Anyone here with working LDAP? please help
Moderator: crythias
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Anyone here with working LDAP? please help
Spent almost a week, not working, checked DNS, everything. The error says:
Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@
Please help.
Re: Anyone here with working LDAP? please help
Post your OTRS version and Config.pm please.
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? please help
Thank you sir!
OTRS version 3.1.5
My file:
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '172.16.169.1';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
$Self->{'AuthModule::LDAP::GroupDN'} = 'ou=OTRS,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=dummy.user,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxx';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.169.1';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=dummy.user,dc=domain,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
Re: Anyone here with working LDAP? please help
Is this for an Active Directory LDAP or another platform?
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? please help
Active Directory LDAP problem.
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? please help
My error in the Apache log says:
Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@
Traceback (2451):
Module: Kernel::System::Auth::LDAP::Auth (v1.60) Line: 187
Module: Kernel::System::Auth::Auth (v1.56) Line: 189
Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
Module: (eval) (v1.90) Line: 204
Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
Re: Anyone here with working LDAP? please help
Try this:
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '172.16.169.1';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN'} = 'ou=OTRS,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=dummy.user,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxx';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.169.1';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=dummy.user,dc=domain,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? please help
Tried, same error:
ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Fri May 18 16:57:50 2012
Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@
Traceback (2986):
Module: Kernel::System::Auth::LDAP::Auth (v1.60) Line: 187
Module: Kernel::System::Auth::Auth (v1.56) Line: 189
Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
Module: (eval) (v1.90) Line: 204
Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? please help
Linux support 2.6.32-28-generic #55-Ubuntu SMP Mon Jan 10 21:21:01 UTC 2011 i686 GNU/Linux
Windows 2003 Active Directory
User has Domain Admin rights.
I can ping using the DNS name!!!
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? please help
Anyone? ....
For CustomerAuth it can be modified using SysConfig; is there anything like that for agents or users?
Re: Anyone here with working LDAP? please help
What is the result of executing this command?
/opt/otrs/bin/./otrs.CheckModules.pl
Also, is the domain controller on the same subnet as the host you are running OTRS on? If not, is it properly allowed through any firewalls you might have in between?
What is the result of executing "telnet <your domain IP> 389"?
Re: Anyone here with working LDAP? please help
Just googled for the error code; seems like you aren't specifying the correct user/pass.
ldapnotworking wrote:
Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0x525 - user not found
DEC: 1317 - ERROR_NO_SUCH_USER (The specified account does not exist.)
NOTE: Returns when username is invalid.
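The sub-code after "data" in that AcceptSecurityContext message is what tells you which of the two bind inputs is wrong: 525 means the bind DN names no object at all (the password has not even been checked yet), 52e means the DN exists but the password is wrong, and the remaining values describe account state. The script below is an added example, not code from this thread or from OTRS: a small Python triage that scans OTRS-style log lines (a constructed sample that reuses the message format quoted above) and reports the meaning of each finding and the setting to look at. The reading of the "No UserID found" line (the LDAP backend accepted a login that has no matching agent row in the OTRS database) is this example's interpretation of the traceback posted later in the thread, so treat it as an assumption.

```python
import re

# Constructed sample in the OTRS/Znuny log format seen in this thread. The ^@
# at the end of the real lines is the NUL byte Active Directory appends to its
# diagnostic message; the regex below stops at the sub-code, so it is harmless.
SAMPLE_LOG = """\
ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Fri May 18 16:57:50 2012
Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece
Message: No UserID found for 'jdoe'!
"""

# Sub-codes Active Directory attaches to LDAP result 49 (invalidCredentials).
# Value: (meaning, what to check in the OTRS LDAP settings or in AD).
AD_BIND_DATA = {
    "525": ("user not found",
            "the bind DN names no object: fix SearchUserDN; the password is not checked yet"),
    "52e": ("invalid credentials", "the DN exists; SearchUserPw is wrong"),
    "530": ("not permitted to logon at this time", "logon-hours restriction on the account"),
    "531": ("not permitted to logon from this workstation", "workstation restriction on the account"),
    "532": ("password expired", "reset the service account's password"),
    "533": ("account disabled", "enable the account"),
    "701": ("account expired", "account expiry date in AD"),
    "773": ("user must reset password", "clear 'must change password at next logon'"),
    "775": ("account locked out", "unlock the account and find what is locking it"),
}

BIND_RE = re.compile(
    r"Message: First bind failed!.*?AcceptSecurityContext error, data ([0-9A-Fa-f]+)")
NO_USER_RE = re.compile(r"Message: No UserID found for '([^']*)'")


def triage_line(line):
    """Classify one log line; returns a dict, or None for lines that do not matter."""
    m = BIND_RE.search(line)
    if m:
        code = m.group(1).lower()
        meaning, action = AD_BIND_DATA.get(code, ("unknown AD sub-code", "look the code up"))
        return {"stage": "search-user bind", "code": code, "meaning": meaning, "action": action}
    m = NO_USER_RE.search(line)
    if m:
        # Assumption (see lead-in): the LDAP backend already accepted this login.
        return {"stage": "agent lookup", "code": None,
                "meaning": f"LDAP accepted '{m.group(1)}' but no agent with that login exists in the OTRS database",
                "action": "configure AuthSyncModule so the agent is created on first login, or add the agent by hand"}
    return None


def triage(log_text):
    """Run triage_line over a whole log and keep only the findings, in log order."""
    findings = [triage_line(line) for line in log_text.splitlines()]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['stage']:>16} | {f['code'] or '-':>4} | {f['meaning']} -> {f['action']}")
```

Run it directly to print the findings. A 525 on the first bind means the search-user DN is wrong and nothing downstream can work, so fix SearchUserDN before touching attributes or group settings. Because AD answers 525 regardless of the password supplied, the 525-versus-52e distinction is also a classic account-enumeration oracle against a domain controller; for the defender here it is simply a precise pointer at the broken setting.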
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? please help
o CGI..............................ok (v3.59)
o Crypt::PasswdMD5.................ok (v1.3)
o Crypt::SSLeay....................ok (v0.57)
o CSS::Minifier....................ok (v0.01)
o Date::Format.....................ok (v2.23)
o Date::Pcalc......................ok (v1.2)
o DBI..............................ok (v1.609)
o DBD::mysql.......................ok (v4.012)
o DBD::ODBC........................Not installed! (Optional - Required to connect to a MS-SQL database.)
o DBD::Oracle......................Not installed! (Optional - Required to connect to a Oracle database.)
o DBD::Pg..........................Not installed! (Optional - Required to connect to a PostgreSQL database.)
o Digest::MD5......................ok (v2.39)
o Digest::SHA::PurePerl............ok (v5.70)
o Digest::SHA......................ok (v5.47)
o Encode::HanExtra.................Not installed! (Optional - Required to handle mails with several Chinese character sets.)
o Encode::Locale...................ok (v1.02)
o GD...............................ok (v2.39)
o GD::Text......................ok (v0.86)
o GD::Graph.....................ok (v1.44)
o GD::Graph::lines..............ok (v1.15)
o GD::Text::Align...............ok (v1.18)
o IO::Scalar.......................ok (v2.110)
o IO::Wrap.........................ok (v2.110)
o JavaScript::Minifier.............ok (v1.05)
o JSON.............................ok (v2.53)
o JSON::PP......................ok (v2.27200)
o JSON::XS......................Not installed! (Optional - Recommended for faster AJAX/JavaScript handling.)
o Locale::Codes....................ok (v3.18)
o LWP::UserAgent...................ok (v6.03)
o Mail::Internet...................ok (v2.08)
o Mail::POP3Client.................ok (v2.18 )
o IO::Socket::SSL...............ok (v1.31)
o Mail::IMAPClient.................Not installed! (Optional - Required for IMAP TLS connections.)
o IO::Socket::SSL...............ok (v1.31)
o MIME::Base64.....................ok (v3.08)
o MIME::Tools......................ok (v5.428)
o ModPerl::Util....................ok (v2.000004)
o Apache::DBI...................ok (v1.11)
o Apache2::Reload...............ok (v0.11)
o Net::DNS.........................ok (v0.65)
o Net::POP3........................ok (v2.29)
o Net::IMAP::Simple................ok (v1.2030)
o Net::IMAP::Simple::SSL........ok (v1.3)
o Net::SMTP........................ok (v2.31)
o Authen::SASL..................ok (v2.15)
o Net::SMTP::SSL................ok (v1.01)
o Net::SMTP::TLS::ButMaintained.ok (v0.18)
o Net::LDAP........................ok (v0.39)
o Net::SSL.........................ok (v2.84)
o PDF::API2........................ok (v0.73)
o Compress::Zlib................ok (v2.02)
o SOAP::Lite.......................ok (v0.714)
o version.......................ok (v0.77)
o Class::Inspector..............ok (v1.25)
o Text::CSV........................ok (v1.21)
o Text::CSV_PP..................ok (v1.29)
o Text::CSV_XS..................Not installed! (Optional - Recommended for faster CSV handling.)
o XML::Parser......................ok (v2.36)
o HTTP::Message....................ok (v6.02)
o HTTP::Headers.................ok (v6.00)
o URI..............................ok (v1.59)
o URI::Escape...................ok (v3.31)
o Scalar::Util.....................ok (v1.21)
Re: Anyone here with working LDAP? please help
Also, is the domain controller on the same subnet as the host you are running OTRS on? If not, is it properly allowed through any firewalls you might have in between?
What is the result of executing "telnet <your domain IP> 389"?
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? please help
Same subnet, telnet to 389 OK (I have other servers using it for LDAP). Now here is what the errors are:
[Fri May 18 19:36:18 2012] [notice] Apache/2.2.14 (Ubuntu) mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Fri May 18 19:36:31 2012
Message: No UserID found for 'xxxxxxx'!
Traceback (2615):
Module: Kernel::System::User::UserLookup (v1.121) Line: 797
Module: Kernel::System::Auth::Auth (v1.56) Line: 244
Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
Module: (eval) (v1.90) Line: 204
Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
Re: Anyone here with working LDAP? please help
Since you're on Ubuntu, why don't you test using ldapsearch?
It would be something like this....
ldapsearch -x -h machine.domain.com -b dc=domain,dc=com -D cn=dummy.user,dc=domain,dc=com -W
You will be prompted to enter the "dummy.user" password. If all goes well, ldapsearch will retrieve whatever your AD server allows.
One note though... since I am a Linux administrator and not a Windows administrator, I do not know what the difference is between an AD server and a Global Catalog server. However, if you're having trouble finding your user via port 389, then you should try the global catalog port of 3268. I'd go read all about global catalog but I'm not interested. Here is the link if you'd like to read on it.
http://technet.microsoft.com/en-us/libr ... s.10).aspx
And then.... if you still can't figure it out, you can cheat by using a tool called ADSI Edit. ADSI Edit will expose your AD in such a way that you can't get it wrong. Link for you:
http://technet.microsoft.com/en-us/libr ... s.10).aspx
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? please help
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Re: Anyone here with working LDAP? please help
So, if ldapsearch doesn't work, how will OTRS work? I think your DN is wrong.
According to you, your LDAP tree would look something like this...
--dc=domain,dc=com
+cn=dummy.user
But people usually put their users into a "user" OU. Are you sure that your user isn't in a "user" OU?
Usually, it would look like this...
--dc=domain,dc=com
--ou=user
+cn=dummy
Using this example, the DN would be cn=dummy,ou=user,dc=domain,dc=com
Anyway, it would be great if you could provide a screenshot.
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? please help
Thank you for trying to help me. I tried to install some free LDAP software on Windows, and I can get to LDAP on 389 and can read the LDAP.
I specifically created a dummy OU=OTRS and put the dummy.user under that OU.
Not sure how I can provide you the screenshot here.
My domain is domain.com; under that I have OU=OTRS, and I have a user under it called dummy.user.
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? please help
OK, for testing this I have moved those users under the Users OU. Here is my Config.pm now:
# config file. This file will not be changed on update!
#
# --
package Kernel::Config;
use utf8;
sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
# The settings have to sit here, inside Load(), where $Self is defined.
$Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '172.16.169.1';
$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=Users,DC=domain,DC=com';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS_Agents,OU=Users,DC=domain,DC=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# (both UserAttr assignments are active here; the second one wins)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'OU=Users,CN=user account name';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'pass';
$Self->{'AuthModule::LDAP::UserLowerCase'} = 0;
# $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# Enable Agent Mapping from LDAP to DB #
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
Re: Anyone here with working LDAP? please help
It looks like your DN is still not right. I know, LDAP is not too easy to understand, and then Microsoft makes it even more complex. I'm not sure what your LDAP level is, so I will just start as if you have no LDAP experience, since I hate it when people write documents assuming I have years of LDAP experience.
Let's go back to my example...
--dc=domain,dc=com (top level)
--ou=users
--cn=jane doe
When you look at this example, you construct the DN bottom up. That means you start with cn=jane doe, then you add ou=users, and then you add dc=domain,dc=com, and it looks like....
cn="jane doe",ou=users,dc=domain,dc=com (the quotes are there because of the space; some software requires them and some doesn't)
The ou stands for Organizational Unit. It's just a container to help you organize objects. "jane doe" is an object in the OU users container. The base DN, on the other hand, is where you want to start your search. The search is top down.
For POSIX accounts, the user attribute is uid, but for Active Directory it is what the other person said... sAMAccountName.
OK, I think I covered the basic steps. Now, you plug all this into your LDAP client and your LDAP client says.... I start at the base DN (which is dc=domain,dc=com) and I am going to start searching for ou=users (the search is done from RIGHT to LEFT via your DN, and your DN is cn="jane doe",ou=users,dc=domain,dc=com). When I find ou=users, then I am going to look, aka drill down, for cn=jane doe. When I find cn=jane doe, I am going to look for the user attribute uid or sAMAccountName.
NOTE: To do this search, you can do it anonymously (if your server allows) or you have to authenticate. Most LDAP servers will require authentication to see the password attribute. This is why OTRS has SearchUserDN and SearchUserPw. These two are used to authenticate. It is after authentication that you are allowed to search (like above). If the SearchUserDN does not have permission to traverse the LDAP tree, it won't work either.
Last thing.... take a look at this guy's ldapsearch syntax. (Technically, adminuser isn't even a valid DN, but I guess Windows knows what to do with it.)
ldapsearch -x -H ldap://10.11.12.13:389 -D adminuser -w adminpassword -b "dc=domain,dc=internal" "(cn=administrator)"
I got it from:
http://www.linuxquestions.org/questions ... le-761780/
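To make the bottom-up construction and the right-to-left search concrete, here is an added Python example (this editor's illustration, not code from the thread or from OTRS). It parses a DN into its RDNs, builds one from a top-down tree path like the diagram above, checks whether a DN lies inside a given BaseDN, and flags structurally impossible bind DNs such as the OU=Users,CN=... value posted earlier in the thread. It handles backslash escapes and the quoted-value form mentioned above; multi-valued RDNs (cn=a+sn=b) and hex-encoded values are out of scope. One caveat on the quoted ldapsearch line: -w adminpassword puts the secret into the process list and shell history, whereas -W, as in the earlier ldapsearch example, prompts for it.

```python
def parse_dn(dn):
    """Split an RFC 4514 DN into (type, value) pairs, leaf first.

    Attribute types are lower-cased; values keep their case. Backslash
    escapes are resolved and a double-quoted value may contain commas.
    """
    rdns, cur, quoted, i = [], [], False, 0

    def flush():
        text = "".join(cur).strip()
        if "=" not in text:
            raise ValueError(f"bad RDN {text!r} in {dn!r}")
        attr, value = text.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
        cur.clear()

    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped character: keep it, drop the backslash
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            flush()
        else:
            cur.append(c)
        i += 1
    flush()
    return rdns


def dn_from_path(base_dn, *path):
    """Build a DN from a top-down tree path: base, then containers, then the leaf."""
    return ",".join(list(reversed(path)) + [base_dn])


def is_under(dn, base_dn):
    """True if dn lies in the subtree rooted at base_dn (case- and space-insensitive)."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(d) >= len(b) and d[-len(b):] == b


def check_bind_dn(dn):
    """Structural sanity checks for a bind DN; returns a list of problems (empty = plausible)."""
    try:
        rdns = parse_dn(dn)
    except ValueError as e:
        return [str(e)]
    problems = []
    types = [a for a, _ in rdns]
    if types[0] not in ("cn", "uid"):
        problems.append(f"leaf RDN is {types[0]}=..., a container; a user DN starts with cn=... (RDNs go leaf first)")
    if "dc" not in types:
        problems.append("no dc= components; an AD DN ends with the domain's dc= chain")
    elif any(t != "dc" for t in types[types.index("dc"):]):
        problems.append("dc= components must come last; something follows them")
    return problems


if __name__ == "__main__":
    print(dn_from_path("dc=domain,dc=com", "ou=users", "cn=jane doe"))
    for candidate in ("OU=Users,CN=user account name", "cn=dummy.user,cn=users,dc=domain,dc=com"):
        print(candidate, "->", check_bind_dn(candidate) or "looks plausible")
    # A user in OU=OTRS is invisible to a search whose BaseDN is OU=Users.
    print(is_under("cn=dummy.user,ou=OTRS,dc=domain,dc=com", "OU=Users,DC=domain,DC=com"))
```

The is_under check is the one to run against BaseDN: an agent whose DN is not inside BaseDN is never found by the search, however correct the rest of the configuration is. SearchUserDN, by contrast, only has to exist and be allowed to read the tree; it does not have to live under BaseDN.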
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? please help
Thank you very much. Yes, I am not an expert in LDAP, mainly DN/CN and OUs; trying to understand where I am not right. Let me go back and do some reading and understand, and I will let you know where I ended up. So you don't think it's an Ubuntu issue?
Re: Anyone here with working LDAP? please help
It's not Ubuntu.
Don't look too hard. Just go to the Microsoft site and download ADSI Edit.
Re: Anyone here with working LDAP? please help
ldapnotworking, you seem to be switching options around in hopes of nailing it by luck. Don't do that. I see you switched your configuration again to wrong values. Look at what Dylan650 stated about your UID attribute.
Everything in the config below should be correct except for the BaseDN, which you should update; the only thing you need to make absolutely sure of is that the user's distinguishedName is "cn=dummy.user,cn=users,dc=domain,dc=com".
Also, the object "Users" in the AD is named as "CN" and not "OU". Yes, it's confusing, but just use Active Directory Explorer and you'll see all of that in detail. Just make sure you don't start EDITING anything in it.
I advise you to stay away from Domain Admin accounts while doing all of this.
Use this config:
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '172.16.169.1';
## Keep the BaseDN as it is unless you really want
## to restrict the available area for OTRS to search on
## Don’t worry, it will search the entire domain for your user.
# Change to correct BaseDN
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';
##
## Don't change this, Active Directory's UID Attribute is
## sAMAccountName
##
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
### This is the group that controls who accesses OTRS,
### Where is it located in your domain ?
### Don't know? Download Active Directory Explorer ( its free)
### And find out. Each object on the domain has a
### "distinguishedName" attribute, thats its full path on the domain.
$Self->{'AuthModule::LDAP::GroupDN'} = 'ou=OTRS,dc=domain,dc=com';
#Don't change this
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
#Don't change this
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
### Make sure this is the actual location for your user
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=dummy.user,cn=users,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxx';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
# Active Directory uses Ver.2 LDAP but OTRS goes nuts if you set it to 2 and specify your domain's root as BaseDN.
version => 3,
#
# This option tells OTRS to search everything under your BaseDN
# But it seems to do this by default, so dont activate it unless
# you notice its not searching as you hoped.
#
#SSCOPE => 'sub',
};
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.169.1';
# Change to correct BaseDN
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';
# dont touch this
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
#Make sure this user is correctly stated
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=dummy.user,cn=users,dc=domain,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
#dont touch this unless you really know what you are doing, this
#config will work
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# This is the group OTRS will add your AD users to once they login
# for the first time.
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? pleae help
Thank you for trying to help me, i really appreciate your help. Let me read about AD ADSI-Edit
Also, now I am not getting the bind error; I am now getting "user not found".
[Mon May 21 09:28:33 2012] [error] [client 172.16.37.68] ERROR: OTRS-CGI-10 Perl: 5.10.0 OS: linux Time: Mon May 21 09:28:33 2012, referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 09:28:33 2012] [error] [client 172.16.37.68] , referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 09:28:33 2012] [error] [client 172.16.37.68] Message: No UserID found for 'userid'!, referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 09:28:33 2012] [error] [client 172.16.37.68] , referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 09:28:33 2012] [error] [client 172.16.37.68] Traceback (5727): , referer: http://172.16.34.219/otrs/index.pl
That user exists in AD, but not in OTRS.
Re: Anyone here with working LDAP? pleae help
Careful with ADSI Edit... Stick with Active Directory Explorer.
Your configuration currently demands that the user be a member of a group and it looks like we made a mistake on that part.
Please consider doing the following:
Add an Organizational Unit (OU) in your domain's root branch, name it something like "OTRS", then create a global security group inside OTRS and add your dummy user to it. This will fix the mistake we made in:
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=<NAME OF GROUP>,ou=OTRS,dc=domain,dc=com';
BTW, remember that OTRS logs errors to both /var/log/syslog and /var/log/httpd/error.log or /var/log/apache2/error.log.
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? pleae help
No luck yet, same error popping up
First bind failed! 80090308: LdapErr: DSID-0C090334
Re: Anyone here with working LDAP? pleae help
What happened? You used to get the user error instead. What did you change? Post your config again, please.
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? pleae help
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'host';
## Keep the BaseDN as it is unless you really want
## to restrict the available area for OTRS to search on
## Don.t worry, it will search the entire domain for your user.
# Change to correct BaseDN
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=com';
##
## Don't change this, Active Directory's UID Attribute is
## sAMAccountName
##
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
### And find out. Each object on the domain has a
### "distinguishedName" attribute, thats its full path on the domain.
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS_Agents,OU=OTRS,DC=xxxxx,DC=com';
#Don't change this
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
#Don't change this
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
### Make sure this is the actual location for your user
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=xxxxxxx,OU=OTRS,DC=xxxx,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'qxxxt';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
# Active Directory uses Ver.2 LDAP but OTRS goes nuts if you set it to 2 and specify your domain's root as BaseDN.
version => 3,
#SSCOPE => 'sub',
};
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'host';
# Change to correct BaseDN
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=com';
# dont touch this
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
#Make sure this user is correctly stated
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=xxxxxxx,OU=OTRS,DC=xxxxx,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
-
- Znuny newbie
- Posts: 17
- Joined: 19 May 2012, 00:39
- Znuny Version: 3.1.5
Re: Anyone here with working LDAP? pleae help
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] , referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece, referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] , referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Traceback (929): , referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Module: Kernel::System::Auth::LDAP::Auth (v1.60) Line: 187, referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Module: Kernel::System::Auth::Auth (v1.56) Line: 189, referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204, referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Module: /opt/otrs/bin/cgi-bin/index.pl (v1.90) Line: 46, referer: http://172.16.34.219/otrs/index.pl
Re: Anyone here with working LDAP? pleae help
check all your
SearchUserDN and SearchUserPw if they are correct
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
Re: Anyone here with working LDAP? pleae help
For CustomerAuth it can be modified using SysConfig; is there anything like that for agents or users?
-
- Moderator
- Posts: 10169
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: Anyone here with working LDAP? pleae help
First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece, referer
This is credentials. Username/Password.
Users (agents) *must* (or used to must) be specified in OTRS before they'll match. May be different in 3.1, but 3.0 required users to be added before they'll be able to be assigned. (or, if they're assigned to the group OTRS_Agents in active directory, you don't have to...
--
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'; ## auth for agents
$Self->{'AuthModule::LDAP::Host'} = 'host'; ##fqdn, likely xxxxx.com
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=com'; ###so you don't have to put in user@...
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName'; ### unique user id.
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS_Agents,OU=OTRS,DC=xxxxx,DC=com'; ###make sure this makes sense
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member'; ###don't change
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN'; ### don't change
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=xxxxxxx,OU=OTRS,DC=xxxx,DC=com'; ### <-- this is the username allowed to do the search. (likely it won't have OU=OTRS)
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'qxxxt'; ### <-- this is the password for the user allowed to search. This and the previous cause the Accept Security Context error.
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)'; ### only look up users
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
### the following should match the above information ###
$Self->{'AuthSyncModule::LDAP::Host'} = 'host';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=xxxxxxx,OU=OTRS,DC=xxxxx,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxx';
### make sure the above matches ###
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
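To make the "this is credentials" diagnosis above mechanical, here is an added example (not from the thread and not OTRS code) that runs over the Apache error log lines posted earlier and decodes the `data <hex>` sub-code Active Directory appends to an AcceptSecurityContext failure. The mapping is the commonly documented AD one; the sample log is constructed: its first line is the one posted in this thread, the 52e line is a made-up variant for contrast. It also separates the SearchUserDN bind (OTRS logs that as "First bind failed!") from the agent's own bind, which is the distinction the moderator draws.

```python
import re

# Added example, not OTRS code. AD answers a failed simple bind with
# invalidCredentials plus a "data <hex>" sub-code in the diagnostic message;
# this is the commonly documented meaning of those sub-codes.
AD_BIND_SUBCODES = {
    "525": "user not found: the bind DN (or UPN) does not exist",
    "52e": "invalid credentials: the DN exists but the password is wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_ERR_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def decode_bind_error(line):
    """Return (which account, sub-code, meaning) for an OTRS log line, or None."""
    m = BIND_ERR_RE.search(line)
    if not m:
        return None
    code = m.group(1).lower()
    # OTRS logs "First bind failed!" for the SearchUserDN bind; any other
    # occurrence of this error belongs to the login user's own bind.
    account = ("SearchUserDN (service account)" if "First bind failed" in line
               else "login user")
    return account, code, AD_BIND_SUBCODES.get(code, "unknown sub-code")


def triage(log_text):
    """Run the decoder over an error log and keep only the bind failures."""
    return [r for r in (decode_bind_error(l) for l in log_text.splitlines()) if r]


# Constructed sample: the first line is the one posted in this thread, the
# third is a made-up variant with sub-code 52e for contrast.
SAMPLE_LOG = """\
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece, referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Traceback (929): , referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:09:10 2012] [error] [client 172.16.37.68] Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece, referer: http://172.16.34.219/otrs/index.pl
"""

if __name__ == "__main__":
    for account, code, meaning in triage(SAMPLE_LOG):
        print("%s -> data %s: %s" % (account, code, meaning))
```

For the thread's line the decoder reports the service account with sub-code 525, i.e. the DN in SearchUserDN does not exist in the directory at all, which is exactly the "likely it won't have OU=OTRS" remark above: fix the distinguishedName first, and only worry about the password once the sub-code turns into 52e.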