DB will not sync with AD

[HostVentura]

Hello all,

Since I am relatively new to OTRS, I hope you can forgive me for opening a topic for which the full internet is swarmed with already.
We are considering of replacing our current service management tool and one of the promising replacements would be OTRS.

The installation was relatively easy but whatever I try I am unable to sync the MySQL database with our AD. I have scoured the internet endlessly but to no avail.
OTRS is able to authenticate the user against the AD so I am fairly certain that the issues lies within the syncing part of the Config.pm. An ldap.search with the provided credentials also works flawlessly.

I was hoping that some of you would like to have an expert look at a part of the Config.pm coding and tell me what I have done wrong. As far as I can tell it is the same as working examples found on the internet.
It would be much appreciated.


Config.pm:

# ---------------------------------------- #
# LDAP authentication and synchronization #
# ---------------------------------------- #

# Connection to LDAP
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'DC1.hvmgnt.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=hvmgnt,dc=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in the OTRS group
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Agents,OU=OTRS,OU=Groups,OU=HostVentura,DC=hvmgnt,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS SEARCH,OU=Users,ou=HostVentura,dc=hvmgnt,dc=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '********';

# Net::LDAP new parameters
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
sscope => 'sub',
};

# Connection to LDAP
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'DC1.hvmgnt.local';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=hvmgnt,dc=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'UID';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';

# Bind credentials to log into AD
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS SEARCH,OU=Users,ou=HostVentura,dc=hvmgnt,dc=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '********';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# Net::LDAP new parameters
$Self->{'AuthSyncModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
sscope => 'sub',
};



Now I did finally notice that in our AD no 'UID' or 'MemberUid' have been created. So I thought I had the solution, however when I manually created these it still did not work.
As a test I have given on of the users as UID 'test' and the group that user is a member of as memberUid also 'test'.


Kind regards,
HostVentura

[jojo]

what is the log telling? what OTRS version?

[HostVentura]

Apologies, my brain was sluggish from working long nights.

We have OTRS version ITSM 3.1 Beta 3. The logs state the following

last entry var/log/https/error_log:
***********************************************************************************************************************************************************************************
[Tue Feb 7 12:41:10 2012] -e: Use of uninitialized value in concatenation (.) or string at /opt/otrs//Kernel/System/Log.pm line 161, <DATA> line 558.
ERROR: OTRS-CGI-10 Perl: 5.8.8 OS: linux Time: Tue Feb 7 12:41:10 2012

Message: No UserID found for 'otrs.test'!

Traceback (15832):
Module: Kernel::System::User::UserLookup (v1.116) Line: 746
Module: Kernel::System::Auth::Auth (v1.52) Line: 274
Module: Kernel::System::Web::InterfaceAgent::Run (v1.62) Line: 204
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
Module: (eval) (v1.90) Line: 204
Module: ModPerl::RegistryCooker::run (v1.90) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.90) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31
***********************************************************************************************************************************************************************************

The OTRS system log:
***********************************************************************************************************************************************************************************
Tue Feb 7 12:41:10 2012
notice
OTRS-CGI-10
Panic! No UserData for user: 'otrs.test'!!!

Tue Feb 7 12:41:10 2012
error
OTRS-CGI-10
No UserID found for 'otrs.test'!

Tue Feb 7 12:41:10 2012
error
OTRS-CGI-10
No UserID found for 'otrs.test'!

Tue Feb 7 12:41:10 2012
notice
OTRS-CGI-10
User: otrs.test (CN=otrs test,CN=Users,DC=hvmgnt,DC=local) authentication ok (REMOTE_ADDR: 10.10.5.100).
***********************************************************************************************************************************************************************************

Is there any more logs you would like to see? If so than please let me know which ones and where I can find them.

Some additional information after fiddling some more. I found the suggestion somewhere on this forum to try and import an admin using the commandline AddUser.pl, however it returns that the command is not found.
I am far from knowledgeable when it comes to Linux OS (in fact this is my first real encounter with Linux), am I doing something obviously wrong?
The AddUser.pl file is present at the location I executed the command from.

Executed commands:
cd opt/otrs/bin
AddUser.pl -f otrs -l test -p ******* -g admin -e otrs.test@hvmgnt.local otrs.test

Output:
-bash: AddUser.pl: command not found

Many thanks in advance.

[ferrosti]

At least

Code: Select all

-bash: AddUser.pl: command not found 

should be corrected to
otrs.AddUser.pl !

[jojo]

please show the OTRS log

[HostVentura]

Can you point me to the location of that log? I have been searching but was unable to find it.

[ferrosti]

The otrs log should be somewhere in
$OTRS_HOME/var/log/
and named as configured (e.g. otrs2012-2.log)

[HostVentura]

I am afraid that there is nothing there except a ticketcounter.log. Is it something that should be manually enabled?
The installation has not been done by myself.

[jojo]

Please fill your signature with OTRS Version, OS and installed modules


On Linux systems the log should be part of the system log

[mcollis]

Having recently had troubles such as this myself, i've pasted a copy of my config for you to see below.
Hopefully that will help you along the way.

Although the users dont get created in my DB they are simply pulled directly from AD and can be seen in the customer view:

Code: Select all

	$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';

    $Self->{LogModule}          = 'Kernel::System::Log::File';
    $Self->{LogModule::LogFile} = 'C:/OTRS/OTRS/var/log/otrs.log';
    # $DIBI$
    $Self->{'DefaultCharset'} = 'utf-8';
	

  $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'DOMAIN\user.name';
  $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Password';
  
#CustomerUser LDAP1
#(customer user database backend and settings)
    $Self->{CustomerUser1} = {
	  Name => 'Domain1',
      Module => 'Kernel::System::CustomerUser::LDAP',
	  Params => {
      Host => 'server.domain.com',
      BaseDN => 'DC=domain,DC=com',
      SSCOPE => 'sub',
      UserDN => 'DOMAIN\user.name',
      UserPw => 'Password',
	  AlwaysFilter => '(&(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=cn=itsupport_web,ou=Groups,dc=domain,dc=COM)))',
    },
	#AlwaysFilter => '(&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
# customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
      #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
      [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
      #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
      #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
  };

As you can see, i'm also using the Apache sspi auth for my customers (not agents).
I've configured the sspi auth to ignore the domain part of the username when parsing it to the customer login screens.
If you want a copy of my apache auth settings let me know.