[SOLVED] Customer User Administration and LDAP Backend

Moderator: crythias

Locked
Sendero
Znuny newbie
Posts: 6
Joined: 26 Mar 2013, 19:10
Znuny Version: 3.2.3

Post by Sendero »

I have the Agent and Customer login working with LDAP (Active Directory) using this example for my Customer portion. Agents and Customers can log in just fine. Agent user accounts are also created and pre-populated with the OTRS DB. However, I'm a little confused on the Customer LDAP part.

When an Active Directory user (Customer) logs in to create a ticket, their information is populated correctly (email, phone, mobile, etc.), but they are not listed in the "Customer Management" list, nor is their customer information in the 'customer_user' table. If the customer changes preferences, I see their information in the 'customer_preferences' table with the correct user_id from the ticket. I noticed this when I went to create a Phone Ticket and clicked the "[Customer]" link and there were no customers listed.

So, when an Active Directory user (Customer) logs in, am I to expect that user account to be listed in the Customer Management list? If the answer is no, how do we create a Phone Ticket and assign it to a Customer that is in LDAP? (Now, when I create a Phone ticket and use the email address of the AD user, it does not link to the user and pull their information on the ticket.)
Last edited by Sendero on 28 Mar 2013, 15:53, edited 1 time in total.
OTRS 3.2.3 (Pre-production) | CentOS 6.4 (x86) | MySQL 5.1
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Customer User Administration and LDAP Backend

Post by crythias »

Sendero wrote:Active Directory user (Customer) logs in am I to expect that user account to be listed in the Customer Management list
Yes, if you change to the ldap source.
Sendero wrote: how do we create a Phone Ticket and assign it to a Customer that is in LDAP? (Now, when I create a Phone ticket and use the email address of the AD user it does not link to the user and pull their information on the ticket)
It should, as long as mail is one of the search fields in the config.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Sendero

Re: Customer User Administration and LDAP Backend

Post by Sendero »

crythias wrote:Yes, if you change to the ldap source.
I was looking at that earlier; it seems I am missing a setting somewhere:

Image

I've combed through the SysConfig and did not find where that could be set.
crythias wrote:It should, as long as mail is one of the search fields in the config.
You're referring to these settings?

Code:

CustomerKey => 'sAMAccountName',
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'sn', 'givenname', 'company',  'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'sn', 'givenname', 'company', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
CustomerUserValidFilter => '(company=*)',
CustomerUserExcludePrimaryCustomerID => 0,
crythias

Re: Customer User Administration and LDAP Backend

Post by crythias »

Don't forget to include Name=>'LDAP Lookup'; in CustomerUser of Config.pm
Sendero

Re: Customer User Administration and LDAP Backend

Post by Sendero »

crythias wrote:Don't forget to include Name=>'LDAP Lookup'; in CustomerUser of Config.pm
Shouldn't that be "Name=>'LDAP Lookup'," (comma) instead of ; (semi-colon)?

I used the comma version and I now have "LDAP Lookup" listed in the drop down. However, searching with a * still yields no results and the 'customer_user' table is still empty. I've logged in with the user and created one new ticket to generate usage. Phone Ticket [Customer] doesn't work either, obviously.
crythias

Re: Customer User Administration and LDAP Backend

Post by crythias »

Please post your config.pm.
Sendero

Re: Customer User Administration and LDAP Backend

Post by Sendero »

Code:

package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # The database host
    $Self->{'DatabaseHost'} = 'localhost';

    # The database name
    $Self->{'Database'} = 'otrs';

    # The database user
    $Self->{'DatabaseUser'} = 'otrs';

    # The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords
    $Self->{'DatabasePw'} = 'password';

    # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

    # The database DSN for PostgreSQL ==> more: "perldoc DBD::Pg"
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a TCP/IP connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
    # if you have PostgresSQL 8.1 or earlier, activate the legacy driver with this line:
#    $Self->{DatabasePostgresqlBefore82} = 1;

    # The database DSN for Microsoft SQL Server - only supported if OTRS is
    # installed on Windows as well
#    $Self->{DatabaseDSN} = "DBI:ODBC:driver={SQL Server};Database=$Self->{Database};Server=$Self->{DatabaseHost},1433";
#    $Self->{Database::Type} = 'mssql';


    # The database DSN for Oracle ==> more: "perldoc DBD::oracle"
#    $ENV{ORACLE_HOME} = '/u01/app/oracle/product/10.2.0/client_1';
#    $ENV{NLS_DATE_FORMAT} = 'YYYY-MM-DD HH24:MI:SS';
#    $ENV{NLS_LANG} = "american_america.utf8";

