Customer Authentication : sync data from LDAP into OTRS db
Moderator: crythias
-
- Znuny newbie
- Posts: 6
- Joined: 30 Dec 2014, 10:00
- Znuny Version: OTRS4
- Real Name: Michael Dietz
- Company: Kerckhoff-Klinik GmbH
Customer Authentication : sync data from LDAP into OTRS db
Hi,
yes, I know it is a VERY old thread, but it is exactly my problem.
I'm using OTRS 4 right now and I am facing the exact same problem as amacquet. I understand that I have to map all information from the LDAP to all the right places in order to make the sync work, but unfortunately, I have no idea what is needed to make it work.
So please, can someone tell me ALL parameters that were needed, and maybe an example for each one, so that I can adapt it for my configuration.
I would REALLY appreciate this, because I have worked on it for about four weeks now, and I still get the annoying:
"Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."
message.
I know there are TONS of threads about that, and I have the feeling that I have read nearly all of them. This one is the best example for my situation that I could find, and just this link isn't working anymore.
I'm sorry for any potential misspelling - it's been a while since I really had to write in English.
Greetings from Germany
Michael
NEVER pet a burning dog.
OTRS Version 4.0.5 on a virtual Linux/Debian Server (Debian Version 3.2.63) - LDAP
-
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: Customer Authentication : sync data from LDAP into OTRS db
To start, please post your Config.pm
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
-
- Znuny newbie
- Posts: 6
- Joined: 30 Dec 2014, 10:00
- Znuny Version: OTRS4
- Real Name: Michael Dietz
- Company: Kerckhoff-Klinik GmbH
Re: Customer Authentication : sync data from LDAP into OTRS db
Hi,
thank you for your quick response.
I configured all things so far with the web interface (which worked pretty well). The LDAP authentication process is working fine.
I tried different Config.pm versions to make the sync work, always with different results.
Here is my last one - where something has to be terribly wrong, because as soon as I use it, I can no longer reach the server, which means no login screen or anything (just a connection failed screen).
Code:
    # This is an example configuration for an LDAP auth sync. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'MyHost';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'MyBaseDN';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountname';
    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'MyAdminUser';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'MyAdminUserPassword';
    # UserSyncLDAPGroups
    # (If "LDAP" was selected for AuthModule, you can specify initial user groups for first login.)
    $Self->{UserSyncLDAPGroups} = [
        'Users',
    ];
    # AuthSyncModule::LDAP::UserSyncMap
    # (map if agent should create/synced from LDAP to DB after successful login)
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::Params'} = {
        port    => 636,
        timeout => 120,
        async   => 0,
        version => 3,
    };
As far as I learned, there are a lot of mapping options missing, which is the initial reason for this thread.
So at the moment, my Config.pm is completely empty and any suggestion is welcome.

Edit: I forgot: In the system log I get the "no such User" message - don't know if it is important.
Another update (I'm constantly working on this):
In another try, I changed my Config.pm in this way:
Code:
    $Self->{UserSyncLDAPMap} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
        Name   => 'LDAP Datenquelle',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host         => 'xxxxxxxxxx',
            BaseDN       => 'CN=xxxxx,dc=xxxxx,dc=xxxxxx',
            SSCOPE       => 'sub',
            UserDN       => 'uid=xxxxx,CN=xxxxx,dc=xxxxx,dc=xxxxxx',
            UserPW       => 'xxxxxx',
            AlwaysFilter => '',
        },
        # customer unique id
        CustomerKey => 'uid',
        CustomerID  => 'uid',
        CustomerUserListFields             => ['uid', 'cn', 'mail'],
        CustomerUserSearchFields           => ['uid', 'cn', 'mail'],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => ['givenname', 'sn'],
        Map => [
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
            [ 'UserLogin',      'Login',      'uid',             1, 1, 'var' ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'uid',             0, 1, 'var' ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
        ],
    };
There is still no difference.
In my system log, now this message is showing up:
000004DC: LdapErr: DSID-0C090728, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
which I haven't seen before.
Is there anything else needed to start the sync process? And (according to this idea), is there the possibility that the only thing that is wrong is my mapping?
Greetings from Germany
Michael
-
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: Customer Authentication : sync data from LDAP into OTRS db
A pointer to my tutorial.
AuthSync is for Agents.
Actually, most of this is addressed in my tutorial.
-
- Znuny newbie
- Posts: 6
- Joined: 30 Dec 2014, 10:00
- Znuny Version: OTRS4
- Real Name: Michael Dietz
- Company: Kerckhoff-Klinik GmbH
Re: Customer Authentication : sync data from LDAP into OTRS db
Thank you again.
Seems to be very helpful - the first time that I see explained, which entry is for which reason.
I will proceed to read it and work with it. Maybe there are further questions incoming.
See you later...
Greetings from Germany
Michael
-
- Znuny newbie
- Posts: 6
- Joined: 30 Dec 2014, 10:00
- Znuny Version: OTRS4
- Real Name: Michael Dietz
- Company: Kerckhoff-Klinik GmbH
Re: Customer Authentication : sync data from LDAP into OTRS db
Hi,
it's me again,
I read your tutorial and finally, I got the feeling that I really understood something of the whole configuration.
(It's still not working yet, but I think it will soon).
Now, there is an additional question. It has been said that since OTRS 4.x it is no longer necessary to configure the Config.pm - instead, you can configure everything about the SysConfig on the web interface. Is that true? And if it is - where can I find the mapping options?
Btw... a very nice tutorial!
Greetings from Germany,
Michael
-
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: Customer Authentication : sync data from LDAP into OTRS db
I can't speak for OTRS 4 LDAP configuration, but I'd summarize it like this:
If it *still* can be found in Defaults.pm, it should be copied to Config.pm and modified within Config.pm.
-
- Znuny newbie
- Posts: 6
- Joined: 30 Dec 2014, 10:00
- Znuny Version: OTRS4
- Real Name: Michael Dietz
- Company: Kerckhoff-Klinik GmbH
Re: Customer Authentication : sync data from LDAP into OTRS db
Hi,
once again, it's me.
Finally, most of the things went fine - mostly because of the very good tutorials - thank you again for that.
Unfortunately, it is still not working as I wish.
So here are two questions, and I think if I understand these two points, I will have a really good chance to make it work.
So here is a part of my actual config,
Code:
    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
        Name   => 'LDAP Datenquelle',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host         => 'xxx',
            BaseDN       => 'dc=xxx,dc=xxx',
            SSCOPE       => 'sub',
            UserDN       => 'CN=xxx,CN=xxx,dc=xxx,dc=xxx',
            UserPW       => 'xxxxx',
            AlwaysFilter => '',
            Params       => {
                port    => 389,
                async   => 0,
                version => 3,
            },
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        CustomerID  => 'mail',
        CustomerUserListFields             => ['cn', 'mail'],
        CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 2500,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => ['givenname', 'sn'],
and here are my two questions:
1. What does the entry beyond "#Customer User" do?
Until now, my entry there was my search user - which doesn't make any sense, since I described the search user right above this part, right?
So, if I don't have to put in the search user here, which one do I have to?
2. Also, the field "# Customer unique id" confuses me.
I have really no idea what is meant by "CustomerKey" and "CustomerID" (I just guessed the entries), so can someone please help me out?
Really sorry for asking all these basic questions, but I really try to understand what I'm doing here.
Greetings from Germany
Michael
-
- Moderator
- Posts: 10170
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: Customer Authentication : sync data from LDAP into OTRS db
#CustomerUser is customer demographics: What is known/recorded about the customer after login.
CustomerID: viewtopic.php?t=7531
CustomerKey: the field/attribute that holds the unique value to look up the customer in the customer data storage backend.
-
- Znuny newbie
- Posts: 6
- Joined: 30 Dec 2014, 10:00
- Znuny Version: OTRS4
- Real Name: Michael Dietz
- Company: Kerckhoff-Klinik GmbH
Re: Customer Authentication : sync data from LDAP into OTRS db
Finally, I solved it - it works!
There were several problems within the code - all of them my fault.
I will post my working Config.pm here - maybe someone can derive benefit from it.
Nevertheless, I have to point out two of the most annoying problems.
First - there is a problem with special characters in the password, such as *, % or $. It causes the "first bind failed" error - thanks to the tutorial, I was able to spot that - last but not least.
Second - really, and I mean really - go through the Defaults.pm step by step!
There is nothing as annoying as forgetting something important because of being scatterbrained (not sure if I can use this word here).
Whatever - here is the working Config.pm (doesn't look too impressive - but it was hard work, I'm not a dev!)
Code:
    # (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
        Name   => 'LDAP Datenquelle',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'xxx',
            # ldap base dn
            BaseDN => 'xxxx',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'xxxxx',
            UserPw => 'xxx',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            AlwaysFilter => '(objectclass=user)',
            # die if backend can't work, e. g. can't connect to server
            Die => 0,
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields             => ['cn', 'mail'],
        CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 2500,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => ['givenname', 'sn'],
        # show now own tickets in customer panel, CompanyTickets
        CustomerUserExcludePrimaryCustomerID => 0,
        # add a ldap filter for valid users (expert setting)
        # CustomerUserValidFilter => '(!(description=gesperrt))',
        # admin can't change customer preferences
        # AdminSetPreferences => 0,
        # cache time to live in sec. - cache any ldap queries
        CacheTTL => 0,
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
            [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
            # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
        ],
    };
    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    ##$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    ##$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.example.com';
    ##$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
    ##$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    ## $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
    # for non ldap posixGroups objectclass (full user dn)
    ## $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    ## $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '';
    ## $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '';
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };
    # config settings taken from Kernel/Config/Defaults.pm #
I commented out the "AuthModule" part because I have configured it with the web interface. No need to do it here again.
So thank you - for all the patience and advice - I really appreciate it!
(very happy) Greetings from Germany
Michael
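An added example, not part of any post in this thread and not OTRS code: a small Perl check that compares a CustomerUser hash against the spelling and structure of the working config above. It flags the `UserPW`/`UserPw` key-case difference visible between the earlier attempts and the working config (Perl hash keys are case-sensitive) and checks for the Map rows the config comment marks as needed; `lint_customer_user`, the sample host and the sample values are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not from the thread): consistency checks for a CustomerUser LDAP hash.
use strict;
use warnings;

# Params keys exactly as spelled in the working config posted above.
my @KNOWN_PARAMS = qw(Host BaseDN SSCOPE UserDN UserPw AlwaysFilter Die Params);

sub lint_customer_user {
    my ($cu) = @_;
    my @findings;
    my $params = $cu->{Params} || {};

    # Perl hash keys are case-sensitive, so 'UserPW' is a different key from 'UserPw'.
    for my $key ( sort keys %{$params} ) {
        next if grep { $_ eq $key } @KNOWN_PARAMS;
        my ($near) = grep { lc $_ eq lc $key } @KNOWN_PARAMS;
        push @findings, $near
            ? "Params key '$key' differs only in case from '$near'"
            : "Params key '$key' is not one the working config uses";
    }
    push @findings, 'UserDN is set but no UserPw value accompanies it'
        if $params->{UserDN} && !$params->{UserPw};

    # Map rows are [ var, frontend, storage, shown, required, storage-type, ... ].
    my %storage = map { $_->[0] => $_->[2] } @{ $cu->{Map} || [] };
    for my $var (qw(UserLogin UserEmail UserCustomerID)) {
        push @findings, "Map has no row for $var" if !defined $storage{$var};
    }

    # Assumption drawn from the configs in this thread: CustomerKey and CustomerID
    # name the same LDAP attributes as the UserLogin and UserCustomerID rows.
    my %pairs = ( CustomerKey => 'UserLogin', CustomerID => 'UserCustomerID' );
    for my $setting ( sort keys %pairs ) {
        my $mapped = $storage{ $pairs{$setting} };
        next if !defined $mapped || !defined $cu->{$setting};
        push @findings,
            "$setting '$cu->{$setting}' differs from $pairs{$setting} attribute '$mapped'"
            if lc $cu->{$setting} ne lc $mapped;
    }
    return @findings;
}

# Constructed sample, shaped like the second attempt in this thread (placeholder values).
my %sample = (
    Name   => 'LDAP Datenquelle',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host         => 'ldap.example.invalid',
        BaseDN       => 'dc=example,dc=invalid',
        SSCOPE       => 'sub',
        UserDN       => 'cn=search,dc=example,dc=invalid',
        UserPW       => 'placeholder',
        AlwaysFilter => '',
    },
    CustomerKey => 'uid',
    CustomerID  => 'uid',
    Map         => [
        [ 'UserFirstname',  'Firstname',  'givenname', 1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'uid',       1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',      1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'uid',       0, 1, 'var' ],
    ],
);

my @findings = lint_customer_user( \%sample );
print "WARN: $_\n" for @findings;
print "OK\n" if !@findings;
```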