[SOLVED]Multiple Customer user backends

[Daver]

Hi all,

the problem is as follows: I have edited the config.pm to allow customer users to be identified via LDAP and the local DB. Authentication in the customer interface with LDAP is working fine. But i can't log on with the users that I created in the local DB anymore. What causes confusion on my side is that when I log on in the admin Interface and take a look at the customer user management, I can see both, LDAP and DB users (check the attachment please). Which, if I get it right, means that OTRS recognizes and successfully shows the users from LDAP and the DB but doesn't allow users that are stored in the DB to log on from customer interface.
When i look in the Systemlog i can see that OTRS is only trying to check the LDAP but not the DB.

Much thanks in advance,

daver

Config.pm customer setting, note that LDAP authentication is working successfully, but the DB not:

Code: Select all

 ## start authentication settings for customers ##

$Self->{CustomerUser1} = {
    Name => 'Database Datasource',
    Module => 'Kernel::System::CustomerUser::DB',
    Params => {
            Table => 'customer_user',
            CaseSensitive => 0,
        },
CustomerKey => 'login',
CustomerID => 'customer_id',
CustomerValid => 'valid_id',
    CustomerUserListFields => ['first_name', 'last_name', 'email'],
    CustomerUserSearchFields => ['login', 'last_name', 'customer_id'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['email'],
    CustomerUserNameFields => ['title','first_name','last_name'],
    CustomerUserEmailUniqCheck => 1,
    Map => [
        [ 'UserFirstname',  'Firstname',  'first_name', 1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'last_name',  1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'login',      1, 1, 'var', '', 0 ],
        [ 'UserPassword',   'Password',   'pw',         0, 0, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'email',      1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'customer_id', 0, 1, 'var', '', 0 ],
        [ 'UserComment',      'Comment',     'comments',     1, 0, 'var', '', 0 ],
        [ 'ValidID',          'Valid',       'valid_id',     0, 1, 'int', '', 0 ],
    ],
};


# Customer LDAP data backend.
$Self->{CustomerUser2} = {
    # Just the display name in OTRS.
    Name => 'LDAP - Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host => '',
        BaseDN => '',
        # Search Scope.
        SSCOPE => 'sub',
        # LDAP Bind credentials.
        UserDN => '',
        UserPw => '',
       # SourceCharset => 'utf-8',
       # DestCharset => 'utf-8',
        # We only need to see users, not computers, and no disabled users either.
#        AlwaysFilter => '(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    },
    CustomerKey => 'uid',
    CustomerID => 'mail',
 # Show fields when searching customers in the admin interface.
    CustomerUserListFields => ['uid', 'cn', 'mail'],
#    CustomerUserListFields => ['cn', 'mail'],
    # Search in these fields in LDAP.
    CustomerUserSearchFields => ['uid', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
#    CustomerUserSearchListLimit => '1000',
    Map => [
        # N
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'uid', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
        [ 'UserCustomerIDs', 'CustomerIDs', 'customer_ids', 1, 0, 'var'],
        [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
};

That's the only thing that is shown at the systemlog, it seems that the DB backend is not even recognized:

Code: Select all

CustomerUser: Test authentication failed, no LDAP entry found!BaseDN='ou= ,ou= ,o= ', Filter='(uid=Test)', (REMOTE_ADDR:           ).

What the Apache error.log is showing:

Code: Select all

Traceback (1249):
   Module: Kernel::System::CustomerUser::LDAP::CustomerSearch (OTRS 3.3.9) Line: 379
   Module: Kernel::System::CustomerUser::CustomerSearch (OTRS 3.3.9) Line: 205
   Module: Kernel::Modules::AdminCustomerUser::_Overview (OTRS 3.3.9) Line: 671
   Module: Kernel::Modules::AdminCustomerUser::Run (OTRS 3.3.9) Line: 608
   Module: Kernel::System::Web::InterfaceAgent::Run (OTRS 3.3.9) Line: 871
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler (unknown version) Line: 41
   Module: (eval) (v1.99) Line: 206
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 206
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 172
   Module: ModPerl::Registry::handler (v1.99) Line: 31

[wurzel]

Hi,

you need to configure a Auth Backend for the users (local and LDAP) too.
Not only the datasources.

Florian

[Daver]

It's allerady configured for customers to, here's my full Config.pm .
The login at the agent interface is working fine for both, LDAP and the OTRS DB.
At the Customer interface only LDAP is working, but im getting no errors that are refering to the DB backend and why it's not working. Please take a look at the error logs i posted above.
Or am i missing a piece of code to make the DB Backend work?

