Unable to log in as Customer AD/LDAP user

[chetannagaonkar]

Hello All,

I am sorry to start the thread on Active Directory again. I have searched all the threads on AD/LDAP and then initiating one again. I am able to integrate AD/LDAP with OTRS for customers and can search them in Admin module too. However, I am unable to log in customer.pl as AD user and password. It does not throw any OTRS error except that it says that login or password is invalid. It shows the login error in red as "Login failed! Your user name or password was entered incorrectly."

Has anybody faced and resolved it? Your help would be really appreciated.

Thanks.
Best Regards
Chetan

[ferrosti]

It would help to see what your log file says.
Do you use the correct search options like

Code: Select all

    $Self->{'Customer::AuthModule::LDAP::UID'} = 'samaccountname';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';

[chetannagaonkar]

Thanks for the reply, ferrosti. Admin log does not show any error. I have tried different settings, but somehow am unable to log in as ldap customer. We'll be going live shortly. Really really appreciate any help to resolve this pls. Below is my config.pm file -

# CustomerUser
# (customer user ldap backend and settings)

$Self->{'Customer::AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'abcd.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=abcd,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'uid=abcd,ou=users,o=ldap-services,dc=abcd,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxx';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(&(objectclass=user)(mail=*))';


#this code is added on Jan 25 to sync and allow customers to log in properly
# Sync
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'abcd.com';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=abcd,DC=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=abcd,ou=users,o=ldap-services,dc=abcd,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
Username => 'sAMAccountName',
};


$Self->{'AuthModule::LDAP::Die'} = 0;
# ---------------------------------------------------- #
# UserSyncLDAPMap
# ---------------------------------------------------- #
# (map if agent should create/synced from LDAP to DB after login)
$Self->{UserSyncLDAPMap} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

$Self->{UserSyncLDAPGroups} = ['user',];


# $Self->{UserSyncLDAPMap} = {
# DB -> LDAP
# UserFirstname => 'givenName',
# UserLastname => 'sn',
# UserEmail => 'mail',
# };
$Self->{CustomerUser} = {
Name => 'LDAP Backend',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
# # ldap host
Host => 'abcd.com',
# # ldap base dn
BaseDN => 'dc=abcd,dc=com',
# # search scope (one|sub)
SSCOPE => 'sub',
# # The following is valid but would only be necessary if the
# # anonymous user does NOT have permission to read from the LDAP tree
UserDN => 'abcd',
UserPw => 'xxxx',
# # in case you want to add always one filter to each ldap query, use
# # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# AlwaysFilter => '',
AlwaysFilter => '(&(objectclass=user)(mail=*))';


# # if both your frontend and your LDAP are unicode, use this:
SourceCharset => 'utf-8',
DestCharset => 'utf-8',
# # if your frontend is e. g. iso-8859-1 and the charset of your
# # ldap server is utf-8, use these options.
# SourceCharset => 'utf-8',
# DestCharset => 'iso-8859-1',

# # die if backend can't work, e. g. can't connect to server
Die => 0,
# # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
Params => {
port => 389,
timeout => 120,
async => 180,
version => 3,
},
},
# # customer uniq id
CustomerKey => 'sAMAccountName',
# # customer #
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
# # show now own tickets in customer panel, CompanyTickets
CustomerUserExcludePrimaryCustomerID => 0,
# # add a ldap filter for valid users (expert setting)
# # CustomerUserValidFilter => '(!(description=gesperrt))',
# # admin can't change customer preferences
AdminSetPreferences => 0,
# # cache time to live in sec. - cache any ldap queries
CacheTTL => 0,
Map => [
# # note: Login, Email and CustomerID needed!
# # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
[ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
# [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};

[crythias]

http://doc.otrs.org/3.0/en/html/auth-backends.html
The following is for authentication. You should be receiving System Log messages why your customers aren't authenticating. but logging in Windows is different from Logging in linux, which is why you (might) not see error messages.

# This is an example configuration for an LDAP auth. backend.
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap.example.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = '';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

[chetannagaonkar]

Thanks, Crythias. But it still doesn't help:-)
What I think I am unclear is we use many parameters while configuring it with AD/ldap. I don't know what does OTRS use to login as AD user. Is it user id, customerkey, customerid, username, USER DN? Then perhaps it may be clear if it is using passwords correctly to log in the first place.

Best Regards
Chetan

[ferrosti]

Seems like you did some C&P and forgot to change it to your needs.

Code: Select all

$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';

is missing.

Watch the first block of your config that you have posted! Customer and Agent Auth are different modules!
Another advice would be to try it without filter first.

[chetannagaonkar]

That's a good catch, ferrosti. Lemme try and see if that works.

Best Regards
Chetan

[chetannagaonkar]

Hello ferrosti,

I made the necessary change and then tested it. I was not able to log in though. I noticed the below error in admin sys log. Not sure when is that caused. Any idea?

First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

[ferrosti]

http://www.lmgtfy.com/?q=%22AcceptSecur ... 2C+vece%22

[chetannagaonkar]

Thanks for the reply, ferrosti. At least after going thru the link, I was able to identify that the issue is with username, DN. I'll try out different combinations and that should work. Thanks again.

Best Regards
Chetan

[srivatsatatti]

I am getting the error as OTRS-CGI-10 Sizelimit exceeded .
and nothing is getting populated when i click on Customers in the admin area.

Below is my Config.pm



# CustomerUser
# (customer user ldap backend and settings)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'somedomain.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=somedomain,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=abcd,ou=users,dc=somedomain,dc=com';
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=abcd,dc=somedomain';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxxx';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 3268,
timeout => 120,
async => 0,
version => 3,
};
$Self->{CustomerUser} = {
Name => 'LDAP Datasource',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'somedomain.com',
BaseDN => 'dc=somedomain,dc=com',
SSCOPE => 'sub',
UserDN => 'cn=abcd,dc=somedomain',
UserPW => 'xxxxxx',
Params => {
port => 3268,
timeout => 120,
async => 0,
version => 3,
},
},
CustomerKey => 'uid',
CustomerID => 'mail',
CustomerUserListFields => ['sn', 'cn', 'mail'],
CustomerUserSearchFields => ['uid', 'cn', 'sn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
CustomerUserExcludePrimaryCustomerID => 0,
AdminSetPreferences => 0,
Map => [
[ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'cn', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'uid', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};

[srivatsatatti]

I could fix it, the problem was in 'uid'
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
Changed to
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
and in all occurrence of 'uid'

But now i am unable to login through customer portal
i get this error in adminlog
First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
but if search that customer, that customer exists

Any help would be much appreciated.

Thanks
Srivatsa

[ferrosti]

This error has already been discussed here. A search could help.

First bind is about the search user not being able to login.
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=abcd,dc=somedomain';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxxx';