[OTRS 5] LDAP sync to Customers

Moderator: crythias

Ralph
Znuny newbie
Posts: 40
Joined: 17 Jun 2015, 13:40
Znuny Version: 3.3.9 (win)

[OTRS 5] LDAP sync to Customers

Post by Ralph »

Hello,

I've been looking into getting part of our AD accounts to sync into OTRS as customers. However, most of what I read and tried either ends up crashing the server or is related to Agent authentication/synchronization instead. I would like the system to recognize customers based on e-mail address and then show the User logon name to Agents (since we use this quite a lot, it's easier if people don't have to search for it in AD). Also we want to be able to type their names, e-mail addresses or AD IDs in the TO or CC fields so we can easily find people that should also be notified about a ticket by mail.

I've added the LDAP customer part from http://otrs.github.io/doc/manual/admin/ ... ckend-ldap . I have a feeling I am missing some kind of synchronization code that does seem to be available for Agents but not for Customers?


# CustomerUser
# (customer ldap backend and settings)
$Self->{CustomerUser} = {
    Name => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'dc01.intra.example.local',
        # ldap base dn
        BaseDN => 'ou=Europe,dc=intra,dc=example,dc=local',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'OTRS',
        UserPw => 'otrs2016',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '',
        # if the charset of your ldap server is iso-8859-1, use this:
#        SourceCharset => 'iso-8859-1',

        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            port => 389,
            timeout => 120,
            async => 0,
            version => 3,
        },
    },
    # customer unique id
    CustomerKey => 'uid',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['uid', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
#    CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
#    # cache time to live in sec. - cache any database queries
#    CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
#        [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
    ],
};
Note: After adding this code the system log started giving errors that the list limit had been reached, so I increased that. This solved the error; however, it does give me the impression that the code above is correct and that something else might be missing instead?
jjurkus
Znuny newbie
Posts: 54
Joined: 29 Jan 2016, 15:36
Znuny Version: 6.0.17

Re: [OTRS 5] LDAP sync to Customers

Post by jjurkus »

There is an option to cache the results of the LDAP queries. However, in your case I can spot something wrong, if you're using AD without any Unix extensions:


CustomerKey => 'uid',
should be:


CustomerKey => 'sAMAccountName',
And in similar places where uid is used.

If you have multiple AD servers you can use them like this:


my @ldaphosts = ('dc01.intra.example.local','dc02.intra.example.local');
Host => \@ldaphosts,
But first get the thing working before changing that! :)
OTRS 6.0.x on CentOS 7 with a PostgreSQL database.
Ralph
Znuny newbie
Posts: 40
Joined: 17 Jun 2015, 13:40
Znuny Version: 3.3.9 (win)

Re: [OTRS 5] LDAP sync to Customers

Post by Ralph »

I solved it with your hints, thanks! Now I just need to see how I can sync multiple OUs from an AD with the least amount of code.


### START LDAP SYNC CUSTOMERS

# CustomerUser
# (customer ldap backend and settings)
$Self->{CustomerUser} = {
    Name => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'dc.intra.local',
        # ldap base dn
        BaseDN => 'ou=Users,dc=intra,dc=local',
        # search scope (one|sub)
        SSCOPE => 'one',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'OTRS',
        UserPw => 'otrs',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '',
        # if the charset of your ldap server is iso-8859-1, use this:
#        SourceCharset => 'iso-8859-1',

        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            port => 389,
            timeout => 120,
            async => 0,
            version => 3,
        },
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 1000,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
#    CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
#    # cache time to live in sec. - cache any database queries
#    CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly

        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'sAMAccountName',  0, 1, 'var', '', 0 ],
#        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
#        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
#        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
#        [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
    ],
};

### END LDAP SYNC CUSTOMERS
jjurkus
Znuny newbie
Posts: 54
Joined: 29 Jan 2016, 15:36
Znuny Version: 6.0.17

Re: [OTRS 5] LDAP sync to Customers

Post by jjurkus »

Just change your basedn so it searches the entire tree:

BaseDN => 'dc=intra,dc=local',
OTRS 6.0.x on CentOS 7 with a PostgreSQL database.
Ralph
Znuny newbie
Posts: 40
Joined: 17 Jun 2015, 13:40
Znuny Version: 3.3.9 (win)

Re: [OTRS 5] LDAP sync to Customers

Post by Ralph »

jjurkus wrote: Just change your basedn so it searches the entire tree:

BaseDN => 'dc=intra,dc=local',
Thanks, normally I would do that but we have over 50.000 AD accounts worldwide. I just need them from a few countries with an OU setup like:
  • 'ou=Germany,dc=intra,dc=local'
  • 'ou=Sweden,dc=intra,dc=local'
  • 'ou=Poland,dc=intra,dc=local'
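One way to limit the sync to exactly those country OUs without pasting the whole block three times, written as an added example that is not part of this thread or of the OTRS sources: it assumes that OTRS accepts extra numbered customer backends (CustomerUser1, CustomerUser2, ...), that a dedicated read-only bind account exists, that the domain controllers offer LDAPS on port 636, and that the host names and the service-account DN are constructed placeholders. The shared AlwaysFilter also keeps disabled AD accounts out of the customer list by testing the ACCOUNTDISABLE bit of userAccountControl.

```perl
# Kernel/Config.pm fragment (added example, not from the thread). Assumes OTRS's numbered
# extra backends CustomerUser1..3, a read-only bind account, LDAPS, constructed hosts/DNs.
my @CountryOUs = (
    [ 'Germany', 'ou=Germany,dc=intra,dc=local' ],
    [ 'Sweden',  'ou=Sweden,dc=intra,dc=local'  ],
    [ 'Poland',  'ou=Poland,dc=intra,dc=local'  ],
);
my %CommonParams = (
    Host   => [ 'dc01.intra.local', 'dc02.intra.local' ],   # constructed host names
    SSCOPE => 'sub',
    # least privilege: a dedicated read-only service account, never an admin
    UserDN => 'cn=otrs-ldap-reader,ou=ServiceAccounts,dc=intra,dc=local',
    UserPw => 'CHANGE_ME',   # placeholder; keep the real value out of version control
    # only real, enabled user objects with a mail address: bit 2 of userAccountControl
    # is ACCOUNTDISABLE, tested with AD's bitwise-AND matching rule
    AlwaysFilter => '(&(objectClass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    # Net::LDAP->new options: TLS-protected LDAPS instead of clear-text port 389
    Params => { scheme => 'ldaps', port => 636, timeout => 30, async => 0, version => 3 },
);
my @Map = (
    [ 'UserFirstname',  'Firstname',  'givenName',      1, 1, 'var', '', 0 ],
    [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var', '', 0 ],
    [ 'UserLogin',      'Username',   'sAMAccountName', 1, 1, 'var', '', 0 ],
    [ 'UserEmail',      'Email',      'mail',           1, 1, 'var', '', 0 ],
    [ 'UserCustomerID', 'CustomerID', 'sAMAccountName', 0, 1, 'var', '', 0 ],
);
# one backend per country OU, each with its own copy of the shared settings
my $Index = 1;
for my $OU (@CountryOUs) {
    my ( $Country, $BaseDN ) = @{$OU};
    $Self->{"CustomerUser$Index"} = {
        Name   => "AD $Country",
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => { %CommonParams, BaseDN => $BaseDN },
        CustomerKey => 'sAMAccountName',
        CustomerID  => 'sAMAccountName',
        CustomerUserListFields             => [ 'cn', 'mail' ],
        CustomerUserSearchFields           => [ 'sAMAccountName', 'cn', 'mail' ],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 1000,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => [ 'givenName', 'sn' ],
        CacheTTL => 600,   # cache LDAP answers for 10 minutes
        Map => [ map { [ @{$_} ] } @Map ],
    };
    $Index++;
}
```

Each country then appears as its own data source in the customer search, and a new country is a single extra line in @CountryOUs.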