;-)
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: LDAP authentication customers issue

Post by Spuds »

I'm having a hard time getting things working the way I like.
Oh, man... I'm sorry, I was completely unclear. :P

I've been having some trouble with the OTRS AD implementation, and was thinking about trying yours...

But I didn't know if there was anything special I needed to do since I'm a complete n00b at OTRS.

I've been having some success, however... I've spent all day (again) looking through all of the documentation... so I'm getting closer.

But if your implementation is a snap, I'd love to use it.
root
Administrator
Posts: 3961
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: LDAP authentication customers issue

Post by root »

I've never had any trouble with the OTRS AD implementation. I created my module to get nested groups support.
Post your configuration (w/o passwords) and we can check it out.
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: LDAP authentication customers issue

Post by Spuds »

Here's what I have right now:

    # Enable LDAP Authentication Sync for Agent
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'yoda.asi-gis.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=ASI,dc=COM';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'ldapbind@ASI.COM';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'x';
    $Self->{'AuthSyncModule::LDAP::Charset'} = 'utf-8';

    # Enable Agent Mapping from LDAP to DB #
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'yoda.asi-gis.com';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=ASI, dc=COM';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRSAgents,DC=ASI,DC=COM';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'ldapbind@ASI.COM';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'x';

    # Client LDAP Backend Settings
    $Self->{CustomerUser} = {
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'yoda.asi-gis.com',
            # ldap base dn
            BaseDN => 'dc=ASI, dc=COM',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'ldapbind@ASI.com',
            UserPw => 'x',
            AlwaysFilter => '(&(objectClass=user) (!(objectClass=Computer)) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
            SourceCharset => 'utf-8',
            CacheTTL => 0,
            DestCharset => 'iso-8859-1',
        },
        # customer uniq id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
            [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
            [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
            #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
            #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
        ],
    };
Also see this viewtopic.php?f=61&t=15152.

As this code sits-- I can add a user to OTRSAgents and log in as an agent just fine. ZERO problems with that.

But even though users show up in the "Customers" section of the admin panel, and I can add users and they show up instantly-- I can't log in with any of them.

I have a couple of groups in the root container:

OTRSAgents
OTRSUsers

I'd LIKE to authenticate users out of the OTRSUsers group.

Here's what happens right now when I try to log in as a user:

[Wed Apr 25 15:11:08 2012] [error] Undefined subroutine &Kernel::Config::Load called at /opt/otrs//Kernel/Config/Defaults.pm line 1770.\n
[Wed Apr 25 15:11:08 2012] [error] [client 192.168.1.60] File does not exist: /opt/otrs/var/httpd/htdocs/favicon.ico
ERROR: OTRS-CGI-10 Perl: 5.12.4 OS: linux Time: Wed Apr 25 15:11:18 2012

 Message: No UserID found for 'tuser'!

 Traceback (25604):
   Module: Kernel::System::User::UserLookup (v1.121) Line: 797
   Module: Kernel::System::Auth::Auth (v1.56) Line: 244
   Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
   Module: (eval) (v1.90) Line: 204
   Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
   Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
   Module: ModPerl::Registry::handler (v1.99) Line: 31
That's all I have to go on... and I've been running this up and down the flagpole for almost 40 hours at this point. I've made a little headway-- but I just need that final piece.
root
Administrator
Posts: 3961
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: LDAP authentication customers issue

Post by root »

I'm missing the Customer::AuthModule in your config, something like

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';

Did you configure it?
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: LDAP authentication customers issue

Post by Spuds »

Here's the complete LDAP config I have in place. It's been through a lot of changes, so please be kind. :)
# Enable LDAP Authentication Sync for Agent
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'yoda.domain.com';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=ASI,dc=COM';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'ldapbind@ASI.COM';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxx';
$Self->{'AuthSyncModule::LDAP::Charset'} = 'utf-8';

# Enable Agent Mapping from LDAP to DB #
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'yoda.domain.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=ASI, dc=COM';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRSAgents,DC=ASI,DC=COM';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'ldapbind@ASI.COM';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxx';


# Customer auth-- not working

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'yoda.domain.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=ASI, dc=COM';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRSUsers,DC=ASI,DC=COM';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldapbind@ASI.COM';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxx';



# Client LDAP Backend Settings

$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'yoda.domain.com',
        # ldap base dn
        BaseDN => 'dc=ASI, dc=COM',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'ldapbind@ASI.com',
        UserPw => 'xxxx',
        AlwaysFilter => '(&(objectClass=user) (!(objectClass=Computer)) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        SourceCharset => 'utf-8',
        CacheTTL => 0,
        DestCharset => 'iso-8859-1',
    },
    # customer uniq id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
};
I had to take a break from this-- I was seeing DN, CN, OU, DC running through my head.

Thanks for your help!
root
Administrator
Posts: 3961
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: LDAP authentication customers issue

Post by root »

I suggest two ways to check if the customer authentication works in general:

1st) Remove/comment out the line

$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRSUsers,DC=ASI,DC=COM';

to check that the LDAP auth for customers works at all.
2nd) Are all customers direct(!) members of the group OTRSUsers (CN=OTRSUsers,DC=ASI,DC=COM)? The Perl Net::LDAP module doesn't support nested groups!

hth,
Roy
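The lookup-then-group-check sequence that the `AuthModule::LDAP` / `Customer::AuthModule::LDAP` settings in this thread configure, and Roy's two checks above, as an added Python model (not OTRS, ConnectAD or anyone's posted code). It runs over a constructed in-memory directory shaped like the first post's tree (ou=script, dc=local, groups OTRS and OTRS-clienti); the DN normalisation, the `ENTRIES` table and the customer 584 who is only a nested member are assumptions of the toy, and it does not claim to reproduce how OTRS compares DNs.

```python
"""Toy model (added example, not OTRS code) of the two steps behind AuthModule::LDAP
and Customer::AuthModule::LDAP: look the login up under BaseDN, then require its DN in
GroupDN's AccessAttr.  Runs over a constructed in-memory directory (no escaped commas)."""

ACCOUNTDISABLE = 0x2  # userAccountControl bit that the page's AlwaysFilter excludes

def norm_dn(dn):
    """Lower-case types and values and drop spaces around commas, so a DN typed as
    'cn=..,ou=..' in Config.pm matches the 'CN=..,OU=..,DC=..' form AD returns.
    (Assumed for this toy; the thread does not say how OTRS compares DNs.)"""
    return ",".join("=".join(x.strip().lower() for x in part.split("=", 1))
                    for part in dn.split(","))

# Constructed directory shaped like the first post: ou=script holds the OTRS groups and
# most users; one customer group and one customer live in another OU.
DIRECTORY = {
    "CN=OTRS,OU=script,DC=local": {
        "objectClass": ["group"], "member": ["CN=agent1,OU=script,DC=local"]},
    "CN=OTRS-clienti,OU=script,DC=local": {
        "objectClass": ["group"],
        "member": ["CN=583,OU=script,DC=local", "CN=Clienti-Nord,OU=User,DC=local"]},
    "CN=Clienti-Nord,OU=User,DC=local": {  # group nested inside OTRS-clienti
        "objectClass": ["group"], "member": ["CN=584,OU=User,DC=local"]},
    "CN=agent1,OU=script,DC=local": {
        "objectClass": ["user"], "sAMAccountName": ["agent1"], "userAccountControl": [512]},
    "CN=583,OU=script,DC=local": {
        "objectClass": ["user"], "sAMAccountName": ["583"], "userAccountControl": [512]},
    "CN=584,OU=User,DC=local": {
        "objectClass": ["user"], "sAMAccountName": ["584"], "userAccountControl": [512]},
    "CN=old,OU=script,DC=local": {  # 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2)
        "objectClass": ["user"], "sAMAccountName": ["old"], "userAccountControl": [514]},
}
ENTRIES = {norm_dn(dn): attrs for dn, attrs in DIRECTORY.items()}

def find_user_dn(base_dn, uid_attr, login):
    """Step 1: the SearchUserDN bind searches BaseDN (scope sub) for (uid_attr=login).
    Disabled accounts are skipped, as the page's userAccountControl filter does."""
    base = norm_dn(base_dn)
    for dn, attrs in ENTRIES.items():
        in_scope = dn == base or dn.endswith("," + base)
        if not in_scope or "user" not in attrs["objectClass"]:
            continue
        if login.lower() not in [v.lower() for v in attrs.get(uid_attr, [])]:
            continue
        if attrs.get("userAccountControl", [0])[0] & ACCOUNTDISABLE:
            continue
        return dn
    return None

def is_direct_member(group_dn, user_dn, access_attr="member"):
    """Step 2 as OTRS performs it with UserAttr = 'DN': the user's DN must appear
    literally among the group's AccessAttr values.  Nesting is invisible here."""
    group = ENTRIES.get(norm_dn(group_dn))
    return group is not None and norm_dn(user_dn) in map(norm_dn, group.get(access_attr, []))

def is_nested_member(group_dn, user_dn, access_attr="member", _seen=None):
    """Client-side equivalent of what AD's LDAP_MATCHING_RULE_IN_CHAIN resolves on the
    server: follow member -> group links recursively, guarding against cycles."""
    seen = set() if _seen is None else _seen
    g = norm_dn(group_dn)
    if g in seen or g not in ENTRIES:
        return False
    seen.add(g)
    for m in ENTRIES[g].get(access_attr, []):
        if norm_dn(m) == norm_dn(user_dn):
            return True
        sub = ENTRIES.get(norm_dn(m))
        if sub and "group" in sub["objectClass"] and is_nested_member(m, user_dn, access_attr, seen):
            return True
    return False

def authenticate(login, base_dn, group_dn=None, nested=False):
    """Replay the decision sequence and name the step that rejected the login."""
    user_dn = find_user_dn(base_dn, "sAMAccountName", login)
    if user_dn is None:
        return "rejected: no enabled user for that login under " + base_dn
    if group_dn is None:  # Roy's first check: drop GroupDN and see whether the lookup works
        return "ok: " + user_dn + " (no group check)"
    check = is_nested_member if nested else is_direct_member
    if not check(group_dn, user_dn):
        return "rejected: " + user_dn + " not in " + group_dn
    return "ok: " + user_dn

if __name__ == "__main__":  # 583 against the wrong group, as in the first post's log
    print(authenticate("583", "ou=script,dc=local", "cn=OTRS,ou=script,dc=local"))
    print(authenticate("583", "ou=script,dc=local", "cn=OTRS-clienti,ou=script,dc=local"))
    print(authenticate("584", "dc=local", "cn=OTRS-clienti,ou=script,dc=local"))
    print(authenticate("584", "dc=local", "cn=OTRS-clienti,ou=script,dc=local", nested=True))
```

The third and fourth calls make Roy's second point concrete: 584 is rejected by the direct `member` comparison and accepted only when membership is resolved through the nested group, and a user outside BaseDN (584 looked up under ou=script) never reaches the group check at all.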
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: LDAP authentication customers issue

Post by Spuds »

Hi, Roy--

The OTRSUsers group is in the root of the ASI domain-- no parent OU or anything.

Even when commenting out the GroupDN line, same problem... won't allow anyone other than OTRSAgents to log in.

It just seems odd to me that I can do agent logins with no problems at all, but then the exact same block below it except for users-- no dice. :(

I can break Agent auth easily and understand how it works-- so you would think I could get client auth working-- but it's not.

-Spuds
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: LDAP authentication customers issue

Post by Spuds »

I feel like I've tried everything at this point with no success.

If anyone else has any ideas, I welcome them-- but I'm afraid that I just don't know what to try anymore. No matter what I do, I seem to have no problems with agents, but can't get a regular user to log on.

If nobody else has any ideas, I'm afraid I'm going to have to throw in the towel. If I could get away without using LDAP, I would-- but it's a business requirement.

Anyone? Bribes are not out of the question.
Jerec
Znuny newbie
Posts: 13
Joined: 30 Apr 2012, 17:14
Znuny Version: 3.0.11
Real Name: Daniel Morgan

Re: LDAP authentication customers issue

Post by Jerec »

Here is my working LDAP config. I actually have this working with two domains. The account that is doing the LDAP query must be in the Windows Authorization Access Group in a Windows environment.

You can use this for two trusted domains. Just copy and paste and change all the 1s to 2s etc. Fill in the appropriate information. I recommend removing all the comments I just added.

    $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = 'XXX.XXX.X.X';            # LDAP server IP address
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=domainname,dc=com';  # domain
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

    # Path of the account that will query LDAP. For me it sits right under the domain in AD, not under an OU.
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS_LDAP,DC=domainname,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'xxxxxx';          # password for the account

    $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host1'} = 'XXX.XXX.X.X';  # LDAP server IP
    $Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=domainname,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS_LDAP,DC=domainname,DC=com';  # account username again
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'xxxxx';  # password for the account again

    $Self->{CustomerUser1} = {
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => 'XXX.XXX.X.X',            # LDAP server IP address again
            BaseDN => 'dc=domainname,dc=com',   # domain name again
            SSCOPE => 'sub',
            UserDN => 'CN=OTRS_LDAP,DC=domainname,DC=com',
            UserPw => 'xxxxxxx',                # same password again
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
            [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
            #[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
            #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
            #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
        ],
    };
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: LDAP authentication customers issue

Post by Spuds »

Jerec wrote:You can use this for two trusted domains. Just copy and paste and change all the 1s to 2s etc. Fill in the appropriate information. I recommend removing all the comments I just added.
I have noticed this in other places... some people have AuthModule::Ldap::Host1 etc.

I don't have 1s or 2s or anything after mine. Should I?

If so, what code has to change in order to point at the 1 or 2 settings?

If I'm only doing one domain, do I even need this?

-Spuds
Jerec
Znuny newbie
Posts: 13
Joined: 30 Apr 2012, 17:14
Znuny Version: 3.0.11
Real Name: Daniel Morgan

Re: LDAP authentication customers issue

Post by Jerec »

Spuds wrote:
Jerec wrote:You can use this for two trusted domains. Just copy and paste and change all the 1s to 2s etc. Fill in the appropriate information. I recommend removing all the comments I just added.
I have noticed this in other places... some people have AuthModule::Ldap::Host1 etc.

I don't have 1s or 2s or anything after mine. Should I?

If so, what code has to change in order to point at the 1 or 2 settings?

If I'm only doing one domain, do I even need this?

-Spuds

You don't need them if you're doing just 1 domain. In my case I have multiple domains I pull LDAP from. I basically manage 4 companies with 4 different domains. The 1, 2 etc. are for multiple LDAP queries.
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: LDAP authentication customers issue

Post by Spuds »

So with this code-- how do you differentiate between Agents and Users?

My code looked in specific groups, I don't see that in your code.

Am I missing something about OTRS?

I could get the OTRSAgents group to work but not OTRSUsers.

Your code works for me as an Agent that's already in the database, but now I cannot authenticate new agents, and customers still do not work at all.

I feel like maybe I'm missing some understanding of OTRS that I should have, but do not.
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: LDAP authentication customers issue

Post by Spuds »

This is now the entirety of my LDAP code:

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = '192.168.1.37';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=ASI,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'ldapbind@ASI.COM';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxx';

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = '192.168.1.37';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=ASI,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldapbind@ASI.COM';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxx';

    $Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Name => 'ASI AD LDAP',
    Params => {
      Host => '192.168.1.37',
      BaseDN => 'dc=ASI,dc=com',
      SSCOPE => 'sub',
      UserDN => 'ldapbind@ASI.COM',
      UserPw => 'xxx',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
    ],
  };
Jerec
Znuny newbie
Posts: 13
Joined: 30 Apr 2012, 17:14
Znuny Version: 3.0.11
Real Name: Daniel Morgan

Re: LDAP authentication customers issue

Post by Jerec »

Spuds wrote:So with this code-- how do you differentiate between Agents and Users?

My code looked in specific groups, I don't see that in your code.

Am I missing something about OTRS?

I could get the OTRSAgents group to work but not OTRSUsers.

Your code works for me as an Agent that's already in the database, but now I cannot authenticate new agents, and customers still do not work at all.

I feel like maybe I'm missing some understanding of OTRS that I should have, but do not.

Mine looks through the whole tree. I have multiple OUs with users in them based on job type. If I wanted to query just one OU I would have to create two queries for each domain. Instead I put it at the root and it checks all OUs.

Basically, at BaseDN you'd add the specific OU you want.
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: LDAP authentication customers issue

Post by Spuds »

I cleared the database and started over from scratch.

I really didn't want to do it because I've spent hours customizing things, but I figured I needed to give it a shot.

Completely clean database, inserted the schema and initial insert and dropped in the LDAP config from my most recent reply.

Can't authenticate any users now (of course my account was removed).

I think I'm going to admit defeat on this. It's supposed to be "easy" but I haven't had any luck with it.

To those of you that were following my posts to get a solution, I apologize.

Thanks to everyone that tried to help.
Jerec
Znuny newbie
Posts: 13
Joined: 30 Apr 2012, 17:14
Znuny Version: 3.0.11
Real Name: Daniel Morgan

Re: LDAP authentication customers issue

Post by Jerec »

Spuds wrote:I cleared the database and started over from scratch.

I really didn't want to do it because I've spent hours customizing things, but I figured I needed to give it a shot.

Completely clean database, inserted the schema and initial insert and dropped in the LDAP config from my most recent reply.

Can't authenticate any users now (of course my account was removed).

I think I'm going to admit defeat on this. It's supposed to be "easy" but I haven't had any luck with it.

To those of you that were following my posts to get a solution, I apologize.

Thanks to everyone that tried to help.
Maybe this will help: http://www.youtube.com/watch?v=ZwODnB5L5lM
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: LDAP authentication customers issue

Post by Spuds »

I looked at this video a couple of weeks ago.

To me, it seemed to obfuscate the issue more than clarify it.
Jerec
Znuny newbie
Posts: 13
Joined: 30 Apr 2012, 17:14
Znuny Version: 3.0.11
Real Name: Daniel Morgan

Re: LDAP authentication customers issue

Post by Jerec »

Spuds wrote:I looked at this video a couple of weeks ago.

To me, it seemed to obfuscate the issue more than clarify it.

I was just looking at your code. Did you try it without the @ASN for the user ID? You shouldn't need this because all the information above specifies the domain.

Normally a user on my domain logs in either as domain\user or user@domain, but for the LDAP I didn't need this.
root
Administrator
Posts: 3961
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: LDAP authentication customers issue

Post by root »

Jerec wrote:
Spuds wrote:I looked at this video a couple of weeks ago.

To me, it seemed to obfuscate the issue more than clarify it.

I was just looking at your code. Did you try it without the @ASN for the user ID? You shouldn't need this because all the information above specifies the domain.

Normally a user on my domain logs in either as domain\user or user@domain, but for the LDAP I didn't need this.
For an LDAP bind against an AD you can use the DN, the sAMAccountName or the userPrincipalName. Feel free to choose the one you prefer.
Jerec
Znuny newbie
Posts: 13
Joined: 30 Apr 2012, 17:14
Znuny Version: 3.0.11
Real Name: Daniel Morgan

Re: LDAP authentication customers issue

Post by Jerec »

root wrote:
Jerec wrote:
Spuds wrote:I looked at this video a couple of weeks ago.

To me, it seemed to obfuscate the issue more than clarify it.

I was just looking at your code. Did you try it without the @ASN for the user ID? You shouldn't need this because all the information above specifies the domain.

Normally a user on my domain logs in either as domain\user or user@domain, but for the LDAP I didn't need this.
For an LDAP bind against an AD you can use the DN, the sAMAccountName or the userPrincipalName. Feel free to choose the one you prefer.

Everything I've read for OTRS/LDAP says use the distinguished name. Don't use the sAMAccountName or userPrincipalName...