Thanks for your help

Code: Select all

# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2013 xxx, http://otrs.org/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
#  Note:
#
#  -->> Most OTRS configuration should be done via the OTRS web interface
#       and the SysConfig. Only for some configuration, such as database
#       credentials and customer data source changes, you should edit this
#       file. For changes do customer data sources you can copy the definitions
#       from Kernel/Config/Defaults.pm and paste them in this file.
#       Config.pm will not be overwritten when updating OTRS.
# --

package Kernel::Config;

#use strict;
use warnings;
use utf8;

BEGIN {
        if (-f '/etc/otrs/database.pm') {
                require '/etc/otrs/database.pm';
                if ($dbtype eq 'pgsql') {
                        $dbport ||= '5432';
                        our $dsn = "DBI:Pg:dbname";
                }
                else {
                        $dbport ||= '3306';
                        our $dsn = "DBI:mysql:database";
                }
        }
}

sub Load {
    my $Self = shift;

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # The database host
    $Self->{DatabaseHost} = $dbserver || '127.0.0.1';

    # The database name
    $Self->{Database} = $dbname || 'otrs';
   # The database user
    $Self->{DatabaseUser} = $dbuser || 'otrs';

    # The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords
    $Self->{DatabasePw} = $dbpass || 'some-pass';

    # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
    $Self->{DatabaseDSN} = "$dsn=$Self->{Database};host=$Self->{DatabaseHost};port=$dbport;";

    # The database DSN for PostgreSQL ==> more: "perldoc DBD::Pg"
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a TCP/IP connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
    # if you have PostgresSQL 8.1 or earlier, activate the legacy driver with this line:
#    $Self->{DatabasePostgresqlBefore82} = 1;

    # The database DSN for Microsoft SQL Server - only supported if OTRS is
    # installed on Windows as well
#    $Self->{DatabaseDSN} = "DBI:ODBC:driver={SQL Server};Database=$Self->{Database};Server=$Self->{DatabaseHost},1433";

    # The database DSN for Oracle ==> more: "perldoc DBD::oracle"
#    $ENV{ORACLE_HOME} = '/u01/app/oracle/product/10.2.0/client_1';
#    $ENV{NLS_DATE_FORMAT} = 'YYYY-MM-DD HH24:MI:SS';
#    $ENV{NLS_LANG} = "american_america.utf8";

#    $Self->{DatabaseDSN} = "DBI:Oracle:sid=OTRS;host=$Self->{DatabaseHost};port=1522;";

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # -----------------------------------------------------#




    # --------------------------------------------------- #
    # authentication sync settings                        #
    # (enable agent data sync. after succsessful          #
    # authentication)                                     #
    # --------------------------------------------------- #
                          

  ## start authentication settings for Agents ##

# First Backend    
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
   $Self->{'AuthModule::LDAP::Host'} = ' ';
    $Self->{'AuthModule::LDAP::BaseDN'} = '';
    $Self->{'AuthModule::LDAP::UID'} = 'uid';
    $Self->{'AuthModule::LDAP::GroupDN'} = '';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = '';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = '';
#    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
#    $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };
# Seventh Backend
    $Self->{'AuthModule6'} = 'Kernel::System::Auth::LDAP';

    $Self->{'AuthModule::LDAP::Host6'} = '';
    $Self->{'AuthModule::LDAP::BaseDN6'} = '';
    $Self->{'AuthModule::LDAP::UID6'} = 'uid';
    $Self->{'AuthModule::LDAP::GroupDN6'} = '';
    $Self->{'AuthModule::LDAP::AccessAttr6'} = 'member';
    $Self->{'AuthModule::LDAP::SearchUserDN6'} = '';
    $Self->{'AuthModule::LDAP::SearchUserPw6'} = '';
#   $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
#    $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';
    $Self->{'AuthModule::LDAP::Params6'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
   };


# Second Backend
    $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = '';
    $Self->{'AuthModule::LDAP::BaseDN1'} = '';
    $Self->{'AuthModule::LDAP::UID1'} = 'uid';
    $Self->{'AuthModule::LDAP::GroupDN1'} = '';
    $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = '';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = '';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
    $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';
    $Self->{'AuthModule::LDAP::Params1'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

# Third Backend
    $Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host2'} = '';
    $Self->{'AuthModule::LDAP::BaseDN2'} = '';
    $Self->{'AuthModule::LDAP::UID2'} = 'uid';
    $Self->{'AuthModule::LDAP::GroupDN2'} = '';
    $Self->{'AuthModule::LDAP::AccessAttr2'} = 'member';
    $Self->{'AuthModule::LDAP::SearchUserDN2'} = '';
    $Self->{'AuthModule::LDAP::SearchUserPw2'} = '';
#    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
#    $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';
    $Self->{'AuthModule::LDAP::Params2'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

# Fourth Backend
    $Self->{'AuthModule3'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host3'} = '10.1.16.29';
    $Self->{'AuthModule::LDAP::BaseDN3'} = '';
    $Self->{'AuthModule::LDAP::UID3'} = 'uid';
    $Self->{'AuthModule::LDAP::GroupDN3'} = '';
    $Self->{'AuthModule::LDAP::AccessAttr3'} = 'member';
    $Self->{'AuthModule::LDAP::SearchUserDN3'} = '';
    $Self->{'AuthModule::LDAP::SearchUserPw3'} = '';
#    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
#    $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';
    $Self->{'AuthModule::LDAP::Params3'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

