Jeff Davis
Thu, 12 Jun 2008 10:46:41 -0700
Hi Jeff,

If you do an ldapsearch, does the attribute givenName exist?

C.

Yes. (BTW thanks for responding - I appreciate your willingness to give me a hand on this - I'm about at the end of my rope in identifying my configuration error).
If you have additional ideas for testing/debugging this I would very much like to hear them...
Fields asked for in Config.pm are present using AuthModule::LDAP::SearchUserDN account, so I don't think ACLs are the issue. Even tried with root dn account to be sure. If I had to guess I'd say it's unable to pull something from LDAP. Just don't know why as ldapsearch has no issues with it.
Here's an LDIF:

dn: uid=tstaff,ou=Users,dc=example,dc=com
uidNumber: 2306
givenName: Test
ssdSiteName: ESC
uid: tstaff
cn: Test Staff
homeDirectory: /u/tstaff
sn: Staff
ssdRole: Test Staff User
departmentNumber: Test Staff User
mail: [EMAIL PROTECTED]
mailLocalAddress: [EMAIL PROTECTED]
mailRoutingAddress: [EMAIL PROTECTED]
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: inetLocalMailRecipient
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: standardSchoolDistrict
objectClass: sambaSamAccount
gidNumber: 2000
gecos: Test Staff Account
description: Test Staff Account
displayName: Test Staff Account
loginShell: /bin/bash

Christophe Flaviani wrote:
On Wed, Jun 11, 2008 at 7:32 PM, Jeff Davis <[EMAIL PROTECTED]> wrote:

Well, I've gotten openldap auth to work but cannot get the UserSyncLDAPMap to work. I've copied the code from Defaults.pm and configured it for our ldap config. Have been working on this on and off for 3 days, and still no luck. The code in LDAP.pm that fails appears to be trying to pull attribute values from the directory, but adding code to put more detail into the log has not been illuminating. Posts I've found in the archive seem to speak primarily to AD issues, which in some ways makes me think that OpenLDAP or a more standards-based LDAP implementation should be more straightforward. "Obviously I'm mistaken". I would sure like to get this figured out so we can move forward. Otherwise I will probably have to look at a different system.

This is the value that throws the error:

    Net::LDAP::Entry=HASH(0xace6e04)->get_value(Kernel::Config=HASH(0x9af735c)->Get('UserSyncLDAPMap'.)->{UserFirstname})

The following code block in LDAP.pm is where the problem occurs (line 348 is marked):

    foreach my $Entry ($Result->all_entries) {
        $UserDN = $Entry->dn();
        foreach my $Key (keys %{$Self->{ConfigObject}->Get('UserSyncLDAPMap'.$Self->{Count})}) {
            # detect old config setting
            if ($Key =~ /^(Firstname|Lastname|Email)/) {
                $Key = "User".$Key;
                $Self->{LogObject}->Log(
                    Priority => 'error',
                    Message  => "Old config setting detected, please use the new one from Kernel/Config/Defaults.pm (User* has been added!).",
                );
            }
            # line 348:
            $SyncUser{$Key} = $Entry->get_value($Self->{ConfigObject}->Get('UserSyncLDAPMap'.$Self->{Count})->{$Key});
            # e. g. set utf-8 flag
            $SyncUser{$Key} = $Self->_ConvertFrom($SyncUser{$Key}, $Self->{ConfigObject}->Get('DefaultCharset'));
        }
        if ($Entry->get_value('userPassword')) {
            $SyncUser{Pw} = $Entry->get_value('userPassword');
            # e. g. set utf-8 flag
            $SyncUser{Pw} = $Self->_ConvertFrom($SyncUser{Pw}, $Self->{ConfigObject}->Get('DefaultCharset'));
        }
    }

When logging in it throws the following error:

    Software error: Can't locate object method "get_value" via package "Net::LDAP::Entry" at ../..//Kernel/System/Auth/LDAP.pm line 348, <PRODUCT> line 4.
    For help, please send mail to the webmaster ([EMAIL PROTECTED]), giving this error message and the time and date of the error.

Here's the agent portion of my Config.pm:

    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'ldap.example.com';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=users,dc=example,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'uid';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=techsupport,ou=Groups,dc=example,dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
    # for ldap posixGroups objectclass (just uid)
    $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
    # for non ldap posixGroups objectclass (with full user dn)
    #$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=xxxxxxxxx,ou=xxx,dc=example,dc=com';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxx';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists [EMAIL PROTECTED]
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # Die if backend can't work, e. g. can't connect to server.
    $Self->{'AuthModule::LDAP::Die'} = 1;

    # UserSyncLDAPMap
    # (map if agent should create/synced from LDAP to DB after login)
    $Self->{UserSyncLDAPMap} = {
        ## DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # UserSyncLDAPGroups
    # (If "LDAP" was selected for AuthModule, you can specify initial
    # user groups for first login.)
    $Self->{UserSyncLDAPGroups} = [
        'users',
    ];

_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Support or consulting for your OTRS system? => http://www.otrs.com/
Jefferson Davis
Technology and Information Systems Mgr
Standard School District
1200 North Chester Ave, Bakersfield, CA 93308, USA
email: [EMAIL PROTECTED]
tel (work): 661.392.2110
fax: 661.392.0681
http://www.standard.k12.ca.us
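The following is an added, stand-alone Perl check; it is not OTRS code and not from any message in this thread. It repeats outside OTRS the steps Kernel::System::Auth::LDAP performs for one login with the settings posted above (bind as SearchUserDN, the posixGroup check via memberUid on GroupDN, the uid search under BaseDN, and the UserSyncLDAPMap attribute mapping that the loop around line 348 does with get_value), so the Net::LDAP side can be exercised on its own and its output compared with what OTRS logs. The config values are copied from the posted Config.pm and are assumptions to adjust; the placeholder bind DN and password must be replaced; the `can('get_value')` check and the two searches are this example's own additions, not OTRS internals. Filter values are escaped with Net::LDAP::Util::escape_filter_value so that a login such as `a)(uid=*` cannot rewrite the search filter.

```perl
#!/usr/bin/perl
# Added example (not OTRS code): run outside OTRS what
# Kernel::System::Auth::LDAP does with UserSyncLDAPMap for one login.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Assumed values, taken from the Config.pm posted in the thread.
# SearchUserDN/SearchUserPw are placeholders and must be replaced.
my %Config = (
    Host         => 'ldap.example.com',
    Params       => { port => 389, timeout => 120, version => 3 },
    BaseDN       => 'ou=users,dc=example,dc=com',
    UID          => 'uid',
    GroupDN      => 'cn=techsupport,ou=Groups,dc=example,dc=com',
    AccessAttr   => 'memberUid',
    SearchUserDN => 'cn=xxxxxxxxx,ou=xxx,dc=example,dc=com',
    SearchUserPw => 'xxxxxxxx',
    UserSyncLDAPMap => {    # DB -> LDAP, same map as in Config.pm
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    },
);

my $Login = shift @ARGV or die "usage: $0 <uid>   (e.g. tstaff)\n";

# 1. Does the installed Net::LDAP::Entry provide get_value at all?
#    That is the method the "Can't locate object method" error names.
require Net::LDAP::Entry;
printf "Net::LDAP %s, Net::LDAP::Entry->can('get_value'): %s\n",
    $Net::LDAP::VERSION,
    Net::LDAP::Entry->can('get_value') ? 'yes' : 'NO';

# 2. Connect and bind with the search account (like SearchUserDN/Pw).
my $ldap = Net::LDAP->new( $Config{Host}, %{ $Config{Params} } )
    or die "Can't connect to $Config{Host}: $@\n";
my $mesg = $ldap->bind( $Config{SearchUserDN},
                        password => $Config{SearchUserPw} );
die 'Bind failed: ' . $mesg->error . "\n" if $mesg->code;

# 3. Group check as AuthModule::LDAP::UserAttr = 'UID' does it:
#    the group entry must list the login in its memberUid values.
my $Escaped = escape_filter_value($Login);
$mesg = $ldap->search(
    base   => $Config{GroupDN},
    scope  => 'base',
    filter => "($Config{AccessAttr}=$Escaped)",
);
die 'Group search failed: ' . $mesg->error . "\n" if $mesg->code;
print 'Group check: ', ( $mesg->count ? 'member' : 'NOT a member' ),
      " of $Config{GroupDN}\n";

# 4. User search plus the same mapping the LDAP.pm loop performs:
#    for every DB field, read the mapped LDAP attribute with get_value.
$mesg = $ldap->search(
    base   => $Config{BaseDN},
    scope  => 'sub',
    filter => "($Config{UID}=$Escaped)",
    attrs  => [ values %{ $Config{UserSyncLDAPMap} } ],
);
die 'User search failed: ' . $mesg->error . "\n" if $mesg->code;
die "No entry for $Config{UID}=$Login under $Config{BaseDN}\n"
    unless $mesg->count;

for my $Entry ( $mesg->all_entries ) {
    print 'dn: ', $Entry->dn, "\n";
    my %SyncUser;
    for my $Key ( sort keys %{ $Config{UserSyncLDAPMap} } ) {
        my $Attr  = $Config{UserSyncLDAPMap}{$Key};
        my $Value = $Entry->get_value($Attr);    # scalar: first value
        $SyncUser{$Key} = $Value;
        printf "  %-14s <- %-10s = %s\n", $Key, $Attr,
            defined $Value ? $Value : '(attribute missing)';
    }
}
$ldap->unbind;
```

Run it as `perl ldapsync-check.pl tstaff` on the OTRS host with the same Perl that runs OTRS; if the first line reports `NO`, the Net::LDAP::Entry that Perl loads there lacks get_value, and if the mapping lines show `(attribute missing)` for a field, the bound account cannot read that attribute even though ldapsearch may show it with other credentials.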