LDAPS authentication

[Ballzer0]

how would you go about configuring a Backend that would authenticate against an AD over LDAPS, is it even possible? I have been looking for days for a solution to this problem. i find plenty of documentation on how to connect with LDAP but can only find LDAPS mentioned in a few posts.

I am pretty new to OTRS and im currently just testing if its a viable tool for my company.

[Ballzer0]

this is my config.pm

otrs doesnt crash or anything but if i try to load the customer administration panel, it only shows the default DatabaseBackend
when i check the system log all it says is: Can't connect to ldaps://activedirectory.host.com:

Code: Select all

$Self->{CustomerUser2} = {
    Name => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'ldaps://activedirectory.host.com',
        # ldap base dn
        BaseDN => 'base..dn..goes..here',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'user..dn..goes..here',
        UserPw => 'password',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '',
            # if the charset of your ldap server is iso-8859-1, use this:
#            SourceCharset => 'iso-8859-1',

            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
		verify => 'require',
                port => 636,
                timeout => 30,
                async => 0,
                version => 3,
		cafile => '/usr/local/cacerts/certificate.pem',
            },
    },
    # customer unique id
    CustomerKey => 'uid',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['uid', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
#    CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
#    # cache time to live in sec. - cache any database queries
#    CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly, http-link-target, link class(es)
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
#        [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};

[root]

Hi,

Did you tried to connect to the ldap server by using telnet/openssl s_client to the server?

- Roy

[Ballzer0]

i have tried connecting to the server with apache directory studio with all the same credentials and it works with no flaw.

[root]

Hi,

Please replace the last to in my post with an from.

TLDR; Did you checked if the LDAP server is reachable from the OTRS server?

- Roy

[Ballzer0]

HI there, thanks for the help, it seems to be that i was blocked by a firewall and i can finally establish a connection.

Now im getting 2 errors when i try to connect.

First bind failed! I/O Error Connection reset by peer
Search failed! Can't contact LDAP server

[root]

Hi,

"First bind failed" is always a hint that the UserDN/UserPw combination is wrong. If it's an Active Directory I always recommend using the userPrincipalName of the bind user instead of the DN.

- Roy

[Ballzer0]

should it work to fill in the user principal name directly in the userDN line or should i create a separate line for it?