[SOLVED] Using both Database and LDAP for customers

Moderator: crythias

Mothra
Znuny expert
Posts: 189
Joined: 26 Oct 2010, 15:04
Znuny Version: 3.2.11

Post by Mothra »

I have set OTRS 2.4.9 up with two backends and they both work for storing customer users; however, as soon as I implemented the LDAP authentication for our internal customers, I lost the ability to sign in as external customers (who are stored in the database). The manual seems to describe how to set up two backends, but not how to get OTRS to authenticate against whichever is appropriate. Is this possible? If so, how do I set it up?
Last edited by Mothra on 09 Nov 2010, 17:37, edited 1 time in total.
OTRS 3.2.11 on Centos 6.4 with MySQL 5.0. Agents and internal customers authenticate via Active Directory.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: Using both Database and LDAP for customers

Post by crythias »

OTRS 6.0.x (private/testing/public) on Linux with MySQL database.

Re: Using both Database and LDAP for customers

Post by Mothra »

crythias wrote: you can set multiple back ends. http://doc.otrs.org/2.4/en/html/x1801.h ... r-backends
Forgive me but, as I said in my OP, I have already set multiple customer-backends up successfully.

What I can't get working is having LDAP customers authenticate via LDAP and database customers authenticate against their database-stored credentials.

When I implement the AD authentication, my AD customers can sign in but my database customers cannot. When I comment out the AD authentication, my AD customers cannot sign in, but my database customers can.
Khris
Znuny newbie
Posts: 18
Joined: 08 Nov 2010, 17:04
Znuny Version: 3.0b6

Re: Using both Database and LDAP for customers

Post by Khris »

Look through your Config.pm file and make sure that you do not have two lines that are the same as this: $Self->{CustomerUser}

You need to differentiate between the two methods by adding a number to each line. $Self->{CustomerUser1} $Self->{CustomerUser2}

Same thing goes for agent authentication. $Self->{'AuthModule1'} $Self->{'AuthModule2'}

Re: Using both Database and LDAP for customers

Post by Mothra »

Khris wrote: Look through your Config.pm file and make sure that you do not have two lines that are the same as this: $Self->{CustomerUser}

You need to differentiate between the two methods by adding a number to each line. $Self->{CustomerUser1} $Self->{CustomerUser2}
I've got this bit right already... but it only gives me the choice of 2 backends, not two methods of authentication.
Khris wrote: Same thing goes for agent authentication. $Self->{'AuthModule1'} $Self->{'AuthModule2'}
This doesn't seem to work, as it breaks the OTRS login screen (which prompts me to download the perl script, indicating a fatal error that prevented it from creating valid HTML).

At present, I have:

Code:

# Customer DB Authentication
#$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::DB';
#$Self->{'Customer::AuthModule::DB::Table'} = 'customer_user';
#$Self->{'Customer::AuthModule::DB::CustomerKey'} = 'login';
#$Self->{'Customer::AuthModule::DB::CustomerPassword'} = 'pw';


# Customer LDAP Authentication
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ad.acme.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=acme,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrs-customer,ou=Security Groups,ou=Exchange,ou=Acme,dc=acme,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS,ou=Services,ou=Exchange,ou=Acme,dc=acme,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xyz123';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=acme,DC=com)';
$Self->{'Customer::AuthModule::LDAP::Params'} = { async => 0, port => 389, timeout => 120, version =>3, };
The DB auth section is commented out, as it's mutually exclusive to the LDAP auth. What do I have to change to remove the commenting and allow both methods of authentication?

Re: Using both Database and LDAP for customers

Post by Mothra »

Just to summarise my problem: I have two types of customer -

internal company customers who are in Active Directory

and

external customers who are just in the database.

Adding several hundred external customers to our company Active Directory is something I would rather avoid if possible.

With two separate backends, I want both LDAP and Database customers to be able to log in without having to switch the authentication mechanism manually.
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: Using both Database and LDAP for customers

Post by jojo »

This should help:

Code:

# Customer DB Authentication
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::DB';
$Self->{'Customer::AuthModule::DB::Table1'} = 'customer_user';
$Self->{'Customer::AuthModule::DB::CustomerKey1'} = 'login';
$Self->{'Customer::AuthModule::DB::CustomerPassword1'} = 'pw';

Re: Using both Database and LDAP for customers

Post by Mothra »

jojo wrote: This should help:

Code:

# Customer DB Authentication
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::DB';
$Self->{'Customer::AuthModule::DB::Table1'} = 'customer_user';
$Self->{'Customer::AuthModule::DB::CustomerKey1'} = 'login';
$Self->{'Customer::AuthModule::DB::CustomerPassword1'} = 'pw';

Thank you! That did the trick. :-)

Re: Using both Database and LDAP for customers

Post by Mothra »

I should add, to avoid breaking the "CustomerPanelLostPassword" and "CustomerPanelCreateAccount" (which you may want to retain for your database customers), you need to make the change in the LDAP auth config, thus:

Code:

# Customer LDAP Authentication
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'ad.acme.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=acme,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
....
... and so on.

This is because Layout.pm checks the original module name before displaying the features:

$Self->{ConfigObject}->Get('Customer::AuthModule') eq 'Kernel::System::CustomerAuth::DB'

With that caveat, I shall mark this as solved.
Locked
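
An added example, not written by any poster in this thread or by the OTRS project: a small Python check for the Config.pm mistakes the thread works through (the same key assigned twice so the later backend replaces the earlier one, a backend number typed outside the quoted key, and option keys whose number does not match their AuthModule entry). The host and DN values are constructed, and the rule that every option key carries the same number as its module is an assumption taken from the working configuration posted above.

```python
import re

# Active assignment $Self->{'Key'} = ...; commented-out lines are skipped below.
ASSIGN = re.compile(r"""^\s*\$Self->\{\s*(['"])([^'"]+)\1\s*\}\s*=""")
# Backend number typed after the closing quote, e.g. {'...::Table'1}.
BAD_SUFFIX = re.compile(r"""^\s*\$Self->\{\s*(['"])[^'"]+\1\s*\w+\s*\}""")
MODULE = re.compile(r"^(Customer::)?AuthModule(\d*)$")
OPTION = re.compile(r"^(Customer::)?AuthModule::(\w+)::\w*?(\d*)$")
BACKEND = re.compile(r"""::(\w+)['"]\s*;""")

def lint_config(text):
    """Return sorted (line_no, message) findings for a Config.pm fragment."""
    findings, seen, modules, options = [], {}, {}, []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if BAD_SUFFIX.match(line):
            findings.append((no, "number is outside the quoted key (Perl syntax error)"))
            continue
        m = ASSIGN.match(line)
        if not m:
            continue
        key = m.group(2)
        if key in seen:
            findings.append((no, f"{key} repeats line {seen[key]}; the later value wins"))
        seen[key] = no
        mod, opt = MODULE.match(key), OPTION.match(key)
        if mod:  # remember which backend type owns this scope + number
            backend = BACKEND.search(line)
            modules[(mod.group(1) or "", mod.group(2))] = backend and backend.group(1)
        elif opt:
            options.append((no, key, opt.group(1) or "", opt.group(2), opt.group(3)))
    for no, key, scope, kind, num in options:
        if modules.get((scope, num)) != kind:
            findings.append((no, f"{key}: no {scope}AuthModule{num} of type {kind}"))
    return sorted(findings)

# Constructed sample combining the mistakes discussed in the thread.
BROKEN = r"""
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::DB';
$Self->{'Customer::AuthModule::DB::Table'} = 'customer_user';
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'ldap.example.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'1} = 'dc=example,dc=com';
"""
# Constructed corrected layout: DB unnumbered, every LDAP key numbered 1.
FIXED = BROKEN.replace("AuthModule'} = 'Kernel::System::CustomerAuth::LDAP",
                       "AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP"
                       ).replace("BaseDN'1}", "BaseDN1'}")
```

Calling `lint_config(BROKEN)` reports lines 3 to 6 of the sample, while `lint_config(FIXED)` returns an empty list.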