'Invalid DN Syntax' LDAP Integration

I have a lot of web systems which are integrated into the current LDAP server, and they all work fine. But Zammad keeps giving me Invalid DN Syntax.

Full error message:

Can't connect to 'directory.example.com' on port '636', Can't bind to 'directory.example.com', 34, Invalid DN Syntax

My base DN is: ou=users,ou=directory,ou=example,ou=com

I can even perform ldapsearch directly from zammad server, like:

ldapsearch -x -D "uid=admin,ou=directory,ou=users,ou=com" -W -H ldaps://directory.example.com
and I got a success result.

Is there any way I can fix this? Maybe I can directly edit the integration file? If so, where do I find it?

log/production.log file: https://paste.ubuntu.com/26403001/

Thanks!

Have you tried to use the full DN of the user in the “Bind User” field? That worked for me.
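The "full DN in Bind User" suggestion above, as an added Ruby example that is not part of the thread or of Zammad's code: a syntax pre-check, simplified from RFC 4514, that tells a full DN apart from a short login name before it is sent to a server that expects a DN. All function names are hypothetical and the sample inputs are constructed.

```ruby
# Added example: syntax pre-check for a bind DN, simplified from RFC 4514.
ATTR_TYPE = /\A(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\z/

# Split on an unescaped separator (',' between RDNs, '+' inside one),
# leaving backslash escapes such as "\," or "\2C" untouched.
def split_unescaped(str, sep)
  parts = [String.new]
  escaped = false
  str.each_char do |ch|
    if !escaped && ch == sep
      parts << String.new
      next
    end
    parts.last << ch
    escaped = !escaped && ch == '\\'
  end
  raise ArgumentError, 'dangling backslash' if escaped
  parts
end

# Returns one array of [type, value] pairs per RDN; raises ArgumentError
# when the string cannot be a DN. An empty string is rejected as well,
# because as a bind user it would mean an anonymous bind.
def parse_dn(dn)
  raise ArgumentError, 'empty DN' if dn.strip.empty?
  split_unescaped(dn, ',').map do |rdn|
    split_unescaped(rdn, '+').map do |ava|
      type, value = ava.split('=', 2)
      type = type.to_s.strip # tolerate "uid=a, ou=b" spacing
      unless type.match?(ATTR_TYPE) && value
        raise ArgumentError, "not attribute=value: #{ava.inspect}"
      end
      if value.gsub(/\\./, '').match?(/[";<>]/)
        raise ArgumentError, "unescaped special character in #{ava.inspect}"
      end
      [type.downcase, value]
    end
  end
end

# nil when the bind user parses as a DN, otherwise a hint for the admin.
def bind_user_problem(bind_user)
  parse_dn(bind_user)
  nil
rescue ArgumentError => e
  "not a DN (#{e.message}); a server expecting a DN answers 34, Invalid DN Syntax"
end
```

A `nil` result only means the string is well-formed; whether the entry exists and may bind is still decided by the server.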

Thank you for your help!
I tried that and now it’s giving me another error message:

Unable to retrive group information, please check your bind user permissions.

I confirm this patch https://github.com/zammad/zammad/commit/2ae3b605a7e53ad94c994946fc23e34d3c2e33ac
And the user has admin privileges.
Any idea?

Can you post a screenshot of your LDAP connection settings?

I went through a few iterations to get the group filter and group DN settings correct :slight_smile:

and got this:

What kind of LDAP server are you using? And can you paste the production.log again, as we now have a working connection but some kind of difference in group information…

I’m using OpenLDAP

Here is the latest production.log

I, [2018-01-17T10:06:33.817049 #1990]  INFO -- : Processing by OnlineNotificationsController#index as JSON
I, [2018-01-17T10:06:33.825171 #1990]  INFO -- :   Parameters: {"full"=>"true", "_"=>"1516183072731"}
I, [2018-01-17T10:06:33.865261 #1990]  INFO -- : Completed 200 OK in 40ms (Views: 0.3ms | ActiveRecord: 22.1ms)
I, [2018-01-17T10:06:44.657627 #1990]  INFO -- : Started POST "/api/v1/integration/ldap/discover" for 127.0.0.1 at 2018-01-17 10:06:44 +0000
I, [2018-01-17T10:06:44.671229 #1990]  INFO -- : Processing by Integration::LdapController#discover as JSON
I, [2018-01-17T10:06:44.671439 #1990]  INFO -- :   Parameters: {"host_url"=>"ldaps://directory.example.com:636", "ssl_verify"=>true}
E, [2018-01-17T10:06:44.720791 #1990] ERROR -- : Can't bind to 'directory.example.com', 48, Inappropriate Authentication (Exceptions::UnprocessableEntity)
/opt/zammad/lib/ldap.rb:138:in `binded_connection'
/opt/zammad/lib/ldap.rb:122:in `connect'
/opt/zammad/lib/ldap.rb:38:in `initialize'
/opt/zammad/app/controllers/integration/ldap_controller.rb:12:in `new'
/opt/zammad/app/controllers/integration/ldap_controller.rb:12:in `discover'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_controller/metal/basic_implicit_render.rb:4:in `send_action'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/abstract_controller/base.rb:186:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_controller/metal/rendering.rb:30:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/abstract_controller/callbacks.rb:20:in `block in process_action'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/callbacks.rb:131:in `run_callbacks'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/abstract_controller/callbacks.rb:19:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_controller/metal/rescue.rb:20:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_controller/metal/instrumentation.rb:32:in `block in process_action'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/notifications.rb:166:in `block in instrument'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/notifications/instrumenter.rb:21:in `instrument'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/notifications.rb:166:in `instrument'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_controller/metal/instrumentation.rb:30:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_controller/metal/params_wrapper.rb:252:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/railties/controller_runtime.rb:22:in `process_action'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/abstract_controller/base.rb:124:in `process'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionview-5.1.4/lib/action_view/rendering.rb:30:in `process'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_controller/metal.rb:189:in `dispatch'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_controller/metal.rb:253:in `dispatch'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/routing/route_set.rb:49:in `dispatch'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/routing/route_set.rb:31:in `serve'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/journey/router.rb:50:in `block in serve'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/journey/router.rb:33:in `each'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/journey/router.rb:33:in `serve'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/routing/route_set.rb:834:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:190:in `call!'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:168:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:190:in `call!'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:168:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:190:in `call!'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:168:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:190:in `call!'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:168:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:190:in `call!'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:168:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:190:in `call!'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:168:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:190:in `call!'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:168:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:190:in `call!'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:168:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:190:in `call!'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/strategy.rb:168:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/omniauth-1.7.1/lib/omniauth/builder.rb:63:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/rack-2.0.3/lib/rack/etag.rb:25:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/rack-2.0.3/lib/rack/conditional_get.rb:38:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/rack-2.0.3/lib/rack/head.rb:12:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/rack-2.0.3/lib/rack/session/abstract/id.rb:232:in `context'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/rack-2.0.3/lib/rack/session/abstract/id.rb:226:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/cookies.rb:613:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/callbacks.rb:26:in `block in call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/callbacks.rb:97:in `run_callbacks'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/callbacks.rb:24:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/debug_exceptions.rb:59:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/railties-5.1.4/lib/rails/rack/logger.rb:36:in `call_app'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/railties-5.1.4/lib/rails/rack/logger.rb:24:in `block in call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/tagged_logging.rb:69:in `block in tagged'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/tagged_logging.rb:26:in `tagged'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/tagged_logging.rb:69:in `tagged'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/railties-5.1.4/lib/rails/rack/logger.rb:24:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/remote_ip.rb:79:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/request_id.rb:25:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/rack-2.0.3/lib/rack/method_override.rb:22:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/rack-2.0.3/lib/rack/runtime.rb:22:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/cache/strategy/local_cache_middleware.rb:27:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/executor.rb:12:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.4/lib/action_dispatch/middleware/static.rb:125:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/rack-2.0.3/lib/rack/sendfile.rb:111:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/railties-5.1.4/lib/rails/engine.rb:522:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/puma-3.11.0/lib/puma/configuration.rb:225:in `call'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/puma-3.11.0/lib/puma/server.rb:624:in `handle_request'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/puma-3.11.0/lib/puma/server.rb:438:in `process_client'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/puma-3.11.0/lib/puma/server.rb:302:in `block in run'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/puma-3.11.0/lib/puma/thread_pool.rb:120:in `block in spawn_thread'
/opt/zammad/vendor/bundle/ruby/2.4.0/gems/logging-2.2.2/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
I, [2018-01-17T10:06:44.728152 #1990]  INFO -- : Completed 200 OK in 57ms (Views: 0.9ms | ActiveRecord: 15.4ms)
I, [2018-01-17T10:07:17.476666 #1990]  INFO -- : Started POST "/api/v1/integration/ldap/bind" for 127.0.0.1 at 2018-01-17 10:07:17 +0000
I, [2018-01-17T10:07:17.506124 #1990]  INFO -- : Processing by Integration::LdapController#bind as JSON
I, [2018-01-17T10:07:17.506367 #1990]  INFO -- :   Parameters: {"base_dn"=>"ou=users,ou=directory,ou=ett,ou=com", "bind_user"=>"uid=admin,ou=directory,ou=ett,ou=com", "bind_pw"=>"[FILTERED]", "host_url"=>"ldaps://directory.example.com:636", "ssl_verify"=>true}
I, [2018-01-17T10:07:18.451522 #1990]  INFO -- : Completed 200 OK in 945ms (Views: 0.8ms | ActiveRecord: 11.4ms)
I, [2018-01-17T10:07:33.861113 #1994]  INFO -- : Scheduler running...
I, [2018-01-17T10:07:33.925141 #1994]  INFO -- : Started job thread for 'Check Channels' (Channel.fetch)...
I, [2018-01-17T10:07:34.124508 #1994]  INFO -- : execute Channel.fetch (try_count 0)...
I, [2018-01-17T10:07:34.175818 #1994]  INFO -- : fetching imap (imap.gmail.com/email@gmail.com port=993,ssl=true,folder=INBOX,keep_on_server=false)
I, [2018-01-17T10:07:36.163038 #1994]  INFO -- :  - no message
I, [2018-01-17T10:07:36.163132 #1994]  INFO -- : done
I, [2018-01-17T10:07:41.871492 #1994]  INFO -- : Starting worker thread Delayed::Backend::ActiveRecord::Job
I, [2018-01-17T10:07:43.943282 #1994]  INFO -- : Started job thread for 'Check streams for Channel' (Channel.stream)...
I, [2018-01-17T10:07:44.259047 #1994]  INFO -- : execute Channel.stream (try_count 0)...
I, [2018-01-17T10:07:45.991175 #1994]  INFO -- : 2018-01-17T10:07:45+0000: [Worker(host:HelpDesk pid:1994)] Job BackgroundJobSearchIndex (id=205464) RUNNING

The error message up there makes me wonder if this has anything to do along the lines of https://github.com/zammad/zammad/issues/1114 ?

Maybe you could also create the LDAP debug which is mentioned on the issue in the last comment to find the real reason this request fails?

This might be the same issue as: https://github.com/zammad/zammad/issues/1602

and might have been fixed with: https://github.com/zammad/zammad/issues/1664

Please try with the latest develop version (just for testing) and report.

Thanks! According to your fix:
My users' objectClass is assigned with organizationalUnit,
so I added mine like this:

@filter ||= lookup_filter(['(objectClass=organizationalUnit)', '(objectClass=groupOfUniqueNames)', '(objectClass=group)', '(objectClass=posixgroup)', '(objectClass=organization)'])

And it works!

You guys are awesome! Thank you!

Another strange issue is that there are around 1305 users on the LDAP servers. Only a few are imported; it showed 706 untouched, 577 skipped.

Any idea?

Thanks!

This depends on your user import filter… maybe this does not “see” all users because they are stored in a different ou?

The users group I’m interested in is: ou=users
My structure looks like this:

I need those users under c=TT but I don’t mind to import everything. I tried a lot of filter settings with objectClass but nothing works.
Any thought?

I’d try something like this in LDAP User filter (of course depending on how your users are created this might change the objectClass/objectCategory types)

(&(objectCategory=person)(objectClass=user)(uid=*))

Then you should be able to see all users and then use the role assignment to select

c=TT,ou=users,OU=directory,ou=whatever,ou=com

and assign those users to the role you need them to be in…

I managed the filters based on the directory structure.

Now, I can see that all users are imported (I can see some of them in the activity stream). When I click on one of them, I can change their settings. However, I cannot find them on the users list. A bug?

That’s what the role assignment does. You should assign a user to a role using the assignment rules in the LDAP connector (second part of my last message).

Already did that and checked so many times. But I still get the same result.
