Help to configure Customer DB using LDAP

[Amukinado]

Hi!

I managed to get agents to login via index.pl with openldap. my otrs server is centos 5 and OTRS Version is 3.1.3.

I Can't login via customer.pl link ans this is the error:

Code: Select all

Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator.

This is what the syslog says about this login attempt:

Code: Select all

Mon Feb 11 16:33:06 2013 	error 	OTRS-CGI-30 	No such user 'xpto'!
Mon Feb 11 16:33:06 2013 	notice 	OTRS-CGI-30 	CustomerUser: xpto (uid=xpto,ou=Users,dc=xxx,dc=yyy) authentication ok (REMOTE_ADDR: 192.168.0.101).

Here's my confi.pm. Can you please take a look and tell me where I'm wrong???

Code: Select all

# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2011 xxx, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.25 2011/09/16 10:58:28 mg Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
#  Note:
#
#  -->> OTRS does have a lot of config settings. For more settings
#       (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
#       LDAP, PostMaster, Session, Preferences, ...) see
#       Kernel/Config/Defaults.pm and copy your wanted lines into "this"
#       config file. This file will not be changed on update!
#
# --

package Kernel::Config;

use utf8;

sub Load {
    my $Self = shift;
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #         Start of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #
    # DatabaseHost
    # (The database host.)
    $Self->{DatabaseHost} = 'localhost';
    # Database
    # (The database name.)
    $Self->{Database} = 'otrs';
    # DatabaseUser
    # (The database user.)
    $Self->{DatabaseUser} = 'otrs';
    # DatabasePw
    # (The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords.)
    $Self->{DatabasePw} = '1234567';
    # DatabaseDSN
    # (The database DSN for MySQL ==> more: "man DBD::mysql")
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

    # (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a tcpip connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
    # if you have PostgresSQL 8.1 or earlier, activate the legacy driver with this line:
#    $Self->{DatabasePostgresqlBefore82} = 1;

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #           End of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

    #################### LDAP configuration##########################AGENT AUTH
    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = 'ldap://192.168.0.38';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=xxx,dc=yyy';
    $Self->{'AuthModule::LDAP::UID1'} = 'uid';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN1'} = 'cn=SYSADMIN,ou=Groups,dc=xxx,dc=yyy';
    $Self->{'AuthModule::LDAP::AccessAttr1'} = '';
    # for ldap posixGroups objectclass (just uid)
    $Self->{'AuthModule::LDAP::UserAttr1'} = 'uidNumber';
    # for non ldap posixGroups objectclass (with full user dn)
    # $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'cn=services,ou=DSA,dc=xxx,dc=yyy';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'secret';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    # $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    # $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

    # In case you want to convert all given usernames to lower letters you
    # should activate this option. It might be helpfull if databases are
    # in use that do not distinguish selects for upper and lower case letters
    # (Oracle, postgresql). User might be synched twice, if this option
    # is not in use.
    # $Self->{'AuthModule::LDAP::UserLowerCase'} = 0;

    # In case you need to use OTRS in iso-charset, you can define this
    # by using this option (converts utf-8 data from LDAP to iso).
    # $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params1'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
    };

    # Die if backend can't work, e. g. can't connect to server.
    # $Self->{'AuthModule::LDAP::Die'} = 1;

    # This is an example configuration for an apache ($ENV{REMOTE_USER})
    # auth. backend. Use it if you want to have a singe login through
    # apache http-basic-auth.
    # $Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';
    # In case there is a leading domain in the REMOTE_USER, you can
    # replace it by the next config option.
    # $Self->{'AuthModule::HTTPBasicAuth::Replace'} = 'example_domain\\';
    # In case you need to replace some part of the REMOTE_USER, you can
    # use the following RegExp ($1 will be new login).
    # $Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '^(.+?)@.+?$';
    # Note:
    # If you use this module, you should use as fallback the following
    # config settings if user isn't login through apache ($ENV{REMOTE_USER}).
    # $Self->{LoginURL} = 'http://host.example.com/not-authorised-for-otrs.html';
    # $Self->{LogoutURL} = 'http://host.example.com/thanks-for-using-otrs.html';

    # This is example configuration to auth. agents against a radius server.
    # $Self->{'AuthModule'} = 'Kernel::System::Auth::Radius';
    # $Self->{'AuthModule::Radius::Host'} = 'radiushost';
    # $Self->{'AuthModule::Radius::Password'} = 'radiussecret';

