How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Moderator: crythias

JanG
Znuny newbie
Posts: 9
Joined: 17 Nov 2016, 15:08
Znuny Version: OTRS 5.0.13
Real Name: Jan G.

How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by JanG »

Hello everybody,
at the moment we are trying to connect an OTRS 5 installation (on a Fedora 22 system) with a Microsoft LDAP server.

We have edited the Config.pm file with the following content:
LDAP Connection Company:

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '1.1.1.1';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=company,dc=tld';

$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'sAMAccountName';
#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = ;
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} ='ou:Users,cn=user,dc=company,dc=tld';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

Customer Data:

$Self->{CustomerUser} = {
Name => 'LDAP Connection Company',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => '1.1.1.1',
BaseDN => 'DC=company,dc=tld',
SSCOPE => 'base',
UserDN => 'ou=Users,cn=user,dc=company,dc=tld',
UserPw => 'password',
AlwaysFilter =>  '(&)',
},

CustomerKey => 'sAMAccountName',

CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],

Map => [    
#['UserSalutation', 'Title', 'title', '1', '0', 'var'], 
['UserFirstname', 'Firstname', 'givenname', '1', '1', 'var'], 
['UserLastname', 'Lastname', 'sn', '1', '1', 'var'], 
['UserLogin', 'Login', 'sAMAccountName', '1', '1', 'var'], 
['UserEmail', 'Email', 'mail', '1', '1', 'var'], 
['UserCustomerID', 'CustomerID', 'mail', '0', '1', 'var'], 
['UserPhone', 'Phone', 'telephonenumber', '1', '0', 'var'], 
#['UserAddress', 'Address', 'postaladdress', '1', '0', 'var'], 
#['UserComment', 'Comment', 'description', '1', '0', 'var'], 
],
};

When we search in the OTRS web frontend as an agent, the following message appears in /var/log/messages:

Nov 17 12:22:31 hostname OTRS-CGI-06[1251]: [Error][Kernel::System::CustomerUser::LDAP::_Connect][Line:197]: First bind failed! 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580
Nov 17 12:22:31 hostname OTRS-CGI-06[1251]: [Error][Kernel::System::CustomerUser::LDAP::CustomerSearch][Line:386]: Can't contact LDAP server

But we can't find any user.
Where is the problem in our configuration? Thanks for your help.
OTRS 5.0.13-01, MariaDB, Apache, Fedora 22, LDAP for customers

"Ein Ticket am Morgen vertreibt Kummer und Sorgen."
root
Administrator
Posts: 3968
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by root »

52e says "Credentials wrong" and in this case the credentials of the Binduser
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
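As an added example, not code from the thread or from OTRS itself, the Python below does what Roy does by eye: it pulls the AD `data` code out of the syslog line JanG posted and maps it to the publicly documented meanings of the `AcceptSecurityContext` codes, so the failing side (service account or end user) can be read off and repeated failures counted for monitoring. The sample lines are constructed from the one in the first post; the rule that a "First bind failed!" message refers to the SearchUserDN/UserDN bind is an assumption about how the OTRS LDAP modules log, not something the thread states.

```python
"""Added example: decode the Active Directory bind-failure line that OTRS
writes to syslog. AD reports simple-bind failures as
'AcceptSecurityContext error, data <code>'; the codes are mapped below.
Not code from the thread or from OTRS; the sample log lines are constructed."""
import re
from collections import Counter

# Publicly documented AD "data" codes for a failed simple bind.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password; AD also returns this when the bind identity cannot be resolved)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# "[Error][Kernel::System::...::_Connect][Line:197]: message" as OTRS logs it.
_OTRS_LINE = re.compile(
    r"\[(?P<level>\w+)\]\[(?P<module>[\w:]+)\]\[Line:(?P<line>\d+)\]: (?P<msg>.*)$"
)
_AD_DATA = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+)")


def decode_bind_error(log_line):
    """Return a dict describing an OTRS LDAP bind failure, or None when the
    line is not an OTRS error line or carries no AD data code."""
    m = _OTRS_LINE.search(log_line)
    if not m or m.group("level") != "Error":
        return None
    d = _AD_DATA.search(m.group("msg"))
    if not d:
        return None
    code = d.group("code").lower()
    # Assumption: OTRS's LDAP modules log "First bind failed!" for the bind
    # made with SearchUserDN/UserDN, so that failure belongs to the service
    # account, not to the customer who is logging in.
    if m.group("msg").startswith("First bind failed"):
        affects = "bind account (SearchUserDN / UserDN)"
    else:
        affects = "end-user bind"
    return {
        "module": m.group("module"),
        "line": int(m.group("line")),
        "code": code,
        "meaning": AD_BIND_DATA_CODES.get(code, "unknown AD data code"),
        "affects": affects,
    }


def summarize(log_lines):
    """Count decoded failures per (module, code). A steady stream of 52e from
    _Connect is a misconfigured bind account; many 52e on end-user binds is
    worth alerting on as possible password guessing against the portal."""
    counts = Counter()
    for line in log_lines:
        r = decode_bind_error(line)
        if r:
            counts[(r["module"], r["code"])] += 1
    return counts


# Constructed sample lines, modelled on the one in the first post.
SAMPLE_LINES = [
    "Nov 17 12:22:31 hostname OTRS-CGI-06[1251]: [Error][Kernel::System::CustomerUser::LDAP::_Connect][Line:197]: "
    "First bind failed! 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580",
    "Nov 17 12:22:31 hostname OTRS-CGI-06[1251]: [Error][Kernel::System::CustomerUser::LDAP::CustomerSearch][Line:386]: "
    "Can't contact LDAP server",
    # Constructed end-user failure (line number and message wording are illustrative).
    "Nov 17 12:25:02 hostname OTRS-CGI-07[1260]: [Error][Kernel::System::CustomerAuth::LDAP::Auth][Line:300]: "
    "User: jdoe authentication failed: 80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 775, v2580",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_bind_error(line))
    print(summarize(SAMPLE_LINES))
```

Run it against a copy of /var/log/messages to see which bind is actually failing; in this thread every 52e came from `_Connect`, i.e. the service account's own credentials or DN, long before any customer login was attempted.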
JanG

Re: How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by JanG »

root wrote: 52e says "Credentials wrong" and in this case the credentials of the Binduser
Why do we need a Binduser?
And where is the place to configure it and which options are needed?

We are using Domain Controllers with Windows Server for the DNS, LDAP and so on.
The Fedora Server with OTRS is a member of the Windows domain.
Or is something in AD configuration wrong?
root

Re: How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by root »

- Domain membership has nothing to do with LDAP access.
- Ask Microsoft why they want a bind user for LDAP access.
- https://github.com/OTRS/otrs/blob/rel-5 ... ts.pm#L432
- https://github.com/OTRS/otrs/blob/rel-5 ... ts.pm#L524
- https://github.com/OTRS/otrs/blob/rel-5 ... s.pm#L1542
JanG

Re: How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by JanG »

The credentials of the users are correct, we have checked it at the Active Directory and in the Config.pm.
What could be the problem?
root

Re: How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by root »

Are you kidding me? You specified a container as a bind user:
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} ='ou:Users,cn=user,dc=company,dc=tld';
and
UserDN => 'ou=Users,cn=user,dc=company,dc=tld',
This must be:

- the DN or
- the sAMAccountName or
- the UPN
of the Binduser (an OU is not allowed here).
JanG

Re: How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by JanG »

This is our latest configuration:

User in Active Directory Structure:
Server -> company.tld -> otrs-ldap

LDAP Connection Company:

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs-ldap';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

Customer data:

UserDN => 'otrs-ldap',
UserPw => 'password',

Before this we changed the location of the user to a special OU and edited the configuration to

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ou=Users,cn=otrs-ldap,dc=company,dc=tld';

and

UserDN => 'ou=Users,cn=otrs-ldap,dc=company,dc=tld',

but it doesn't work either.
root

Re: How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by root »

The DN of an AD object is shown via extended view -> attributes. Anyway, 52e is still the error code for 'invalid credentials' and could also mean an unknown user.
coolmf
Znuny newbie
Posts: 37
Joined: 02 Nov 2015, 16:29
Znuny Version: 5.0.26

Re: How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by coolmf »

'ou=Users,cn=otrs-ldap,dc=company,dc=tld'
Please look at it again, it's wrong.

cn = Common Name (a thing like a computer or a person)
ou = Organizational Unit (look at it as a container or a group)
dc = Domain Component (also a container)

So you start with a dc, inside that you have another dc. Then you have ou's with cn's in them.
Like this:

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrs-ldap,ou=Users,dc=company,dc=tld';

Think of it this way: you take a person (cn) that lives in a house (ou) on a street (dc) in a city (dc);
you were trying to put the house inside a person :)
OTRS 5.0.26 with ITSM, and FAQ module on CentOS 7 with MariaDB and Apache
Using LDAPS for customers and agents against Azure AD
root

Re: How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by root »

coolmf wrote: Think of it this way: You take a person (cn) that lives in a house (ou) on a street (dc) in a city (dc)
you were trying to put the house inside a person :)
Awesome explanation!
JanG

Re: How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by JanG »

Now we have corrected the field of the SearchUserDN, the parameters are in the correct order.

But still the same error (AcceptSecurityContext error, data 52e) appears. The username and password are correct and the account is available in the Active Directory. We have tested it.
coolmf

Re: How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by coolmf »

Ok, next problem:

SSCOPE => 'base',

SearchScope should be either 'one' or 'sub'.
In your case it should be 'sub':

SSCOPE => 'sub',

EDIT:

Oh and you might want to change:

AlwaysFilter => '(&)',

to

AlwaysFilter => '(objectclass=user)',

(we only want users from AD)
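coolmf's two replies, the DN ordering ("person inside a house on a street") and the search scope and `AlwaysFilter` fix, describe the same thing from two sides: which entries a bind DN names and which entries a search can reach. The Python below is an added example, not code from the thread or from OTRS: a small DN parser that flags the two mistakes seen in this thread (`ou:Users` with no `=`, and an `ou` nested inside a `cn`), plus a toy in-memory directory that shows what `SSCOPE` of `base`, `one` and `sub` return from the domain root. It goes one step beyond the thread in that the toy directory includes a computer object, which in real AD also carries `objectClass=user`; the `objectCategory=person` refinement shown is a common hardening so machine accounts never become customer users. The directory entries are constructed.

```python
"""Added example (not code from the thread or from OTRS): parse LDAP DNs,
check the RDN order of a bind DN, and show how SSCOPE and AlwaysFilter
decide which entries a customer lookup can see. The directory below is a
constructed toy, not a real domain."""
import re

# A DN is written most-specific first: the object (cn/uid), then its
# containers (ou), then the domain components (dc). Higher rank = outer.
_RANK = {"cn": 0, "uid": 0, "ou": 1, "o": 2, "dc": 3}


def parse_dn(dn):
    """Split a DN into (type, value) pairs, leftmost first. Backslash-escaped
    commas are honoured; types and values are lower-cased because AD compares
    DN components case-insensitively."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().lower(), val.strip().replace("\\,", ",").lower()))
    return rdns


def check_bind_dn(dn):
    """Return the problems found in a DN meant to name a bind account
    (empty list = plausible). Catches both mistakes from this thread:
    'ou:Users' (no '=') and 'ou=Users,cn=otrs-ldap,...' (container inside
    the object). AD's default container is itself a cn (cn=Users,dc=...),
    so cn followed by cn is accepted."""
    try:
        types = [t for t, _ in parse_dn(dn)]
    except ValueError as e:
        return [str(e)]
    problems = []
    if types[0] not in ("cn", "uid"):
        problems.append(f"leftmost RDN is '{types[0]}'; expected the object itself (cn/uid)")
    for left, right in zip(types, types[1:]):
        if _RANK.get(left, 0) > _RANK.get(right, 0):
            problems.append(f"'{left}' sits inside '{right}': container nested in a leaf")
    if types[-1] != "dc":
        problems.append("an AD DN ends in the domain components (dc=...)")
    return problems


# Constructed toy directory. The computer object carries objectClass 'user'
# too, as in real AD, which is why '(objectclass=user)' alone matches it.
DIRECTORY = [
    {"dn": "dc=company,dc=tld", "objectClass": ["domainDNS"]},
    {"dn": "ou=Users,dc=company,dc=tld", "objectClass": ["organizationalUnit"]},
    {"dn": "cn=otrs-ldap,ou=Users,dc=company,dc=tld", "objectClass": ["user"], "objectCategory": "person"},
    {"dn": "cn=Jan G.,ou=Users,dc=company,dc=tld", "objectClass": ["user"], "objectCategory": "person"},
    {"dn": "cn=OTRSHOST,cn=Computers,dc=company,dc=tld", "objectClass": ["user", "computer"], "objectCategory": "computer"},
]


def _matches(entry, filt):
    """Simplified AND-only filter: every attribute=value pair must match,
    case-insensitively, a single- or multi-valued attribute."""
    for attr, want in filt.items():
        have = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        have = have if isinstance(have, list) else [have]
        if want.lower() not in (v.lower() for v in have):
            return False
    return True


def search(directory, base_dn, scope, filt):
    """Return the DNs in scope of base_dn that satisfy filt.
    base = the base entry only; one = its direct children; sub = everything
    under it, the base included."""
    base = parse_dn(base_dn)
    n = len(base)
    hits = []
    for entry in directory:
        rdns = parse_dn(entry["dn"])
        under = len(rdns) >= n and rdns[-n:] == base
        if scope == "base":
            in_scope = rdns == base
        elif scope == "one":
            in_scope = under and len(rdns) == n + 1
        elif scope == "sub":
            in_scope = under
        else:
            raise ValueError("scope must be 'base', 'one' or 'sub'")
        if in_scope and _matches(entry, filt):
            hits.append(entry["dn"])
    return hits


if __name__ == "__main__":
    print(check_bind_dn("ou=Users,cn=otrs-ldap,dc=company,dc=tld"))
    print(check_bind_dn("cn=otrs-ldap,ou=Users,dc=company,dc=tld"))
    for scope in ("base", "one", "sub"):
        print(scope, search(DIRECTORY, "DC=company,dc=tld", scope, {"objectClass": "user"}))
    print("people only", search(DIRECTORY, "DC=company,dc=tld", "sub",
                               {"objectClass": "user", "objectCategory": "person"}))
```

With `SSCOPE => 'base'` and the domain root as `BaseDN`, the only entry in scope is the domain object itself, which is why the original configuration could never return a user even after the bind was fixed; `sub` is the scope that reaches the accounts under the OUs.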
JanG

Re: How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by JanG »

Thanks a lot for your professional help! :)
Now the connection from our OTRS installation to the LDAP server works perfectly.

We have fixed and added the following:
- wrong structure of the username for the special OTRS user (username without the domain structure, like "otrs-ldap")
- wrong charset of the imported LDAP users and OTRS installation (UTF8 because of German umlauts)
- more parameters for the listing and searching fields (first name of LDAP users)

Now we are going to install OTRS on a production system to use it in everyday business.

Here you can see our latest configuration (Config.pm) with comments for you and maybe other people who want to connect both systems with each other:

################################################################################################################################
#                                                   LDAP Connection Company                                                    #
#------------------------------------------------------------------------------------------------------------------------------#

#
#   Connection to LDAP server with special user for OTRS
#
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = '1.1.1.1';            # 1.1.1.1 (servername)
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'DC=domain,DC=tld';  # Domain domain.tld
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';      # sAMAccountName (username)
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'otrs-ldap';  # special user for OTRS
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'password';
$Self->{'Customer::AuthModule::LDAP::Params1'} = {                   # configuration of LDAP server
    port    => 389,     # Port LDAP
    timeout => 120,     # Timeout in sec
    async   => 0,
    version => 3,
};

#
#   Request and connection with special user for OTRS
#

$Self->{'UserSyncLDAPMap1'} = {
    'UserEmail'     => 'mail',            # mail address
    'UserFirstname' => 'givenName',       # first name
    'UserLastname'  => 'sn',              # last name
    'UserLogin'     => 'sAMAccountName',  # sAMAccountName (username)
};

$Self->{'CustomerUser1'} = {
    Name   => 'LDAP users company',       # Name of connection
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host          => '1.1.1.1',            # 1.1.1.1 (servername)
        BaseDN        => 'DC=domain,DC=tld',   # Domain domain.tld
        SSCOPE        => 'sub',
        UserDN        => 'otrs-ldap',          # special user for OTRS
        UserPw        => 'password',
        SourceCharset => 'utf-8',              # Source charset UTF8
        DestCharset   => 'utf-8',              # Destination charset UTF8
        AlwaysFilter  => '(objectclass=user)',
    },
    CustomerKey => 'sAMAccountName',    # sAMAccountName (username)
    CustomerID  => 'mail',              # mail address to CustomerID
    CustomerUserListFields   => ['sAMAccountName', 'cn', 'mail', 'givenname', 'firstname'],  # Visible fields
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail', 'givenname', 'firstname'],  # Searching fields
    CustomerUserPostMasterSearchFields => ['mail'],                  # mail address
    CustomerUserNameFields   => ['givenname', 'firstname', 'sn'],    # name
    CustomerUserSearchListLimit => 9999,                             # visible users in list

    Map => [    # transmitted parameters
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],  # first name
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],  # last name
        [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],  # sAMAccountName (username)
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],  # mail address
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],  # CustomerID
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],  # telephone number
    ],
};

#
#   Default charset
#

$Self->{'DefaultCharset'} = 'utf-8';  # charset UTF8

#------------------------------------------------------------------------------------------------------------------------------#
#   LDAP connection company end
################################################################################################################################
JanG

Re: How to connect OTRS 5 with a Microsoft LDAP Server for User Authentication?

Post by JanG »

The connection with LDAP works (nearly) perfectly.
Now we can use the users from the Active Directory as customer users for the tickets.
The user parameters are transmitted correctly.

But now we have the following problem:
The mail address of a customer user isn't correct when we create a new ticket.
The system puts the first name of the customer user directly behind the correct mail address.
Because of this, it isn't possible to send a mail to the user.

It looks like this:

From:   Ticketsystem <otrs@domain.tld>
To:     <login@domain.tldFirstName>
Cc:     <login@domain.tld>

Do you know a solution for this little problem?