LDAP users to OTRS Groups

trzcionek
Znuny newbie
Posts: 18
Joined: 27 Jul 2012, 07:47
Znuny Version: OTRS 3.1
Real Name: Marcin
Company: KHW S.A.

LDAP users to OTRS Groups

Post by trzcionek »

Hello everyone,
I have got a problem with customers who log in by LDAP. I'll describe what I want to do.
I have one domain but six organizational units which contain users from different offices.
I'd like to have groups in OTRS which contain users from the AD OUs, e.g. OTRS groups named:
users-abc1 contains users from OU=ABC1,DC=MYDAOMAIN,DC=COM,
users-abc2 contains users from OU=ABC2,DC=MYDAOMAIN,DC=COM,
and so on.
After that I'll try to connect the OTRS groups with queues and agents.
Can you tell me whether my concept is feasible? What should I add to the config file?

Now I've got a Config.pm which adds all users from AD:

```perl
# Customer authentication backend 1: LDAP (Active Directory)
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'xxxxxxxxxxxxxxx';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'ou=abc,dc=xxx,dc=xx';
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'CN=xxxxx,OU=xxxxx,OU=xxxx,DC=xx,DC=xx';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'xxxxxxxxxxx';
$Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'DN';
$Self->{'Customer::AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';

# Customer user data backend 1: LDAP
$Self->{CustomerUser1} = {
    Name => 'LDAP Users',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host => 'xxxxxxxxxxxxxxx',
        BaseDN => 'ou=abc,dc=xxx,dc=xx',
        SSCOPE => 'sub',
        UserDN => 'CN=xxxxx,OU=xxxxx,OU=xxxx,DC=xx,DC=xx',
        UserPw => 'xxxxxxxxxxx',
        AlwaysFilter => '',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8'
    },
    CustomerKey => 'sAMAccountName',
    CustomerID => 'sAMAccountName',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # Map columns: var, frontend label, LDAP attribute, shown, required, storage type
    Map => [
        ['UserFirstname', 'Firstname', 'givenname', '1', '1', 'var'],
        ['UserLastname', 'Lastname', 'sn', '1', '1', 'var'],
        ['UserLogin', 'Login', 'sAMAccountName', '1', '1', 'var'],
        ['UserEmail', 'Email', 'mail', '1', '1', 'var'],
        ['UserCustomerID', 'CustomerID', 'mail', '0', '1', 'var'],
        ['UserPhone', 'Phone', 'telephonenumber', '1', '0', 'var'],
    ],
};
```
Sorry for my english I'm still learning
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: LDAP users to OTRS Groups

Post by crythias »

Customers don't map to groups by LDAP. Only Agents.

One way to "group" Customers is by CustomerID. viewtopic.php?f=60&t=7531
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: LDAP users to OTRS Groups

Post by trzcionek »

Can you give me more details, because I don't understand what I should do with "CustomerFrontend::Module###CustomerTicketOverview".
I added a Customer with the name from "physicalDeliveryOfficeName".
I made this mapping from AD:

```perl
['UserCustomerIDs', 'CustomerIDs', 'employeeNumber', '0', '1', 'var'],
['UserCustomerID', 'CustomerID', 'physicalDeliveryOfficeName', '0', '1', 'var'],
```

Re: LDAP users to OTRS Groups

Post by crythias »

trzcionek wrote:
> Can you give me more details, because I don't understand what I should do with "CustomerFrontend::Module###CustomerTicketOverview".

I'm not sure, either. What do you want/expect to do with it in the context of your question?

CustomerIDs doesn't make any sense for a static entry that changes per employee (employeeNumber). Get rid of it/comment it out.

The summary of that page I linked to basically says: The Customer front end Company Tickets will show all tickets that have the same customer_id as the currently logged in user. In addition, the customer that has additional entries within the customer_ids field will see all tickets in Company Tickets that have a customer_id that is one of the customer_ids for that customer.

Reworded:

If the ticket has a customer_id of "accounting", all customers that have a customer_id of "accounting" will see the ticket in "Company Tickets".
If the customer has customer_ids = "accounting;finance", the customer will see, within Company Tickets, all of the tickets that match the customer's customer_id and all tickets that have customer_id of accounting or finance.

But if you don't want subordinates to have access to see each other's tickets within Company Tickets, you can use group membership to restrict access to that interface.

In addition, changing the customer_id of a customer does not retroactively change the customer_id of existing tickets. You will need to use Generic Agent to update (filter login, set customer_id).

Re: LDAP users to OTRS Groups

Post by trzcionek »

Thanks for answering, but I still don't understand how CustomerID connects with groups and then with queues.
You wrote:
> New information:
> You may assign a group to have access to Company Tickets
> Ticket -> Frontend::Customer::ModuleRegistration
> CustomerFrontend::Module###CustomerTicketOverView

I added "users-abc" to the field "group", and I haven't got users in this group. I've got 5 other 'physicalDeliveryOfficeName' yet.
My English is not good, so maybe I can't understand this solution. Can you explain it to me step by step?
I've commented out the entry with CustomerIDs (employeenumber), and what next?

Re: LDAP users to OTRS Groups

Post by crythias »

trzcionek wrote:
> I still don't understand how CustomerID connects with groups and then with queues.

crythias wrote:
> Customers don't map to groups by LDAP. Only Agents.
>
> One way to "group" Customers is by CustomerID. viewtopic.php?f=60&t=7531

I put "group" in quotes because it's not an OTRS-defined group. It's a group in the literal sense: a collection of customers with a similar attribute (this being customer_id). Customers with a similar customer_id are in the same "group".

You really shouldn't be trying to do customer based grouping for the purpose of segregating queues. Queues are for the types of things agents can do for clients (Plumbing, Software, Hardware).
But if you insist, you can use the customer_id of a customer in an ACL to provision the queues the customer is allowed to see.

In SysConfig, find:
Ticket -> Frontend::Customer::ModuleRegistration

In the Section CustomerFrontend::Module###CustomerTicketOverView, find and add a Group that members should have access to "Company Tickets".
trzcionek wrote:
> My English is not good, so maybe I can't understand this solution. Can you explain it to me step by step?
> I've commented out the entry with CustomerIDs (employeenumber), and what next?

1) Customers with the same customer_id have a common attribute for the purpose of ACL (See the docs for ACL) and for seeing each others' tickets in Company Tickets on the customer web front end. By default, because no group membership prevents access, all customers have access to Company Tickets, which means all customers have access to each others' tickets if they have the same CustomerID.
2) In certain organizations, only managers really need to have access to "Company Tickets" while subordinates probably do not need to see their peers' tickets. At that point, you'd create and assign managers to a group (manually) and assign it to the CustomerFrontEnd for Company Tickets.
3) Do not use customer based queues.
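The ACL option mentioned in the reply above (using a customer's customer_id to limit the queues that customer is offered), sketched as an added example that is not part of the original thread or OTRS's own code. It assumes the `UserCustomerID` mapping from physicalDeliveryOfficeName shown earlier; the office values, queue names and ACL names are constructed placeholders.

```perl
use strict;
use warnings;

# Stand-in for the config object so the fragment runs on its own.
# Inside Kernel/Config.pm's Load(), $Self already exists: drop this line.
my $Self = {};

# Constructed mapping: CustomerID value (from physicalDeliveryOfficeName)
# to the queues customers of that office may choose.
my %QueuesByCustomerID = (
    'ABC1' => ['Office ABC1'],
    'ABC2' => ['Office ABC2'],
);

for my $CustomerID ( sort keys %QueuesByCustomerID ) {
    $Self->{TicketAcl}->{"100-CustomerQueues-$CustomerID"} = {

        # Match: the logged-in customer user carries this CustomerID.
        Properties => {
            CustomerUser => {
                UserCustomerID => [$CustomerID],
            },
        },

        # Effect: only these queues are offered to that customer.
        Possible => {
            Ticket => {
                Queue => $QueuesByCustomerID{$CustomerID},
            },
        },
    };
}

# List the generated ACL names when run stand-alone.
print "$_\n" for sort keys %{ $Self->{TicketAcl} };
```

A customer whose CustomerID matches none of the keys matches no ACL and keeps the default queue list, so empty or unexpected physicalDeliveryOfficeName values in AD need a catch-all rule or a data check. ACLs only filter what a form offers; which tickets appear under Company Tickets is still decided by customer_id as described in the reply.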

Re: LDAP users to OTRS Groups

Post by trzcionek »

To resolve my case I'll do:
1. I'll set 'CustomerID' from "physicalDeliveryOfficeName".
2. I'll create a public and a private queue.
3. I'll use GenericAgent with filtering by CustomerID and Queue (public) and an action to set Queue (private).
4. I'll add agents to groups and assign groups to queues.

This solution should solve the problem of adding new users :)
I don't know why I missed your post:
> In addition, changing the customer_id of a customer does not retroactively change existing ticket customer_id. You will need to use Generic Agent to update (filter login, set customer_id)