#    $Self->{DatabaseDSN} = "DBI:Oracle:sid=OTRS;host=$Self->{DatabaseHost};port=1522;";

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$

# ---------------------------------------------------- #
# LDAP Integration                                     #
# ---------------------------------------------------- #

# Enable LDAP lookups for Agent logins. User must be a member of OTRS Agents group.
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'my.domain.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=my,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Search,dc=my,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS Agents,dc=my,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Enable LDAP lookups of Agent account information and default roles.
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'my.domain.com';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=my,dc=domain,dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Search,dc=my,dc=domain,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
$Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthSyncModule::LDAP::GroupDN'} = 'CN=OTRS Agents,dc=my,dc=domain,dc=com';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
};

# Enable LDAP lookups for Customer logins.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'my.domain.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=my,dc=domain,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Search,dc=my,dc=domain,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRS Customers,dc=my,dc=domain,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# Enable LDAP lookups for Customer account information.
$Self->{CustomerUser} = {
  Name => 'LDAP Lookup',
  Module => 'Kernel::System::CustomerUser::LDAP',
  Params => {
        Host => 'my.domain.com',
        BaseDN => 'dc=my,dc=domain,dc=com',
        SSCOPE => 'sub',
        UserDN => 'CN=OTRS Search,dc=my,dc=domain,dc=com',
        UserPw => 'password',
        AlwaysFilter => '(objectclass=user)',
        GroupDN => 'CN=OTRS Customers,dc=my,dc=domain,dc=com',
        AccessAttr => 'member',
        UserAttr => 'DN',
  },
  CustomerKey => 'sAMAccountName',
  CustomerID => 'mail',
  CustomerUserListFields => ['sAMAccountName', 'sn', 'givenname', 'company',  'mail'],
  CustomerUserSearchFields => ['sAMAccountName', 'sn', 'givenname', 'company', 'mail'],
  CustomerUserPostMasterSearchFields => ['mail'],
  CustomerUserNameFields => ['givenname', 'sn'],
  CustomerUserValidFilter => '(company=*)',
  CustomerUserExcludePrimaryCustomerID => 0,
  Map => [
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'company', 0, 1, 'var' ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        [ 'UserMobile', 'Mobile', 'mobile', 1, 0, 'var' ],
        [ 'UserRoom', 'Room', 'physicalDeliveryOfficeName', 1, 0, 'var' ],
  ],
};

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    # end of your own config options!!!                    #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.30 $)[1];

use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

# -----------------------------------------------------#

1;
Sendero

Re: Customer User Administration and LDAP Backend

Post by Sendero »

I found a few more examples of Active Directory (LDAP) integration, but nothing that looked vastly different from mine. Although I did miss the 'Name' option in my original config. :D Should I be syncing LDAP users to the database using the UserSyncMap feature?
Sendero

Re: Customer User Administration and LDAP Backend

Post by Sendero »

Fixed it. For those following along, the error was in this section:

Code:

# Enable LDAP lookups for Customer account information.
$Self->{CustomerUser} = {
  Name => 'LDAP Lookup',
  Module => 'Kernel::System::CustomerUser::LDAP',
  Params => {
        Host => 'my.domain.com',
        BaseDN => 'dc=my,dc=domain,dc=com',
        SSCOPE => 'sub',
        UserDN => 'CN=OTRS Search,dc=my,dc=domain,dc=com',
        UserPw => 'password',
        AlwaysFilter => '(objectclass=user)',
        GroupDN => 'CN=OTRS Customers,dc=my,dc=domain,dc=com',
        AccessAttr => 'member',
        UserAttr => 'DN',
  },
I don't need the GroupDN, AccessAttr, and UserAttr parameters in the lookup information. It should look like this:

Code:

# Enable LDAP lookups for Customer account information.
$Self->{CustomerUser} = {
  Name => 'LDAP Lookup',
  Module => 'Kernel::System::CustomerUser::LDAP',
  Params => {
        Host => 'my.domain.com',
        BaseDN => 'dc=my,dc=domain,dc=com',
        SSCOPE => 'sub',
        UserDN => 'CN=OTRS Search,dc=my,dc=domain,dc=com',
        UserPw => 'password',
        AlwaysFilter => '(objectclass=user)',
  },
Now I just need to figure out how to filter only active accounts. :D
crythias

Re: [SOLVED] Customer User Administration and LDAP Backend

Post by crythias »

Code:

 AlwaysFilter => '(&(objectCategory=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',