2 Customer User Backends, one not working

Moderator: crythias

ugob
Znuny newbie
Posts: 52
Joined: 29 Jul 2011, 22:15
Znuny Version: 3.0

2 Customer User Backends, one not working

Post by ugob »

Hi,

We currently use only LDAP for Customer User backend (information+authentication). It works but we now need to be able to add users manually (that can't be added to our LDAP (AD) service), so we need to add a Customer User local backend (OTRS DB). My current config uses

    $Self->{CustomerUser} = {

so I renamed it into

    $Self->{CustomerUser1} = {

and now I can create users. However, the users that I created can't log in. Here is the error message:

    Dec  7 13:17:53 otrs OTRS-CGI-36[11193]: [Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: user authentication failed, no LDAP entry found!BaseDN='cn=Users,dc=example,dc=com', Filter='(sAMAccountName=user)', (REMOTE_ADDR: 192.168.x.x).

I did a packet capture (my MySQL server is not on the same host) and I can see that it does the LDAP query first, then returns this error, and then does this query:

    select title, first_name, last_name, login, pw, email, customer_id, phone, fax, mobile, street, zip, city, country, comments, valid_id, login  from otrs.customer_user where LOWER(login) = LOWER('user')

I did some research to make sure I've configured the system correctly and in the Defaults.pm file, I can see that the Defaults.pm file seems to contain what's needed to have the otrs DB auth working, but it doesn't, so I tried adding configs into Config.pm, no luck.

    $Self->{'Customer::AuthModule'}                       = 'Kernel::System::CustomerAuth::DB';
    $Self->{'Customer::AuthModule::DB::Table'}            = 'customer_user';
    $Self->{'Customer::AuthModule::DB::CustomerKey'}      = 'login';
    $Self->{'Customer::AuthModule::DB::CustomerPassword'} = 'pw';
    $Self->{'Customer::AuthModule::DB::DSN'} = "DBI:mysql:database=otrs;host=mysqlhost";
    $Self->{'Customer::AuthModule::DB::User'} = "otrs";
    $Self->{'Customer::AuthModule::DB::Password'} = "somepass";

It's still querying only the LDAP backend. Do I have something special to do when I edit Config.pm?

Any help would be appreciated.

OTRS 3.3.6 (RPM), MySQL 5.0.95
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: 2 Customer User Backends, one not working

Post by crythias »

Did you fill in CustomerAuth within the Web interface?
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: 2 Customer User Backends, one not working

Post by ugob »

I can only choose either DB or LDAP:
[attachment: otrs_DB_or_LDAP.png]
What I would like is that a customer is authenticated against one method, and if it doesn't work, it is authenticated against the second method.

Re: 2 Customer User Backends, one not working

Post by crythias »

Let me rephrase: Don't use the web interface.

Re: 2 Customer User Backends, one not working

Post by ugob »

No, I didn't use the web interface at all for this configuration.

Re: 2 Customer User Backends, one not working

Post by crythias »

ugob wrote:
> No, I didn't use the web interface at all for this configuration.

The reset icon says that someone has configured it.

Re: 2 Customer User Backends, one not working

Post by ugob »

Oh, I don't know how we proceeded to enable the LDAP auth for customer. It was something like 5 years ago. Is there still a way to make it work how we'd like it to? All I can say is that I didn't use the web interface in the current configuration change (single LDAP customer auth to multiple auth (LDAP+DB)).

Re: 2 Customer User Backends, one not working

Post by crythias »

Yes, multiple config entries in Config.pm with different appended index values.

Re: 2 Customer User Backends, one not working

Post by ugob »

I'm sending you my Config.pm by PM. Can you please have a look?

Re: 2 Customer User Backends, one not working

Post by ugob »

crythias wrote:
> yes, multiple config entries in Config.pm with different appended index values.

I have multiple "CustomerUser" entries, one coming from Defaults.pm (CustomerUser, OTRS DB) and the other in Config.pm (CustomerUser1, LDAP).

Did you mean multiple CustomerUser entries or something else?

Re: 2 Customer User Backends, one not working

Post by crythias »

Defaults.pm provides CustomerUser (no index) for DB, and it shouldn't be changed.
If your Config.pm provides CustomerUser, it "wins".
If you need another CustomerUser, provide it as CustomerUser1 - CustomerUser9 in Config.pm. Note the number goes at the end of the list:
CustomerUser::Auth1, This::Long::List::Of::Params2

You *might* have a conflict if CustomerUser is also enabled/configured in SysConfig directly, so don't do that.

Re: 2 Customer User Backends, one not working

Post by ugob »

crythias wrote:
> Defaults.pm provides CustomerUser (no index) for DB. and it shouldn't be changed.
> If your Config.pm provides CustomerUser, it "wins"

In my case, Config.pm only provides CustomerUser1, so my Defaults.pm config is still valid, right?

crythias wrote:
> If you need another CustomerUser, provide it as CustomerUser1 - CustomerUser9 in Config.pm. Note the number goes at the end of the list:
> CustomerUser::Auth1, This::Long::List::Of::Params2

That is what I did, CustomerUser1 is for my LDAP auth but it was "CustomerUser" before. I renamed it "CustomerUser1" to enable the creation of local customer accounts (and it works), but I also want auth against local DB.

crythias wrote:
> You *might* have a conflict if CustomerUser is also enable/configured in SysConfig directly, so don't do that.

As I said, I didn't use it for this change, but I may have in the past. How can I tell if it's broke because of that or not?

Thanks,

Re: 2 Customer User Backends, one not working

Post by crythias »

    Dec  7 13:17:53 otrs OTRS-CGI-36[11193]: [Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: user authentication failed, no LDAP entry found!BaseDN='cn=Users,dc=example,dc=com', Filter='(sAMAccountName=user)', (REMOTE_ADDR: 192.168.x.x).

CustomerUser is demographics
Customer::AuthModule is authentication

    $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host1'} = 'ipa.ddr.ess.num or hostname';
    $Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=mydomain,dc=tld';
    $Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
#    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'member';
    # for ldap posixGroups objectclass (just uid)
    #$Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'UID';
    # for non ldap posixGroups objectclass (full user dn)
    $Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS User,OU=My OU,DC=mydomain,DC=tld';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = '0trspassword!';
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter1'} = '(objectclass=user)';
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'Customer::AuthModule::LDAP::Params1'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
        inet4 => 1
    };


Re: 2 Customer User Backends, one not working

Post by ugob »

OK, so I must simply suffix all my LDAP Customer::AuthModule directives with a 1 so that the directives from Defaults.pm apply?

Thanks,

Re: 2 Customer User Backends, one not working

Post by ugob »

It worked, thanks!
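
The indexing rule the thread arrives at can be checked mechanically. The following Python script is an added example, not written by either poster and not OTRS code: it reads the `Customer::AuthModule` keys from Config.pm text, reports which backend occupies each index, and flags option keys whose suffix points at a slot held by a different backend. The function name `audit`, the `DEFAULT_SLOTS` table (DB in the unindexed slot, as the thread describes Defaults.pm) and the sample configs are assumptions made for the illustration.

```python
import re

# Assumption from the thread: Defaults.pm supplies the unindexed slot as DB.
DEFAULT_SLOTS = {"": "DB"}

KEY_RE = re.compile(
    r"""^\s*\$Self->\{\s*['"](Customer::AuthModule[\w:]*?)(\d*)['"]\s*\}"""
    r"""\s*=\s*['"]?([^'";\s]*)""",
    re.MULTILINE,
)

def audit(config_text, defaults=DEFAULT_SLOTS):
    """Return (slots, findings): backend per index, and options in the wrong slot."""
    slots, options = dict(defaults), []
    for key, index, value in KEY_RE.findall(config_text):
        parts = key.split("::")
        if len(parts) == 2:        # Customer::AuthModule<index>
            slots[index] = value.rsplit("::", 1)[-1]
        elif len(parts) >= 4:      # Customer::AuthModule::<Backend>::<Option><index>
            options.append((parts[2], "::".join(parts[3:]), index))
    findings = [
        f"{backend}::{option}{index} is read by slot '{index}', which is {slots.get(index, 'unset')}"
        for backend, option, index in options
        if slots.get(index) != backend
    ]
    return slots, findings

# Constructed samples (hostnames and DNs are placeholders).
# BEFORE: unindexed LDAP keys in Config.pm replace the DB default, so only LDAP is tried.
BEFORE = r"""
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.example.com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
"""
# PARTIAL: module moved to index 1, but one option was left without the suffix.
PARTIAL = r"""
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'ldap.example.com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,dc=example,dc=com';
"""
# AFTER: every LDAP key carries the suffix, leaving the unindexed slot to DB.
AFTER = PARTIAL.replace("LDAP::UID'", "LDAP::UID1'")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER)):
        print(name, *audit(text), sep="\n  ")
```

Commented-out lines are ignored, so a disabled key such as the `GroupDN` line above does not raise a finding.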