[SOLVED] Multiple Backends (for Customer)

Moderator: crythias

Araska
Znuny newbie
Posts: 8
Joined: 18 Jul 2011, 05:51
Znuny Version: 3.0.6
Real Name: Nathan Murphy
Company: The Frame Group

[SOLVED] Multiple Backends (for Customer)

Post by Araska »

Hi,

Firstly, sorry if this is a duplicate issue - I've been unable to locate information that has been useful in helping resolve this issue.

I would like to configure the multiple backend authentication feature in OTRS, specifically for customers.

I got LDAP to work, even synchronizing the data over, however whenever I try to add the additional database it... just doesn't work.

Any pointers or tips would be appreciated, I'm still kind of new to OTRS but I'm learning fast :)

Environment is:
OTRS 3.0.6 running on Debian Linux with MySQL for Agents, LDAP for Customers (hopefully soon MySQL AND LDAP ;) )

Config.pm is below:

Code:

package Kernel::Config;

sub Load {
    my $Self = shift;
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #         Start of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #
    # DatabaseHost
    # (The database host.)
    $Self->{'DatabaseHost'} = 'localhost';
    # Database
    # (The database name.)
    $Self->{'Database'} = 'otrs';
    # DatabaseUser
    # (The database user.)
    $Self->{'DatabaseUser'} = 'otrs';
    # DatabasePw
    # (The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords.)
    $Self->{'DatabasePw'} = 'hot';
    # DatabaseDSN
    # (The database DSN for MySQL ==> more: "man DBD::mysql")
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

    # (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a tcpip connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$
    $Self->{'DefaultCharset'} = 'utf-8';

        ########################################################
###############################Customer auth########################

  # CustomerUser1
  # (customer user ldap backend and settings)
  $Self->{CustomerUser} = {
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
                Host => 'e8group.net',                                                                          # ldap host
                BaseDN => 'OU=e8group, dc=e8group, dc=net',                                             # ldap base dn
                SSCOPE => 'sub',                                                                                                        # search scope (one|sub)
                # The following is valid but would only be necessary if the
                # anonymous user does NOT have permission to read from the LDAP tree
                UserDN => 'ldapquery',
                UserPw => 'Password123',

                ## in case you want to add always one filter to each ldap query, use
                ## this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
                #AlwaysFilter => '',
                AlwaysFilter => '(mail=*)',

        ## if both your frontend and your LDAP are unicode, use this:
                ##SourceCharset => 'utf-8',
                ##DestCharset   => 'utf-8',
        ## if your frontend is e. g. iso-8859-1 and the character set of your
        ## ldap server is utf-8, use these options:
        #SourceCharset => 'utf-8',
        #DestCharset => 'utf-8',

                #Params => {                                    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
                        #port => 389,
                        #timeout => 120,
                        #async => 0,
                        #version => 3,
                #},
        },

        #ReadOnly => 1,
    CustomerKey => 'sAMAccountName',                                                                    # customer unique id
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    #CustomerUserSearchFields => ['cn', 'givenname', 'mail'],
    CustomerUserSearchFields => ['uid', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    #CustomerUserExcludePrimaryCustomerID => 0,                                                 # show not own tickets in customer panel, CompanyTickets
    #AdminSetPreferences => 0,                                                                          # admin can't change customer preferences
        CacheTTL => 120,                                                # cache time to live in sec. - cache any database queries
        Map => [
                # note: Login, Email and CustomerID needed!
                # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
                [ 'UserFirstname',      'Firstname',            'givenname',            1, 1, 'var', '', 0 ],
                [ 'UserLastname',       'Lastname',                     'sn',                           1, 1, 'var', '', 0 ],
                [ 'UserLogin',          'Username',             'sAMAccountName',       1, 1, 'var', '', 0 ],
                [ 'UserEmail',          'Email',                        'mail',                         1, 1, 'var', '', 0 ],
                [ 'UserCustomerID', 'CustomerID',               'mail',                         0, 1, 'var', '', 0 ],
                #[ 'UserPhone',         'Phone',                        'telephonenumber',      1, 0, 'var', '', 0 ],
                #[ 'UserSalutation',    'Title',                'title',                                1, 0, 'var', '', 0 ],
                #[ 'UserAddress',       'Address',              'postaladdress',                1, 0, 'var', '', 0 ],
                #[ 'UserComment',       'Comment',              'description',                  1, 0, 'var', '', 0 ],
                #[ 'UserMobile',        'Mobile',               'mobile',                               1, 0, 'var', '', 0 ],
                #[ 'UserRoom',          'Room',                 'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
        ],
  };
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #           End of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    # (closing of sub Load; the stock boilerplate that follows in Config.pm
    # was not included in the post)
    return 1;
}

1;
As you can see, I got it half working - querying LDAP is fine, syncing data is fine (by the way, thank you crythias for a code snippet you provided for another user!) and Agents work well.
Currently internal customers will all be authenticating with LDAP, but we're hoping to allow external customers (that is, people outside of the company who don't have their own user account on our Active Directory infrastructure) to log in as well, which is what the additional backend is for.

Once this is done, we're hoping to customise the customer portal a bit - creating templated tickets, and hopefully a change request bit specific to internal customers, but that's secondary to the authentication issue.

Thanks in advance for any help you can provide :)

Nathan
The Frame Group
nathan.murphy@framegroup.com.au

*Note - edited to make the config look pretty in a code box.
Last edited by Araska on 10 Oct 2011, 05:53, edited 3 times in total.
OTRS 3.0 on Debian Linux with MySQL database connected to an Active Directory for Customers.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Multiple Backends (for Customer)

Post by crythias »

$Self->{CustomerUser}
$Self->{CustomerUser1}
....
$Self->{CustomerUser9}

Where is Customer::AuthModule? http://doc.otrs.org/3.0/en/html/auth-ba ... h-backends
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: Multiple Backends (for Customer)

Post by Araska »

Crythias,

I see what you mean - in order for the customer auth module to allow multiple backends, CustomerUser, CustomerUser1 etc is required.

I rewrote the configuration as below to better follow the documentation, and now Apache will not restart. Where have I gone wrong?

Code is below;

Code:

# ---------------------------------------------------- #
# database settings #
# ---------------------------------------------------- #
# DatabaseHost
# (The database host.)
$Self->{'DatabaseHost'} = 'localhost';
# Database
# (The database name.)
$Self->{'Database'} = 'otrs';
# DatabaseUser
# (The database user.)
$Self->{'DatabaseUser'} = 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/otrs.CryptPassword.pl
# for crypted passwords.)
$Self->{'DatabasePw'} = 'hot';
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = '/opt/otrs';

# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;

# ---------------------------------------------------- #

# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #
# $DIBI$
$Self->{'DefaultCharset'} = 'utf-8';

#------------------------------------------------------#
# Custom Config Settings #
#------------------------------------------------------#

#  LDAP auth. backend.
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'e8group.net';
$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=e8group,dc=e8group,dc=net';
$Self->{'AuthModule::LDAP::SSCOPE'} = ''sub'
$Self->{'AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=e8group,dc=e8group,dc=net';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
#  $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
#  $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'ldapquery';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password123';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = 'mail=*';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#    $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};

# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://e8group.net/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=e8group, dc=net';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=ldapquery,ou=e8group,dc=e8group,dc=net';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password123';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
[...]

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

# This is the auth. module againt the otrs db
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::DB';
$Self->{'Customer::AuthModule::DB::Table'} = 'customer_user';
$Self->{'Customer::AuthModule::DB::CustomerKey'} = 'login';
$Self->{'Customer::AuthModule::DB::CustomerPassword'} = 'pw';
#$Self->{'Customer::AuthModule::DB::DSN'} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";
#$Self->{'Customer::AuthModule::DB::User'} = "otrs";
#$Self->{'Customer::AuthModule::DB::Password'} = "hot";

# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer1::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer1::AuthModule::LDAP::Host'} = 'e8group.net';
$Self->{'Customer1::AuthModule::LDAP::BaseDN'} = 'OU=e8group, dc=e8group, dc=net';
$Self->{'Customer1::AuthModule::LDAP::SSCOPE'} = 'sub'
$Self->{'Customer1::AuthModule::LDAP::UID'} = 'uid';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer1::AuthModule::LDAP::SearchUserDN'} = 'ldapquery';
$Self->{'Customer1::AuthModule::LDAP::SearchUserPw'} = 'password123';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer1::AuthModule::LDAP::AlwaysFilter'} = 'mail=*';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer1::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};

Re: Multiple Backends (for Customer)

Post by crythias »

Code:

$Self->{'AuthModule::LDAP::SSCOPE'} = ''sub'
was the first error... match your apostrophes, end with semicolon or comma where appropriate.

Re: Multiple Backends (for Customer)

Post by crythias »

Code:

$Self->{'Customer1::AuthModule::LDAP::SSCOPE'} = 'sub'
needs semicolon

Re: Multiple Backends (for Customer)

Post by Araska »

Aha, so it did. I also left "[...]" in there apparently.

Apache is working, yay!

Sadly, the data isn't synchronising though. It's not querying the LDAP database for customers.
CustomerUser: No auth record in 'customer_user' for 'nathan.murphy' (REMOTE_ADDR: 10.20.128.18)
Now at first I thought it simply wasn't able to sync the data, but now - well, the sys log shows thus:
Can't connect to 10.26.20.22: IO::Socket::INET: connect: Connection timed out
which means it can't connect to the LDAP server anymore. What I can't figure out is that it was working with these parameters in my original configuration.

**Edit: Apparently I lied to you - it is connecting to the LDAP server for authentication of customers, but not synchronizing data as I originally suspected. The IO::Socket::INET error is specific to Agents attempting to log in. I found this out by commenting out the internal database authentication of the customers.

Re: Multiple Backends (for Customer)

Post by crythias »

The 1s aren't after customer, they're after the last of the path

Code:

Customer1::AuthModule::LDAP::SSCOPE
is

Code:

Customer::AuthModule::LDAP::SSCOPE1
Adjust others as required.

Re: Multiple Backends (for Customer)

Post by Araska »

I feel like I'm missing something simple here.

Code:

    $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host1'} = '10.26.20.22';
    $Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'OU=e8group, dc=e8group, dc=net';
    $Self->{'Customer::AuthModule::LDAP::SSCOPE1'} = 'sub';
    $Self->{'Customer::AuthModule::LDAP::UID1'} = 'uid';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'ldapquery';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'password123';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter1'} = 'mail=*';

    # in case you want to add a suffix to each customer login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    #$Self->{'Customer::AuthModule::LDAP::UserSuffix1'} = '@domain.com';

    $Self->{'Customer::AuthModule::LDAP::UserSyncMap1'} = {
            'Firstname' => 'givenname',
            'Lastname' => 'sn',
            'Username' => 'sAMAccountName',
            'Email' => 'mail',
            'CustomerID' => 'mail',
    };
gives the same results as before.


** Edit: Additional Information.

Syslogs say this:
Tue Jul 19 22:05:48 2011 notice OTRS-CGI-10 CustomerUser: nathan.murphy@framegroup.com.au authentication failed, no LDAP entry found!BaseDN='ou=E8Group,dc=E8Group,dc=net', Filter='(sAMAccountName=nathan.murphy@framegroup.com.au)', (REMOTE_ADDR: 10.4.0.235). when attempting to login to a user in the local database
Tue Jul 19 22:05:38 2011 error OTRS-CGI-10 No such user 'nathan.murphy'!
Tue Jul 19 22:05:38 2011 notice OTRS-CGI-10 CustomerUser: nathan.murphy (CN=Nathan Murphy,OU=Users,OU=Frame,OU=E8Group,DC=E8Group,DC=Net) authentication ok (REMOTE_ADDR: 10.4.0.235). when attempting to log in as a Customer in the LDAP directory
Tue Jul 19 22:05:31 2011 error OTRS-CGI-10 Can't connect to 10.26.20.22: IO::Socket::INET: connect: Connection timed out When attempting to log in as an Agent

Re: Multiple Backends (for Customer)

Post by Araska »

No ideas?

I'm happy to provide any information you might need, up to and including remote access to the server. There's nothing special on it aside from OTRS anyway.

Re: Multiple Backends (for Customer)

Post by crythias »

There's no information to fix, here.

At least, none that you've given in the config. Apparently *one* ldap auth doesn't work, but another does: no problem.

Problems logging in as an agent means your authentication isn't set up properly for agents.

Re: Multiple Backends (for Customer)

Post by Araska »

I've been attempting to get multiple backends working, Crythias - that it authenticates is great, but it doesn't have information in the database to allow you to actually log in. Nor did it allow you to authenticate with a user in the internal database backend.

For clarity's sake, here is the workflow I'm trying to get working.

Customer user 1 (internal customer uses LDAP) attempts to authenticate on the customer portal.
OTRS then queries LDAP for the username. If found, OTRS queries LDAP for authentication.
If customer data does not exist in OTRS, synchronize user account.
If OTRS did not find the user in the LDAP directory, OTRS then queries the internal database for username/password.

This far, only the first part works - if the customer data does not exist in OTRS, it fails with the 'no such user' error. Additionally, if the customer account is not found in LDAP, it simply refuses authentication.

Ignore the agent stuff, that's unimportant at this juncture anyway - I'm removing the agent ldap stuff and only using the internal database for that.

Cheers,
Nathan

Re: Multiple Backends (for Customer)

Post by Araska »

I figured it out.

Defining the internal database in the web backend (CustomerAuth module) and then inserting this in the Config.pm file worked.

Code:

$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = '10.61.40.20';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'OU=e8group, dc=e8group, dc=net';
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'ldapquery';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'Password123';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter1'} = '(mail=*)';
$Self->{'Customer::AuthModule::LDAP::Params1'} = { async => 0, port => 389, timeout => 120, version =>3, };
## The above is the LDAP Customer Authentication module.

 $Self->{CustomerUser2} = {
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
                Host => '10.61.40.20',
                BaseDN => 'OU=e8group, dc=e8group, dc=net',
                SSCOPE => 'sub',
                UserDN => 'ldapquery',
                UserPw => 'Password123',
                AlwaysFilter => '(mail=*)',
        },

    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['uid', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
        CacheTTL => 120,
        Map => [
                # note: Login, Email and CustomerID needed!
                # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
                [ 'UserFirstname',      'Firstname',            'givenname',            1, 1, 'var', '', 0 ],
                [ 'UserLastname',       'Lastname',                     'sn',                           1, 1, 'var', '', 0 ],
                [ 'UserLogin',          'Username',             'sAMAccountName',       1, 1, 'var', '', 0 ],
                [ 'UserEmail',          'Email',                        'mail',                         1, 1, 'var', '', 0 ],
                [ 'UserCustomerID', 'CustomerID',               'mail',                         0, 1, 'var', '', 0 ],
        ],
  };
## The above is the LDAP Customer Sync module
It took a while, and a lot of misunderstanding the modules (specifically, CustomerUser and CustomerAuth - in hindsight, obvious), but all is working properly now.

Cheers for your help, Crythias. I see where I was going wrong, and where you tried to point me in the right direction, but I didn't understand it then.
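The point the thread arrives at (customer authentication and customer data are two separate backend chains) is shown below in a stand-alone Perl model of the login flow Nathan describes in his workflow post and fixes in his final post; this is added example code, not OTRS source or anything posted in the thread. The config keys, the backend numbering '' and 1..9 as used in the thread, the directory entries and passwords are all constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified model of OTRS customer login (example code, not OTRS source).
# Constructed stand-in for $Self in Kernel/Config.pm. Note where the backend
# number goes: at the END of each Customer::AuthModule key (AuthModule1, Host1),
# while the customer DATA backends are separate hashes CustomerUser, CustomerUser1 ...
my %Config = (
    'Customer::AuthModule'              => 'Kernel::System::CustomerAuth::DB',
    'Customer::AuthModule1'             => 'Kernel::System::CustomerAuth::LDAP',
    'Customer::AuthModule::LDAP::Host1' => '10.61.40.20',    # shown for key naming only, unused here
    CustomerUser => { Module => 'Kernel::System::CustomerUser::DB' },
    # CustomerUser2 (the LDAP *data* backend) is deliberately missing at first
);

# Constructed stand-ins for the two directories behind the backends.
my %LdapDirectory = (
    'nathan.murphy' => { pw => 'ldap-secret', mail => 'nathan.murphy@framegroup.com.au' },
);
my %CustomerUserTable = (
    'external.user' => { pw => 'db-secret', mail => 'external.user@example.com' },
);

# Stage 1, CustomerAuth: try Customer::AuthModule, then Customer::AuthModule1 .. 9
# (the numbering used in this thread); the first backend that accepts the
# credentials wins, so a customer only has to exist in ONE of them.
sub Auth {
    my (%Param) = @_;
    for my $Count ( '', 1 .. 9 ) {
        my $Module = $Config{"Customer::AuthModule$Count"} or next;
        my $Source = $Module =~ /::LDAP$/ ? \%LdapDirectory : \%CustomerUserTable;
        my $Entry  = $Source->{ $Param{User} };
        # syslog equivalent: "CustomerUser: <login> authentication ok"
        return $Param{User} if $Entry && $Entry->{pw} eq $Param{Pw};
    }
    return;    # syslog equivalent: "No auth record" / "no LDAP entry found"
}

# Stage 2, CustomerUser: after a successful login the frontend loads the
# customer record from CustomerUser, CustomerUser1 .. 9. If no DATA backend
# knows the login, the session fails with "No such user" although auth passed,
# which is the symptom in the syslog excerpt earlier in the thread.
sub CustomerUserDataGet {
    my (%Param) = @_;
    for my $Count ( '', 1 .. 9 ) {
        my $Backend = $Config{"CustomerUser$Count"} or next;
        my $Source  = $Backend->{Module} =~ /::LDAP$/ ? \%LdapDirectory : \%CustomerUserTable;
        next if !exists $Source->{ $Param{User} };
        return { UserLogin => $Param{User}, UserEmail => $Source->{ $Param{User} }{mail} };
    }
    return;
}

# Both stages together, as the customer portal does them.
sub Login {
    my (%Param) = @_;
    my $User = Auth(%Param) or return 'authentication failed';
    my $Data = CustomerUserDataGet( User => $User ) or return "No such user '$User'!";
    return "logged in as $Data->{UserEmail}";
}

# Same situation as in the thread: LDAP auth succeeds, but there is no LDAP
# CustomerUser data backend yet, while a DB-only customer works end to end.
print Login( User => 'nathan.murphy', Pw => 'ldap-secret' ), "\n";
print Login( User => 'external.user', Pw => 'db-secret' ),   "\n";

# The fix from the final post: register the LDAP data backend as CustomerUser2
# and retry, once with the right password and once with a wrong one.
$Config{CustomerUser2} = { Module => 'Kernel::System::CustomerUser::LDAP' };
print Login( User => 'nathan.murphy', Pw => 'ldap-secret' ), "\n";
print Login( User => 'nathan.murphy', Pw => 'wrong' ),       "\n";
```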