Anyone here with working LDAP? please help


ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Anyone here with working LDAP? please help

Post by ldapnotworking »

Spent almost a week, not working, checked DNS, everything. The error says:

Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@

Please help.
NTSOLO
Znuny newbie
Posts: 11
Joined: 18 May 2012, 22:54
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by NTSOLO »

Post your OTRS version and Config.pm, please.
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

Thank you, sir!

OTRS version 3.1.5

My file

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '172.16.169.1';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
$Self->{'AuthModule::LDAP::GroupDN'} = 'ou=OTRS,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=dummy.user,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxx';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};

$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.169.1';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=dummy.user,dc=domain,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
NTSOLO
Znuny newbie
Posts: 11
Joined: 18 May 2012, 22:54
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by NTSOLO »

Is this for an Active Directory LDAP or another platform?
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

Active Directory LDAP problem.
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

My error in the Apache log says:


Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@

Traceback (2451):
Module: Kernel::System::Auth::LDAP::Auth (v1.60) Line: 187
Module: Kernel::System::Auth::Auth (v1.56) Line: 189
Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
Module: (eval) (v1.90) Line: 204
Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
NTSOLO
Znuny newbie
Posts: 11
Joined: 18 May 2012, 22:54
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by NTSOLO »

Try this:


$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '172.16.169.1';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN'} = 'ou=OTRS,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=dummy.user,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxx';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};

$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.169.1';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=dummy.user,dc=domain,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

Tried; same error.


ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Fri May 18 16:57:50 2012

Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@

Traceback (2986):
Module: Kernel::System::Auth::LDAP::Auth (v1.60) Line: 187
Module: Kernel::System::Auth::Auth (v1.56) Line: 189
Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
Module: (eval) (v1.90) Line: 204
Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

Linux support 2.6.32-28-generic #55-Ubuntu SMP Mon Jan 10 21:21:01 UTC 2011 i686 GNU/Linux

Windows 2003 Active Directory

User has Domain Admin rights.

I can ping using the DNS name!!!
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

Anyone? ....

For customerAuth it can be modified using SysConfig; is there anything like that for agents or users?
NTSOLO
Znuny newbie
Posts: 11
Joined: 18 May 2012, 22:54
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by NTSOLO »

What is the result of executing this command?
/opt/otrs/bin/./otrs.CheckModules.pl

Also, is the Domain controller on the same subnet as the host you are running OTRS on? If not, is it properly allowed through any firewalls you might have in between?


What is the result of executing "telnet <your domain IP> 389"?
NTSOLO
Znuny newbie
Posts: 11
Joined: 18 May 2012, 22:54
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by NTSOLO »

ldapnotworking wrote:

Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@
Just googled the error code; seems like you aren't specifying the correct user/pass.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0x525 - user not found
DEC: 1317 - ERROR_NO_SUCH_USER (The specified account does not exist.)
NOTE: Returns when username is invalid.
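Added example (not from any poster in this thread): a Python triage helper that pulls the `data NNN` sub-code out of OTRS/Apache error lines like the ones posted here and decodes it the way NTSOLO did by hand for 525. The table also covers the other sub-codes Active Directory returns for a failed simple bind, and the log lines are constructed in the thread's format.

```python
"""Decode the AD 'AcceptSecurityContext error, data NNN' sub-code in OTRS bind errors."""
import re

# Constructed log lines in the format posted in this thread: an Apache error_log
# line with the OTRS message, a traceback line without one, and a bare OTRS-CGI
# line carrying a different sub-code (52e) for contrast.
SAMPLE_LOG = [
    "[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Message: First bind failed! "
    "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece, "
    "referer: http://172.16.34.219/otrs/index.pl",
    "[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Module: Kernel::System::Auth::Auth "
    "(v1.56) Line: 189, referer: http://172.16.34.219/otrs/index.pl",
    "ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Fri May 18 16:57:50 2012 Message: "
    "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, v893",
]

# Logon-failure sub-codes AD appends to a failed simple bind (hex as printed) ->
# Win32 error name and meaning. 525 is the one NTSOLO decoded by hand above.
AD_BIND_DATA_CODES = {
    "525": ("ERROR_NO_SUCH_USER", "user not found: the bind DN/name matches no account"),
    "52e": ("ERROR_LOGON_FAILURE", "account found, password wrong"),
    "530": ("ERROR_INVALID_LOGON_HOURS", "logon not permitted at this time"),
    "531": ("ERROR_INVALID_WORKSTATION", "logon not permitted from this host"),
    "532": ("ERROR_PASSWORD_EXPIRED", "password expired"),
    "533": ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    "701": ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    "773": ("ERROR_PASSWORD_MUST_CHANGE", "password must be changed at next logon"),
    "775": ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

BIND_ERR_RE = re.compile(
    r"(?P<ldaperr>8009030[0-9A-Fa-f]): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+)"
)


def decode_bind_error(line):
    """Describe the AD bind failure in one log line; None if the line has none."""
    m = BIND_ERR_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    name, meaning = AD_BIND_DATA_CODES.get(data, ("UNKNOWN", "sub-code not in table"))
    return {
        "ldaperr": m.group("ldaperr").lower(),  # ldapsearch shows this as Invalid credentials (49)
        "data_hex": data,
        "data_dec": int(data, 16),              # 0x525 -> 1317, as worked out in the thread
        "win32_name": name,
        "meaning": meaning,
        # 'First bind failed!' is OTRS's text for the SearchUserDN/SearchUserPw bind,
        # so a 525 there points at the search account, not the agent logging in.
        "stage": "search-user bind" if "First bind failed" in line else "other bind",
    }


def triage(lines):
    """Decode every bind failure in an iterable of log lines, in order."""
    return [hit for hit in map(decode_bind_error, lines) if hit]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("%(stage)s: data %(data_hex)s (%(data_dec)d) = %(win32_name)s, %(meaning)s" % hit)
```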
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

o CGI..............................ok (v3.59)
o Crypt::PasswdMD5.................ok (v1.3)
o Crypt::SSLeay....................ok (v0.57)
o CSS::Minifier....................ok (v0.01)
o Date::Format.....................ok (v2.23)
o Date::Pcalc......................ok (v1.2)
o DBI..............................ok (v1.609)
o DBD::mysql.......................ok (v4.012)
o DBD::ODBC........................Not installed! (Optional - Required to connect to a MS-SQL database.)
o DBD::Oracle......................Not installed! (Optional - Required to connect to a Oracle database.)
o DBD::Pg..........................Not installed! (Optional - Required to connect to a PostgreSQL database.)
o Digest::MD5......................ok (v2.39)
o Digest::SHA::PurePerl............ok (v5.70)
o Digest::SHA......................ok (v5.47)
o Encode::HanExtra.................Not installed! (Optional - Required to handle mails with several Chinese character sets.)
o Encode::Locale...................ok (v1.02)
o GD...............................ok (v2.39)
o GD::Text......................ok (v0.86)
o GD::Graph.....................ok (v1.44)
o GD::Graph::lines..............ok (v1.15)
o GD::Text::Align...............ok (v1.18)
o IO::Scalar.......................ok (v2.110)
o IO::Wrap.........................ok (v2.110)
o JavaScript::Minifier.............ok (v1.05)
o JSON.............................ok (v2.53)
o JSON::PP......................ok (v2.27200)
o JSON::XS......................Not installed! (Optional - Recommended for faster AJAX/JavaScript handling.)
o Locale::Codes....................ok (v3.18)
o LWP::UserAgent...................ok (v6.03)
o Mail::Internet...................ok (v2.08)
o Mail::POP3Client.................ok (v2.18 )
o IO::Socket::SSL...............ok (v1.31)
o Mail::IMAPClient.................Not installed! (Optional - Required for IMAP TLS connections.)
o IO::Socket::SSL...............ok (v1.31)
o MIME::Base64.....................ok (v3.08)
o MIME::Tools......................ok (v5.428)
o ModPerl::Util....................ok (v2.000004)
o Apache::DBI...................ok (v1.11)
o Apache2::Reload...............ok (v0.11)
o Net::DNS.........................ok (v0.65)
o Net::POP3........................ok (v2.29)
o Net::IMAP::Simple................ok (v1.2030)
o Net::IMAP::Simple::SSL........ok (v1.3)
o Net::SMTP........................ok (v2.31)
o Authen::SASL..................ok (v2.15)
o Net::SMTP::SSL................ok (v1.01)
o Net::SMTP::TLS::ButMaintained.ok (v0.18)
o Net::LDAP........................ok (v0.39)
o Net::SSL.........................ok (v2.84)
o PDF::API2........................ok (v0.73)
o Compress::Zlib................ok (v2.02)
o SOAP::Lite.......................ok (v0.714)
o version.......................ok (v0.77)
o Class::Inspector..............ok (v1.25)
o Text::CSV........................ok (v1.21)
o Text::CSV_PP..................ok (v1.29)
o Text::CSV_XS..................Not installed! (Optional - Recommended for faster CSV handling.)
o XML::Parser......................ok (v2.36)
o HTTP::Message....................ok (v6.02)
o HTTP::Headers.................ok (v6.00)
o URI..............................ok (v1.59)
o URI::Escape...................ok (v3.31)
o Scalar::Util.....................ok (v1.21)
NTSOLO
Znuny newbie
Posts: 11
Joined: 18 May 2012, 22:54
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by NTSOLO »

Also, is the Domain controller on the same subnet as the host you are running OTRS? If not, is it properly allowed through any firewalls you might have in between?


What is the result of executing "telnet <your domain IP> 389"?
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

Same subnet, telnet to 389 OK (I have other servers using it for LDAP). Now here is what the errors are:


[Fri May 18 19:36:18 2012] [notice] Apache/2.2.14 (Ubuntu) mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
ERROR: OTRS-CGI-10 Perl: 5.10.1 OS: linux Time: Fri May 18 19:36:31 2012

Message: No UserID found for 'xxxxxxx'!

Traceback (2615):
Module: Kernel::System::User::UserLookup (v1.121) Line: 797
Module: Kernel::System::Auth::Auth (v1.56) Line: 244
Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
Module: (eval) (v1.90) Line: 204
Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
dylan650
Znuny newbie
Posts: 29
Joined: 18 May 2012, 19:48
Znuny Version: 3.1.2

Re: Anyone here with working LDAP? please help

Post by dylan650 »

Since you're on Ubuntu, why don't you test using ldapsearch?

It would be something like this....

ldapsearch -x -h machine.domain.com -b dc=domain,dc=com -D cn=dummy.user,dc=domain,dc=com -W

You will be prompted to enter the "dummy.user" password. If all goes well, ldapsearch will retrieve whatever your AD server allows.

One note though... since I am a Linux administrator and not a Windows administrator, I do not know what the difference is between an AD server and a Global Catalog server. However, if you're having trouble finding your user via port 389, then you should try the Global Catalog port of 3268. I'd go read all about the Global Catalog, but I'm not interested. Here is the link if you'd like to read up on it.

http://technet.microsoft.com/en-us/libr ... s.10).aspx

And then.... if you still can't figure it out, you can cheat by using a tool called ADSI Edit. ADSI Edit will expose your AD in such a way that you can't get it wrong. Link for you:
http://technet.microsoft.com/en-us/libr ... s.10).aspx
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
dylan650
Znuny newbie
Posts: 29
Joined: 18 May 2012, 19:48
Znuny Version: 3.1.2

Re: Anyone here with working LDAP? please help

Post by dylan650 »

So, if ldapsearch doesn't work, how will OTRS work? I think your DN is wrong.

According to you, your LDAP tree would look something like this...

--dc=domain,dc=com
  +cn=dummy.user

But people usually put their users into a "user" OU. Are you sure that your user isn't in a "user" OU?
Usually, it would look like this...

--dc=domain,dc=com
  --ou=user
    +cn=dummy

Using this example, the DN would be cn=dummy,ou=user,dc=domain,dc=com

Anyway, it would be great if you could provide a screen shot.
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

Thank you for trying to help me. I tried to install some free LDAP software on Windows, and I can get to LDAP on 389 and can read the LDAP.

I specifically created a dummy OU=OTRS and put the dummy.user under that OU.

Not sure how I can provide you the screenshot here.

My domain is domain.com; under that I have OU=OTRS, and I have a user under it called dummy.user.
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

OK, for testing I have moved those users under the Users OU. Here is my Config.pm now:


# config file. This file will not be changed on update!
#
# --
package Kernel::Config;

# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '172.16.169.1';
$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=Users,DC=domain,DC=com';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS_Agents,OU=Users,DC=domain,DC=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'OU=Users,CN=user account name';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'pass';
$Self->{'AuthModule::LDAP::UserLowerCase'} = 0;
# $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
# Enable Agent Mapping from LDAP to DB #
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
};
use utf8;
sub Load {
my $Self = shift;
# ---------------------------------------------------- #
dylan650
Znuny newbie
Posts: 29
Joined: 18 May 2012, 19:48
Znuny Version: 3.1.2

Re: Anyone here with working LDAP? please help

Post by dylan650 »

It looks like your DN is still not right. I know, LDAP is not too easy to understand, and then Microsoft makes it even more complex. I'm not sure what your LDAP level is, so I will just start as if you have no LDAP experience, since I hate it when people write documents assuming I have years of LDAP experience.

Let's go back to my example...

--dc=domain,dc=com (top level)
  --ou=users
    --cn=jane doe

When you look at this example, you construct the DN bottom up. That means you start with cn=jane doe, then you add ou=users, and then you add dc=domain,dc=com, and it looks like....
cn="jane doe",ou=users,dc=domain,dc=com (the quotes are there because of the space; some software requires it and some doesn't)

The ou stands for Organizational Unit. It's just a container to help you organize objects. "jane doe" is an object in the OU users container. The base DN, on the other hand, is where you want to start your search. The search is top down.

For Posix accounts, the user attribute is UID but for Active Directory, it is what the other person said... sAMAccountName.

Ok, I think I covered the basic steps. Now, you plug all this into your LDAP client and your LDAP client says.... I start at the base DN (which is dc=domain,dc=com) and I am going to start searching for ou=users (search is done from RIGHT to LEFT via your DN, and your DN is cn="jane doe",ou=users,dc=domain,dc=com). When I find ou=users, then I am going to look, aka drill down, for cn=jane doe. When I find cn=jane doe, I am going to look for the user attribute UID or sAMAccountName.

NOTE: To do this search, you can do it anonymously (if your server allows) or you have to authenticate. Most LDAP servers will require authentication to see the password attribute. This is why OTRS has SearchUserDN and SearchUserPw. These two are used to authenticate. It is after authentication that you are allowed to search (like above). If the SearchUserDN does not have permission to traverse the LDAP tree, it won't work either.

Last thing.... take a look at this guy's ldapsearch syntax. (Technically, adminuser isn't even a valid DN, but I guess Windows knows what to do with it.)
ldapsearch -x -H ldap://10.11.12.13:389 -D adminuser -w adminpassword -b "dc=domain,dc=internal" "(cn=administrator)"
I got it from:
http://www.linuxquestions.org/questions ... le-761780/
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

Thank you very much. Yes, I am not an expert in LDAP, mainly DNs/CNs and OUs; trying to understand where I am not right. Let me go back and do some reading and understand, and I will let you know where I ended up. So you don't think it's an Ubuntu issue?
dylan650
Znuny newbie
Posts: 29
Joined: 18 May 2012, 19:48
Znuny Version: 3.1.2

Re: Anyone here with working LDAP? please help

Post by dylan650 »

It's not Ubuntu.

Don't look too hard. Just go to the Microsoft site and download ADSI Edit.
NTSOLO
Znuny newbie
Posts: 11
Joined: 18 May 2012, 22:54
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by NTSOLO »

ldapnotworking, you seem to be switching options around in hopes of nailing it by luck. Don't do that. I see you switched your configuration again to wrong values. Look at what Dylan650 stated about your UID attribute.

Use this config:


$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '172.16.169.1';

## Keep the BaseDN as it is unless you really want
## to restrict the available area for OTRS to search on
## Don’t worry, it will search the entire domain for your user.
# Change to correct BaseDN
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';

##
## Don't change this, Active Directory's UID Attribute is
## sAMAccountName
##
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

### This is the group that controls who accesses OTRS,
### Where is it located in your domain?
### Don't know? Download Active Directory Explorer (it's free)
### And find out. Each object on the domain has a
### "distinguishedName" attribute, that's its full path on the domain.
$Self->{'AuthModule::LDAP::GroupDN'} = 'ou=OTRS,dc=domain,dc=com';
#Don't change this
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
#Don't change this
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

### Make sure this is the actual location for your user
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=dummy.user,cn=users,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxx';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    # Active Directory uses Ver.2 LDAP but OTRS goes nuts if you set it to 2 and specify your domain's root as BaseDN.
    version => 3,
    #
    # This option tells OTRS to search everything under your BaseDN
    # But it seems to do this by default, so don't activate it unless
    # you notice it's not searching as you hoped.
    #
    #SSCOPE => 'sub',

};


$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.169.1';
# Change to correct BaseDN
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';
# dont touch this
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
#Make sure this user is correctly stated
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=dummy.user,cn=users,dc=domain,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {

    # don't touch this unless you really know what you are doing, this
    # config will work
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
};
# This is the group OTRS will add your AD users to once they login
# for the first time.
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

Everything on it should be correct except for the BaseDN, which you should update. The only thing you need to make absolutely sure of is that the user's distinguishedName is "cn=dummy.user,cn=users,dc=domain,dc=com".
Also, the object "Users" in the AD is nominated as "CN" and not "OU". Yes, it's confusing, but just use Active Directory Explorer and you'll see all of that in detail. Just make sure you don't start EDITING anything on it.
I advise you to stay away from Domain Admin accounts while doing all of this.
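Added example (not code from any poster, nor from OTRS or Znuny): a Python linter that applies dylan650's DN rules from the post above and NTSOLO's Active Directory attribute advice to an OTRS Config.pm fragment. It runs on a constructed sample with placeholder values that reproduces the thread's mistakes (a SearchUserDN written container-first, uid/memberUid against AD, and auth and sync blocks that disagree).

```python
"""Lint the LDAP section of an OTRS Config.pm for the mistakes this thread turns on."""
import re

# Constructed sample modelled on the fragment posted mid-thread (placeholder
# values, not the poster's real file): posix-style attributes against AD, a
# SearchUserDN written container-first, and an AuthSync block that disagrees.
SAMPLE_CONFIG = """
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '172.16.169.1';
$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=Users,DC=domain,DC=com';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS_Agents,OU=Users,DC=domain,DC=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'OU=Users,CN=user account name';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'pass';
$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.169.1';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=dummy.user,cn=users,dc=domain,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'pass';
"""

AUTH = "AuthModule::LDAP::"
SYNC = "AuthSyncModule::LDAP::"
# One single-quoted scalar setting per line; hash-valued settings are skipped.
SETTING_RE = re.compile(r"^\$Self->\{'?([\w:]+)'?\}\s*=\s*'([^']*)'\s*;", re.M)


def parse_config(text):
    """Return {setting name: value} for the scalar settings in a Config.pm fragment."""
    return dict(SETTING_RE.findall(text))


def parse_dn(dn):
    """Split a DN into (attr, value) pairs, leaf first, lower-cased because AD
    matches DNs case-insensitively; backslash-escaped commas stay in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN %r in %r" % (part.strip(), dn))
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def same_domain(a, b):
    """True when both DNs end in the same dc=... components."""
    return [r for r in parse_dn(a) if r[0] == "dc"] == [r for r in parse_dn(b) if r[0] == "dc"]


def dn_shape_problems(name, dn):
    """Flag DNs written top-down (container before leaf) or lacking a domain."""
    try:
        attrs = [attr for attr, _ in parse_dn(dn)]
    except ValueError as exc:
        return ["%s: %s" % (name, exc)]
    out = []
    if attrs[0] in ("ou", "dc"):
        out.append("%s: leaf is %s=..., but a user or group entry starts with its own "
                   "cn=...; the DN looks written container-first" % (name, attrs[0]))
    if "dc" not in attrs:
        out.append("%s: no dc= components, so the DN names no domain" % name)
    elif any(a != "dc" for a in attrs[attrs.index("dc"):]):
        out.append("%s: a non-dc component follows dc=; domain parts must come last" % name)
    return out


def lint(cfg):
    """Return findings for the AuthModule / AuthSyncModule LDAP settings."""
    f = []
    for key in ("SearchUserDN", "GroupDN"):
        if AUTH + key in cfg:
            f += dn_shape_problems(key, cfg[AUTH + key])
            try:
                if not same_domain(cfg[AUTH + key], cfg[AUTH + "BaseDN"]):
                    f.append("%s: domain components differ from BaseDN" % key)
            except (ValueError, KeyError):
                pass
    uid = cfg.get(AUTH + "UID", "").lower()
    access = cfg.get(AUTH + "AccessAttr", "").lower()
    user_attr = cfg.get(AUTH + "UserAttr", "").lower()
    if uid == "uid" or access == "memberuid":
        f.append("UID/AccessAttr: posixGroup style (uid/memberUid); Active Directory "
                 "uses sAMAccountName, member and UserAttr DN")
    if (access == "member") != (user_attr == "dn"):
        f.append("AccessAttr/UserAttr: 'member' holds full DNs so UserAttr must be DN "
                 "(memberUid pairs with UID); these disagree")
    # The sync backend binds and searches on its own; every value must match.
    for key in ("Host", "BaseDN", "UID", "SearchUserDN", "SearchUserPw"):
        a, s = cfg.get(AUTH + key), cfg.get(SYNC + key)
        if a is None or s is None:
            continue
        try:
            equal = parse_dn(a) == parse_dn(s) if key.endswith("DN") else a == s
        except ValueError:
            equal = a == s
        if not equal:
            shown = ("<redacted>", "<redacted>") if key == "SearchUserPw" else (a, s)
            f.append("%s: AuthModule and AuthSyncModule disagree (%r vs %r)" % ((key,) + shown))
    return f


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```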
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

Thank you for trying to help me, I really appreciate your help. Let me read about AD ADSI Edit.

Also, now I am not getting the bind error; I am now getting User not found.

[Mon May 21 09:28:33 2012] [error] [client 172.16.37.68] ERROR: OTRS-CGI-10 Perl: 5.10.0 OS: linux Time: Mon May 21 09:28:33 2012, referer: http://172.16.34.219/otrs/index.pl

[Mon May 21 09:28:33 2012] [error] [client 172.16.37.68] , referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 09:28:33 2012] [error] [client 172.16.37.68] Message: No UserID found for 'userid'!, referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 09:28:33 2012] [error] [client 172.16.37.68] , referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 09:28:33 2012] [error] [client 172.16.37.68] Traceback (5727): , referer: http://172.16.34.219/otrs/index.pl

That user exists in AD, but does not exist in OTRS.
NTSOLO
Znuny newbie
Posts: 11
Joined: 18 May 2012, 22:54
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by NTSOLO »

Careful with ADSI Edit... Stick with Active Directory Explorer.

Your configuration currently demands that the user be a member of a group and it looks like we made a mistake on that part.

Please consider doing the following:

Add an Organizational Unit (OU) in your domain's root branch, name it something like "OTRS", then create a global security group inside of OTRS and add your dummy user to it. This will fix the mistake we made in:

$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=<NAME OF GROUP>,ou=OTRS,dc=domain,dc=com';

BTW, remember that OTRS logs errors to both /var/log/syslog and /var/log/httpd/error.log or /var/log/apache2/error.log.
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

No luck yet, same error popping up:

First bind failed! 80090308: LdapErr: DSID-0C090334
NTSOLO
Znuny newbie
Posts: 11
Joined: 18 May 2012, 22:54
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by NTSOLO »

What happened? You used to get the user error instead. What did you change? Post your config again, please.
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'host';

## Keep the BaseDN as it is unless you really want
## to restrict the available area for OTRS to search on
## Don't worry, it will search the entire domain for your user.
# Change to correct BaseDN
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=com';

##
## Don't change this, Active Directory's UID Attribute is
## sAMAccountName
##
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
### And find out. Each object on the domain has a
### "distinguishedName" attribute, thats its full path on the domain.
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS_Agents,OU=OTRS,DC=xxxxx,DC=com';
#Don't change this
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
#Don't change this
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

### Make sure this is the actual location for your user
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=xxxxxxx,OU=OTRS,DC=xxxx,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'qxxxt';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    # Active Directory uses Ver.2 LDAP but OTRS goes nuts if you set it to 2 and specify your domain's root as BaseDN.
    version => 3,
    #SSCOPE => 'sub',
};
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'host';
# Change to correct BaseDN
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=com';
# dont touch this
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
#Make sure this user is correctly stated
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=xxxxxxx,OU=OTRS,DC=xxxxx,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
};
ldapnotworking
Znuny newbie
Posts: 17
Joined: 19 May 2012, 00:39
Znuny Version: 3.1.5

Re: Anyone here with working LDAP? please help

Post by ldapnotworking »

[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] , referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Message: First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece, referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] , referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Traceback (929): , referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Module: Kernel::System::Auth::LDAP::Auth (v1.60) Line: 187, referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Module: Kernel::System::Auth::Auth (v1.56) Line: 189, referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Module: Kernel::System::Web::InterfaceAgent::Run (v1.64) Line: 204, referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] Module: /opt/otrs/bin/cgi-bin/index.pl (v1.90) Line: 46, referer: http://172.16.34.219/otrs/index.pl
[Mon May 21 14:08:06 2012] [error] [client 172.16.37.68] , referer: http://172.16.34.219/otrs/index.pl
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: Anyone here with working LDAP? please help

Post by jojo »

Check whether all your SearchUserDN and SearchUserPw values are correct.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
Asmineing
Znuny newbie
Posts: 1
Joined: 25 May 2012, 10:35
Znuny Version: asasasa
Contact:

Re: Anyone here with working LDAP? please help

Post by Asmineing »

For customerAuth it can be modified using Sysconfig is there anything like that for Agents or users?
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Anyone here with working LDAP? please help

Post by crythias »

First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece, referer
This is credentials. Username/Password.

Users (agents) *must* (or used to must) be specified in OTRS before they'll match. May be different in 3.1, but 3.0 required users to be added before they'll be able to be assigned. (Or, if they're assigned to the group OTRS_Agents in Active Directory, you don't have to...
--
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'; ## auth for agents
$Self->{'AuthModule::LDAP::Host'} = 'host'; ##fqdn, likely xxxxx.com
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=com'; ###so you don't have to put in user@...
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName'; ### unique user id.
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS_Agents,OU=OTRS,DC=xxxxx,DC=com'; ###make sure this makes sense
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member'; ###don't change
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN'; ### don't change
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=xxxxxxx,OU=OTRS,DC=xxxx,DC=com'; ### <-- this is the username allowed to do the search. (likely it won't have OU=OTRS)
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'qxxxt'; ### <-- this is the password for the user allowed to search. This and the previous cause the Accept Security Context error.
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)'; ### only look up users
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';

### the following should match the above information ###
$Self->{'AuthSyncModule::LDAP::Host'} = 'host';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=xxxxxxx,OU=OTRS,DC=xxxxx,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxx';
### make sure the above matches ###
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
};
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask