can't add Agent with OTRS authenticating via LDAP

[martyb]

Greetings,

This is a question for a new install of OTRS v.3.0.11 with ITSM v.3.0.5. I have configured OTRS to authenticate via our AD/LDAP infrastructure. The local 'root@localhost' user no longer works for login (as expected). My account works with my LDAP username and password. The problem is, I forget exactly what I had done to add myself as an agent. I may have done it with the 'root@localhost' user with the LDAP configuration in Config.pm commented out. In fact, I'm pretty sure this was the case. Now that LDAP is up and running, I can't seem to add additional Agents from LDAP. I _thought_ I had to add a user as a customer first, then promote them to Agent status by adding them to the Agents group. However, I'm thwarted now after clicking on the 'submit' button of the create and manage customers page by the following error:

"Not supported for this module!"

The following few lines appear in the otrs log when this error appears in the web browser:

Code: Select all

ERROR: OTRS-CGI-01 Perl: 5.10.1 OS: linux Time: Mon Nov 28 14:30:20 2011

 Message: Not supported for this module!

 Traceback (21365): 
   Module: Kernel::System::CustomerUser::LDAP::CustomerUserUpdate (v1.62) Line: 679
   Module: Kernel::System::CustomerUser::CustomerUserUpdate (v1.61.2.1) Line: 414
   Module: Kernel::Modules::AdminCustomerUser::Run (v1.89.2.6) Line: 179
   Module: Kernel::System::Web::InterfaceAgent::Run (v1.58.2.1) Line: 853
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 46
   Module: (eval) (v1.89.2.1) Line: 204
   Module: ModPerl::RegistryCooker::run (v1.89.2.1) Line: 204
   Module: ModPerl::RegistryCooker::default_handler (v1.89.2.1) Line: 170
   Module: ModPerl::Registry::handler (v1.99) Line: 31

I don't want to just add an agent, correct? The add agent interface requires a password for the new agent, and I don't recall doing that for my account.

Am I doing something wrong? I'm new to OTRS in general, so I may be missing something obvious.

Thanks in advance,


M a r t y

[gears]

Show us your Config.pm so we have more to go on regarding how you set things up.

I haven't quite worked out all the kinks in my own deployment yet, but it is up and running and I found these helpful in this area:
http://doc.otrs.org/3.0/en/html/auth-backends.html
http://devilx.net/2010/03/19/otrs-ldap- ... customers/

[martyb]

Thanks for the reply, gears. I replaced the identifying information from the Config.pm with XXXXXXXXXX. Authentication seems to be working on some level, I just can't add Agents from LDAP. Am I at least going about it correctly?

Thanks for the links. I've been through much of the official 3.0.x OTRS online documentation, and the second devilx.net link has also been in my browser frequently recently.

Begin Config.pm:


-----------

Code: Select all

# --

package Kernel::Config;

