OTRS/Active Directory Integration

Moderator: crythias

tomzegers
Znuny newbie
Posts: 13
Joined: 21 Jun 2011, 14:55
Znuny Version: 3.0.8
Real Name: Tom Zegers
Company: Sioux

OTRS/Active Directory Integration

Post by tomzegers »

Hey All,

I have spent a lot of time reading about OTRS/Active Directory. I decided to try it myself. I edited the necessary scripts, and the authentication is functioning.
However, when "old" people log in to the customer section, the login process succeeds. When I create a new user in Active Directory who is allowed to log on to OTRS, I receive a message:
Error: Need CustomerID!!!

Second problem is that when I log on to the agent section with an appropriate user, I receive the error:
Panic, user authenticated but no user data can be found in OTRS DB!! Perhaps the user is invalid.
I am quite sure the user isn't invalid.

I googled this, and I read a couple of solutions. One of them was to replace all the UID with: sAMAccountName

To give you a better view of my problem, I'll post the script here, and I hope someone can tell me what the problem is. This problem has been bugging me for over 2 days now; I have read a lot of possible solutions, but somehow I am missing something!

# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #

$Self->{LogModule} = 'Kernel::System::Log::File';
$Self->{LogModule::LogFile} = 'D:/OTRS/OTRS/var/log/otrs.log';
# $DIBI$
$Self->{'DefaultCharset'} = 'utf-8';

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';

# agent login section
$Self->{'AuthModule::LDAP::Host'} = 'srv01';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=siouxehv,DC=nl';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'siouxehv\user1';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

# customer login section
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'srv01';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=siouxehv,DC=nl';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'siouxehv\user1';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

# get customer user information
$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'srv01',
        BaseDN => 'OU=Systeembeheer,OU=Ondersteuning,OU=Sioux Eindhoven,DC=siouxehv,DC=nl',
        SSCOPE => 'sub',
        UserDN => 'siouxehv\user1',
        UserPw => 'password',
    },

    CustomerKey                        => 'sAMAccountName',
    CustomerID                         => 'sAMAccountName',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var' ],
        # [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        # [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        # [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
};
# userdn defaults: sAMAccountName=sys, ou=user, dc=otrs, dc=org
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'srv01';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=siouxehv,DC=nl';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'siouxehv\user1';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
[...]

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'siouxehv\user1';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';


Additional info: user1 is a member of the Windows Authorization Access Group.
OTRS 3.0.8 on Windows with Mysql + Apache connected to an Active Directory for agents+Customers
kool_kid
Znuny newbie
Posts: 86
Joined: 13 Feb 2011, 13:51
Znuny Version: 3

Re: OTRS/Active Directory Integration

Post by kool_kid »

Panic, user authenticated but no user data can be found in OTRS DB!!
This happened with me as well, and it happens when you don't have the user created in the DB. Simple thing: create the user with the same username and email address, then try to log in. Your script should automatically create the users in the DB, but I think there is something that needs to be added in the script (sorry, I don't remember what exactly it is). If you search this forum for AD Authentication posts or just search for the error you are getting, you will find answers yourself.
OTRS 3.1.10
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: OTRS/Active Directory Integration

Post by jojo »

Customers don't need to be inside the OTRS database, so there is no need to copy them into OTRS tables.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
tomzegers
Znuny newbie
Posts: 13
Joined: 21 Jun 2011, 14:55
Znuny Version: 3.0.8
Real Name: Tom Zegers
Company: Sioux

Re: OTRS/Active Directory Integration

Post by tomzegers »

jojo wrote: Customers don't need to be inside the OTRS database, so there is no need to copy them into OTRS tables.

That's what I thought.
The funny thing is, when I try to log in to the OTRS customer section with users who have existed in the AD for a longer time, no problems occur. However, I tried to add a new user, just to test, and that didn't work. Any ideas?
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: OTRS/Active Directory Integration

Post by jojo »

Have a look at CacheTTL...
tomzegers
Znuny newbie
Posts: 13
Joined: 21 Jun 2011, 14:55
Znuny Version: 3.0.8
Real Name: Tom Zegers
Company: Sioux

Re: OTRS/Active Directory Integration

Post by tomzegers »

I solved the problem partially.
The issue is that a lot of my Active Directory users don't have an Exchange email address configured. My script looks for the CustomerID in a couple of fields. One of them is the e-mail field in the General tab of the user account in Active Directory. Once I added a fake email address, my new test user worked.
Looking now for a script to add 100 email addresses in Active Directory :P
Wolfgangf
Znuny ninja
Posts: 1029
Joined: 13 Apr 2009, 12:26
Znuny Version: 6.0.13
Real Name: Wolfgang Fürtbauer
Company: PBS Logitek GmbH
Location: Pinsdorf

Re: OTRS/Active Directory Integration

Post by Wolfgangf »

Create an LDIF file and run it with ldapmodify against AD (LDAP)?
Production:
OTRS 6.0.13/ ITSM 6.0.13
OS: SUSE Linux (SLES 12, Leap), MySql 5.5.x, 5.6.x
Windows 2012 AD Integration (agents and customers), Nagios integration (incidents, CMDB), Survey, TimeAccounting
tomzegers
Znuny newbie
Posts: 13
Joined: 21 Jun 2011, 14:55
Znuny Version: 3.0.8
Real Name: Tom Zegers
Company: Sioux

Re: OTRS/Active Directory Integration

Post by tomzegers »

Wolfgangf wrote: Create an LDIF file and run it with ldapmodify against AD (LDAP)?

I am looking for something like that, but I am not that good at scripting :)
Wolfgangf
Znuny ninja
Posts: 1029
Joined: 13 Apr 2009, 12:26
Znuny Version: 6.0.13
Real Name: Wolfgang Fürtbauer
Company: PBS Logitek GmbH
Location: Pinsdorf

Re: OTRS/Active Directory Integration

Post by Wolfgangf »

No need for scripting.
LDIF is the standard file format for updating LDAP: http://en.wikipedia.org/wiki/LDAP_Data_ ... nge_Format
Then use this file as input for ldapmodify.
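As an added example (not from this thread, and not an OTRS or OpenLDAP tool), the following Python builds the kind of LDIF file Wolfgangf describes: one `changetype: modify` record per account that sets `mail`, with the LDIF rule that non-ASCII or otherwise unsafe values must be written base64-encoded behind `::`. The account list, DNs and the mail domain are constructed sample data.

```python
# Added example: generate an LDIF file for ldapmodify that sets the `mail`
# attribute on many AD accounts at once. Not part of the thread or of OTRS.
import base64


def ldif_value(attr, value):
    """Encode one 'attr: value' line. LDIF requires base64 ('attr:: ...') when
    the value is non-ASCII, starts with space/colon/'<', ends with a space,
    or contains a line break; everything else may be written literally."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or "\n" in value or "\r" in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def modify_mail_ldif(accounts, domain):
    """Return LDIF text with one modify record per (dn, login) pair that sets
    mail to login@domain. 'replace' adds the attribute when it is absent and
    overwrites it when present, so the file is safe to re-run."""
    records = []
    for dn, login in accounts:
        records.append("\n".join([
            ldif_value("dn", dn),
            "changetype: modify",
            "replace: mail",
            ldif_value("mail", f"{login}@{domain}"),
            "-",                      # terminates this modification
        ]))
    return "\n\n".join(records) + "\n"  # blank line separates records


# Constructed sample accounts; the second DN contains a non-ASCII character,
# which forces the base64 form of the dn line.
SAMPLE_ACCOUNTS = [
    ("CN=Test User,OU=Systeembeheer,DC=siouxehv,DC=nl", "test1"),
    ("CN=Jürgen Test,OU=Systeembeheer,DC=siouxehv,DC=nl", "jtest"),
]

if __name__ == "__main__":
    print(modify_mail_ldif(SAMPLE_ACCOUNTS, "siouxehv.nl"), end="")
```

Writing the output to a file and feeding it to `ldapmodify -H ldap://srv01 -D 'siouxehv\user1' -W -f mail.ldif` applies all changes in one bind; review the generated file first, since `replace` overwrites any existing value.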
ferrosti
Znuny superhero
Posts: 723
Joined: 10 Oct 2007, 14:30
Znuny Version: 3.0
Location: Hamburg, Germany

Re: OTRS/Active Directory Integration

Post by ferrosti »

Instead of a fake mail address I'd rather take 'userprincipalname'.
openSuSE on ESX
IT-Helpdesk: OTRS 3.0
Customer Service: OTRS 3.0 (upgraded from 2.3)
Customer Service (subsidiary): OTRS 3.0
+additional test and development systems
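To make the two suggestions concrete, here is an added Python simulation (not code from the thread or from OTRS) of how the `Map` in the posted Config.pm turns an AD entry into OTRS customer data. It reproduces why an account with no `mail` attribute ends in "Need CustomerID" while older accounts work, and shows that mapping `UserCustomerID` to `userPrincipalName`, as ferrosti suggests, avoids it. The two directory entries are constructed sample data; the login decision is a simplified model of OTRS's behaviour, not its real code.

```python
# Added example: simulate the CustomerUser Map lookup from the posted Config.pm
# against constructed AD entries. Not part of the thread or of OTRS itself.

# Rows copied from the posted Map: (var, frontend, storage, shown, required, type)
MAIL_MAP = [
    ("UserFirstname", "Firstname", "givenname", 1, 1, "var"),
    ("UserLastname", "Lastname", "sn", 1, 1, "var"),
    ("UserLogin", "Login", "sAMAccountName", 1, 1, "var"),
    ("UserEmail", "Email", "mail", 1, 1, "var"),
    ("UserCustomerID", "CustomerID", "mail", 0, 1, "var"),
]

# Same Map, but CustomerID taken from userPrincipalName (set on every AD
# account) instead of the Exchange-dependent mail attribute.
UPN_MAP = [r if r[0] != "UserCustomerID"
           else ("UserCustomerID", "CustomerID", "userPrincipalName", 0, 1, "var")
           for r in MAIL_MAP]


def map_entry(entry, customer_map):
    """Fill OTRS variables from one LDAP entry. LDAP attribute names are
    case-insensitive, so 'givenname' in the Map matches 'givenName' in AD."""
    attrs = {k.lower(): v for k, v in entry.items() if v}
    return {var: attrs.get(storage.lower())
            for var, _f, storage, _s, _r, _t in customer_map}


def check_login(entry, customer_map=MAIL_MAP):
    """Simplified model of the step after a successful LDAP bind: the customer
    is rejected when the mapped CustomerID is empty."""
    data = map_entry(entry, customer_map)
    if not data.get("UserCustomerID"):
        return "Error: Need CustomerID"
    return "OK customer_id=" + data["UserCustomerID"]


def accounts_lacking(entries, storage_attr):
    """Pre-flight check: logins of all entries with no value for the attribute
    a Map row depends on. Run over an LDAP export before changing the Map."""
    return sorted(e["sAMAccountName"] for e in entries
                  if not {k.lower(): v for k, v in e.items()}.get(storage_attr.lower()))


# Constructed sample directory: an older account with an Exchange mailbox
# and a freshly created test account without one.
ENTRIES = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
     "mail": "jdoe@siouxehv.nl", "userPrincipalName": "jdoe@siouxehv.nl"},
    {"sAMAccountName": "test1", "givenName": "Test", "sn": "User",
     "userPrincipalName": "test1@siouxehv.nl"},
]
```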
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: OTRS/Active Directory Integration

Post by crythias »

Or consider not having individual CustomerIDs and assigning a static one. Use group membership to restrict access to Company Tickets.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
tomzegers
Znuny newbie
Posts: 13
Joined: 21 Jun 2011, 14:55
Znuny Version: 3.0.8
Real Name: Tom Zegers
Company: Sioux

Re: OTRS/Active Directory Integration

Post by tomzegers »

crythias wrote: Or consider not having individual CustomerIDs and assigning a static one. Use group membership to restrict access to Company Tickets.

This is actually a pretty good one. I am taking a closer look at that soon :)
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: OTRS/Active Directory Integration

Post by crythias »

tomzegers
Znuny newbie
Posts: 13
Joined: 21 Jun 2011, 14:55
Znuny Version: 3.0.8
Real Name: Tom Zegers
Company: Sioux

Re: OTRS/Active Directory Integration

Post by tomzegers »

Thanks a lot! I didn't have the time yet to look into it, since I am busy with a lot of other things ATM, but thanks in advance! I will try it and post the results :)