[SOLVED] Customer Authentication and Customer Records

Moderator: crythias

Locked
bpage
Znuny newbie
Posts: 5
Joined: 07 Oct 2013, 19:22
Znuny Version: 3.2.10

[SOLVED] Customer Authentication and Customer Records

Post by bpage »

I am excited about the prospect of using OTRS to replace the current help desk application that my employer currently uses - so much so that I have taken additional time before an after work over the past two weeks to configure and reconfigure it so that it is exactly what I envision prior to showing the work to the decision makers. So between LDAP configurations and email IMAP troubleshooting, I've seen that OTRS is incredibly flexible and that most installation issues are caused by not fully understanding how OTRS interfaces with existing systems. But this one has me stumped, so I am posting in an attempt to understand what is wrong with my configuration.

I am using OTRS Version: 3.2.10
I am using OS: CentOS 6
I am using Database: MySQL

I have this problem: UI - "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." Syslog - No such user 'page_b@domain.tld'!

I am encountering my issue on this screen: When attempting to log in via customer.pl with known good credentials (authentication succeeeded, after all).
I can replicate the issue by: Each attempt to log in via the portal produces this error.
This is what I've tried: I believe the issue to be related to an attempt to sync customer data with a local backend, but all configuration options for customer authentication in SysConfig are keyed to LDAP and the settings appear to be correct.
These are the posts I've found that are relevant, but don't seem to answer my question: I have googled every permutation of this error message and the syslog messages that I can think of over the past week.
I've looked at the HowTos on this: I've probably tried using 5 different how-tos.
I've looked at the Docs: I've looked at the official docs and several unofficial "This is how I got it working" style posts.
The logs say: Authentication successful, followed by No such user
I've done a non-specific generic search for the error message and it says: I honestly don't even remember at this point. I've built and rebuilt the config several times over the past week, and after giving myself the weekend to start anew today, I have a jumbled mess of potential solutions floating around in my head.

My question is: What is generally the misconfiguration that generally causes this error to be thrown, and what are the minimum configuration parameters (particularly as relate to the data Mapping) that are required in order to enable an LDAP customer to log into the customer portal and view existing tickets that have been submitted by the individual? A later goal is to allow a subset of individuals to view all tickets originating from their department (Human Resources, Finance, etc), but I am more concerned about enabling the customer login first, at which point I can continue my configuration and testing. Below is the customer portion of the Config.pm (scrubbed for security of course). userPrincipalName is probably a surprise, but it is the value that I need to key the authentication through - the common value did not work when I tried it early last week.

A concern I have is that our LDAP user names and email addresses use different domains, though I can't quite place my finger on why I feel its a concern. It may be irrelevant to my current difficulties, but I did want to mention it as a potentially unusual deployment environment.

Code: Select all

   $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
	$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.domain.tld';
	$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=tld';
	$Self->{'Customer::AuthModule::LDAP::UID'} = 'userPrincipalName';

	$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=CustomerGroup,ou=OU,dc=domain,dc=tld';
	$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
	$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
	$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.tld';

	$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldapsearch@domain.tld';
	$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

	$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

	$Self->{CustomerUser} = {
       	Name => 'LDAP Lookup',
	       Module => 'Kernel::System::CustomerUser::LDAP',
	       Params => {
  			Host => 'ldap.domain.tld',
  			BaseDN => 'dc=domain,dc=tld',
  			SSCOPE => 'sub',
  			UserDN => 'CN=ldapsearch,ou=ou,DC=domain,DC=tld',
  			UserPw => 'password',
  			AlwaysFilter => '(&(objectCategory=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
  			Params => {
				port => 389,
				timeout => 120,
				async => 0,
				version => 3,
			},
		},
		CustomerKey => 'sAMAccountName',
		CustomerID => 'sAMAccountName',
		CustomerUserListFields => ['givenname', 'sn', 'mail'],
		CustomerUserSearchFields => ['givenname', 'sn', 'mail'],
		CustomerUserPostMasterSearchFields => ['mail'],
		CustomerUserNameFields => ['givenname', 'sn'],
		CustomerUserValidFilter => '(mail=*)',
		CustomerUserExcludePrimaryCustomerID => 0,
		Map => [
			[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
			[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
			[ 'UserLogin', 'Login', 'userPrincipalName', 1, 1, 'var' ],
			[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
			[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
			[ 'UserDepartment', 'Department', 'department', 1, 0, 'var'],
		],
	};
I tried my best to keep the indenting correct, and I appreciate any advice, direction or discussion that anyone can provide.
Last edited by bpage on 09 Oct 2013, 16:28, edited 1 time in total.
OS: CentOS 6
OTRS Version: 3.2.10
OTRS DB: MySQL
Top
bpage
Znuny newbie
Posts: 5
Joined: 07 Oct 2013, 19:22
Znuny Version: 3.2.10

Re: Customer Authentication and Customer Records

Post by bpage »

Looking through more information, I discovered that in the Customer Management List view (which is populating based on an applied filter), each user listed has an associated username, email address and customerid. However, inspecting each individual user, none of the required information is present. It is, essentially, a blank create-user dialog - no name, login, email or customerid. I'm expecting the Edit Customer dialog to have the current information from LDAP, and to not allow me to change it via OTRS. Does this sound correct? Am I misunderstanding something?
OS: CentOS 6
OTRS Version: 3.2.10
OTRS DB: MySQL
Top
bpage
Znuny newbie
Posts: 5
Joined: 07 Oct 2013, 19:22
Znuny Version: 3.2.10

Re: Customer Authentication and Customer Records

Post by bpage »

And I just figured it out. CustomerKey => value needed to match with Map => ['UserLogin', 'Login', 'value', 1, 1, 'var' ]. In my particular case, I needed both to use userPrincipalName when they were both set to sAMAccountName. I knew it would be something I completely overlooked in the configuration, which was why I posted for a fresh set of eyes.

OtterHub is a great resource, and though I didn't get any direct responses, the knowledge base that it has become was the sole reason I discovered my error.
OS: CentOS 6
OTRS Version: 3.2.10
OTRS DB: MySQL
Top
Locked

Return to “General”