    # Die if backend can't work, e. g. can't connect to server.
    # $Self->{'AuthModule::Radius::Die'} = 1;

    # --------------------------------------------------- #
    # authentication sync settings #
    # (enable agent data sync. after succsessful #
    # authentication) #
    # --------------------------------------------------- #
    # This is an example configuration for an LDAP auth sync. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'ldap://192.168.0.38';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=xxx,dc=yyy';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'uid';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'cn=services,ou=DSA,dc=xxx,dc=yyy';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'secret';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    # $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';

    # AuthSyncModule::LDAP::UserSyncMap
    # (map if agent should create/synced from LDAP to DB after successful login)
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    # # DB -> LDAP
    UserFirstname => 'cn',
    UserLastname => 'sn',
    UserEmail => 'mail',
    };

    # In case you need to use OTRS in iso-charset, you can define this
    # by using this option (converts utf-8 data from LDAP to iso).
    $Self->{'AuthSyncModule::LDAP::Charset1'} = 'iso-8859-1';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthSyncModule::LDAP::Params1'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
    };

    # Die if backend can't work, e. g. can't connect to server.
    # $Self->{'AuthSyncModule::LDAP::Die'} = 1;

    # Attributes needed for group syncs
    # (attribute name for group value key)
    # $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
    # (attribute for type of group content UID/DN for full ldap name)
    # $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'uid';
    # $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'dn';

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    # $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    # 'users',
    # ];

    # AuthSyncModule::LDAP::UserSyncGroupsDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs groups, define the following.)
    # $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    # # ldap group
    # 'cn=agent,o=otrs' => {
    # # otrs group
    # 'admin' => {
    # permission
    # rw => 1,
    # ro => 1,
    # },
    # 'faq' => {
    # rw => 0,
    # ro => 1,
    # },
    # },
    # 'cn=agent2,o=otrs' => {
    # 'users' => {
    # rw => 1,
    # ro => 1,
    # },
    # }
    # };
    # AuthSyncModule::LDAP::UserSyncRolesDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs roles, define the following.)
    # $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    # # ldap group
    # 'cn=agent,o=otrs' => {
    # # otrs role
    # 'role1' => 1,
    # 'role2' => 0,
    # },
    # 'cn=agent2,o=otrs' => {
    # 'role3' => 1,
    # }
    # };

    # AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # attributes to otrs groups, define the following.)
    # $Self->{'AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition'} = {
    # # ldap attribute
    # 'LDAPAttribute' => {
    # # ldap attribute value
    # 'LDAPAttributeValue1' => {
    # # otrs group
    # 'admin' => {
    # # permission
    # rw => 1,
    # ro => 1,
    # },
    # 'faq' => {
    # rw => 0,
    # ro => 1,
    # },
    # },
    # },
    # 'LDAPAttribute2' => {
    # 'LDAPAttributeValue' => {
    # 'users' => {
    # rw => 1,
    # ro => 1,
    # },
    # },
    # }
    # };

    # AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # attributes to otrs roles, define the following.)
    # $Self->{'AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition'} = {
    # # ldap attribute
    # 'LDAPAttribute' => {
    # # ldap attribute value
    # 'LDAPAttributeValue1' => {
    # # otrs role
    # 'role1' => 1,
    # 'role2' => 1,
    # },
    # },
    # 'LDAPAttribute2' => {
    # 'LDAPAttributeValue1' => {
    # 'role3' => 1,
    # },
    # },
    # };

    ##############################CUSTOMER LDAP LOGIN####################################
    
    # ---------------------------------------------------- #
    # OTRS Active Directory integration Customers#
    # ---------------------------------------------------- #

    #Enable LDAP authentication for Customers / Users
      $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
      $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap://192.168.0.38';
      $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=xxx,dc=yyy';
      $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=UsersPeP,ou=Groups,dc=xxx,dc=yyy';
      $Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
     #The following is valid but would only be necessary if the
    #anonymous user do NOT have permission to read from the LDAP tree
      $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=services,ou=DSA,dc=xxx,dc=yyy';
      $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'secret';

    # ----------------------------------------------------   #
    # OTRS Active Directory integration Backed DB Customers  #
    # ----------------------------------------------------   #

