otrs + ldap + service

Moderator: crythias

Locked
otresi
Znuny newbie
Posts: 84
Joined: 02 Sep 2014, 10:49
Znuny Version: OTRS 5.0.8

otrs + ldap + service

Post by otresi »

Hello,

I'm new to OTRS and I have two questions.

My OTRS version is 3.3.8, an appliance on VMware; AD is Windows Server 2008 R2.

1. The first question is about integrating OTRS and LDAP. My AD server has the address 172.27.0.1. I created a global security group OTRS_Customers and an organizational unit OTRS, where I put a user and added that user to the group OTRS_Customers. My domain name is srbija.local.
This is the configuration I changed:


# This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
     $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
     $Self->{'Customer::AuthModule::LDAP::Host'} = '172.27.0.1';
     $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=SRBIJA,dc=local';
     $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
     $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Customers,ou=OTRS,dc=RASRBIJA,dc=local';
     $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'sAMAccountName';
    # for ldap posixGroups objectclass (just uid)
     $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
    # for non ldap posixGroups objectclass (full user dn)
     $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
     $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '';
     $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
     $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each customer login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
     $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
     $Self->{'Customer::AuthModule::LDAP::Params'} = {
         port    => 389,
         timeout => 120,
         async   => 0,
         version => 3,
     };
After this change I don't see my test user on the customer page. What is wrong?

2. My second question is about changing the file Default.pm. When I changed something in Default.pm I couldn't log in to index.pl or customer.pl; after rebooting the server everything worked.
Is there some other way to restart the service, or not?
OTRS 5 /
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: otrs + ldap + service

Post by crythias »

1) use multiple backends. See documentation
2) never change Defaults.pm. Copy relevant items to Config.pm and edit there.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: otrs + ldap + service

Post by otresi »

Thank you.

Now I change only Default.pm.
I read the documentation and added this code:


# CustomerUser LDAP
# (customer user ldap backend and settings) 
         $Self->{CustomerUser} = {
         Name => 'LDAP Backend',
         Module => 'Kernel::System::CustomerUser::LDAP',
         Params => {
             # ldap host
             Host => '172.27.0.1',
             # ldap base dn
             BaseDN => 'cn=OTRS_Customers,ou=OTRS,dc=SRBIJA,dc=local',
             # search scope (one|sub)
             SSCOPE => 'sub',
#            # The following is valid but would only be necessary if the
#            # anonymous user does NOT have permission to read from the LDAP tree
             UserDN => '',
             UserPw => '',
#            # in case you want to add always one filter to each ldap query, use
#            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
             AlwaysFilter => '',
#            # if both your frontend and your LDAP are unicode, use this:
             SourceCharset => 'utf-8',
             DestCharset   => 'utf-8',
#            # if your frontend is unicode and the charset of your
#            # ldap server is iso-8859-1, use these options.
             # SourceCharset => 'iso-8859-1',
             # DestCharset => 'utf-8',
#            # die if backend can't work, e. g. can't connect to server
#            Die => 0,
             # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
             Params => {
                 port    => 389,
                 timeout => 120,
                 async   => 0,
                 version => 3,
             },
         },
         # customer unique id
         CustomerKey => 'uid',
         # customer #
         CustomerID => 'mail',
         CustomerUserListFields => ['cn', 'mail'],
         CustomerUserSearchFields => ['uid', 'cn', 'mail'],
         CustomerUserSearchPrefix => '',
         CustomerUserSearchSuffix => '*',
         CustomerUserSearchListLimit => 250,
         CustomerUserPostMasterSearchFields => ['mail'],
         CustomerUserNameFields => ['givenname', 'sn'],
         # show now own tickets in customer panel, CompanyTickets
         CustomerUserExcludePrimaryCustomerID => 0,
#        # add a ldap filter for valid users (expert setting)
#        # CustomerUserValidFilter => '(!(description=gesperrt))',
         # admin can't change customer preferences
         AdminSetPreferences => 0,
#        # cache time to live in sec. - cache any ldap queries
#        CacheTTL => 0,
         Map => [
             # note: Login, Email and CustomerID needed!
             # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
             [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
             [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
             [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
             [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
             [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
             [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
             # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
             [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
             [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
             [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
         ],
     };

So when I log in on index.pl, under Admin -> Customer User I see the LDAP backend, but I don't see any user from my AD ou=OTRS.
What's the problem?

thanks in advance
Last edited by crythias on 04 Sep 2014, 13:52, edited 1 time in total.
Reason: [code] tags

Re: otrs + ldap + service

Post by crythias »

>BaseDN => 'cn=OTRS_Customers,ou=OTRS,dc=SRBIJA,dc=local',

Re: otrs + ldap + service

Post by otresi »

>BaseDN => 'cn=OTRS_Customers,ou=OTRS,dc=SRBIJA,dc=local',

My domain name is SRBIJA.local.
OTRS_Customers is a global security group.
OTRS is an organizational unit.
I put some users in the OTRS organizational unit.

Re: otrs + ldap + service

Post by otresi »

What is wrong? :)

Re: otrs + ldap + service

Post by crythias »

A BaseDN is intended to be the highest level DN or OU (but not group) that contains every filterable object below it.

If you want to see people in OTRS OU, then your BaseDN needs to start at that level, or higher.
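As an added example that is not part of the original thread: the search-scope behaviour described in the reply above, simulated over a small constructed directory tree modelled on the poster's domain (SRBIJA.local, OU OTRS, group OTRS_Customers). The entry names, the test users and their attribute values are assumptions. The point it shows is that a group is a leaf object, so a BaseDN that names the group finds no users, while the OU or the domain above it does; the membership check at the end shows why the Active Directory pairing in the auth module is AccessAttr => 'member' with UserAttr => 'DN'.

```python
"""Simulate how an LDAP BaseDN and search scope select entries.

Added example, not OTRS code. DIRECTORY is a constructed tree modelled on the
thread (domain SRBIJA.local, OU OTRS, group OTRS_Customers); the user entries
and their attribute values are assumptions."""

DIRECTORY = {
    "DC=SRBIJA,DC=local": {"objectClass": ["domain"]},
    "OU=OTRS,DC=SRBIJA,DC=local": {"objectClass": ["organizationalUnit"]},
    # The group is an object inside the OU: a sibling of the users, not their parent.
    "CN=OTRS_Customers,OU=OTRS,DC=SRBIJA,DC=local": {
        "objectClass": ["group"],
        "member": ["CN=Test User,OU=OTRS,DC=SRBIJA,DC=local"],   # AD stores full DNs
    },
    "CN=Test User,OU=OTRS,DC=SRBIJA,DC=local": {
        "objectClass": ["user"],
        "sAMAccountName": ["testuser"],
        "mail": ["testuser@srbija.local"],
    },
    "CN=Users,DC=SRBIJA,DC=local": {"objectClass": ["container"]},
    "CN=Other User,CN=Users,DC=SRBIJA,DC=local": {
        "objectClass": ["user"],
        "sAMAccountName": ["otheruser"],
    },
}

def rdns(dn):
    """Split a DN into its RDNs, most specific first, lower-cased for comparison."""
    return [part.strip().lower() for part in dn.split(",")]

def is_under(dn, base, scope):
    """True if `dn` is selected by a search at `base` with `scope` (base|one|sub)."""
    d, b = rdns(dn), rdns(base)
    if len(d) < len(b) or d[-len(b):] != b:
        return False                    # not in the subtree at all
    depth = len(d) - len(b)             # 0 = the base entry itself, 1 = direct child, ...
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: %r" % scope)

def search(base, scope, object_class="user"):
    """DNs under base/scope whose objectClass matches, like an AlwaysFilter of
    (objectClass=user) combined with the OTRS SSCOPE setting."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if is_under(dn, base, scope) and object_class in attrs["objectClass"])

def in_group(group_dn, user_dn):
    """Membership the way Active Directory stores it: the group's `member`
    attribute holds full user DNs. That is why the AD pairing in the auth module
    is AccessAttr => 'member' with UserAttr => 'DN'; a posixGroup keeps plain
    uids in memberUid and pairs with UserAttr => 'UID' instead."""
    entry = next(v for k, v in DIRECTORY.items() if rdns(k) == rdns(group_dn))
    return any(rdns(m) == rdns(user_dn) for m in entry.get("member", []))

if __name__ == "__main__":
    for base, scope in [
        ("cn=OTRS_Customers,ou=OTRS,dc=SRBIJA,dc=local", "sub"),   # the group as BaseDN
        ("ou=OTRS,dc=SRBIJA,dc=local", "sub"),                     # the OU
        ("dc=SRBIJA,dc=local", "one"),                             # domain, one level only
        ("dc=SRBIJA,dc=local", "sub"),                             # whole domain
    ]:
        print("%-45s %-4s -> %s" % (base, scope, search(base, scope) or "no users"))
    print("Test User in OTRS_Customers:",
          in_group("cn=OTRS_Customers,ou=OTRS,dc=SRBIJA,dc=local",
                   "cn=Test User,ou=OTRS,dc=SRBIJA,dc=local"))
```

Running it prints no users for the group-as-BaseDN case, the test user for the OU, nothing for the domain with scope one (the users sit two levels down) and both users for the domain with scope sub. The same logic applies to the real directory: the BaseDN has to be a container at or above the users, and the scope has to reach down to them.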

Re: otrs + ldap + service

Post by otresi »

OK, I have now created ou=otrs in the root of my domain. This is my config now, but it is still not working.
I have one user in OU otrs, but Customer User Management shows the message "no user found" :(


# CustomerUser LDAP
# (customer user ldap backend and settings)
         $Self->{CustomerUser} = {
         Name => 'LDAP Backend',
         Module => 'Kernel::System::CustomerUser::LDAP',
         Params => {
             # ldap host
             Host => '172.27.0.1',
             # ldap base dn
             BaseDN => 'ou=otrs,dc=SRBIJA,dc=local',
             # search scope (one|sub)
             SSCOPE => 'sub',
#            # The following is valid but would only be necessary if the
#            # anonymous user does NOT have permission to read from the LDAP tree
             UserDN => '',
             UserPw => '',
#            # in case you want to add always one filter to each ldap query, use
#            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
             AlwaysFilter => '',
#            # if both your frontend and your LDAP are unicode, use this:
             SourceCharset => 'utf-8',
             DestCharset   => 'utf-8',
#            # if your frontend is unicode and the charset of your
#            # ldap server is iso-8859-1, use these options.
             # SourceCharset => 'iso-8859-1',
             # DestCharset => 'utf-8',
#            # die if backend can't work, e. g. can't connect to server
#            Die => 0,
             # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
             Params => {
                 port    => 389,
                 timeout => 120,
                 async   => 0,
                 version => 3,
             },
         },
         # customer unique id
         CustomerKey => 'uid',
         # customer #
         CustomerID => 'mail',
         CustomerUserListFields => ['cn', 'mail'],
         CustomerUserSearchFields => ['uid', 'cn', 'mail'],
         CustomerUserSearchPrefix => '',
         CustomerUserSearchSuffix => '*',
         CustomerUserSearchListLimit => 250,
         CustomerUserPostMasterSearchFields => ['mail'],
         CustomerUserNameFields => ['givenname', 'sn'],
         # show now own tickets in customer panel, CompanyTickets
         CustomerUserExcludePrimaryCustomerID => 0,
#        # add a ldap filter for valid users (expert setting)
#        # CustomerUserValidFilter => '(!(description=gesperrt))',
         # admin can't change customer preferences
         AdminSetPreferences => 0,
#        # cache time to live in sec. - cache any ldap queries
#        CacheTTL => 0,
         Map => [
             # note: Login, Email and CustomerID needed!
             # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
             [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
             [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
             [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
             [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
             [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
             [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
             # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
             [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
             [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
             [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
         ],
     };
Last edited by crythias on 04 Sep 2014, 19:17, edited 1 time in total.
Reason: [code] tags

Re: otrs + ldap + service

Post by otresi »

Any help? :)

Re: otrs + ldap + service

Post by crythias »

Not really. On the one hand, you're only showing the CustomerUser data side and not the auth side.
On the other, if it's Active Directory, you may need to provide bind credentials, but logs might be of assistance.

Re: otrs + ldap + service

Post by otresi »

Which code do I need for the authentication side? Some example, please?
What do you think about bind credentials? Some example, please?

Sorry, but I need an example, not a complicated answer.

Re: otrs + ldap + service

Post by crythias »

Examples in the documentation.
bind credentials = UserDN, UserPw

Re: otrs + ldap + service

Post by otresi »

Could you please post the complete code required for customer login via LDAP, and separately for agent login via LDAP?

Thanks a lot :)

Re: otrs + ldap + service

Post by crythias »

No. The complete code is in the documentation.

Re: otrs + ldap + service

Post by otresi »

What's your problem?

Re: otrs + ldap + service

Post by crythias »

My problem? I don't know your system. I don't know your passwords. I don't know what you need me to do that I haven't already told you and posted and the docs don't say. I can't give you a working config because it's your system.

Re: otrs + ldap + service

Post by crythias »

Let me start over:

First, have you read my LDAP troubleshooting tutorial?
Have you seen any log error messages (System Log) related to the login? Could you kindly post them?
Could you post your current entire (credential redacted) Config.pm?
What have you tried to do?
What instructions have you followed to get to the point you're at now?
Where are the instructions you followed?
Have you searched the forums for your error message?
What has been your result?
Did it not solve your issue?
Why not? What's different from what other people have experienced?
What, after all this time, is your current issue?
How does it present itself?
How may we replicate your experience?

Re: otrs + ldap + service

Post by otresi »

Thank you for the help :)
This is my Config.pm:


# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2014 xxx, http://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
#  Note:
#
#  -->> Most OTRS configuration should be done via the OTRS web interface
#       and the SysConfig. Only for some configuration, such as database
#       credentials and customer data source changes, you should edit this
#       file. For changes do customer data sources you can copy the definitions
#       from Kernel/Config/Defaults.pm and paste them in this file.
#       Config.pm will not be overwritten when updating OTRS.
# --

package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # The database host
    $Self->{DatabaseHost} = '127.0.0.1';

    # The database name
    $Self->{Database} = 'otrs';

    # The database user
    $Self->{DatabaseUser} = 'otrs';

    # The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords
    $Self->{DatabasePw} = 'XBiL-Y_zjt66@Y_';
        $Self->{SecureMode}=1;
        $Self->{"Package::Timeout"}=120;
        $Self->{'SystemID'}=71;
        $Self->{'SessionName'}='OTRSAgentInterface';
### MARKER ###

    # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # The database DSN for PostgreSQL ==> more: "perldoc DBD::Pg"
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a TCP/IP connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
    # if you have PostgresSQL 8.1 or earlier, activate the legacy driver with this line:
#    $Self->{DatabasePostgresqlBefore82} = 1;

    # The database DSN for Microsoft SQL Server - only supported if OTRS is
    # installed on Windows as well
#    $Self->{DatabaseDSN} = "DBI:ODBC:driver={SQL Server};Database=$Self->{Database};Server=$Self->{DatabaseHost},1433";

    # The database DSN for Oracle ==> more: "perldoc DBD::oracle"
#    $ENV{ORACLE_HOME} = '/u01/app/oracle/product/10.2.0/client_1';
#    $ENV{NLS_DATE_FORMAT} = 'YYYY-MM-DD HH24:MI:SS';
#    $ENV{NLS_LANG} = "american_america.utf8";

#    $Self->{DatabaseDSN} = "DBI:Oracle:sid=OTRS;host=$Self->{DatabaseHost};port=1522;";

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #



# CustomerUser LDAP
# (customer user ldap backend and settings)
         $Self->{CustomerUser} = {
         Name => 'LDAP Backend',
         Module => 'Kernel::System::CustomerUser::LDAP',
         Params => {
             # ldap host
             Host => '172.27.0.1',
             # ldap base dn
             BaseDN => 'ou=otrs,dc=SRBIJA,dc=local',
             # search scope (one|sub)
             SSCOPE => 'sub',
#            # The following is valid but would only be necessary if the
#            # anonymous user does NOT have permission to read from the LDAP tree
             UserDN => '',
             UserPw => '',
#            # in case you want to add always one filter to each ldap query, use
#            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
             AlwaysFilter => '',
#            # if both your frontend and your LDAP are unicode, use this:
             SourceCharset => 'utf-8',
             DestCharset   => 'utf-8',
#            # if your frontend is unicode and the charset of your
#            # ldap server is iso-8859-1, use these options.
             # SourceCharset => 'iso-8859-1',
             # DestCharset => 'utf-8',
#            # die if backend can't work, e. g. can't connect to server
#            Die => 0,
             # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
             Params => {
                 port    => 389,
                 timeout => 120,
                 async   => 0,
                 version => 3,
             },
         },
         # customer unique id
         CustomerKey => 'uid',
         # customer #
         CustomerID => 'mail',
         CustomerUserListFields => ['cn', 'mail'],
         CustomerUserSearchFields => ['uid', 'cn', 'mail'],
         CustomerUserSearchPrefix => '',
         CustomerUserSearchSuffix => '*',
         CustomerUserSearchListLimit => 250,
         CustomerUserPostMasterSearchFields => ['mail'],
         CustomerUserNameFields => ['givenname', 'sn'],
         # show now own tickets in customer panel, CompanyTickets
         CustomerUserExcludePrimaryCustomerID => 0,
#        # add a ldap filter for valid users (expert setting)
#        # CustomerUserValidFilter => '(!(description=gesperrt))',
         # admin can't change customer preferences
         AdminSetPreferences => 0,
#        # cache time to live in sec. - cache any ldap queries
#        CacheTTL => 0,
         Map => [
             # note: Login, Email and CustomerID needed!
             # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
             [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
             [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
             [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
             [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
             [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
             [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
             # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
             [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
             [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
             [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
         ],
     };

 This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '172.27.0.1';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=SRBIJA,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Customers,ou=otrs,dc=SRBIJA,dc=local';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};

    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    # end of your own config options!!!                    #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #

use base qw(Kernel::Config::Defaults);

# -----------------------------------------------------#

1;
Now I get this error when logging in on index.pl and customer.pl:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

So, my domain is SRBIJA.local,
my ou=otrs is in the root of the domain,
my global security group OTRS_Customers is in the otrs organizational unit,
my user is in the group OTRS_Customers.

Where is the log file located?
Last edited by crythias on 09 Sep 2014, 13:01, edited 1 time in total.
Reason: [code] tags

Re: otrs + ldap + service

Post by crythias »

500 errors are apache /var/log/apache2/error.log
also /var/log/messages or /var/log/syslog

Please edit your signature (see mine) to contain your OTRS environment so those who might answer don't have to search for it.

Re: otrs + ldap + service

Post by otresi »

Hi, this is the code now:


# CustomerUser LDAP
# (customer user ldap backend and settings)
         $Self->{CustomerUser} = {
         Name => 'LDAP Backend',
         Module => 'Kernel::System::CustomerUser::LDAP',
         Params => {
             # ldap host
             Host => '172.27.0.1',
             # ldap base dn
             BaseDN => 'ou=otrs,dc=SRBIJA,dc=local',
             # search scope (one|sub)
             SSCOPE => 'sub',
#            # The following is valid but would only be necessary if the
#            # anonymous user does NOT have permission to read from the LDAP tree
             UserDN => 'aduser2',
             UserPw => '123456',
#            # in case you want to add always one filter to each ldap query, use
#            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
             AlwaysFilter => '',
#            # if both your frontend and your LDAP are unicode, use this:
             SourceCharset => 'utf-8',
             DestCharset   => 'utf-8',
#            # if your frontend is unicode and the charset of your
#            # ldap server is iso-8859-1, use these options.
             # SourceCharset => 'iso-8859-1',
             # DestCharset => 'utf-8',
#            # die if backend can't work, e. g. can't connect to server
#            Die => 0,
             # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
             Params => {
                 port    => 389,
                 timeout => 120,
                 async   => 0,
                 version => 3,
             },
         },
         # customer unique id
         CustomerKey => 'mail',
         # customer #
         CustomerID => 'sAMAccountName',
         CustomerUserListFields => ['cn', 'mail'],
         CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
         CustomerUserSearchPrefix => '',
         CustomerUserSearchSuffix => '*',
         CustomerUserSearchListLimit => 250,
         CustomerUserPostMasterSearchFields => ['mail'],
         CustomerUserNameFields => ['givenname', 'sn'],
         # show now own tickets in customer panel, CompanyTickets
         CustomerUserExcludePrimaryCustomerID => 0,
#        # add a ldap filter for valid users (expert setting)
#        # CustomerUserValidFilter => '(!(description=gesperrt))',
         # admin can't change customer preferences
         AdminSetPreferences => 0,
#        # cache time to live in sec. - cache any ldap queries
#        CacheTTL => 0,
         Map => [
             # note: Login, Email and CustomerID needed!
             # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
             [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
             [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
             [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
             [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
             [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
             [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
            # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
             [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
             [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
             [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
         ],
     };


# This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '172.27.0.1';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=otrs,dc=SRBIJA,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

Now I changed some code and I see the AD user in OTRS, but I can't log in with that user on the customer page?
Last edited by crythias on 09 Sep 2014, 15:14, edited 1 time in total.
Reason: Please use [code] tags
OTRS 5 /

Re: otrs + ldap + service

Post by otresi »

any help?
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: otrs + ldap + service

Post by crythias »

My crystal ball doesn't work too well today.

You have to realize that we aren't in your environment. We don't see your logs, your error messages, your distinguishedName for the user in question, etc.

We don't have your environment and can't replicate your issue.

In case you missed my Need help? link, what do your logs say?
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: otrs + ldap + service

Post by crythias »

Also, please note that after you make any change, we assume something log-based must also have changed. If not, that's okay, but we want to see logs and error messages.

Re: otrs + ldap + service

Post by otresi »

OK, here are the logs...

Re: otrs + ldap + service

Post by crythias »

Seriously? You can't just snip the relevant parts?

Re: otrs + ldap + service

Post by otresi »

crythias wrote: Seriously? You can't just snip the relevant parts?
I don't know where the error is, where the problem is...

Re: otrs + ldap + service

Post by crythias »

For starters, the error is within a minute or two of when it occurred.

Re: otrs + ldap + service

Post by otresi »

ERROR: OTRS-CGI-71 Perl: 5.10.1 OS: linux Time: Wed Sep 10 15:02:56 2014

Message: Search failed! 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db0^@

RemoteAddress: XXXXX
RequestURI: /otrs/customer.pl

Traceback (1565):
Module: Kernel::System::CustomerAuth::LDAP::Auth (OTRS 3.3.8) Line: 216
Module: Kernel::System::CustomerAuth::Auth (OTRS 3.3.8) Line: 147
Module: Kernel::System::Web::InterfaceCustomer::Run (OTRS 3.3.8) Line: 207
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_customer_2epl::handler (unknown version) Line: 41
Module: (eval) (v1.99) Line: 204
Module: ModPerl::RegistryCooker::run (v1.99) Line: 204
Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 170
Module: ModPerl::Registry::handler (v1.99) Line: 31

Re: otrs + ldap + service

Post by crythias »

Fill these in:

Code: Select all

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '';

Re: otrs + ldap + service

Post by otresi »

OK, I added these lines.

When trying to log in as a customer, I get the error "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." Authentication works fine, but apparently the information from Active Directory does not synchronize to OTRS... When I use a wrong password I get the error "Login failed! Your user name or password was entered incorrectly", so authentication works fine...

Re: otrs + ldap + service

Post by crythias »

CustomerKey => 'uid',
change to
CustomerKey => 'sAMAccountName',


$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
change to
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'sAMAccountName';

other hints: http://wiki.otterhub.org/index.php?titl ... _customers

Re: otrs + ldap + service

Post by otresi »

Working now, thanks a lot :)

Re: otrs + ldap + service

Post by otresi »

Hi,
Now I see users from AD in my OTRS. My users are in OUs, one OU for Customers and one OU for Agents.
I must move every user to an OU, and that works.
But I want to configure OTRS with a group; how can I do that?

Thanks

Re: otrs + ldap + service

Post by otresi »

any help :)

Re: otrs + ldap + service

Post by crythias »

Look up LDAP filters.

Re: otrs + ldap + service

Post by otresi »

I added a filter but it's not working.

Code: Select all

    # CustomerUser LDAP
    # (customer user ldap backend and settings)
             $Self->{CustomerUser} = {
             Name => 'LDAP Backend',
             Module => 'Kernel::System::CustomerUser::LDAP',
             Params => {
                 # ldap host
                 Host => '172.27.0.1',
                 # ldap base dn
                 BaseDN => 'ou=otrs,dc=SRBIJA,dc=local',
                 # search scope (one|sub)
                 SSCOPE => 'sub',
    #            # The following is valid but would only be necessary if the
    #            # anonymous user does NOT have permission to read from the LDAP tree
                 UserDN => 'aduser2',
                 UserPw => '123456',
    #            # in case you want to add always one filter to each ldap query, use
    #            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
                 AlwaysFilter => '',
    #            # if both your frontend and your LDAP are unicode, use this:
                 SourceCharset => 'utf-8',
                 DestCharset   => 'utf-8',
    #            # if your frontend is unicode and the charset of your
    #            # ldap server is iso-8859-1, use these options.
                 # SourceCharset => 'iso-8859-1',
                 # DestCharset => 'utf-8',
    #            # die if backend can't work, e. g. can't connect to server
    #            Die => 0,
                 # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
                 Params => {
                     port    => 389,
                     timeout => 120,
                     async   => 0,
                     version => 3,
                 },
             },
             # customer unique id
             CustomerKey => 'sAMAccountName',
             # customer #
             CustomerID => 'sAMAccountName',
             CustomerUserListFields => ['cn', 'mail'],
             CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
             CustomerUserSearchPrefix => '',
             CustomerUserSearchSuffix => '*',
             CustomerUserSearchListLimit => 250,
             CustomerUserPostMasterSearchFields => ['mail'],
             CustomerUserNameFields => ['givenname', 'sn'],
             # show now own tickets in customer panel, CompanyTickets
             CustomerUserExcludePrimaryCustomerID => 0,
    #        # add a ldap filter for valid users (expert setting)
    #        # CustomerUserValidFilter => '(!(description=gesperrt))',
             # admin can't change customer preferences
             AdminSetPreferences => 0,
    #        # cache time to live in sec. - cache any ldap queries
    #        CacheTTL => 0,
             Map => [
                 # note: Login, Email and CustomerID needed!
                 # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
                 [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
                 [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
                 [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
                 [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
                 [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
                 [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
                # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
                 [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
                 [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
                 [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
             ],
         };


    # This is an example configuration for an LDAP auth. backend.
        # (take care that Net::LDAP is installed!)
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = '172.27.0.1';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=otrs,dc=SRBIJA,dc=local';
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Customers,ou=otrs,dc=SRBIJA,dc=local';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'aduser2';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '123456';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectCategory=user)(memberOf=OTRS_Customers,ou=otrs,dc=SRBIJA,dc=local)';
Now I can log in with all users in the OU otrs.
I want to log in only with users who are members of the group OTRS_Customers. That group is located in the OU otrs.

Thanks
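The thread never gets a reply to the last post, so here is the configuration the three earlier problems point to, combined: the "a successful bind must be completed" error (AD refuses anonymous searches, hence SearchUserDN/SearchUserPw), the "no customer record is found" error (CustomerKey must be the same attribute as the login), and the group restriction that silently does nothing. In the last posted config the keys `AuthModule::LDAP::GroupDN` and `AuthModule::LDAP::AlwaysFilter` lack the `Customer::` prefix, so the customer auth module never sees them, which is why everyone under ou=otrs can log in; the filter value is also two components that are not joined with `(&...)`, the memberOf value is missing `cn=`, and AD user objects have objectCategory `person`, not `user`. This is an added example, not code from the posts or from the OTRS project. The host and DNs come from the thread; the bind account `svc_otrs_ldap` and its password are placeholders (the poster's `aduser2` works the same way); and the AccessAttr/UserAttr pairing assumes the OTRS 3.3 CustomerAuth::LDAP group check searches under GroupDN for `AccessAttr = <user's DN>`, which is how I read that module; confirm against Kernel/System/CustomerAuth/LDAP.pm on your install.

```perl
# Kernel/Config.pm -- customer LDAP auth + customer-user backend against AD.
# Added example, not the poster's config or OTRS project code. Host and DNs
# are from the thread; the bind account and password are placeholders.

# One well-formed RFC 4515 filter, shared by the auth module and the backend
# so that "who may log in" and "who is a customer" are the same set.
# The posted value, '(objectCategory=user)(memberOf=OTRS_Customers,ou=otrs,...)',
# fails on three counts: components not joined with (&...), memberOf without
# the "cn=" part of the group DN, and objectCategory "user" (users are "person").
my $CustomerFilter =
      '(&(objectCategory=person)(objectClass=user)'
    . '(memberOf=cn=OTRS_Customers,ou=otrs,dc=SRBIJA,dc=local))';

# --- Authentication: who may log in to customer.pl ----------------------------
$Self->{'Customer::AuthModule'}               = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'}   = '172.27.0.1';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=otrs,dc=SRBIJA,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'}    = 'sAMAccountName';

# AD rejects anonymous searches ("In order to perform this operation a
# successful bind must be completed"), so a bind account is mandatory. Use a
# dedicated read-only account, not a personal one; AD accepts the UPN form
# for a simple bind, so no full DN is needed. (Placeholder account/password.)
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'svc_otrs_ldap@srbija.local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'use-a-long-random-password';

# Group restriction. Note the 'Customer::' prefix on every key: the posted
# 'AuthModule::LDAP::GroupDN' belongs to the *agent* auth module and is
# ignored here. AD groups list members in the 'member' attribute as full DNs,
# so the check compares the user's DN (UserAttr 'DN') against 'member'.
$Self->{'Customer::AuthModule::LDAP::GroupDN'}    = 'cn=OTRS_Customers,ou=otrs,dc=SRBIJA,dc=local';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'}   = 'DN';

# Also narrow the user lookup itself (ANDed with the sAMAccountName match).
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = $CustomerFilter;

# --- Customer user backend: who appears as a customer ------------------------
$Self->{CustomerUser} = {
    Name   => 'LDAP Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host          => '172.27.0.1',
        BaseDN        => 'ou=otrs,dc=SRBIJA,dc=local',
        SSCOPE        => 'sub',
        UserDN        => 'svc_otrs_ldap@srbija.local',    # same read-only account
        UserPw        => 'use-a-long-random-password',
        AlwaysFilter  => $CustomerFilter,                  # same filter as auth
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
        Params => { port => 389, timeout => 120, async => 0, version => 3 },
    },
    # CustomerKey must be the attribute the user logs in with (UID above and
    # UserLogin below); 'mail' or 'uid' here gives "Authentication succeeded,
    # but no customer record is found in the customer backend".
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'sAMAccountName',
    CustomerUserListFields             => [ 'cn', 'mail' ],
    CustomerUserSearchFields           => [ 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserSearchPrefix           => '',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => [ 'givenname', 'sn' ],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences => 0,
    Map => [
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
    ],
};

# Check the filter outside OTRS first, with the same bind account; the result
# set is exactly the set of customers who will be able to log in:
#   ldapsearch -x -H ldap://172.27.0.1 -D 'svc_otrs_ldap@srbija.local' -W \
#     -b 'ou=otrs,dc=SRBIJA,dc=local' \
#     '(&(objectCategory=person)(objectClass=user)(memberOf=cn=OTRS_Customers,ou=otrs,dc=SRBIJA,dc=local))' \
#     sAMAccountName mail
# memberOf matches direct membership only. To honour nested groups on a
# 2008 R2 DC use the in-chain matching rule instead:
#   (memberOf:1.2.840.113556.1.4.1941:=cn=OTRS_Customers,ou=otrs,dc=SRBIJA,dc=local)
```

Two things to keep in mind when adapting this: the group check and the AlwaysFilter are independent gates, so a user who is in OTRS_Customers but whose object sits outside BaseDN is still refused, and the bind account's password is stored in clear text in Kernel/Config.pm, so give that account read access only and keep the file's permissions tight.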

Re: otrs + ldap + service

Post by otresi »

any help?

Re: otrs + ldap + service

Post by otresi »

Does someone know? :)
Locked