OTRS LDAP 'First bind failed' issue

Moderator: crythias

Post Reply
terrychen
OTRS newbie
Posts: 9
Joined: 07 Jan 2013, 10:49
OTRS Version?: 3.1.11
Real Name: Terry
Company: CITIC

OTRS LDAP 'First bind failed' issue

Post by terrychen »

Dear all:
need help!!! when config otrs(3.1.11) Ldap,always output this error, i don't know how to solve:

--- error start ----
First bind failed! 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

--- error end ----



---- LDAP setup ---

## Customer config

# Basic LDAP info


$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';

$Self->{'Customer::AuthModule::LDAP::Host'} = '192.xx.xxx.xxx';

$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=office,DC=xxx,DC=com';

$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'terrychen@xxx.com';

$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxx';


# config

$Self->{CustomerUser} = {

Name => 'terrychen',

Module => 'Kernel::System::CustomerUser::LDAP',

Params => {

Host => '192.xxx.xxx.xxx',

BaseDN => 'DC=office,DC=xxx,DC=com',

SSCOPE => 'sub',

UserDN => 'terrychen@xxx.com',

UserPW => 'xxxxx',

AlwaysFilter => '',

Params => {

port => 389,

timeout => 120,

async => 0,

version => 3,

},

},



CustomerKey => 'sAMAccountName',

CustomerID => 'mail',

#CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],

CustomerUserListFields => ['cn', 'mail'],

CustomerUserSearchFields => [ 'sAMAccountName', 'cn', 'mail'],

#CustomerUserSearchPrefix => '',

#CustomerUserSearchSuffix => '*',

CustomerUserSearchListLimit => 250,

CustomerUserPostMasterSearchFields => ['mail'],

CustomerUserNameFields => ['givenname', 'sn'],

CustomerUserExcludePrimaryCustomerID => 0,

AdminSetPreferences => 0,

Map => [

[ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],

[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],

[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],

[ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],

[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],

[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],

[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],

[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],

],

};

jojo
Moderator
Posts: 14677
Joined: 26 Jan 2007, 14:50
OTRS Version?: Git Master
Contact:

Re: OTRS LDAP 'First bind failed' issue

Post by jojo »

wrong username/password
"Production": OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com :: Share your ideas

terrychen
OTRS newbie
Posts: 9
Joined: 07 Jan 2013, 10:49
OTRS Version?: 3.1.11
Real Name: Terry
Company: CITIC

Re: OTRS LDAP 'First bind failed' issue

Post by terrychen »

jojo wrote:wrong username/password


Hi Jojo,
it is impossiable, cause i use this username/password login everyday!!

i also try to test :'terrychen' not ''terrychen@xxx.com', also failed.

please help.

Regards
Terry

jojo
Moderator
Posts: 14677
Joined: 26 Jan 2007, 14:50
OTRS Version?: Git Master
Contact:

Re: OTRS LDAP 'First bind failed' issue

Post by jojo »

The error is produced by your AD server. You supplied wrong username and password.

Try the username as: Domain/username instead of username@domain
"Production": OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com :: Share your ideas

terrychen
OTRS newbie
Posts: 9
Joined: 07 Jan 2013, 10:49
OTRS Version?: 3.1.11
Real Name: Terry
Company: CITIC

Re: OTRS LDAP 'First bind failed' issue

Post by terrychen »

Hi Jojo,
i have been tried, no use, still the same error.

domain/terrychen
terrrychen@domain.com


Regards
Terry

ferrosti
OTRS ninja
Posts: 723
Joined: 10 Oct 2007, 14:30
OTRS Version?: 3.0
Location: Hamburg, Germany

Re: OTRS LDAP 'First bind failed' issue

Post by ferrosti »

Your SearchUserDN needs to be specified as a DN, not as userPrincipalName!

Code: Select all

$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=terrychen,OU=Objectgroup,DC=yoursubdomain,DC=yourdomain,DC=net';
That should be all you need to change.
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems

terrychen
OTRS newbie
Posts: 9
Joined: 07 Jan 2013, 10:49
OTRS Version?: 3.1.11
Real Name: Terry
Company: CITIC

Re: OTRS LDAP 'First bind failed' issue

Post by terrychen »

ferrosti wrote:Your SearchUserDN needs to be specified as a DN, not as userPrincipalName!

Code: Select all

$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=terrychen,OU=Objectgroup,DC=yoursubdomain,DC=yourdomain,DC=net';
That should be all you need to change.

Hi ferrosti & Jojo,
your are right, after config, the error change to another,

"Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."


Regards
Terry

ferrosti
OTRS ninja
Posts: 723
Joined: 10 Oct 2007, 14:30
OTRS Version?: 3.0
Location: Hamburg, Germany

Re: OTRS LDAP 'First bind failed' issue

Post by ferrosti »

Did you also change

Code: Select all

UserDN => 'terrychen@xxx.com',
to a valid DN?

You should uncomment your search pre- and suffix!

Code: Select all

Name => 'terrychen',
Is not meant to show a username. This value stores the name of the connection that will be shown in the drop down box in OTRS when selecting the customer backend. I´d rather name it 'Local LDAP' or something.

