[Workaround] LDAP Fallback to DB -> Password failed

catweazle
Znuny advanced
Posts: 121
Joined: 15 Feb 2012, 12:22
Znuny Version: 3.1

Post by catweazle »

Hi

There are two kinds of agents in use (in my OTRS): DB-Agents and LDAP-Agents.

It seems LDAP-Auth and LDAP-Sync for LDAP-Agents work fine.

I tested a workaround in case all LDAP servers fail: deactivating LDAP-Auth and LDAP-Sync in the config to force OTRS to use the DB::Auth.

OTRS is using the DB::Auth as fallback as I wanted, but something with the password hash in the DB seems wrong :(

user: agentldap

Code:

[Notice][Kernel::System::Auth::DB::Auth] User: agentldap authentication with wrong Pw!!!

There is a password hash for user agentldap in my DB. I think it was created during LDAP sync in the first place. Maybe my conception is wrong altogether?
Last edited by catweazle on 03 Jul 2014, 09:18, edited 1 time in total.
1: OTRS 3.1.21 + Support + MasterSlave @ CentOS 6.5 , MySQL
2: Test: OTRS 3.1.21 + Support + MasterSlave @ CentOS 6.5 , MySQL
3: Test-2: OTRS 3.3.x + Support + MasterSlave @ CentOS 6.5 , MySQL (iphone, idoit-trash)

Re: LDAP Fallback to DB -> Password failed

Post by catweazle »

...maybe someone knows the function that writes the password for ldap-agents into the local DB?

My Perl skills are below NULL...
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: LDAP Fallback to DB -> Password failed

Post by crythias »

catweazle wrote: how the password for ldap-agents is written into the local DB?

It does not.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: LDAP Fallback to DB -> Password failed

Post by catweazle »

crythias wrote:
catweazle wrote: how the password for ldap-agents is written into the local DB?
it does not

Once again, you saved me from suffering :)

So my conception failed in the first place, and there is no fallback option for those agents who have been authenticated via LDAP.

So the password hash created for "ldap agents" is just a random fill-in?
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: LDAP Fallback to DB -> Password failed

Post by jojo »

No, as the user types the password in the login screen, this is saved in the database on successful login.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com

Re: LDAP Fallback to DB -> Password failed

Post by catweazle »

jojo wrote: no, as the user types the password in the login screen, this is saved in the database on successful login

Okay, I am totally confused now!

If the password of an agent authenticated by LDAP is saved in the OTRS DB, this agent should be able to log in after deactivating LDAP authentication, shouldn't it?! :?:

Re: LDAP Fallback to DB -> Password failed

Post by crythias »

Does it work? Then the answer is yes. If not, the answer is no.

JoJo says the password that's entered at (successful) login is stored in the database. (the password isn't synced from ldap, but rather stored from user input.)

I'm not so keen on that, but it would likely mean that disabling ldap would allow the last successful stored password to be used for further authentication. If a user has never logged in, this would be useless.

Re: LDAP Fallback to DB -> Password failed

Post by catweazle »

crythias wrote: JoJo says the password that's entered at (successful) login is stored in the database. (the password isn't synced from ldap, but rather stored from user input.)

Yes, every time an ldap-agent logs in successfully, a new password hash is written to the DB.

Looks like the password written in the DB never matches...
ldap::auth active:

Code:

[Notice][Kernel::System::Auth::DB::Auth] User: ldapagent authentication with wrong Pw!!!
[Notice][Kernel::System::Auth::DB::Auth] User: ldapagent authentication with wrong Pw!!!
[Notice][Kernel::System::Auth::LDAP::Auth] User: ldapagent (xxxremovedxxx) authentication ok
[Notice][Kernel::System::User::UserUpdate] User: ldapagent updated successfully (1)!
[Notice][Kernel::System::User::SetPassword] User: ldapagent changed password successfully!

Looks like I have to set up a second auth system for fallback :?

Re: LDAP Fallback to DB -> Password failed

Post by catweazle »

Found workaround...

In case of LDAP server failure:

Deactivate LDAP::AUTH in config.pm

Let the agent use the "lost your password" function

The agent gets a new password and can log in :)
1: OTRS 3.1.21 + Support + MasterSlave @ CentOS 6.5 , MySQL
2: Test: OTRS 3.1.21 + Support + MasterSlave @ CentOS 6.5 , MySQL
3: Test-2: OTRS 3.3.x + Support + MasterSlave @ CentOS 6.5 , MySQL (iphone, idoit-trash)
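
An added example, not part of the thread or of OTRS itself: a small Python check over log lines in the format quoted above that lists the agents who only ever authenticate through LDAP, that is, the accounts that would need the "lost your password" reset if LDAP auth had to be disabled. The sample log is constructed, and the DB success line for `dbagent` is an assumed format modelled on the LDAP success line.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log lines quoted in this thread. The DB
# "authentication ok" line for dbagent is an assumed format (it mirrors the
# LDAP success line); adapt AUTH_LINE to what your own OTRS log contains.
SAMPLE_LOG = """\
[Notice][Kernel::System::Auth::DB::Auth] User: ldapagent authentication with wrong Pw!!!
[Notice][Kernel::System::Auth::LDAP::Auth] User: ldapagent (xxxremovedxxx) authentication ok
[Notice][Kernel::System::User::SetPassword] User: ldapagent changed password successfully!
[Notice][Kernel::System::Auth::DB::Auth] User: dbagent authentication ok
[Notice][Kernel::System::Auth::DB::Auth] User: agentldap authentication with wrong Pw!!!
"""

AUTH_LINE = re.compile(
    r"^\[\w+\]\[Kernel::System::Auth::(?P<backend>\w+)::Auth\] "
    r"User: (?P<user>\S+)(?: \([^)]*\))? authentication (?P<result>ok|with wrong Pw)"
)


def summarize(log_text):
    """Count auth results per user and backend: {user: {backend: {"ok", "fail"}}}."""
    stats = defaultdict(lambda: defaultdict(lambda: {"ok": 0, "fail": 0}))
    for line in log_text.splitlines():
        m = AUTH_LINE.match(line.strip())
        if m is None:
            continue  # UserUpdate, SetPassword and unrelated lines carry no auth result
        outcome = "ok" if m["result"] == "ok" else "fail"
        stats[m["user"]][m["backend"]][outcome] += 1
    return stats


def ldap_dependent(log_text):
    """Agents with at least one LDAP success and no DB success in the log."""
    dependent = []
    for user, backends in summarize(log_text).items():
        ldap_ok = backends.get("LDAP", {}).get("ok", 0)
        db_ok = backends.get("DB", {}).get("ok", 0)
        if ldap_ok and not db_ok:
            dependent.append(user)
    return sorted(dependent)


if __name__ == "__main__":
    for agent in ldap_dependent(SAMPLE_LOG):
        print(f"{agent}: logs in via LDAP only; needs a password reset if LDAP auth is disabled")
```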