        $Self->{CustomerUser} = {
            Name => 'LMH Users',
            Module => 'Kernel::System::CustomerUser::LDAP',
            Params => {
                Host => 'ldap://192.168.0.38',
                BaseDN => 'dc=xxx,dc=yyy',
                SSCOPE => 'sub',
                UserDN => 'cn=services,ou=DSA,dc=xxx,dc=yyy',
                UserPw => 'secret',
                AlwaysFilter => '',
                Params => {
                    port => 389,
                    timeout => 120,
                    async => 0,
                    version => 3,
                },
            },
            CustomerKey => 'uid',
            CustomerID => 'uid',
            CustomerUserListFields => ['cn', 'mail'],
            CustomerUserSearchFields => ['uid', 'cn', 'mail'],
            CustomerUserSearchListLimit => 250,
            CustomerUserPostMasterSearchFields => ['mail'],
            CustomerUserNameFields => ['cn', 'sn'],
            CustomerUserExcludePrimaryCustomerID => 0,
            AdminSetPreferences => 0,
            Map => [
               [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
                [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
                [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
                [ 'UserLogin',      'Username',   'sAMAccountName',             1, 1, 'var', '', 0 ],
                [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
                [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
                [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
                [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
                [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
            ],
        };


    ##############################################
    #$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=UsersPeP,ou=Groups,dc=xxx,dc=yyy';

}
# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.25 $)[1];

use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

# -----------------------------------------------------#

1;

Thanks. Regards

[Amukinado]

Huummm...sorry to up it this way... Any kind of help, please?

Regards

[crythias]

Your topic has been split as you appended to a 3 year old topic.

Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator.

means what it says. There's more contextual information for this error that can be helpful to troubleshooting, as it includes the information that it tried to look up in your backend.

[dantheman972]

I'm having the same issue, the problem is obviously that OTRS is using LDAP for authentication but not syncing/mapping the user into OTRS' DB on first log in. I've seen in documentation for previous versions a way to do this but not in the current documentation.

Basically if one were to want a customer's profile to be created upon first log on from the info in AD, what would be required?

ninja edit: Using OTRS 3.2.2 here

[crythias]

the problem is obviously that OTRS is using LDAP for authentication but not syncing/mapping the user into OTRS' DB on first log in

Dan, your problem is not identical to Amukinado, because you are attempting to use OTRS DB for CustomerUser and the OP is trying to use LDAP for CustomerUser.

(There is no customer sync between otrsdb and ldap. There doesn't need to be, either.)
viewtopic.php?f=60&t=16543

[dantheman972]

Basically, I want it to be where any user in our AD can log on to OTRS without us setting up a profile for them manually. My conf file seems to be identical to the one in the post you linked but I am stuck at "No such user!" Could you point me to what I need to configure in order to do that?

customer auth section from my config:

Code: Select all

	# This is an example configuration for an LDAP auth. backend.
	# (make sure Net::LDAP is installed!)
	$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
	$Self->{'Customer::AuthModule::LDAP::Host'} = 'XXXXXXX.corp';
	$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=People,dc=bnd,dc=corp';
	$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

	# Check if the user is allowed to auth in a posixGroup
	# (e. g. user needs to be in a group xyz to use otrs)
	#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
	#$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
	# for ldap posixGroups objectclass (just uid)
	$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
	# for non ldap posixGroups objectclass (full user dn)
	#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

	# The following is valid but would only be necessary if the
	# anonymous user does NOT have permission to read from the LDAP tree
	$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=XXXXXXX,CN=Users,DC=bnd,DC=corp';
	$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'XXXXXX';

	# in case you want to add always one filter to each ldap query, use
	# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
	$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

	# in case you want to add a suffix to each customer login name, then
	# you can use this option. e. g. user just want to use user but
	# in your ldap directory exists user@domain.
	#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

	# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
	$Self->{'Customer::AuthModule::LDAP::Params'} = {
		port => 389,
		timeout => 120,
		async => 0,
		version => 3,
	};

[crythias]

Basically, I want it to be where any user in our AD can log on to OTRS without us setting up a profile for them manually.

I gather as much.

My conf file seems to be identical to the one in the post you linked

Then why are you only showing me the authentication?

[dantheman972]

...

[crythias]

Read the linked post again.

There are two parts for both users and customers: authentication and demographics.

One proves who you are. The other retrieves information it has about the person who has just verified himself.
They can be from the same or different sources.
Once you've provided authentication, the next step is to obtain everything about that person. By default, this is in the OTRS database. But if you haven't created that person in your database, you have two options:
create the person in the database
or
look up information in a different data source.

Since it's likely you have the information you seek in Active Directory, first you authenticate, then you (might) query it again for the demographic information.
(How?)
Read the post.
(There isn't any information on how to do that in the post)
Right, but there are links to the documentation that provides the steps to do this.