Code: Select all

AlwaysFilter => ''
Should at least be set to

Code: Select all

AlwaysFilter => '(objectclass=user)'
On larger ADs one might DoS a DC, not limiting a search.
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems

terrychen
OTRS newbie
Posts: 9
Joined: 07 Jan 2013, 10:49
OTRS Version?: 3.1.11
Real Name: Terry
Company: CITIC

Re: OTRS LDAP 'First bind failed' issue

Post by terrychen »

Hi all,

after follow your solution, there is new error for this issue:

--- start error ---
CustomerUser: terrychen (CN=Terry Chen,OU=MIS,DC=office,DC=xxx,DC=com) authentication ok (REMOTE_ADDR: 192.xxx.xx.xx).
00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
No such user 'terrychen'!
--- end error ---


here is my latest setup:

# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'localhost';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/otrs.CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = 'hot';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
# if you have PostgresSQL 8.1 or earlier, activate the legacy driver with this line:
# $Self->{DatabasePostgresqlBefore82} = 1;


## Customer config
# Basic LDAP info

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '192.xxx.xxx.xxx';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=office,DC=xxx,DC=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=Terry Chen,OU=MIS,DC=office,DC=xxx,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Tt@321';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
# config
$Self->{CustomerUser} = {
Name => 'LDAP Data Source',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => '192.xxx.xxx.xxx',
BaseDN => 'DC=office,DC=xxx,DC=com',
SSCOPE => 'sub',
UserDN => 'CN=Terry Chen,OU=MIS,DC=office,DC=xxx,DC=com',
UserPW => 'Tt@321',
AlwaysFilter => '',
Params => {
port => 389,
timeout => 120,
async => 0,
version => 3,
},
},

CustomerKey => 'sAMAccountName',
CustomerID => 'mail',
CustomerUserListFields => ['cn', 'mail'],
CustomerUserSearchFields => [ 'sAMAccountName', 'cn', 'mail'],
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
CustomerUserExcludePrimaryCustomerID => 0,
AdminSetPreferences => 0,
Map => [
[ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '192.xxx.xxx.xxx';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=office,DC=xxx,DC=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=Terry Chen,OU=MIS,DC=office,DC=xxx,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'Tt@321';

ferrosti
OTRS ninja
Posts: 723
Joined: 10 Oct 2007, 14:30
OTRS Version?: 3.0
Location: Hamburg, Germany

Re: OTRS LDAP 'First bind failed' issue

Post by ferrosti »

Please always place your code into 'Code' brackets.

I need to have a look at the full lines of the error code. (Private data replaced)
Reason is, I cannot see which modules give this error.

Once again: you should define a filter for your LDAP search. Take some LDAP query tools (such as 'luma') and find out, whether it works the way you enter it to OTRS config or not. You´ll most likely find out that your search parms are not configured properly.
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems

crythias
Moderator
Posts: 10112
Joined: 04 May 2010, 18:38
OTRS Version?: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: OTRS LDAP 'First bind failed' issue

Post by crythias »

OTRS 5.0.x (private/testing/public) on Linux with MySQL database. Also on github.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

terrychen
OTRS newbie
Posts: 9
Joined: 07 Jan 2013, 10:49
OTRS Version?: 3.1.11
Real Name: Terry
Company: CITIC

Re: OTRS LDAP 'First bind failed' issue

Post by terrychen »

Hi all,
thanks for your reply, here is the error message:

Code: Select all

CustomerUser: terrychen (CN=Terry Chen,OU=MIS,DC=office,DC=xxx,DC=com) authentication ok (REMOTE_ADDR: 192.xxx.xx.xx).
00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
No such user 'terrychen'!
and my config is like below:

Code: Select all

# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'localhost';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/otrs.CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = 'hot';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
# if you have PostgresSQL 8.1 or earlier, activate the legacy driver with this line:
# $Self->{DatabasePostgresqlBefore82} = 1;


## Customer config
# Basic LDAP info

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '192.xxx.xxx.xxx';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=office,DC=xxx,DC=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=Terry Chen,OU=MIS,DC=office,DC=xxx,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Tt@321';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
# config
$Self->{CustomerUser} = {
Name => 'LDAP Data Source',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => '192.xxx.xxx.xxx',
BaseDN => 'DC=office,DC=xxx,DC=com',
SSCOPE => 'sub',
UserDN => 'CN=Terry Chen,OU=MIS,DC=office,DC=xxx,DC=com',
UserPW => 'Tt@321',
AlwaysFilter => '',
Params => {
port => 389,
timeout => 120,
async => 0,
version => 3,
},
},

CustomerKey => 'sAMAccountName',
CustomerID => 'mail',
CustomerUserListFields => ['cn', 'mail'],
CustomerUserSearchFields => [ 'sAMAccountName', 'cn', 'mail'],
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
CustomerUserExcludePrimaryCustomerID => 0,
AdminSetPreferences => 0,
Map => [
[ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '192.xxx.xxx.xxx';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=office,DC=xxx,DC=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=Terry Chen,OU=MIS,DC=office,DC=xxx,DC=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'Tt@321';

Post Reply