[SOLVED] LDAP Agent Sync

Moderator: crythias

marcosaurelio
Znuny expert
Posts: 185
Joined: 08 May 2014, 16:05
Znuny Version: 6.0.10
Real Name: Marcos Aurelio Silverio
Company: Infracerta
Location: Brazil

[SOLVED] LDAP Agent Sync

Post by marcosaurelio »

Hi everybody,

I'm trying to sync LDAP agents (Active Directory on Windows 2012) with OTRS, but with no success. My Config.pm file:

    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'ldap.example.com';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=users,dc=ldap,dc=example,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'mail';

    # Check if the user is allowed to auth in a posixGroup
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs_agents,ou=OTRS,ou=Groups,dc=ldap,dc=example,dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';

    # The following is valid but would only be necessary if the
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'otrsbinduser';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'otrsbindpass';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(&(objectClass=user)( !(userAccountControl:1.2.840.113556.1.4.803:=2)))';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # --------------------------------------------------- #
    # (enable agent data sync. after successful           #
    # authentication)                                     #
    # --------------------------------------------------- #
    # This is an example configuration for an LDAP auth sync. backend.
    $Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap.example.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'ou=users,dc=ldap,dc=example,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'mail';

    # The following is valid but would only be necessary if the
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'otrbinduser';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'otrsbindpass';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';

    # AuthSyncModule::LDAP::UserSyncMap
    # (map if agent should create/synced from LDAP to DB after successful login)
    # you may specify LDAP-Fields as either
    #  * list, which will check each field. first existing will be picked ( ["givenName","cn","_empty"] )
    #  * name of an LDAP-Field (may return empty strings) ("givenName")
    #  * fixed strings, prefixed with an underscore: "_test", which will always return this fixed string
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthSyncModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
And here is the error message:

No UserID found for 'user@example.com'!
User: user@example.com authentication failed, no LDAP entry found!BaseDN='ou=users,dc=ldap,dc=com', Filter='(mail=user@example.com)
Am I missing something? If I manually register an agent in OTRS, I can log in successfully (if he exists in AD).

I appreciate your help.
Last edited by marcosaurelio on 14 Jan 2016, 21:45, edited 1 time in total.
OTRS 6.0.10 Centos 7 Mysql 5.6
Videos de OTRS no Youtube: https://www.youtube.com/channel/UCscGon ... 7hADe3AalA
http://infracerta.com.br
EXG133
Znuny expert
Posts: 217
Joined: 06 Aug 2012, 18:12
Znuny Version: 3.1.7 & 4.04

Re: LDAP Agent Sync

Post by EXG133 »

I suppose you changed the settings to match your LDAP server instead of using the default values? Your error message literally says the user cannot be found.
coolmf
Znuny newbie
Posts: 37
Joined: 02 Nov 2015, 16:29
Znuny Version: 5.0.26

Re: LDAP Agent Sync

Post by coolmf »

Some problems in your config.


Here is my working config for Novell eDirectory; a few changes (look at the comments in my config) and you should have it working.

    # This is a configuration modified for Novell eDirectory
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'ldaps://192.168.1.2'; # we use secure LDAP, so ldaps: instead of ldap:
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'UID'; # I'm guessing that Microsoft AD uses 'sAMAccountName'

    # Check if the user is allowed to auth in a posixGroup
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Agents,cn=Users,dc=example,dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS,CN=users,DC=example,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'OTRS_ldap_PW';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = ''; # No filter until you get it to work

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 636, # Secure LDAP uses 636, normal LDAP uses 389
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldaps://192.168.1.2'; # we use secure LDAP, so ldaps: instead of ldap:
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=example,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'UID'; # I'm guessing that Microsoft AD uses 'sAMAccountName'
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS,CN=users,DC=example,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'OTRS_ldap_PW';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
OTRS 5.0.26 with ITSM, and FAQ module on CentOS 7 with MariaDB and Apache
Using LDAPS for customers and agents against Azure AD
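As an added example, not code from this thread or from OTRS/Znuny, the following Python replays the two lookups both configs above drive, the user search under BaseDN (the filter shape shown in the error message) and then the GroupDN/AccessAttr/UserAttr membership check, against a constructed AD-shaped directory; the entry names, DNs and the login are assumptions, and AlwaysFilter is not modelled.

```python
"""Added example (not OTRS/Znuny code): replays the two lookups the OTRS LDAP
auth module makes for a login, a user search under BaseDN and then a membership
search under GroupDN, against a constructed AD-shaped directory. No AlwaysFilter."""

# Constructed entries shaped like an AD user and an AD security group.
DIRECTORY = {
    'cn=jdoe,cn=Users,dc=example,dc=com': {
        'objectClass': ['user'], 'sAMAccountName': ['jdoe'], 'mail': ['jdoe@example.com']},
    'cn=OTRS-Agents,cn=Users,dc=example,dc=com': {
        'objectClass': ['group'],
        'member': ['cn=jdoe,cn=Users,dc=example,dc=com']},  # DNs, no memberUid attr
}

def escape_filter_value(value):
    """RFC 4515 escaping (what Net::LDAP::Util::escape_filter_value does), so a
    login such as 'a)(mail=*' cannot change the meaning of the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()' or ord(c) < 0x20 else c
                   for c in value)

def search(base, attr, value):
    """Equality search for entries at or below `base` whose `attr` holds `value`;
    attribute names and DNs compare case-insensitively, as in LDAP."""
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith(base.lower()):
            continue
        vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        if any(v.lower() == value.lower() for v in vals):
            hits.append(dn)
    return hits

def authorize(cfg, login):
    """Returns (user_dn, allowed, filters_sent) in the auth module's order."""
    filters = [f"({cfg['UID']}={escape_filter_value(login)})"]
    users = search(cfg['BaseDN'], cfg['UID'], login)
    if not users:
        return None, False, filters   # logged as "no LDAP entry found"
    user_dn = users[0]
    if not cfg.get('GroupDN'):
        return user_dn, True, filters
    value = user_dn if cfg.get('UserAttr') == 'DN' else login   # UserAttr 'DN'
    filters.append(f"({cfg['AccessAttr']}={escape_filter_value(value)})")
    return user_dn, bool(search(cfg['GroupDN'], cfg['AccessAttr'], value)), filters

# posixGroup-style check (memberUid) against an AD group finds no member.
POSIX_STYLE = {'UID': 'sAMAccountName', 'BaseDN': 'dc=example,dc=com',
               'GroupDN': 'cn=OTRS-Agents,cn=Users,dc=example,dc=com',
               'AccessAttr': 'memberUid'}
# AD-style check as in the working config above: member attribute, compared by DN.
AD_STYLE = dict(POSIX_STYLE, AccessAttr='member', UserAttr='DN')
```

Calling authorize() with the memberUid config returns no member for the constructed AD group, while member plus UserAttr 'DN' succeeds, which is the difference the comments in the working config point at; a wrong BaseDN fails at the first step exactly as the log line above does.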

Re: LDAP Agent Sync

Post by marcosaurelio »

EXG133 wrote: I suppose you changed the settings to match your LDAP server instead of using the default values? Your error message literally says the user cannot be found.
I'm not using default values; I just changed them so as not to show my company details. The configuration structure is the same, but it is not working for me. In fact the user doesn't exist in the OTRS database, only in AD, but the idea is to sync data between AD and OTRS.
coolmf wrote: Some problems in your config.

Here is my working config for Novell eDirectory; a few changes (look at the comments in my config) and you should have it working.
I will try your config, thanks for the help.

Re: LDAP Agent Sync

Post by marcosaurelio »

Now it's working, thanks.