sub Load {
    my $Self = shift;
    # ---------------------------------------------------- #
    #         Start of your own config options!!!          #
    # ---------------------------------------------------- #
    #$Self->{Organization} = "XXXXXXXXXX"
    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #
    $Self->{'DatabaseHost'} = 'XXXXXXXXXX';
    $Self->{'Database'} = 'XXXXXXXXXX';
    $Self->{'DatabaseUser'} = 'XXXXXXXXXX';
    $Self->{'DatabasePw'} = 'XXXXXXXXXX';
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";
    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # WSE-specific settings                                #
    # ---------------------------------------------------- #
    $Self->{'Customer::AuthModule::LDAP::Params'} =  {
      'async' => '0',
      'port' => '389',
      'timeout' => '120',
      'version' => '3'
      };
    $Self->{'LogModule::LogFile::Date'} =  '1';
    $Self->{'LogModule::LogFile'} =  '/tmp/log/otrs.log';
    $Self->{'LogModule::SysLog::Charset'} =  'utf-8';
    $Self->{'Organization'} =  'XXXXXXXXXX';
    $Self->{'AdminEmail'} =  'XXXXXXXXXX';
    $Self->{'HttpType'} =  'https';
    $Self->{'FQDN'} =  'XXXXXXXXXX';
    $Self->{'SystemID'} =  '01';
    $Self->{'ProductName'} =  'XXXXXXXXXX';
    $Self->{'SecureMode'} =  '1';
    #$Self->{Debug} = 3;
    # agent authorization
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'XXXXXXXXXX';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'XXXXXXXXXX';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'XXXXXXXXXX';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'XXXXXXXXXX';
    # control who gets in as an agent
    $Self->{'AuthModule::LDAP::GroupDN'} = 'XXXXXXXXXX';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
    # customer authorization
    $Self->{'Customer::AuthModule'} =  'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} =  'XXXXXXXXXX';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} =  'XXXXXXXXXX';
    $Self->{'Customer::AuthModule::LDAP::UID'} =  'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} =  'XXXXXXXXXX';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} =  'XXXXXXXXXX';
    # control who gets in as a customer
    $Self->{'Customer::AuthModule::LDAP::GroupDN'} =  'XXXXXXXXXX';
    $Self->{'Customer:AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'Customer:AuthModule::LDAP::UserAttr'} = 'DN';
    # synchronization between AD/LDAP and MySQL backend upon successful login for user data
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'XXXXXXXXXX';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'XXXXXXXXXX';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'XXXXXXXXXX';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'XXXXXXXXXX';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];
    # Settings for customer backend with LDAP
    $Self->{CustomerUser} = {
        Name => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host => 'XXXXXXXXXX',
            BaseDN => 'XXXXXXXXXX',
            SSCOPE => 'sub',
            UserDN => 'XXXXXXXXXX',
            UserPw => 'XXXXXXXXXX',
            AlwaysFilter => '(objectclass=user)',
            },
    # customer LDAP to MySQL database unique id mapping
    CustomerKey => 'sAMAccountName',
    CustomerID => 'sAMAccountName',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
      [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
    ],

  };


    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$
    $Self->{'DefaultCharset'} = 'utf-8';

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #           End of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.23 $)[1];

use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

# -----------------------------------------------------#

1;

[martyb]

I have another data point. It seems the problem is a little broader than I initially observed.

Users and Agents can authenticate via LDAP using the two web portals, but they are not added to the MySQL backend. I'm triple-checking my AuthSyncModule settings now. This is the correct place to look, right?

[crythias]

If you use another data source for your agents and users, you shouldn't expect them to merge to otrs. They're being queried from the external source. As they are being queried from the external source, it is expected that you'll handled additions and removals via the external source's front end.

[martyb]

I'm loathe to correct a moderator, especially since I'm so new to the OTRS community. But the official documentation states:

The configuration parameters shown in Script 11.8 can be used to synchronize the user data from your LDAP directory into your local OTRS database. This reduces the number of requests to your LDAP server and speeds up the authentication with OTRS. The data synchronization is done when the agent authenticates the first time. Although the data can be syncronized into the local OTRS database, the LDAP directory is the last instance for the authentication, so an inactive user in the LDAP tree can't authenticate to OTRS, even when the account data is already stored in the OTRS database. The agent data in the LDAP directory can't be edited via the web interface of OTRS, so the data has to be managed directly in the LDAP tree.

http://doc.otrs.org/3.0/en/html/auth-backends.html

It's working now for me, and I believe it was because I omitted the following two lines from the AuthSyncModule section of my Config.pm:

Code: Select all

$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';    
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';

Now it's working for me. If an \Agent logs into the Agent portal, they show up in the ours.users MySQL table, ad I can now give them roles and assign them to groups, where I could not do either before because they entries were not being created in MySQL.

I appreciate everyone's time, please mark this thread as [Solved].

[ricardobarrosozcr]

We can use two authentication methods simultaneously? LDAP and internal DB?

[crythias]

We can use two authentication methods simultaneously? LDAP and internal DB?

First, please don't hijack old threads.
Second, the answer is "yes" but "consecutively authenticated" instead of "simultaneously". The concept is called "additional backend" authentication. First authentication method to pass "wins".