#  Fith Backend
    $Self->{'AuthModule4'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host4'} = '';
    $Self->{'AuthModule::LDAP::BaseDN4'} = '';
    $Self->{'AuthModule::LDAP::UID4'} = 'uid';
    $Self->{'AuthModule::LDAP::GroupDN4'} = ';
    $Self->{'AuthModule::LDAP::AccessAttr4'} = 'member';
   $Self->{'AuthModule::LDAP::SearchUserDN4'} = '';
    $Self->{'AuthModule::LDAP::SearchUserPw4'} = '';
#    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
#    $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';
    $Self->{'AuthModule::LDAP::Params4'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

# Eigth Backend
    $Self->{'AuthModule7'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host7'} = '';
    $Self->{'AuthModule::LDAP::BaseDN7'} = '';
    $Self->{'AuthModule::LDAP::UID7'} = 'uid';
    $Self->{'AuthModule::LDAP::GroupDN7'} = '';
    $Self->{'AuthModule::LDAP::AccessAttr7'} = 'member';
    $Self->{'AuthModule::LDAP::SearchUserDN7'} = '';
    $Self->{'AuthModule::LDAP::SearchUserPw7'} = '';
#    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
#    $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';
    $Self->{'AuthModule::LDAP::Params7'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };


# Enable LDAP Authentication Sync for Agents
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = '';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = '';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = '';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '';
    # Enable Agent Mapping from LDAP to DB #
        $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
   ];

    # Sixth Backend, internal OTRS DB
    $Self->{'AuthModule5'} = 'Kernel::System::Auth::DB';
    $Self->{'AuthModule::DB::CryptType5'} = 'crypt';

                                  ## end authentication settings for agents  ##


 ## start authentication settings for customers ##

$Self->{CustomerUser1} = {
    Name => 'Database Datasource',
    Module => 'Kernel::System::CustomerUser::DB',
    Params => {
            Table => 'customer_user',
            CaseSensitive => 0,
        },
CustomerKey => 'login',
CustomerID => 'customer_id',
CustomerValid => 'valid_id',
    CustomerUserListFields => ['first_name', 'last_name', 'email'],
    CustomerUserSearchFields => ['login', 'last_name', 'customer_id'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['email'],
    CustomerUserNameFields => ['title','first_name','last_name'],
    CustomerUserEmailUniqCheck => 1,
    Map => [
        [ 'UserFirstname',  'Firstname',  'first_name', 1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'last_name',  1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'login',      1, 1, 'var', '', 0 ],
        [ 'UserPassword',   'Password',   'pw',         0, 0, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'email',      1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'customer_id', 0, 1, 'var', '', 0 ],
        [ 'UserComment',      'Comment',     'comments',     1, 0, 'var', '', 0 ],
        [ 'ValidID',          'Valid',       'valid_id',     0, 1, 'int', '', 0 ],
    ],
};


# Customer LDAP data backend.
$Self->{CustomerUser2} = {
    # Just the display name in OTRS.
    Name => 'LDAP - Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host => '',
        BaseDN => '',
        # Search Scope.
        SSCOPE => 'sub',
        # LDAP Bind credentials.
        UserDN => '',
        UserPw => '',
       # SourceCharset => 'utf-8',
       # DestCharset => 'utf-8',
        # We only need to see users, not computers, and no disabled users either.
#        AlwaysFilter => '(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    },
    CustomerKey => 'uid',
    CustomerID => 'mail',
 # Show fields when searching customers in the admin interface.
    CustomerUserListFields => ['uid', 'cn', 'mail'],
#    CustomerUserListFields => ['cn', 'mail'],
    # Search in these fields in LDAP.
    CustomerUserSearchFields => ['uid', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
#    CustomerUserSearchListLimit => '1000',
    Map => [
        # N
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'uid', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
        [ 'UserCustomerIDs', 'CustomerIDs', 'customer_ids', 1, 0, 'var'],
        [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
};


 ## end authentication for customers ##

 # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #
    # switch off the web based installer for the Debian package
    $Self->{SecureMode} = 1;

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    # end of your own config options!!!                    #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
 }

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #

use base qw(Kernel::Config::Defaults);

# -----------------------------------------------------#

1;

[crythias]

I don't see any Customer authentication at all. Just Customer *information*. authentication sources in your Config.pm apply to agents.

[Daver]

Ok, now I get It. If I add the following I should be fine.
Thanks for showing me.

Code: Select all

# This is the auth. module againt the otrs db
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::DB';
$Self->{'Customer::AuthModule::DB::Table'} = 'customer_user';
$Self->{'Customer::AuthModule::DB::CustomerKey'} = 'login';
$Self->{'Customer::AuthModule::DB::CustomerPassword'} = 'pw';
#$Self->{'Customer::AuthModule::DB::DSN'} = "DBI:mysql:database=customerdb;host=customerdbhost";
#$Self->{'Customer::AuthModule::DB::User'} = "some_user";
#$Self->{'Customer::AuthModule::DB::Password'} = "some_password";

Code: Select all

# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.example.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};

[crythias]

don't forget to index (append 1, 2, etc) for additional backends.