[SOLVED] same customer login in multiple AD domain

Moderator: crythias

massimobianchi
Znuny newbie
Posts: 67
Joined: 02 Apr 2012, 12:18
Znuny Version: 3.1.14
Real Name: Massimo Bianchi
Company: NPO Sistemi S.p.A.

Post by massimobianchi »

Hi,
I'm setting up OTRS 3.1.3 for a bunch of different customers.

I have been able to set up the LDAP integration with AD for customer1, using the local DB for agents.

In the future I will have to extend the customer integration with another LDAP. I already have the guide to follow and I'm quite confident to have a few minor problems.

BUT

what happens if I have the same login in both the customer repositories?

I am using the sAMAccountName as login for authentication, and there can be situations where two different ADs, belonging to different companies, use the same sAMAccountName.

Will OTRS try the combination sAMAccountName+password provided against each of the ADs, or will it stop at the first "password error"?
Has anyone tried to authenticate using UID=mail?

I'm against the usage of mail because not every customer may have Exchange, with the AD extensions installed or simply with the record populated.

Should it work to use the
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',

for example to search for MYDOMAIN1\userX or MYDOMAIN2\userX?

But OTRS, in that case, should cascade the authentication tests.

I was not able to find proper documentation regarding this.

Thanks,
Massimo
Massimo Bianchi
skype: massimo.bianchi
OTRS:3.1.14, ITSM:3.1.8, httpd, mysql, Centos 6.3 on X86_64
swerny
Znuny newbie
Posts: 20
Joined: 17 Oct 2008, 16:44
Znuny Version: 2.4.9

Re: same customer login in multiple AD domain

Post by swerny »

We have had this problem - 2 different LDAP directories with identical sAMAccountName.

The problem is that OTRS takes the first valid login and populates some fields like the mail address with wrong values.

The only workaround I found was to create a unique local user account instead of using the LDAP account.

For example, I had 2 users wagner.s - if the first logged in he got an email address mail@ldap1, if the second logged in, he got mail@ldap2

Maybe there is another way around this - I didn't find it.
Production system: OpenSuSE 11.2, Apache/2.2.13, MySQL 5.0.51, OTRS 2.4.9
Test system: OpenSuSE 11.4, OTRS 3.0.9

Re: same customer login in multiple AD domain

Post by massimobianchi »

Hi, thank you for your suggestion, I will use it in case of identical identifiers.
In the meantime, I have an idea but don't have the tech skill to implement it.

I was thinking of creating a set of custom skins, one "standard" and many for the different customers.
I can differentiate the skin based upon the connecting address via a sysconfig parameter.
And in this skin hack the code to force a determined domain to authenticate against...

Maybe googling will help me :)

regards,
Massimo
kevinlawry
Znuny newbie
Posts: 6
Joined: 16 Apr 2012, 15:48
Znuny Version: 3.1.3
Real Name: Kevin Lawry
Company: National Friendly

Re: same customer login in multiple AD domain

Post by kevinlawry »

Have you considered userPrincipalName rather than sAMAccountName?
That should be unique, avoids problems with users who have multiple e-mail addresses, and should be recognisable to users as relating to their account.

Re: same customer login in multiple AD domain

Post by massimobianchi »

Hi,
looks VERY promising.

Do you know if I can use it also for authentication, as a user, instead of sAMAccountName?

Kind regards,
Massimo

Re: same customer login in multiple AD domain

Post by massimobianchi »

You are a GENIUS !!!

It worked perfectly for authentication, changing the lines in Config.pm.

Regards,
Massimo

Re: [SOLVED] same customer login in multiple AD domain

Post by kevinlawry »

:D Happy to help :D
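
The fix that closed this thread, written out as an added example (not the poster's actual Config.pm, which the thread does not show): two AD customer backends whose login key is userPrincipalName instead of sAMAccountName. Host names, base DNs, bind accounts, passwords and the attribute map are placeholder assumptions.

```perl
# Fragment for Kernel/Config.pm, placed inside sub Load { ... }.
# Constructed example: hosts, base DNs and bind accounts are placeholders.
my @Directories = (
    {   Count  => '',  Name => 'Customer 1 AD',
        Host   => 'dc1.customer1.example', BaseDN => 'dc=customer1,dc=example',
        BindDN => 'svc-otrs@customer1.example', BindPw => 'CHANGE_ME_1',
    },
    {   Count  => '1', Name => 'Customer 2 AD',
        Host   => 'dc1.customer2.example', BaseDN => 'dc=customer2,dc=example',
        BindDN => 'svc-otrs@customer2.example', BindPw => 'CHANGE_ME_2',
    },
);
# userPrincipalName (user@domain) carries the domain, so "userX" in two
# directories becomes two distinct logins. sAMAccountName does not.
my $LoginAttr = 'userPrincipalName';

for my $Dir (@Directories) {
    my $C = $Dir->{Count};
    # Authentication: the unnumbered backend plus numbered ones (1, 2, ...).
    $Self->{"Customer::AuthModule$C"}                     = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{"Customer::AuthModule::LDAP::Host$C"}         = $Dir->{Host};
    $Self->{"Customer::AuthModule::LDAP::BaseDN$C"}       = $Dir->{BaseDN};
    $Self->{"Customer::AuthModule::LDAP::UID$C"}          = $LoginAttr;
    $Self->{"Customer::AuthModule::LDAP::SearchUserDN$C"} = $Dir->{BindDN};
    $Self->{"Customer::AuthModule::LDAP::SearchUserPw$C"} = $Dir->{BindPw};

    # Customer data: CustomerKey uses the same attribute as the auth UID, so
    # the profile (e-mail etc.) is never looked up by a non-unique key.
    $Self->{"CustomerUser$C"} = {
        Name   => $Dir->{Name},
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => $Dir->{Host},   BaseDN => $Dir->{BaseDN}, SSCOPE => 'sub',
            UserDN => $Dir->{BindDN}, UserPw => $Dir->{BindPw},
        },
        CustomerKey              => $LoginAttr,
        CustomerID               => 'mail',    # assumption: pick a populated attribute
        CustomerUserListFields   => [ 'cn', 'mail' ],
        CustomerUserSearchFields => [ $LoginAttr, 'cn', 'mail' ],
        CustomerUserSearchPrefix => '', CustomerUserSearchSuffix => '*',
        Map => [
            [ 'UserFirstname',  'Firstname',  'givenname', 1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',        1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   $LoginAttr,  1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',      1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',      0, 1, 'var', '', 0 ],
        ],
    };
}
```

With this key, a search for user@customer2.example in the first directory returns no entry, so the colliding short names described earlier in the thread can no longer pick up each other's e-mail address.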