LDAP Auth with mail instead of uid

Moderator: crythias

rmaul
Znuny newbie
Posts: 34
Joined: 15 Apr 2014, 15:35
Znuny Version: 3.3.6
Real Name: Rita Maul
Company: Sesc

LDAP Auth with mail instead of uid

Post by rmaul »

Hello, I am using OTRS 3.3.8 and I am having some trouble switching from uid to mail auth with LDAP sync.

Here is my scenario:

My users have been logging in with uid, both customers and agents. Everything has worked perfectly for a few months. Now we want to expand our services to our subsidiaries in other states. The problem is that since we use uid, we realized that we may have the same uid in our subsidiary. So we came up with the solution to use the full e-mail address as login, as they are and will be unique, since each subsidiary company has its own. For example: my full email address will be rmaul@company.com and the same rmaul in a subsidiary would be rmaul@STATE.company.com. So that would work perfectly.

I edited the fields as below (only pasting the ones I changed):

$Self->{'Customer::AuthModule::LDAP::UID1'} = 'mail';

CustomerKey => 'mail',

And from the mapping part I changed this:

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],


The login works, and now everyone needs to use their full email. My users can open a ticket without a problem, and look at the FAQ. However, when they click on a ticket to follow it they get the following message:

Insufficient Rights
Message: No Permission!

And here is my log message:

[Mon Jun 15 11:48:47 2015][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: teste200@ac.sesc.com.br (CN=teste200 DN-DR,OU=AC,O=SESC) authentication ok (REMOTE_ADDR: ::1).
[Mon Jun 15 11:48:50 2015][Notice][Kernel::System::Ticket::TicketCustomerPermission] Permission denied (UserID: teste200@ac.sesc.com.br 'ro' on TicketID: 484)!

As you can see I changed the code where my customer id was uid to the mail, so they would all be unique as well. I tried accessing old tickets and new tickets and no matter what I get the same error.
On the SQL, my customer_id already shows as the email on the new tickets.

What am I missing here?

I also don't use groups for customers or companies.
I changed:
Ticket::Permission###3-GroupCheck >> granted and required both to 0
and
CustomerTicket::Permission###1-GroupCheck >> granted and required both to 0

It didn't make a difference.

I appreciate any help you guys may be able to give me.
Thank you in advance.
-- Rita Maul
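An added example, not code from this thread or from the OTRS project: a Kernel/Config.pm fragment for OTRS 3.3 in which every key that carries the customer identity (the auth UID attribute, CustomerKey, the UserLogin mapping and the UserCustomerID mapping) points at the same LDAP attribute. The customer permission modules that ship with 3.3 (CustomerTicket::Permission###2-CustomerUserIDCheck and ###3-CustomerIDCheck) compare ticket.customer_user_id and ticket.customer_id with the logged-in customer's UserLogin and UserCustomerID, so those values have to come from the same attribute the user authenticated with. Host name, BaseDN and bind credentials are placeholders.

```perl
# Added example (not from the thread or from OTRS): Kernel/Config.pm fragment
# where customer login, auth key and ticket ownership all use the LDAP 'mail'
# attribute. ldap.example.com, O=EXAMPLE and the bind account are placeholders.

# 1. Authentication: the attribute whose value the customer types as login.
$Self->{'Customer::AuthModule'}               = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'}   = 'ldap.example.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'O=EXAMPLE';
$Self->{'Customer::AuthModule::LDAP::UID'}    = 'mail';

# 2. Customer user backend: CustomerKey and the UserLogin mapping must name the
#    same attribute as the auth UID. If they differ, the login that passed
#    authentication is not the login OTRS looks up and stores on the ticket.
$Self->{CustomerUser} = {
    Name   => 'LDAP Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host        => 'ldap.example.com',
        BaseDN      => 'O=EXAMPLE',
        SSCOPE      => 'sub',
        UserDN      => 'CN=otrs-bind,O=EXAMPLE',   # placeholder bind account
        UserPw      => 'placeholder',
        CustomerKey => 'mail',   # key that identifies a customer user
        CustomerID  => 'mail',   # attribute taken as the customer ID
    },
    ReadOnly                           => 1,
    CustomerUserSearchFields           => [ 'mail', 'cn' ],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => [ 'givenname', 'sn' ],
    # CustomerUserIDCheck compares ticket.customer_user_id with UserLogin and
    # CustomerIDCheck compares ticket.customer_id with UserCustomerID, so both
    # are fed from 'mail' as well.
    Map => [
        # var, frontend, storage, shown, required, type, link, readonly
        [ 'UserFirstname',  'Firstname',  'givenname', 1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',        1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'mail',      1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',      1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',      0, 1, 'var', '', 0 ],
    ],
};
```

After changing the login attribute, tickets created under the old uid-based login still carry that old value in customer_user_id and will fail the CustomerUserIDCheck until the ticket's customer is updated.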
Linwood
Znuny newbie
Posts: 55
Joined: 10 Feb 2015, 15:30
Znuny Version: 4.0.6
Real Name: Linwood Ferguson
Company: LE Ferguson, LLC

Re: LDAP Auth with mail instead of uid

Post by Linwood »

By chance is it only tickets they opened before you made the change? I wonder if perhaps internally they are becoming a different agent record entirely now, same name, but different internal ID? (This is pure speculation, easy to see if you query your user table in sql).
Linwood Ferguson
OTRS 4.0 patch 6, ubuntu 14.04 on HyperV, MySql
rmaul
Znuny newbie
Posts: 34
Joined: 15 Apr 2014, 15:35
Znuny Version: 3.3.6
Real Name: Rita Maul
Company: Sesc

Re: LDAP Auth with mail instead of uid

Post by rmaul »

They cannot see any tickets, not old, not new. I assumed they could not see the old ones because the ID was different, so I went ahead and forced the ids to be the e-mail on the old tickets. They still cannot see it, so I opened new tickets after all the changes, they still cannot see it. So no matter if it's old or new, before or after the change, they cannot see it. I can create new tickets no problem, but I can't do any follow-up cuz I keep getting the insufficient rights error.

I guess that is what you asked, right?
Thank you
Linwood
Znuny newbie
Posts: 55
Joined: 10 Feb 2015, 15:30
Znuny Version: 4.0.6
Real Name: Linwood Ferguson
Company: LE Ferguson, LLC

Re: LDAP Auth with mail instead of uid

Post by Linwood »

rmaul wrote: I guess that is what you asked, right?
Thank you
Yes, and I have no idea now, it was just speculation that the owner changed. Sorry, I'm out of ideas, hopefully someone else will dive in. Sorry for the tangent.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: LDAP Auth with mail instead of uid

Post by crythias »

The other part is the group membership. If the users aren't part of the group that is the same as the queue's group, they won't have permission to see the ticket.

This would only happen if customer Group Support is enabled and the customer's assigned group membership and customergroupsalwaysgroups don't include the ticket-queue-group.

And yes, it matters that the username has changed. Group membership is by group_name-login_name assignment.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
rmaul
Znuny newbie
Posts: 34
Joined: 15 Apr 2014, 15:35
Znuny Version: 3.3.6
Real Name: Rita Maul
Company: Sesc

Re: LDAP Auth with mail instead of uid

Post by rmaul »

ok so, as user groups:

CustomerGroupSupport >>> NO
CustomerGroupAlwaysGroups >>> users

The roles i created for my queues, all have rw in the users group.

And yes, it matters that the username has changed. Group membership is by group_name-login_name assignment.
I get the username matters, however if I changed the username, and opened a new ticket, it would be assigned to the new username right? And yet they don't have access rights, not even to those.

Are there any suggestions on what else I should look into?

Is there a way to wipe clean my users? Would that help? Other than a complete reinstall of OTRS. Cuz since they are synced from LDAP, they don't actually go into my SQL table.

Thank you Crythias.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: LDAP Auth with mail instead of uid

Post by crythias »

All I can do is look at this:
Permission denied (UserID: teste200@ac.sesc.com.br 'ro' on TicketID: 484)!

And check every bit of spelling, character, punctuation mark and see if the login of the user matches the customer user login of the ticket. If not, attempt to manually change the customer of the ticket with the customer button.

The long and short of it says that explicitly the user doesn't have 'ro' access (even though rw is provided (?))...
rmaul
Znuny newbie
Posts: 34
Joined: 15 Apr 2014, 15:35
Znuny Version: 3.3.6
Real Name: Rita Maul
Company: Sesc

Re: LDAP Auth with mail instead of uid

Post by rmaul »

System::Customer::Permission >>> RO and RW
--------
Not sure if this applies to anything in this case but....
Framework -> CustomerInformationCenter
AgentCustomerInformationCenter::MainMenu###010-EditCustomerID >> Is turned OFF
-------
CustomerGroupSupport >> NO
CustomerGroupAlwaysGroups >> users

----
Those are what I judged to be relevant in this case. As for the RO and RW permission for users, I thought the default was RW? Where can I check that? I just never changed it.

-----

I'm adding a pic of the select on the ticket table.... I highlighted the columns so you can see the ID before and after the change. So the tickets created after the change should give access to that id, right?

Thank you again, still hope you guys can help me with this !!!
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: LDAP Auth with mail instead of uid

Post by crythias »

We believe the ticket table is correct. It still is a problem with the current user not having access to the ticket/queue/group that the ticket sits.
ticket.queue_id
queue.group_id
SELECT * FROM `groups`
make sure users is a valid group (1)

OTOH, this may be an encoding issue. I don't know for sure, but there might be a problem with special characters for the username. I can't imagine...
also delete cache.
rmaul
Znuny newbie
Posts: 34
Joined: 15 Apr 2014, 15:35
Znuny Version: 3.3.6
Real Name: Rita Maul
Company: Sesc

Re: LDAP Auth with mail instead of uid

Post by rmaul »

OK, I'm going to check on that and will report back in a few.
Thank you!