[SOLVED] Agents and Customer LDAP Login

Moderator: crythias

Locked
MrMengsk
Znuny newbie
Posts: 14
Joined: 10 Sep 2014, 22:18
Znuny Version: 3.1.7
Real Name: Rodrigo San Martin

[SOLVED] Agents and Customer LDAP Login

Post by MrMengsk »

Dear Sirs, since I downloaded OTRS I have been able to do a lot of things with it, but now I'm trying to do the authentication through LDAP for Agents and Customers. I have read a lot and I'm probably missing something, but my little issue is this:
I created two groups in my AD to split the Agents (Otrs_Agents) from the Customers (Otrs_Users). If I try to log in with an Agent account it works fine, but when I try to log in with a customer account it fails, because OTRS goes to the Agents group to search for the customer.

Could you help me with this, please.

These are my LDAP settings:

Agents group = Otrs_Agents
Customer group = Otrs_Users
LDAP OTRS user for reading = Otrs


#Agents Settings
    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = 'dc00.fs.local';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=fs,dc=local';
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

    # Define the group the OTRS agents will be in. If no group is defined, all users in Active Directory will be able to log in as agents.
    # In this example you need to create the group otrs_agents and add to it the users you want to log in as agents.
    $Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=Otrs_Agents,OU=Grupos,OU=users,DC=fs,DC=local';
    #$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=Otrs_agents,OU=Grupos,OU=users,DC=fs,DC=local';
    $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=Otrs,OU=SM,OU=users,DC=fs,DC=local';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'passwords';


    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params1'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
        inet4   => 1,
    };
    # --------------------------------------------------- #
    # authentication sync settings                        #
    # (enable agent data sync. after succsessful          #
    # authentication)                                     #
    # --------------------------------------------------- #
    # This is an example configuration for an LDAP auth sync. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'clsandc00.fs.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=fs,dc=local';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=Otrs,OU=SM,OU=users,DC=fs,DC=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'Passwords';

    # AuthSyncModule::LDAP::UserSyncMap
    # (map if agent should create/synced from LDAP to DB after successful login)
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

# Begin of Customer LDAP configuration

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::ConnectAD';
    $Self->{'Customer::AuthModule::ConnectAD::Host'} = 'dc00.fs.local';
    $Self->{'Customer::AuthModule::ConnectAD::BaseDN'} = 'dc=fs,dc=local';
    $Self->{'Customer::AuthModule::ConnectAD::UID'} = 'sAMAccountName';
# Group membership filtering start
    $Self->{'Customer::AuthModule::ConnectAD::GroupDN'} = 'CN=Otrs_users,OU=Grupos,OU=users,DC=fs,DC=local';
    $Self->{'Customer::AuthModule::ConnectAD::AccessAttr'} = 'member';
# only members of this group are allowed to log in; remove the comment symbol (#) to enable filtering
    $Self->{'Customer::AuthModule::ConnectAD::SearchUserDN'} = 'CN=Otrs,OU=SM,OU=users,DC=fs,DC=local';
    $Self->{'Customer::AuthModule::ConnectAD::SearchUserPw'} = 'Passwords';

    $Self->{CustomerUser} = {
        Name   => 'otrs ldap1',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => 'dc00.fs.local',
            BaseDN => 'dc=fs,dc=local',
            SSCOPE => 'sub',
            UserDN => 'CN=Otrs,OU=SM,OU=users,DC=fs,DC=local',
            UserPw => 'Passwords',
        },
        CustomerKey => 'sAMAccountName',
        CustomerID  => 'mail',
        CustomerUserListFields             => ['givenname', 'sn', 'sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields           => ['givenname', 'sn', 'sAMAccountName', 'cn', 'mail'],
        CustomerUserPostMasterSearchFields => ['givenname', 'sn', 'mail'],
        CustomerUserNameFields             => ['givenname', 'sn'],
        Map => [
            # var, frontend, storage, shown, required, storage-type
            #['UserSalutation', 'Title',      'title',          '1', '0', 'var'],
            ['UserFirstname',   'Firstname',  'givenname',      '1', '1', 'var'],
            ['UserLastname',    'Lastname',   'sn',             '1', '1', 'var'],
            ['UserLogin',       'Login',      'sAMAccountName', '1', '1', 'var'],
            ['UserEmail',       'Email',      'mail',           '1', '1', 'var'],
            ['UserCustomerID',  'CustomerID', 'mail',           '0', '1', 'var'],
            #['UserPhone',      'Phone',      'telephonenumber','1', '0', 'var'],
            #['UserAddress',    'Address',    'postaladdress',  '1', '0', 'var'],
            #['UserComment',    'Comment',    'description',    '1', '0', 'var'],
        ],
    };

If you can find the problem I will appreciate it a lot.

Can I have both types of login in the same .pm file?
Last edited by MrMengsk on 22 Sep 2014, 18:54, edited 2 times in total.
Otrs Version 3.3.9
OS Debian
MySql Database
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: Agents and Customer LDAP Login

Post by jojo »

did you try to log in as a customer on the agent login page? (index.pl)
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
MrMengsk

Re: Agents and Customer LDAP Login

Post by MrMengsk »

jojo wrote:did you try to login as a customer on the agent login page? (index.pl)
Thank you Jojo for your question. Yes, I tried, and it does not work either.

If I try with a user who should be a customer, this is the error message:


[Notice][Kernel::System::Auth::LDAP::Auth] User: customer authentication failed, no LDAP group entry found GroupDN='CN=Otrs_Agents,OU=Grupos,OU=Usuarios,DC=fs,DC=local'
How can I read from another group in LDAP?
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Agents and Customer LDAP Login

Post by crythias »

try customer.pl
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
MrMengsk

Re: Agents and Customer LDAP Login

Post by MrMengsk »

crythias wrote:try customer.pl
I received the same message; it tries to look in the Agents groups. My config could be wrong.
crythias

Re: Agents and Customer LDAP Login

Post by crythias »

ConnectAd?
MrMengsk

Re: Agents and Customer LDAP Login

Post by MrMengsk »

The connection with AD works fine. The problem is that when you want to get a customer from the "customer group", OTRS searches in the "agent group".
crythias

Re: Agents and Customer LDAP Login

Post by crythias »

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::ConnectAD';

Check this. Because it may be the problem. You say ConnectAD works, but it's the only non-standard part I can tell.
MrMengsk

Re: Agents and Customer LDAP Login

Post by MrMengsk »

It didn't work either. Why is OTRS not asking the customer group?
MrMengsk

Re: Agents and Customer LDAP Login

Post by MrMengsk »

Please don't ask, I don't know how or why, but it is working. Now the issue is this:
Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator
crythias

Re: Agents and Customer LDAP Login

Post by crythias »

first, why are you on 3.1.7? You should be on a later version, 3.1.latest at least, but I'd strongly suggest starting with a more recent version.

next, try a single-word name for CustomerUser Name=>
MrMengsk

Re: Agents and Customer LDAP Login

Post by MrMengsk »

I fixed it; these are the settings that do it:
# CustomerUser
# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'Clsandc00.ferrostaal.local';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=ferrostaal,DC=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth by membership of a group
# (e. g. user needs to be in a group xyz to use otrs). Here it is an AD
# group whose 'member' attribute holds full user DNs, hence UserAttr = 'DN'.
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=Otrs_Usuarios,OU=Grupos,OU=Usuarios,DC=ferrostaal,DC=local';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=Otrs,OU=Santa Maria,OU=Usuarios,DC=Ferrostaal,DC=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Ot2736';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. the user just wants to type "user" but
# in your ldap directory the entry is user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# USER LDAP SETTINGS WHEN SUBMITTING A TICKET

$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'clsandc00.ferrostaal.local',
        BaseDN => 'dc=ferrostaal,dc=local',
        SSCOPE => 'sub',
        UserDN => 'CN=Otrs,OU=Santa Maria,OU=Usuarios,DC=Ferrostaal,DC=local',
        UserPw => 'Ot2736',
    },
    # CustomerKey must be the same attribute the user logs in with (UID above)
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'sAMAccountName',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        # [ 'UserSalutation', 'Title',      'title',           1, 0, 'var' ],
        [ 'UserFirstname',    'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',     'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',        'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',        'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID',   'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',        'Phone',      'telephonenumber', 1, 0, 'var' ],
        # [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var' ],
        [ 'UserComment',      'Comment',    'description',     1, 0, 'var' ],
    ],
};

Works with versions 3.1.7 and 3.3.9.
crythias wrote:first, why are you on 3.1.7? You would should be on a later version 3.1.latest but I'd strongly suggest starting with a more recent version.

next, try a single-word name for CustomerUser Name=>
Hello, I downloaded the OTRS 3.3.9 Appliance, and I receive the same error when I try to log in on a "customer page":

"Authentication succeeded, but no customer record is found in the customer backend"

Now, look at this log:
Sep 15 16:22:23 localhost OTRS-CGI-58[4854]: [Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: user (CN=User,OU=Santa Maria,OU=Users,DC=Fs,DC=local) authentication ok (REMOTE_ADDR: 192.168.1.50).
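To make the two-stage check behind the messages in this thread concrete, here is an added example (written for this edit, not OTRS or Znuny code) that models what the customer auth backend and the CustomerUser backend each do, against a constructed in-memory directory. The DNs, logins, passwords and the otrs_agents/otrs_users groups are invented, and the search, bind and group-membership logic is a simplified re-implementation rather than the module's own. It shows why a customer account fails with "no LDAP group entry found" when GroupDN points at the agents group, why a correct GroupDN combined with a CustomerKey that does not match the login attribute yields "Authentication succeeded, but no customer record is found in the customer backend", and why the login value has to be escaped before it is placed in a search filter.

```python
# Added example, not OTRS/Znuny code: a toy model of the two LDAP lookups an
# OTRS customer login performs, against a constructed in-memory directory.
from __future__ import annotations

# Constructed sample directory: DN -> {attribute: [values]}. Names, passwords
# and memberships are invented. Attribute names are stored lower-cased because
# LDAP attribute names are case-insensitive (so 'saMaccountName' still works).
DIRECTORY = {
    "cn=otrs,ou=sm,ou=users,dc=fs,dc=local": {
        "objectclass": ["user"], "samaccountname": ["otrs"], "userpassword": ["search-pw"]},
    "cn=alice,ou=sm,ou=users,dc=fs,dc=local": {
        "objectclass": ["user"], "samaccountname": ["alice"], "userpassword": ["alice-pw"],
        "givenname": ["Alice"], "sn": ["Customer"], "mail": ["alice@fs.local"]},
    "cn=bob,ou=sm,ou=users,dc=fs,dc=local": {
        "objectclass": ["user"], "samaccountname": ["bob"], "userpassword": ["bob-pw"],
        "givenname": ["Bob"], "sn": ["Agent"], "mail": ["bob@fs.local"]},
    # AD groups list members as full DNs, which is why UserAttr must be 'DN'
    "cn=otrs_agents,ou=grupos,ou=users,dc=fs,dc=local": {
        "objectclass": ["group"], "member": ["cn=bob,ou=sm,ou=users,dc=fs,dc=local"]},
    "cn=otrs_users,ou=grupos,ou=users,dc=fs,dc=local": {
        "objectclass": ["group"], "member": ["cn=alice,ou=sm,ou=users,dc=fs,dc=local"]},
}

# Hypothetical config dicts mirroring the Kernel/Config.pm keys used in the thread.
CUSTOMER_AUTH = {
    "BaseDN": "dc=fs,dc=local", "UID": "sAMAccountName",
    "GroupDN": "cn=otrs_users,ou=grupos,ou=users,dc=fs,dc=local",
    "AccessAttr": "member", "UserAttr": "DN",
    "SearchUserDN": "cn=otrs,ou=sm,ou=users,dc=fs,dc=local", "SearchUserPw": "search-pw",
}
AGENT_AUTH = dict(CUSTOMER_AUTH, GroupDN="cn=otrs_agents,ou=grupos,ou=users,dc=fs,dc=local")
CUSTOMER_USER = {"BaseDN": "dc=fs,dc=local", "SSCOPE": "sub", "CustomerKey": "sAMAccountName"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login such as 'a*)' cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(attr: str, value: str, always_filter: str = "") -> str:
    """The equality filter the backend would send, with AlwaysFilter AND-ed in."""
    eq = "(%s=%s)" % (attr, escape_filter_value(value))
    return "(&%s%s)" % (eq, always_filter) if always_filter else eq


def search(base: str, scope: str, attr: str, value: str) -> list[str]:
    """Case-insensitive equality search; 'base' = the base entry only, 'sub' = its subtree."""
    base = base.lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn == base or (scope == "sub" and dn.endswith("," + base))
        if in_scope and value.lower() in [v.lower() for v in attrs.get(attr.lower(), [])]:
            hits.append(dn)
    return hits


def bind(dn: str, password: str) -> bool:
    entry = DIRECTORY.get(dn.lower())
    return bool(entry) and password in entry.get("userpassword", [])


def ldap_auth(cfg: dict, login: str, password: str) -> tuple[bool, str]:
    """Auth backend: bind as SearchUserDN, resolve login to a DN, bind as the user, check GroupDN."""
    if not bind(cfg["SearchUserDN"], cfg["SearchUserPw"]):
        return False, "bind with SearchUserDN failed"
    dns = search(cfg["BaseDN"], "sub", cfg["UID"], login)  # i.e. build_filter(cfg["UID"], login)
    if len(dns) != 1:
        return False, "User: %s authentication failed, no LDAP entry found" % login
    user_dn = dns[0]
    if not bind(user_dn, password):
        return False, "User: %s authentication failed, bind failed" % login
    group_dn = cfg.get("GroupDN")
    if group_dn:
        # UserAttr 'DN': AccessAttr must contain the user's full DN (AD 'member');
        # UserAttr 'UID': it must contain the bare login (posixGroup 'memberUid').
        wanted = user_dn if cfg.get("UserAttr", "DN") == "DN" else login
        if not search(group_dn, "base", cfg["AccessAttr"], wanted):
            return False, ("User: %s authentication failed, no LDAP group entry found GroupDN='%s'"
                           % (login, group_dn))
    return True, "CustomerUser: %s (%s) authentication ok" % (login, user_dn)


def customer_lookup(cu_cfg: dict, login: str) -> dict | None:
    """CustomerUser backend: a second, independent search keyed on CustomerKey."""
    dns = search(cu_cfg["BaseDN"], cu_cfg["SSCOPE"], cu_cfg["CustomerKey"], login)
    return DIRECTORY[dns[0]] if dns else None


def customer_login(auth_cfg: dict, cu_cfg: dict, login: str, password: str) -> str:
    """Both stages must succeed; a mismatch between them produces the thread's second error."""
    ok, msg = ldap_auth(auth_cfg, login, password)
    if not ok:
        return msg
    if customer_lookup(cu_cfg, login) is None:
        return "Authentication succeeded, but no customer record is found in the customer backend"
    return "login ok"


if __name__ == "__main__":
    print(customer_login(CUSTOMER_AUTH, CUSTOMER_USER, "alice", "alice-pw"))
    print(customer_login(CUSTOMER_AUTH, CUSTOMER_USER, "bob", "bob-pw"))
    print(customer_login(CUSTOMER_AUTH, dict(CUSTOMER_USER, CustomerKey="mail"), "alice", "alice-pw"))
```

Running it prints "login ok" for alice, the "no LDAP group entry found" line for bob (an agent-group member hitting the customer GroupDN), and the "no customer record" line once CustomerKey is switched to mail: the auth backend and the CustomerUser backend are configured separately, and both have to agree on the login attribute. The same functions with AGENT_AUTH reverse the outcome for alice and bob, which is the split between the two groups the thread was after.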
Locked