Using LDAP - Panic! No UserData!!!

Moderator: crythias

ahkal
Znuny newbie
Posts: 23
Joined: 18 Oct 2010, 22:54
Znuny Version: 5.0.5

Using LDAP - Panic! No UserData!!!

Post by ahkal »

Hi All,

I have configured all of my LDAP settings in SysConfig, by searching for LDAP, then clicking on "Frontend::Customer::Auth" in the results pane (that's the only result returned).

I have edited and modified the following fields to match my AD; please note I have not left them blank, as per below.

Customer::AuthModule: LDAP
Customer::AuthModule::LDAP::Host:
Customer::AuthModule::LDAP::BaseDN:
Customer::AuthModule::LDAP::UID: sAMAccountName
Customer::AuthModule::LDAP::SearchUserDN:
Customer::AuthModule::LDAP::SearchUserPw:
Customer::AuthModule::LDAP::Params:
Customer::AuthModule::LDAP::Die: Yes

Now when I try to logon as a customer/agent, basically with an AD login, I get the error message:

Panic! No UserData!!!

When I check the otrs.log file, I see:

[Tue Oct 19 15:34:46 2010][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: arven06 (CN=xxxx xxxx ,OU=xxxx ,OU=xxxx ,OU=xxxx xxxx ,DC=xxxx ,DC=local) authentication ok (REMOTE_ADDR: 10.x.x.xxx).
[Tue Oct 19 15:34:46 2010][Error][Kernel::System::CustomerUser::SetPreferences][493] No such user 'arven06'!

The AD authentication bit seems to be OK, but I don't know why it says "No Such User..." as it actually does find the user as the full CN path is correct.

PS.
I haven't changed any Config.pm file, and to be honest wouldn't know which one to change as there are quite a few of them scattered within the filesystem. But I think the main ones on a Windows environment are:
C:\Program Files\OTRS\OTRS\Kernel\Config.pm
C:\Program Files\OTRS\OTRS\Kernel\System\Config.pm
I also notice that what changes I make in the gui don't seem to be reflected in Config.pm.

Any help would be appreciated.
OTRS 5.0.5 on Ubuntu Server
jgbautista
Znuny newbie
Posts: 7
Joined: 29 Sep 2010, 16:11
Znuny Version: 2.2.4

Re: Using LDAP - Panic! No UserData!!!

Post by jgbautista »

Hi ahkal,

One question: in the user fields in your Active Directory... Do you insert the value of email? If the field is empty, it is not going to allow authentication.

I had this problem and I resolved it this way. I hope this helps you.


Best regards.
ahkal
Znuny newbie
Posts: 23
Joined: 18 Oct 2010, 22:54
Znuny Version: 5.0.5

Re: Using LDAP - Panic! No UserData!!!

Post by ahkal »

Hi jgbautista,

Thanks for replying.

I have made sure that all the accounts I am testing with do have email addresses.

But one thought I have had is that maybe the system doesn't know which field from my AD maps to which field in otrs, because I have only made changes in the GUI via SysConfig, I haven't made any changes in Config.pm directly.

When I look at the documentation, there is mention of syntax like the below, so I'm thinking maybe I have to tell otrs which fields from the AD map to the otrs fields.


Below taken from: http://doc.otrs.org/2.4/en/html/x1801.html

    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['uid', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
    # CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
    # # cache time to live in sec. - cache any database queries
    # CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
        [ 'UserLogin', 'Username', 'uid', 1, 1, 'var', '', 0 ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
        # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
        [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
    ],
};


So do I also have to modify my Config.pm and put the commands like the above in? If so, please can you tell me which Config.pm I should modify?

C:\Program Files\OTRS\OTRS\Kernel\Config.pm
or
C:\Program Files\OTRS\OTRS\Kernel\System\Config.pm

Thanks in advance.
OTRS 5.0.5 on Ubuntu Server
jgbautista
Znuny newbie
Posts: 7
Joined: 29 Sep 2010, 16:11
Znuny Version: 2.2.4

Re: Using LDAP - Panic! No UserData!!!

Post by jgbautista »

Hi ahkal

OK, look, this is my Config.pm:

$Self->{CustomerUser} = {
    Name => 'Testing',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host => 'XXX.XXX.XXX.XXX or DNS LDAP name',
        BaseDN => 'dc=PPPPP, dc=AAAA',
        SSCOPE => 'sub',
        UserDN => 'user with permissions of search',
        UserPw => 'pass',
        AlwaysFilter => '',
        SourceCharset => 'utf-8',
        DestCharset => 'utf-8',
        Params => {
            port => 389,
            timeout => 120,
            async => 0,
            version => 3,
        },
    },
    CustomerKey => 'sAMAccountName',
    CustomerID => 'sAMAccountName',
    CustomerUserListFields => ['cn', 'sAMAccountName'],
    CustomerUserSearchFields => ['uid', 'cn', 'sAMAccountName'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserNameFields => ['givenname', 'sn'],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences => 0,
    Map => [
        [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
        [ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'sAMAccountName', 0, 1, 'var', '', 0 ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
        [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
    ],
};

With this configuration it should work.

Best regards.
ahkal
Znuny newbie
Posts: 23
Joined: 18 Oct 2010, 22:54
Znuny Version: 5.0.5

Re: Using LDAP - Panic! No UserData!!!

Post by ahkal »

Hi jgbautista,

Thanks for replying, I copied your text below, but I still couldn't get it working, so I read the documentation (again). I came to realise that there are two elements involved in setting up Customers with LDAP, one is the Customer User backend, the other is the backend used for authentication - can be LDAP for customers/agents or both.

So in order to get the Customer logins to authenticate to an LDAP backend, I also had to add (Config.pm) the lines below:

# Backend to Authenticate Customers - see Example 11-11. Customer user authentication against a LDAP backend
# This is an example configuration for an LDAP auth. backend.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc.mydomain.local';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=mydomain,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# Users have to be a member of the AD group "OTRS Customers"
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS Customers,ou=XX,ou=XXX XXX,ou=XXXXX XXX,dc=mydomain,dc=local';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(mail=*)';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};


Thanks again for your help and input on this.

Regards.
OTRS 5.0.5 on Ubuntu Server
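
Added example, not part of the thread and not OTRS code: a small log check for the symptom discussed above, where the authentication backend accepts a login that the customer-user backend then cannot find. The sample log is constructed in the format of the otrs.log lines quoted in the first post; the function name and the 5-second correlation window are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample in the format of the otrs.log lines quoted in the thread.
SAMPLE_LOG = """\
[Tue Oct 19 15:34:46 2010][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: arven06 (CN=xxxx,OU=xxxx,DC=xxxx,DC=local) authentication ok (REMOTE_ADDR: 192.0.2.10).
[Tue Oct 19 15:34:46 2010][Error][Kernel::System::CustomerUser::SetPreferences][493] No such user 'arven06'!
[Tue Oct 19 15:40:02 2010][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: jdoe (CN=xxxx,OU=xxxx,DC=xxxx,DC=local) authentication ok (REMOTE_ADDR: 192.0.2.11).
"""

# [timestamp][level][module][optional line number] message
LINE = re.compile(r"^\[([^\]]+)\]\[(\w+)\]\[([\w:]+)\](?:\[\d+\])?\s*(.*)$")
AUTH_OK = re.compile(r"^CustomerUser: (\S+) \(.*\) authentication ok")
NO_USER = re.compile(r"^No such user '([^']+)'")


def find_backend_mismatches(log_text, window_seconds=5):
    """Return (login, auth_module, data_module) for each login that an auth
    backend accepted but the customer-user backend could not find."""
    last_auth = {}  # casefolded login -> (time, module that accepted it)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, _level, module, msg = m.groups()
        try:
            when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # skip lines whose timestamp is not in the expected form
        ok = AUTH_OK.match(msg)
        if ok and "::CustomerAuth::" in module:
            last_auth[ok.group(1).casefold()] = (when, module)
            continue
        missing = NO_USER.match(msg)
        if missing and "::CustomerUser::" in module:
            seen = last_auth.get(missing.group(1).casefold())
            if seen and 0 <= (when - seen[0]).total_seconds() <= window_seconds:
                findings.append((missing.group(1), seen[1], module))
    return findings


if __name__ == "__main__":
    for login, auth_mod, data_mod in find_backend_mismatches(SAMPLE_LOG):
        print(f"{login}: accepted by {auth_mod}, unknown to {data_mod}")
```

A hit means the two backends disagree about the account: the module named in Customer::AuthModule knows it, while the backend configured in $Self->{CustomerUser} does not.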
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Using LDAP - Panic! No UserData!!!

Post by crythias »

Are you using this entry exactly as you pasted or have you made changes that reflect your server information?
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.