Topic: Genesys and LDAP integration

amarceau
Genesys and LDAP integration
« on: August 10, 2010, 06:48:05 PM »
Ok - been playing with this for weeks and despite the "External Authentication Guide" - still unable to get this working....

Maybe someone can help point me in the right direction?  Here's what I currently have in the config.conf file under the ldap area

[authentication]
library=gauth_ldap

[gauth_ldap]
ldap-url =ldap://**mydomain**.com:389/DC=xxx,DC=xxx,DC=com??sub?(sAMAccountName=X)
app-user=SRVgenesys
password=*********

Disclaimer off the bat -- I've never done an LDAP integration before, so this is all new to me.  The app-user is a service account we have set up which has rights to all our ldap servers.  So that shouldn't be the issue.    I've also installed Softerra and I'm able to successfully search for a user using Softerra.  It just won't work with Genesys.  Keep getting errors back saying "invalid" password.  My thought (thoughts based on reading lots of good searches) is that Genesys is not passing the bind credentials.  Our LDAP does not allow for anonymous binds.  But I'm guessing...

I can send logs - but they are not very helpful.  We've tried a couple different variations of the LDAP URL above.  Errors are ranging as follows:

Client 368 failed to get authorization. Name [SCI], type [SCI], user [Angela Marceau], address [159.3.xxx.xxx.2218]. Reason : 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece

Client 368 failed to get authorization. Name [IRD], type [InteractionRoutingDesigner], user [Axxxxxx Mxxxxxx], address [159.3.xxx.xxx:2580]. Reason : Search parameters are not set

Client 368 failed to get authorization. Name [IRD], type [InteractionRoutingDesigner], user [Axxxxxx Mxxxxxx], address [159.3.xxx.xxx:2580]. Reason : Search parameters are not set

And we will get different errors logged based on what program we are trying to launch...

This is also a brand new install we are currently going through.  We don't have this rolled out yet to anyone (luckily).

Any help would be appreciated.




René
Re: Genesys and LDAP integration
« Reply #1 on: August 11, 2010, 08:13:27 AM »
Hi,

I have LDAP authentication working on my platform. Could you please increase log level (verbose = 2 in [gauth_ldap] section) and post the relevant part of the log here?

What LDAP system do you have?

R.

amarceau
Re: Genesys and LDAP integration
« Reply #2 on: August 11, 2010, 04:03:11 PM »
We have MS Active Directory.  And I'm getting the Genesys setting changed and will post results.


amarceau
Re: Genesys and LDAP integration
« Reply #3 on: August 11, 2010, 05:29:17 PM »
Ok - added that verbose = 2 - attempted to login again and here are the log results:

MSGCFG_CLIENTREGISTER
  attr: SATRCFG_PROTOCOLEX          value: "CfgProtocol 5.1.3.70"
  attr: SATRCFG_PROTOCOL            value: "CfgProtocol 5.1.3.54"
  attr: SATRCFG_USERPASS            value: "******"
  attr: SATRCFG_USERNAME            value: "Angela Marceau"
  attr: SATRCFG_APPPASS            value: ""
  attr: SATRCFG_APPNAME            value: "IRD"
  attr: IATRCFG_APPTYPE            value: 51 [InteractionRoutingDesigner]
  attr: IATRCFG_REQUESTID          value: 2

13:20:53.643 AUT_MAIN: Put request to queue. Request ID = 0
13:20:53.643 AUT_MAIN: Request in queue. Request ID = 0
13:20:53.675 AUT_DBG: Authentication request received. Request ID = 0
13:20:53.675 AUT_DBG: Error description file ldaperrors.txt is processed
13:20:53.675 AUT_DBG: Error code [81] set to be retried
13:20:53.675 AUT_DBG: Error code [85] set to be retried
13:20:53.675 AUT_DBG: Error code [91] set to be retried
13:20:53.675 AUT_DBG: Error code [-1] set to be retried
13:20:53.675 AUT_DBG: Error code [-11] set to be retried
13:20:53.675 AUT_DBG: Native authentication function returned 0, system code = 0
13:20:53.675 AUT_DBG: Request [0] is in progress, stage 0
13:20:53.675 AUT_DBG: Checking connection object for request [0], stage 0
13:20:53.675 AUT_DBG: Checking retry-timeout for request [0]
13:20:53.675 AUT_DBG: Retry-timeout check passed for request [0].
13:20:53.675 AUT_DBG: Trying to connect for request [0].
13:20:53.675 AUT_DBG: Connecting to ldap server: citnetldp.citnet.cit.com:389...
13:20:53.675 ldap_create
13:20:53.675 ldap_url_parse_ext(ldap://citnetldp.citnet.cit.com:389)
13:20:53.675 ldap_simple_bind_s
13:20:53.675 ldap_sasl_bind_s
13:20:53.675 ldap_sasl_bind
13:20:53.675 ldap_send_initial_request
13:20:53.675 ldap_new_connection
13:20:53.675 ldap_int_open_connection
13:20:53.675 ldap_connect_to_host: TCP citnetldp.citnet.cit.com:389
13:20:53.722 ldap_new_socket: 832
13:20:53.722 ldap_prepare_socket: 832
13:20:53.722 ldap_connect_to_host: Trying 159.3.96.46:389
13:20:53.722 ldap_connect_timeout: fd: 832 tm: -1 async: 0
13:20:53.722 ldap_ndelay_on: 832
13:20:53.722 ldap_ndelay_off: 832
13:20:53.722 ldap_open_defconn: successful
13:20:53.722 ldap_send_server_request
13:20:53.722 ldap_result msgid 1
13:20:53.722 ldap_chkResponseList for msgid=1, all=1
13:20:53.722 ldap_chkResponseList for msgid=1, all=1
13:20:53.722 ldap_int_select
13:20:53.722 read1msg: msgid 1, all 1
13:20:53.722 ldap_read: message type bind msgid 1, original id 1
13:20:53.722 ldap_chase_referrals
13:20:53.722 read1msg:  V2 referral chased, mark request completed, id = 1
13:20:53.722 new result:  res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece>, res_matched: <>
13:20:53.722 read1msg:  0 new referrals
13:20:53.722 read1msg:  mark request completed, id = 1
13:20:53.722 request 1 done
13:20:53.722 res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece>, res_matched: <>
13:20:53.722 ldap_free_request (origid 1, msgid 1)
13:20:53.722 ldap_free_connection
13:20:53.722 ldap_free_connection: refcnt 1
13:20:53.722 ldap_parse_result
13:20:53.722 ldap_msgfree
13:20:53.722 ldap_err2string
13:20:53.722 ldap_err2string
13:20:53.722 AUT_DBG: Error 49 Invalid credentials binding App user SRVgenesys
13:20:53.722 AUT_DBG: Server error message is: '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece'
13:20:53.722 ldap_unbind
13:20:53.722 ldap_free_connection
13:20:53.722 ldap_send_unbind
13:20:53.722 ldap_free_connection: actually freed
13:20:53.722 AUT_DBG: Reset request [0], stage: 0, error code: 49
13:20:53.722 AUT_DBG: LDAP error 49 - Invalid credentials
13:20:53.722 AUT_DBG: Request cannot be retried[0], stage: 0, error code: 49
13:20:53.768 Std 22122 Client 804 failed to get authorization. Name [IRD], type [InteractionRoutingDesigner], user [Angela Marceau], address [159.3.108.107:3087]. Reason : Password is incorrect
13:20:53.768 Std 23500 Configuration Server Error : Error  [CFGLoginIncorrect], object [], property [Unknown] Description Password is incorrect
13:20:53.768 Trc 04542 Message MSGCFG_ERROR sent to 804 ( '')

René
Re: Genesys and LDAP integration
« Reply #4 on: August 16, 2010, 03:59:18 PM »
Hi,

I haven't been here for a few days so sorry for the late response... The error in the log is saying that the credentials of SRVgenesys are incorrect, thus ConfigServer is unable to connect to LDAP.

I'm not sure the format of the user-name is correct and it should contain the full location in your LDAP directory tree in my opinion. Please double-check with the LDAP administrator what format is expected. And of course, checking the log of the LDAP Server may help as well.

R.
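
The two logs posted above carry different Active Directory sub-codes after `data` (775 in the first post, 52e in the verbose log). The following is an added example, not part of the original thread or of Genesys: a small Python triage script that pulls those sub-codes and the bound app-user out of Configuration Server log text. The function names and the sub-code table are this example's own; the meanings are the Win32 logon error codes those hex values correspond to.

```python
import re

# Active Directory reports why a bind failed as a hex Win32 code after "data".
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "logon failure: unknown user name or bad password",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password",
    "775": "account locked out",
}
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
APP_USER_RE = re.compile(r"binding App user (.+)")
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)+$")

def bind_name_format(name):
    """Classify the syntax of a bind identity; says nothing about validity."""
    if DN_RE.match(name):
        return "distinguished name"
    if "\\" in name or "@" in name:
        return "qualified name (DOMAIN\\user or UPN)"
    return "bare account name"

def triage(log_text):
    """Summarise the bind failures found in Configuration Server log text."""
    codes, app_user = [], None
    for line in log_text.splitlines():
        m = APP_USER_RE.search(line)
        if m:
            app_user = m.group(1).strip()
        for code in DATA_RE.findall(line):
            if code.lower() not in codes:
                codes.append(code.lower())
    return {
        "app_user": app_user,
        "app_user_format": bind_name_format(app_user) if app_user else None,
        "subcodes": [(c, AD_BIND_SUBCODES.get(c, "unknown")) for c in codes],
        "locked_out": "775" in codes,
    }

# Sample input: lines excerpted from the logs posted in this thread.
SAMPLE_LOG = """\
Reason : 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece
13:20:53.722 AUT_DBG: Error 49 Invalid credentials binding App user SRVgenesys
13:20:53.722 AUT_DBG: Server error message is: '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece'
"""
```

Sub-code 775 means the account was locked out when that attempt was made, so a password cannot be validated against it until the lock is cleared.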

bublepaw
Re: Genesys and LDAP integration
« Reply #5 on: August 21, 2010, 09:24:57 PM »
Hi,

There is one important thing to remember about LDAP configuration - password in ldapclient.conf must always be encrypted even when encryption is set to false in confserv.cfg (this is valid for 8.0 - I lost one day because of that :) ) - External Authentication Guide p. 37

Pawel

tomparker12
Re: Genesys and LDAP integration
« Reply #6 on: May 11, 2016, 03:05:12 PM »
Was this issue resolved in the end? Appear to be facing the same issue my end.

Have validated my LDAP URL and using Softerra LDAP Administrator, am able to successfully browse the required AD folder.

Thanks,

deadmeat
Re: Genesys and LDAP integration
« Reply #7 on: May 24, 2016, 08:35:18 AM »
Hi guys, if it's still useful. The only difference I've found comparing to our configuration is:

app-user - in our case is in the following format:

CN=gensys,OU=System Users,OU=Information Technologies Department,OU=XXXXX,DC=xxxxxx,DC=com
hope it was helpful