[otrs] OTRS 6 LDAP Auth


Nick Bright

Aug 20, 2019, 6:31:16 PM
to ot...@lists.otrs.org
Greetings,

I'm setting up an OTRS 6 installation on CentOS 7, with the latest
version of OTRS (installed today). OS is fully updated.

Following the documentation at
https://doc.otrs.com/doc/manual/admin/6.0/en/html/external-backends.html#agent-auth-backend-ldap
I was able to configure OTRS to authenticate and successfully log in on
the primary domain that I want to use (Windows AD back ends).

I added a second domain by adding "1" to the end of the AuthModule and
AuthSyncModule clauses, but I'm getting an error when trying to log in
with a user on that domain stating "Authentication succeeded, but no
user data record is found in the database." In /var/log/messages the
error is OTRS-CGI-99[14435]:
[Error][Kernel::System::User::UserLookup][Line:969]: No UserID found for
'username'!

I suspect (hope) there's just some silly configuration error I'm not seeing.

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = '10.0.0.2';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'DC=DOMAIN01,DC=local';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'ot...@DOMAIN01.local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'PASSWORD';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
    $Self->{'AuthModule::Radius::Die'} = 1;
    $Self->{'AuthModule::LDAP::Params'} = {port => 389, timeout => 120, async => 0, version => 3,};
    $Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://10.0.0.2/';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=DOMAIN01,DC=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'otrs...@DOMAIN01.local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'PASSWORD';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail',};
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = ['users',];
    # ---- SECONDARY SERVER
    $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = '192.168.0.2';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=DOMAIN02,DC=local';
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'ot...@DOMAIN02.local';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'PASSWORD';
    $Self->{'AuthModule::LDAP::AlwaysFilter1'} = '';
    $Self->{'AuthModule::LDAP::Params1'} = {port => 389, timeout => 120, async => 0, version => 3,};
    $Self->{'AuthModule::UseSyncBackend1'} = 'AuthSyncBackend';
    $Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'ldap://192.168.0.2/';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'DC=DOMAIN02,DC=local';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'otrs...@DOMAIN02.local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'PASSWORD';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail',};
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = ['users',];

--
-----------------------------------------------
- Nick Bright -
- Vice President of Technology -
- Valnet -=- We Connect You -=- -
- Tel 888-332-1616 x 315 / Fax 620-331-0789 -
- Web http://www.valnet.net/ -
-----------------------------------------------
- Are your files safe? -
- Valnet Vault - Secure Cloud Backup -
- More information & 30 day free trial at -
- http://www.valnet.net/services/valnet-vault -
-----------------------------------------------

---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/mailman/listinfo/otrs

Alvaro Cordero

Aug 20, 2019, 7:02:05 PM
to User questions and discussions about OTRS.
Hello Nick, for each backend you configure, you also need to configure the mapping section for the agents to be created in the OTRS database.

It seems you did not create the mapping part.

Regards
--
Alvaro Cordero Retana
Consultor de Tecnologias
Tel: 22585757 ext 123

Gustavo Antonio Lutz de Matos

Aug 20, 2019, 9:21:38 PM
to User questions and discussions about OTRS.
Hey Nick,

Did the user from the second domain get registered in the OTRS database?
Check it under Administration > Agent.
If so, is your second domain registered with capital letters?

Juan Manuel Clavero Almirón

Aug 21, 2019, 2:34:21 AM
to User questions and discussions about OTRS.
Morning!
I think the issue is with the 1 you added. It has to go right after AuthModule, not after the ::.
Let me explain: the LDAP module expects some parameters: Host, BaseDN, etc. These names cannot change. What can change is the identifier of the auth module you're configuring. I think it should be something like:

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.0.0.2';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=DOMAIN01,DC=local';
[...]

$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule1::LDAP::Host'} = '192.168.0.2';
$Self->{'AuthModule1::LDAP::BaseDN'} = 'DC=DOMAIN02,DC=local';
[...]


Best,
Juanma

Gustavo Antonio Lutz de Matos

Aug 21, 2019, 9:02:46 AM
to User questions and discussions about OTRS.
Hello everyone!

Sorry Juan, but it's not that. I use this feature and Nick's configuration is OK.
What happened was that the user's authentication passed, but the user was not found in the OTRS database.
Somehow the user was not imported, or it cannot be validated due to some failure.

Nick Bright

Aug 21, 2019, 3:38:45 PM
to ot...@lists.otrs.org
No, the users were not registered.

Both the primary and secondary domain have mixed case in the configuration.

Nick Bright

Aug 21, 2019, 3:40:05 PM
to ot...@lists.otrs.org
It seems to not be importing the user. I have seen this happen if "mail" is blank in the LDAP (AD). However, I've verified that 'mail' is present. I use this secondary domain with another OTRS instance as the primary domain, and it does work correctly there.

Nick Bright

Aug 21, 2019, 3:43:43 PM
to ot...@lists.otrs.org
I was able to resolve the issue by changing
$Self->{'AuthModule::UseSyncBackend1'} = 'AuthSyncBackend';
to
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend1';
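A small consistency checker for this kind of multi-backend setup, added here as an example and not code from the thread or from OTRS itself: it parses the single-quoted settings of a Config.pm fragment and reports any LDAP auth backend whose UseSyncBackend target is missing or names a sync module configured for a different host/BaseDN. That is the shape of the original config above (UseSyncBackend1 = 'AuthSyncBackend' hands DOMAIN02 logins to the DOMAIN01 sync module), which matches the symptom of authentication succeeding with no agent record created. The suffix scheme ('' then 1 to 10) and the constructed sample config are assumptions modelled on the thread.

```python
import re

# Constructed sample modelled on the thread's two-backend layout: backend '1'
# (DOMAIN02) points UseSyncBackend1 at the primary sync module ('AuthSyncBackend').
SAMPLE_CONFIG = r"""
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.0.0.2';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=DOMAIN01,DC=local';
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://10.0.0.2/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=DOMAIN01,DC=local';
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = '192.168.0.2';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=DOMAIN02,DC=local';
$Self->{'AuthModule::UseSyncBackend1'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'ldap://192.168.0.2/';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'DC=DOMAIN02,DC=local';
"""

KEY_RE = re.compile(r"^\s*\$Self->\{'([^']+)'\}\s*=\s*'([^']*)'\s*;")  # $Self->{'Key'} = 'Value';

def parse_config(text):
    """Return {key: value} for every single-quoted string setting in the fragment."""
    return {m.group(1): m.group(2) for m in map(KEY_RE.match, text.splitlines()) if m}

def host_only(value):
    """Normalise '10.0.0.2' and 'ldap://10.0.0.2/' to the same host string."""
    return re.sub(r"^ldaps?://", "", value).strip("/")

def check_sync_backends(cfg):
    """Return (suffix, problem) for each LDAP auth backend whose sync target looks wrong."""
    problems = []
    for n in [""] + [str(i) for i in range(1, 11)]:  # assumed suffix scheme: '', 1 .. 10
        if cfg.get("AuthModule" + n) != "Kernel::System::Auth::LDAP":
            continue
        target = cfg.get("AuthModule::UseSyncBackend" + n, "")
        m = re.fullmatch(r"AuthSyncBackend(\d*)", target)
        if not m or ("AuthSyncModule" + m.group(1)) not in cfg:
            problems.append((n, f"UseSyncBackend{n} = '{target}' does not name a configured AuthSyncModule"))
            continue
        s = m.group(1)  # suffix of the sync backend this auth backend will use
        same_host = (host_only(cfg.get("AuthModule::LDAP::Host" + n, ""))
                     == host_only(cfg.get("AuthSyncModule::LDAP::Host" + s, "")))
        same_base = cfg.get("AuthModule::LDAP::BaseDN" + n) == cfg.get("AuthSyncModule::LDAP::BaseDN" + s)
        if not (same_host and same_base):
            problems.append((n, f"auth backend '{n}' syncs via sync backend '{s}', a different host/BaseDN: "
                                "the agent record would be looked up in the wrong directory"))
    return problems
```

Run it over your own Config.pm fragment with `check_sync_backends(parse_config(open("Config.pm").read()))`; an empty list means every LDAP auth backend syncs against the directory it authenticated from.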