Unable to login as agent

Moderator: crythias

sanilramachandran
Znuny newbie
Posts: 21
Joined: 29 Sep 2020, 08:56
Znuny Version: 6.5
Real Name: Sanil Ramamachandran
Company: SFO

Unable to login as agent

Post by sanilramachandran »

Hi,
I am getting the below error message when I try to login as a newly added agent, but the customer user login is working fine.

"Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."

I am using LDAP for both agent and customer user. Below are the entries from Config.pm.
It was working with this configuration. I ran into this problem after moving the AD group to another OU. I have updated the new DN of the group in Config.pm for both Agents and Customer User. Now existing agents are able to login, but for new agents login fails with the above error. At the same time, newly added customer users are able to login.


------------------------------------------------------------------------------------------------
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'FQDN of DC';
$Self->{'AuthModule::LDAP::BaseDN'} = 'Base DN of AD';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to
# use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'DN of AD Group';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'User ID';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'pswd';


# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
sscope => 'sub'
};

##############################################
# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'fqdn of DC';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'Base DN of AD';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'UserID';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'pswd';


$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'admins',
];
--------------------------------------------------------------------------------------------
root
Administrator
Posts: 3954
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: Unable to login as agent

Post by root »

sanilramachandran wrote: 09 Nov 2021, 14:10
"Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."

Hi,

I think it would be more helpful to show us your CustomerAuth configuration instead of the one for agents.

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?

Re: Unable to login as agent

Post by sanilramachandran »

Hello Roy,

Thanks for replying. Below is the content of Config.pm.



------------------------------------------------------

#--
# Copyright (C) 2001-2019 xxx, https://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (GPL). If you
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
# --
# Note:
#
# -->> Most OTRS configuration should be done via the OTRS web interface
# and the SysConfig. Only for some configuration, such as database
# credentials and customer data source changes, you should edit this
# file. For changes to customer data sources you can copy the definitions
# from Kernel/Config/Defaults.pm and paste them in this file.
# Config.pm will not be overwritten when updating OTRS.
# --

package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
my $Self = shift;

# ---------------------------------------------------- #
# database settings #
# ---------------------------------------------------- #

# The database host
$Self->{'DatabaseHost'} = '127.0.0.1';

# The database name
$Self->{'Database'} = "otrs";

# The database user
$Self->{'DatabaseUser'} = "otrs";

# The password of database user. You also can use bin/otrs.Console.pl Maint::Database::PasswordCrypt
# for crypted passwords
$Self->{'DatabasePw'} = 'DB pswd';

# The database DSN for MySQL ==> more: "perldoc DBD::mysql"
$Self->{'DatabaseDSN'} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost}";

# The database DSN for PostgreSQL ==> more: "perldoc DBD::Pg"
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a TCP/IP connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

# The database DSN for Microsoft SQL Server - only supported if OTRS is
# installed on Windows as well
# $Self->{DatabaseDSN} = "DBI:ODBC:driver={SQL Server};Database=$Self->{Database};Server=$Self->{DatabaseHost},1433";

# The database DSN for Oracle ==> more: "perldoc DBD::oracle"
# $Self->{DatabaseDSN} = "DBI:Oracle://$Self->{DatabaseHost}:1521/$Self->{Database}";
#
# $ENV{ORACLE_HOME} = '/path/to/your/oracle';
# $ENV{NLS_DATE_FORMAT} = 'YYYY-MM-DD HH24:MI:SS';
# $ENV{NLS_LANG} = 'AMERICAN_AMERICA.AL32UTF8';

# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = '/opt/otrs';

# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;

# ---------------------------------------------------- #

# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #
# $DIBI$

# ---------------------------------------------------- #


# Agent auth from Local DB
#
#$Self->{'AuthModule1'} = 'Kernel::System::Auth::DB';

## This is an example configuration for using an MS AD backend
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'FQDN OF DC';
$Self->{'AuthModule::LDAP::BaseDN'} = 'BASE DN';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to
# use otrs)

$Self->{'AuthModule::LDAP::GroupDN'} = 'GROUP DN FOR AGENTS';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'USER ID';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'PSWD';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
sscope => 'sub'
};

##############################################
# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'FQDN OF DC';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'BASE DN';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'USER ID';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'PSWD';


$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'admins',
];

#Enable LDAP authentication for Customers / Users
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'FQDN DC';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'BASE DN';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

#Group Membership Check



$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'GROUP DN FOR CUSTOMERS';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';


# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'USER ID';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'PSWD';

# CustomerUser
# (customer user database backend and settings)
$Self->{CustomerUser1} = {
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'FQDN DC',
BaseDN => 'BASE DN',
SSCOPE => 'sub',
UserDN =>'USER ID',
UserPw => 'PSWD',
},


# customer unique id
CustomerKey => 'sAMAccountName',
# customer #
CustomerID => 'SFOBLR',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 6000,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'division', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#[ 'UserComment', 'Comment', 'comment', 1, 0, 'var' ],
],
};


# ---------------------------------------------------- #
# #
# end of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #

return 1;
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this) #
# ---------------------------------------------------- #

use Kernel::Config::Defaults; # import Translatable()
use parent qw(Kernel::Config::Defaults);

# -----------------------------------------------------#

1;

Re: Unable to login as agent

Post by root »

Hi,

Which URL do you use for login?

- Roy

Re: Unable to login as agent

Post by sanilramachandran »

Hi,
Below are the urls.

For Agents:
https://hostname/otrs/index.pl

For Customer User:
https://hostname/otrs/customer.pl




------------------------------
Thanks- Sanil
root
Administrator
Posts: 3954
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: Unable to login as agent

Post by root »

Hi,

I'm asking because your error message does not fit your description at all: There is no message 'Authentication succeeded, but no customer record is found in the customer backend. Please contact the administrator.' for agents. This message is only for customer users.

Are you sure that this is the error from /otrs/index.pl?

- Roy

Re: Unable to login as agent

Post by sanilramachandran »

Hi,
I am attaching a screenshot of the login page that shows the error and URL.
1.jpg

Re: Unable to login as agent

Post by root »

sanilramachandran wrote: 11 Nov 2021, 10:35
Hi,
I am attaching a screenshot of the login page that shows the error and URL.

Hi,

Your AuthSync is not working. That's all. Check if the agent is a direct member of this group and make sure that this group is not his primary group. If you use nested groups use LDAP_MATCHING_RULE_IN_CHAIN (see MS Technet or search the forum).

- Roy

Re: Unable to login as agent

Post by sanilramachandran »

Hi Roy,

I'm not using group nesting and this group is not his primary group as well.
Did you find any mistakes in my Config.pm entries, especially in the AuthSync section?

Re: Unable to login as agent

Post by root »

Hi,

Not really. Did you check the application log? Set the sysconfig MinimumLogLevel to debug and try again. And make sure that the agent has at least the fields in the Active Directory filled which are used in the SyncMap:

- givenName
- sn
- mail

- Roy

Re: Unable to login as agent

Post by sanilramachandran »

Thanks Roy.
I found the field -sn was missing for this user.
Thank you very much for pointing it out.
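
The cause found in this thread, an agent account with no sn value although UserSyncMap maps givenName, sn and mail, can be checked for every account in the agent group before users hit the login page. The following is an added example, not part of any post and not Znuny code: a shell function that reads LDIF (for instance `ldapsearch -LLL -o ldif-wrap=no` output for the group members) and lists entries lacking a mapped attribute. The function names and the sample entries are constructed.

```shell
# Added example, not from the thread: list LDAP entries that lack an attribute
# named in AuthSyncModule::LDAP::UserSyncMap. Input is LDIF on stdin.
# $1: comma-separated attribute names (default: the UserSyncMap shown above).
missing_sync_attrs() {
    awk -v required="${1:-givenName,sn,mail}" '
    function report(   k, miss) {
        if (dn != "") {
            miss = ""
            for (k = 1; k <= n; k++)
                if (!(want[k] in seen)) miss = (miss == "" ? "" : miss ",") label[k]
            if (miss != "") print dn " missing: " miss
        }
        dn = ""
        split("", seen)              # portable way to empty an array
    }
    BEGIN {
        n = split(required, label, ",")
        for (k = 1; k <= n; k++) want[k] = tolower(label[k])
    }
    { sub(/\r$/, "") }               # tolerate CRLF exports from Windows tools
    /^$/ { report(); next }          # a blank line ends an entry
    /^[# ]/ { next }                 # comments and folded continuation lines
    {
        p = index($0, ":")
        if (p < 2) next
        name = tolower(substr($0, 1, p - 1))
        sub(/;.*/, "", name)         # drop attribute options such as ;binary
        val = substr($0, p + 1)
        sub(/^[:<]? */, "", val)     # "attr:: " is base64, "attr:< " is a URL
        if (name == "dn") { report(); dn = val; next }
        if (val != "") seen[name] = 1
    }
    END { report() }
    '
}
# Constructed sample: one agent without sn, one whose sn is base64-encoded.
sample_ldif() {
    cat <<'EOF'
dn: CN=bob,OU=Agents,DC=example,DC=org
givenName: Bob
mail: bob@example.org

dn: CN=Zoe Muller,OU=Agents,DC=example,DC=org
givenName: Zoe
sn:: TcO8bGxlcg==
mail: zoe@example.org
EOF
}
sample_ldif | missing_sync_attrs
```

Attribute names are compared case-insensitively, and a base64-encoded value (`sn::`) counts as present, so accounts with non-ASCII surnames are not reported.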