[SOLVED] Customers can't view all their tickets

JSouzaF
Znuny newbie
Posts: 10
Joined: 31 Jul 2015, 20:16
Znuny Version: OTRS 5.0.7
Company: UFJF

Post by JSouzaF »

Hi,

I've been configuring OTRS 4.0.8 for a few weeks and almost everything is working well so far.

My agents are registered locally within OTRS and my customers are held in LDAP (something like 30 thousand customer entries).

The authentication works just fine. The problem I'm having is that for some queues, the customers just can't see their own tickets. I want them to view all tickets that are related to them. I know it's not exactly a problem with the ticket itself because just switching to queues associated with some other groups makes them visible.

I just want them to have access to ALL the queues, and I thought it would be the default configuration (as for the first 4 groups I created it worked perfectly without modifications). But for the queues I associated with groups created after that, they just didn't work. As I was looking for permission issues, I found out I should enable CustomerGroupSupport and assign all groups in CustomerGroupAlwaysGroups.

It didn't quite work and after a few days searching I figured out that it didn't work for LDAP auth users. And I got to this solution: insert all groups in AuthSyncModule::LDAP::UserSyncInitialGroups. That also didn't work and today I saw crythias saying in another thread "Customer groups aren't supported through LDAP (At least, not historically.)".

And now I just don't know what to do. If the queue is associated to some groups (the first 4 or 5 I created) it works fine, for newly created ones it just doesn't work, and it doesn't make any sense to me...

I summarized the most important things I've done but I've tried a lot in the meantime. It seemed to me that simply getting customers to view their tickets regardless of the queue would be easy but I'm not sure what to do anymore. Could anyone help?

Thanks in advance!

Here follows a part of the configuration:

Code:

$Self->{CustomerGroupSupport} = 1;
$Self->{CustomerGroupAlwaysGroups} = ['stats', 'itsm-service', 'itsm-configitem', 'itsm-change-manager', 'itsm-change-builder', 'itsm-change', 'faq_admin', 'faq_approval', 'admin', 'users', 'faq', 'ServiceDesk', 'Infra'];

# LDAP SETTINGS
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Charset'} = 'iso-8859-1';
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    'ou=people,dc=X,dc=X' => {
        'ServiceDesk' => {
            rw => 1,
            ro => 1,
        },
        'Infra' => {
            rw => 1,
            ro => 1,
        },
        'users' => {
            rw => 1,
            ro => 1,
        },
    },
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = ['stats', 'itsm-service', 'itsm-configitem', 'itsm-change-manager', 'itsm-change-builder', 'itsm-change', 'faq_admin', 'faq_approval', 'admin', 'users', 'faq', 'ServiceDesk', 'Infra'];

# Enable LDAP authentication for Customers / Users
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '-';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=people,dc=X,dc=X';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'mail';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=X,dc=X,dc=X';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'X';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';

# Customer user backend: customer data is read from LDAP
$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host          => '-',
        BaseDN        => 'ou=people,dc=X,dc=X',
        SSCOPE        => 'sub',
        UserDN        => 'cn=X,dc=X,dc=X',
        UserPw        => 'X',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
    },

    CustomerKey                        => 'uid',
    CustomerID                         => 'uid',
    CustomerUserListFields             => ['cn', 'mail'],
    CustomerUserSearchFields           => ['cn', 'mail', 'uid'],
    CustomerUserPostMasterSearchFields => ['cn', 'mail'],
    CustomerUserNameFields             => ['cn', 'sn'],

    Map => [
        ['UserFirstname',  'Firstname',  'cn',   1, 1, 'var'],
        ['UserLastname',   'Lastname',   'sn',   1, 1, 'var'],
        ['UserLogin',      'Login',      'uid',  1, 1, 'var'],
        ['UserEmail',      'Email',      'mail', 1, 1, 'var'],
        ['UserCustomerID', 'CustomerID', 'uid',  0, 1, 'var', '', 0],
    ],
};
Last edited by JSouzaF on 20 Aug 2015, 21:14, edited 2 times in total.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Customers can't view all their tickets

Post by crythias »

Customers will see tickets in "My Tickets" if:
they are members of the group of the queue that the ticket is in
AND
the login of the current user matches the login/customer_user_id (not customer_id) of the ticket.

CustomerGroupSupport off = customer is able to see all groups
CustomerGroupSupport on = customer is a member of CustomerGroupAlwaysGroups and directly assigned Customers <-> Groups
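The rule crythias describes above, modeled as an added example (not part of the original posts and not OTRS code). The function names, the queue-to-group mapping and the sample tickets are constructed for illustration; the model reports why each hidden ticket is hidden.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    number: str
    queue: str
    customer_user_id: str  # login of the customer user on the ticket
    customer_id: str       # company-level ID; not compared for "My Tickets"


def effective_groups(login, config, assignments, all_groups):
    """Groups the customer counts as a member of, per the rule in the post."""
    if not config.get("CustomerGroupSupport"):
        return set(all_groups)  # support off: customer sees all groups
    always = set(config.get("CustomerGroupAlwaysGroups", []))
    return always | set(assignments.get(login, ()))  # plus direct assignments


def my_tickets(login, tickets, queue_group, config, assignments):
    """Return (visible, hidden); hidden maps ticket number -> reason."""
    groups = effective_groups(login, config, assignments, queue_group.values())
    visible, hidden = [], {}
    for t in tickets:
        group = queue_group[t.queue]
        if t.customer_user_id != login:
            hidden[t.number] = "customer_user_id does not match login"
        elif group not in groups:
            hidden[t.number] = f"not a member of group {group!r}"
        else:
            visible.append(t.number)
    return visible, hidden


# Constructed sample data: each queue belongs to a group of the same name.
QUEUE_GROUP = {"Infra": "Infra", "ServiceDesk": "ServiceDesk"}
TICKETS = [
    Ticket("1001", "Infra", "jdoe", "jdoe"),
    Ticket("1002", "ServiceDesk", "jdoe", "jdoe"),
    Ticket("1003", "Infra", "asmith", "jdoe"),  # same customer_id, other login
]

if __name__ == "__main__":
    on = {"CustomerGroupSupport": 1,
          "CustomerGroupAlwaysGroups": ["users", "Infra"]}
    off = {"CustomerGroupSupport": 0}
    for label, cfg in (("support on", on), ("support off", off)):
        print(label, my_tickets("jdoe", TICKETS, QUEUE_GROUP, cfg, {}))
```
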

Re: Customers can't view all their tickets

Post by JSouzaF »

Thanks for the reply crythias!

I've turned off CustomerGroupSupport again and removed some useless configurations regarding that from the config now (attached at the end).

The problem is still on. There's a queue named "Infra" and another one named "ServiceDesk" and a few others. The fact is that customers can always see their tickets that are under Infra but never the ones under ServiceDesk, even with GroupSupport off.

I've accessed the database directly to explore both customer_user_id and customer_id of the tickets and they are exactly the same (the "uid" field of the corresponding customer on LDAP). And when a customer logs in, the same "uid" is set to map as the UserCustomerID (as shown in the config below).

It still makes me really confused about what's going on. Since apparently the IDs are ok and GroupSupport off, there should be no viewing restrictions between queues. But, for example, if a ticket is on queue "Infra" and the customer can see it, simply moving this ticket to ServiceDesk makes it disappear from his customer portal. The opposite is also true.

I've also checked Sysconfig Core::Ticket and tried all possible combinations of Granted and Required for
  • CustomerTicket::Permission###1-GroupCheck
  • CustomerTicket::Permission###2-CustomerUserIDCheck
  • CustomerTicket::Permission###3-CustomerIDCheck
In the end, I left the three of them as Granted = 1 and Required = 0.

Also now, the customers can't create new tickets (the creation submit button simply reloads the page and gives the focus back to the subject field).

Any ideas? :?

Code:

$Self->{CustomerGroupSupport} = 0;

# LDAP SETTINGS

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '-';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=people,dc=X,dc=X';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'mail';

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=X,dc=X,dc=X';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'X';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';

# Customer user backend: customer data is read from LDAP
$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host          => '-',
        BaseDN        => 'ou=people,dc=X,dc=X',
        SSCOPE        => 'sub',
        UserDN        => 'cn=X,dc=X,dc=X',
        UserPw        => 'X',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
    },

    CustomerKey                        => 'uid',
    CustomerID                         => 'uid',
    CustomerUserListFields             => ['cn', 'mail'],
    CustomerUserSearchFields           => ['cn', 'mail', 'uid'],
    CustomerUserPostMasterSearchFields => ['cn', 'mail'],
    CustomerUserNameFields             => ['cn', 'sn'],
    AdminSetPreferences                => 0,
    Map => [
        ['UserFirstname',  'Firstname',  'cn',   1, 1, 'var', '', 0],
        ['UserLogin',      'Login',      'uid',  1, 1, 'var', '', 0],
        ['UserEmail',      'Email',      'mail', 1, 1, 'var', '', 0],
        ['UserCustomerID', 'CustomerID', 'uid',  0, 1, 'var', '', 0],
    ],
};

Re: Customers can't view all their tickets

Post by JSouzaF »

After reviewing and struggling for some time without noticing any wrong configs, I could put it all to work fine now.

The fact is, the last configuration I posted was correct and for some reason OTRS was still managing group permissions for users and preventing them from seeing their own tickets in some random queues.

I just gave it a shot trying to execute the binaries otrs.DeleteCache.pl and otrs.RebuildConfig.pl as it's done when upgrading and the issue was simply over.

The topic can be set as SOLVED now :D

Thanks.