[SOLVED] LDAP Agent Sync

Moderator: crythias

marcosaurelio
OTRS wizard
Posts: 183
Joined: 08 May 2014, 16:05
OTRS Version?: 6.0.10
Real Name: Marcos Aurelio Silverio
Company: Infracerta
Location: Brazil

[SOLVED] LDAP Agent Sync

Post by marcosaurelio » 13 Jan 2016, 05:38

Hi everybody,

I'm trying to sync LDAP Agents (Active Directory on Windows 2012) with OTRS, but with no success. My Config.pm file:

    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'ldap.example.com';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=users,dc=ldap,dc=example,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'mail';

    # Check if the user is allowed to auth in a posixGroup
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs_agents,ou=OTRS,ou=Groups,dc=ldap,dc=example,dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';

    # The following is valid but would only be necessary if the
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'otrsbinduser';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'otrsbindpass';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(&(objectClass=user)( !(userAccountControl:1.2.840.113556.1.4.803:=2)))';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # --------------------------------------------------- #
    # (enable agent data sync. after succsessful          #
    # authentication)                                     #
    # --------------------------------------------------- #
    # This is an example configuration for an LDAP auth sync. backend.
    $Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap.example.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'ou=users,dc=ldap,dc=example,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'mail';

    # The following is valid but would only be necessary if the
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'otrbinduser';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'otrsbindpass';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';

    # AuthSyncModule::LDAP::UserSyncMap
    # (map if agent should create/synced from LDAP to DB after successful login)
    # you may specify LDAP-Fields as either
    #  * list, which will check each field. first existing will be picked ( ["givenName","cn","_empty"] )
    #  * name of an LDAP-Field (may return empty strings) ("givenName")
    #  * fixed strings, prefixed with an underscore: "_test", which will always return this fixed string
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthSyncModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
And here is the error message:

No UserID found for 'user@example.com'!
User: user@example.com authentication failed, no LDAP entry found!BaseDN='ou=users,dc=ldap,dc=com', Filter='(mail=user@example.com)
Am I missing something? If I manually register an Agent in OTRS I can log in successfully (if he exists in AD).

I appreciate your help.
Last edited by marcosaurelio on 14 Jan 2016, 21:45, edited 1 time in total.
OTRS 6.0.10 Centos 7 Mysql 5.6
Videos de OTRS no Youtube: https://www.youtube.com/channel/UCscGon ... 7hADe3AalA
http://infracerta.com.br

EXG133
OTRS superhero
Posts: 217
Joined: 06 Aug 2012, 18:12
OTRS Version?: 3.1.7 & 4.04

Re: LDAP Agent Sync

Post by EXG133 » 13 Jan 2016, 10:24

I suppose you changed the settings to match your LDAP server instead of using the default values? Your error message literally says the user cannot be found.

coolmf
OTRS newbie
Posts: 37
Joined: 02 Nov 2015, 16:29
OTRS Version?: 5.0.26

Re: LDAP Agent Sync

Post by coolmf » 13 Jan 2016, 15:57

There are some problems in your config.


Here is my working config for Novell eDirectory; with a few changes (look at the comments in my config) you should have it working.

    # This is a configuration modified for Novell eDirectory
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'ldaps://192.168.1.2'; # we use secure LDAP, so ldaps: instead of ldap:
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'UID'; # I'm guessing that Microsoft AD uses 'sAMAccountName'
 
    # Check if the user is allowed to auth in a posixGroup
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Agents,cn=Users,dc=example,dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
 
    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS,CN=users,DC=example,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'OTSR_ldap_PW';
 
    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';	# No filter until you get it to work
 
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 636,	# Secure LDAP uses 636, normal LDAP uses 389
        timeout => 120,
        async => 0,
        version => 3,
    };
 
    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldaps://192.168.1.2';		# we use secure LDAP, so ldaps: instead of ldap:
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=example, dc=com';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'UID';	# I'm guessing that Microsoft AD uses 'sAMAccountName'
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS,CN=users,DC=example,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'OTRS_ldap_PW';
 
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
 
    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
OTRS 5.0.26 with ITSM, and FAQ module on CentOS 7 with MariaDB and Apache
Using LDAPS for customers and agents against Azure AD
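To see why the question's config fails and the reply's works, here is an added example (not part of this thread and not OTRS code) that builds the search filter Kernel::System::Auth::LDAP sends below BaseDN and lints the settings for the Active Directory points the reply makes: sAMAccountName as UID, 'member' with UserAttr 'DN' for the group check, and ldaps:// on 636. The dict layout, the check rules and the two sample configs are assumptions modelled on the Config.pm keys above.

```python
# Added example (not OTRS code): models the search Kernel::System::Auth::LDAP runs
# below BaseDN and lints the settings for the Active Directory pitfalls raised in
# the thread. Dict keys mirror the Config.pm keys without their module prefix.

def escape_filter_value(value):
    """RFC 4515 escaping, as Net::LDAP::Util::escape_filter_value does, so a login
    such as 'x*)(mail=*' cannot widen the filter into matching another account."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def build_user_filter(cfg, login):
    """Filter OTRS sends: (&<AlwaysFilter>(<UID>=<login>)), or only the UID part."""
    uid_filter = f"({cfg['UID']}={escape_filter_value(login)})"
    always = cfg.get("AlwaysFilter", "")
    return f"(&{always}{uid_filter})" if always else uid_filter

def lint_ad_config(auth, sync):
    """Findings that explain 'no LDAP entry found' or weaken the setup against AD."""
    findings = []
    port = auth.get("Params", {}).get("port")
    if not auth["Host"].startswith("ldaps://"):
        findings.append("transport: plain LDAP, the bind password and agent passwords "
                        "cross the network in clear text; use ldaps:// with port 636")
    elif port not in (None, 636):
        findings.append(f"transport: ldaps:// host but Params port {port}; LDAPS uses 636")
    if auth.get("GroupDN") and auth.get("AccessAttr") == "memberUid":
        findings.append("group: AD lists members as DNs in 'member', not 'memberUid'; "
                        "set AccessAttr 'member' and UserAttr 'DN'")
    if auth.get("AccessAttr") == "member" and auth.get("UserAttr") != "DN":
        findings.append("group: 'member' holds DNs, so UserAttr must be 'DN' "
                        "or every membership check fails")
    for key in ("Host", "BaseDN", "UID", "SearchUserDN"):  # sync must hit the same tree
        if auth.get(key) != sync.get(key):
            findings.append(f"sync: AuthSyncModule {key} {sync.get(key)!r} differs "
                            f"from AuthModule {auth.get(key)!r}")
    return findings

# Constructed samples: the first follows the failing config in the question (its
# anonymised names kept), the second the LDAPS config in the reply with AD names.
FAILING_AUTH = {"Host": "ldap.example.com", "BaseDN": "ou=users,dc=ldap,dc=example,dc=com",
    "UID": "mail", "GroupDN": "cn=otrs_agents,ou=OTRS,ou=Groups,dc=ldap,dc=example,dc=com",
    "AccessAttr": "memberUid", "SearchUserDN": "otrsbinduser", "Params": {"port": 389},
    "AlwaysFilter": "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"}
FAILING_SYNC = dict(FAILING_AUTH, SearchUserDN="otrbinduser")  # bind DN typo as posted
WORKING_AUTH = {"Host": "ldaps://192.168.1.2", "BaseDN": "dc=example,dc=com",
    "UID": "sAMAccountName", "GroupDN": "cn=OTRS-Agents,cn=Users,dc=example,dc=com",
    "AccessAttr": "member", "UserAttr": "DN", "Params": {"port": 636},
    "SearchUserDN": "CN=OTRS,CN=users,DC=example,DC=com"}
WORKING_SYNC = dict(WORKING_AUTH)
```

Running build_user_filter on the failing sample without AlwaysFilter reproduces the Filter='(mail=user@example.com)' seen in the log, and lint_ad_config reports the plain-LDAP transport, the memberUid group check and the differing sync bind DN.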


Re: LDAP Agent Sync

Post by marcosaurelio » 13 Jan 2016, 17:14

EXG133 wrote:I suppose you changed the settings to match your LDAP server instead of using the default values? Your error message literally says the user cannot be found.
I'm not using default values, I just changed them so as not to show my company details. The configuration structure is the same, but it is not working for me. In fact the user doesn't exist in the OTRS database, only in AD, but the idea is to sync data between AD and OTRS.
coolmf wrote: There are some problems in your config.


Here is my working config for Novell eDirectory; with a few changes (look at the comments in my config) you should have it working.

    # This is a configuration modified for Novell eDirectory
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'ldaps://192.168.1.2'; # we use secure LDAP, so ldaps: instead of ldap:
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'UID'; # I'm guessing that Microsoft AD uses 'sAMAccountName'
 
    # Check if the user is allowed to auth in a posixGroup
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Agents,cn=Users,dc=example,dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
 
    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS,CN=users,DC=example,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'OTSR_ldap_PW';
 
    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';	# No filter until you get it to work
 
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 636,	# Secure LDAP uses 636, normal LDAP uses 389
        timeout => 120,
        async => 0,
        version => 3,
    };
 
    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldaps://192.168.1.2';		# we use secure LDAP, so ldaps: instead of ldap:
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=example, dc=com';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'UID';	# I'm guessing that Microsoft AD uses 'sAMAccountName'
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS,CN=users,DC=example,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'OTRS_ldap_PW';
 
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
 
    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
I will try your config, thanks for the help.


Re: LDAP Agent Sync

Post by marcosaurelio » 14 Jan 2016, 21:44

Now it's working, thanks.