OTRS Sync with AD Users

Moderator: crythias

TarekGamgoum
Znuny newbie
Posts: 4
Joined: 24 May 2016, 13:52
Znuny Version: 5.0.10
Real Name: Tarek Gamgoum

OTRS Sync with AD Users

Post by TarekGamgoum »

Hello
First of all, I'm not a Linux professional, but I'm doing as well as I can.
Well, I installed OTRS on CentOS 7 and it worked fine, and that's the good news.
The problem is that I can't sync with my Active Directory users.
I tried both RADIUS and LDAP sync, but unfortunately in vain.
Here is what I have done:

First I ran these 2 commands in the terminal:
cpan install Net::LDAP
cpan install Authen::Radius
to try both, and the modules installed successfully without errors.

Then I added the following lines to the Config.pm file:
# This is an example configuration for using an MS AD backend
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'computer name of my domain.my domain.net';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=my domain,dc=net';
$Self->{'AuthModule::LDAP::UID'} = 'SamAccountName for my domain which is the domain’s CN follows by $';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=my user name,OU=the ou where I’m located ,DC=domain,DC=net';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'my Password';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'OTRS Server name.my domain.net';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=my domain, dc=net';
$Self->{'AuthSyncModule::LDAP::UID'} = 'SamAccountname of my OTRS server name';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=my user name,OU=the ou where I’m located ,DC=domain,DC=net';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'my password';

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'my first name',
    UserLastname  => 'my last name',
    UserEmail     => 'my email',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];


But it didn't work.
Then I replaced these lines with the lines below to try RADIUS authentication:

# This is an example configuration to authenticate customers against a RADIUS server
$Self->{'Customer::AuthModule'} = 'Kernel::System::Auth::Radius';
$Self->{'Customer::AuthModule::Radius::Host'} = 'OTRS Server name.my domain.net';
$Self->{'Customer::AuthModule::Radius::Password'} = 'OTRS Server admin password';

But I still can't log in with any AD user credentials. Also, when I try to log in with the local user that I created in OTRS locally, it gives a wrong credentials error, and it logs in with that user when I remove the lines.

Also, I need to know how to find the error log for OTRS to try to figure out the error.

So, can anyone help please?
Giulio Soleni
Znuny wizard
Posts: 392
Joined: 30 Dec 2010, 14:35
Znuny Version: 6.0.x and 5.0.x
Real Name: Giulio Soleni
Company: IKS srl

Re: OTRS Sync with AD Users

Post by Giulio Soleni »

I found some possible mistakes in your configuration...
First of all, AuthModule and AuthSyncModule are the default auth and sync modules used by the OTRS DB in Defaults.pm.
Unless you would like to substitute the default auth and sync with LDAP,
it is necessary to set different modules, with a numeric suffix: 'AuthModule1', 'AuthModule::LDAP::BaseDN1' and so on...

Also, you should define a group in your AD and put within that group all the users that you would like to authenticate in OTRS.

With the above preconditions, try the following:


$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'yourDomainController.yourDomain.net';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=yourDomain,dc=net';
# Here you should specify exactly the string 'sAMAccountName': that is the attribute used for the authorization
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
# Add these...
$Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=OTRS_Agents,OU=OneOfYourOUs,DC=yourDomain,DC=net';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=my user name,OU=the ou where I’m located ,DC=yourDomain,DC=net';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'my Password';

# set the following to 1 in case you want to normalize each login name to lowercase (0 leaves the login unchanged)
$Self->{'AuthModule::LDAP::UserLowerCase1'} = 0;

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params1'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# I added also the following...
$Self->{'AuthModule::LDAP::Die1'} = 1;

# Now sync data with OTRS DB
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
# MIND that here you should again specify your domain controller, not the OTRS server...
$Self->{'AuthSyncModule::LDAP::Host1'} = 'yourDomainController.yourDomain.net';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=yourDomain,dc=net';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=my user name,OU=the ou where I’m located ,DC=yourDomain,DC=net';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'my password';

$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    # DB -> LDAP ... the following values map the actual values from the related fields in AD,
    # therefore you should not specify your credentials, but exactly the attribute names that have a match in AD
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
    'users',
];

Once you have done the configuration, you should also restart the daemon and trigger a rebuild. I suggest the following stop and start procedure:

###STOP

root# service httpd stop
root# service crond stop

root# su - otrs
otrs> /opt/otrs/bin/otrs.Daemon.pl stop
otrs> /opt/otrs/bin/otrs.Console.pl Maint::Config::Rebuild
otrs> /opt/otrs/bin/otrs.Console.pl Maint::Cache::Delete
otrs> /opt/otrs/bin/otrs.Console.pl Maint::Session::DeleteAll

otrs> /opt/otrs/bin/otrs.Console.pl Maint::Loader::CacheCleanup
otrs> /opt/otrs/bin/otrs.Console.pl Maint::Loader::CacheGenerate

otrs> exit
root# /opt/otrs/bin/otrs.SetPermissions.pl --otrs-user=otrs --web-group=apache /opt/otrs
root# service crond stop
root# service httpd stop

###START

root# service httpd start
root# service crond start
root# su - otrs
otrs> /opt/otrs/bin/otrs.Daemon.pl start

Hope this helps
Giulio
OTRS 6.0.x on CentOS 7.x with MariaDB 10.2.x database connected to an Active Directory for Agents and Customers.
ITSM and FAQ modules installed.
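As an added illustration (not from this thread and not OTRS code): since Config.pm is plain Perl, a snippet of it can be loaded into an empty $Self and checked for the mistakes Giulio points out above before the daemon is restarted. The snippet in the heredoc is constructed to mirror the first post's attempt, with placeholder names (dc01.example.net, otrs.example.net, EXAMPLE$); the list of accepted AD attribute names and the checks themselves are my assumptions, not anything OTRS ships.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from OTRS): load a Config.pm-style agent
# LDAP snippet and flag the mistakes discussed in the reply above before
# touching the live system. The heredoc is a constructed stand-in for the first
# post's settings; paste your own lines in its place to check them.
use strict;
use warnings;

my $snippet = <<'END_CONFIG';
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'dc01.example.net';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example,dc=net';
$Self->{'AuthModule::LDAP::UID'} = 'EXAMPLE$';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'otrs.example.net';
$Self->{'AuthSyncModule::LDAP::UID'} = 'OTRS$';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    UserFirstname => 'Tarek',
    UserLastname  => 'Gamgoum',
    UserEmail     => 'tarek@example.net',
};
END_CONFIG

# Evaluate the snippet the way OTRS would: plain Perl assigning into $Self.
# Only feed this script configuration you wrote yourself, since it is executed.
my $Self = {};
eval $snippet;
die "Snippet is not valid Perl: $@" if $@;

my @findings;

# 1. Unsuffixed keys replace the built-in DB backend from Defaults.pm;
#    the reply above recommends AuthModule1 / AuthSyncModule1 instead.
for my $base (qw(AuthModule AuthSyncModule)) {
    push @findings, "'$base' overrides the default DB backend; use '${base}1' (and the matching ...1 keys)"
        if defined $Self->{$base} && $Self->{$base} =~ /LDAP/;
}

# 2. Auth and sync module must both point at the domain controller.
for my $suffix ( '', 1 .. 9 ) {
    my $auth = $Self->{"AuthModule::LDAP::Host$suffix"};
    my $sync = $Self->{"AuthSyncModule::LDAP::Host$suffix"};
    next unless defined $auth && defined $sync;
    push @findings, "AuthSyncModule host '$sync' differs from AuthModule host '$auth' (both should be the domain controller)"
        if lc $auth ne lc $sync;
}

# 3. UID must be the AD attribute name, not a value taken from it.
for my $key ( grep { /::LDAP::UID\d*$/ } keys %$Self ) {
    push @findings, "$key is '$Self->{$key}'; for AD this should be the attribute name 'sAMAccountName'"
        if lc $Self->{$key} ne 'samaccountname';
}

# 4. Sync map values must be AD attribute names, not a person's data.
#    (assumed list of common attributes; extend it for your schema)
my %ad_attr = map { lc $_ => 1 } qw(givenName sn mail displayName cn userPrincipalName telephoneNumber mobile);
for my $key ( grep { /::LDAP::UserSyncMap\d*$/ } keys %$Self ) {
    my $map = $Self->{$key};
    for my $field ( sort keys %$map ) {
        push @findings, "$key: $field => '$map->{$field}' is not an AD attribute name (expected e.g. givenName, sn, mail)"
            unless $ad_attr{ lc $map->{$field} };
    }
}

# 5. Without GroupDN every AD account that can bind becomes an agent.
push @findings, "No AuthModule::LDAP::GroupDN* set: agent access is not restricted to an AD group"
    unless grep { /^AuthModule::LDAP::GroupDN\d*$/ } keys %$Self;

my $report = @findings ? join( "\n", map { "- $_" } @findings ) . "\n" : "No findings.\n";
print $report;
exit( @findings ? 1 : 0 );
```

Run it as `perl check_otrs_ldap.pl` (the file name is your choice); with the constructed snippet it reports every one of the five problems, and a clean snippet prints "No findings." and exits 0, which makes it usable as a pre-restart gate in a deployment script.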
TarekGamgoum
Znuny newbie
Posts: 4
Joined: 24 May 2016, 13:52
Znuny Version: 5.0.10
Real Name: Tarek Gamgoum

Re: OTRS Sync with AD Users

Post by TarekGamgoum »

Hi Giulio,

Thanks a lot for your support and time.
I tried your modification, but unfortunately the same thing happens.

I want to make sure of something:

$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

What should be written in these fields (member & DN)? Should I leave them as they are?

Also, do you have any other suggestions?
Giulio Soleni
Znuny wizard
Posts: 392
Joined: 30 Dec 2010, 14:35
Znuny Version: 6.0.x and 5.0.x
Real Name: Giulio Soleni
Company: IKS srl

Re: OTRS Sync with AD Users

Post by Giulio Soleni »

Hello Tarek,
I can confirm that
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
should be left as they are...
To tell the truth, I have only a doubt about
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=yourDomain,dc=net';
which maybe is better specified with uppercase "DC"... that is:
$Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=yourDomain,DC=net';
...however, I am not sure that this configuration is case sensitive.

But reading your first post again, I have a more important question...
In the end you said you attempted a configuration with a RADIUS server for customer users, while all the configuration that you posted before (and that I suggested) is valid for agent users only... that is, those users that authenticate themselves on the http://your.otrs.server/otrs/index.pl portal.

The LDAP configuration of customer users (those users that authenticate themselves on the http://your.otrs.server/otrs/customer.pl portal) is similar but completely distinct and needs to be specified in a different section of the Config.pm file.
So please, what kind of users are you trying to configure? Agents? Customers? Both?
OTRS 6.0.x on CentOS 7.x with MariaDB 10.2.x database connected to an Active Directory for Agents and Customers.
ITSM and FAQ modules installed.
TarekGamgoum
Znuny newbie
Posts: 4
Joined: 24 May 2016, 13:52
Znuny Version: 5.0.10
Real Name: Tarek Gamgoum

Re: OTRS Sync with AD Users

Post by TarekGamgoum »

Hello Giulio,

For accessattr & userattr, I wrote them as they are, and DC is capital.
As for what I need, well, in fact I need both, but customers are more important for me, as I may create the agents manually (not too many agents).
But actually I was trying to access customers through the agents portal :? ... now I know the right one.
Also, I wrote the RADIUS lines in the same place as the LDAP lines, and I'm not even sure about the host and password in these lines.
When I write my domain or my RADIUS server name as host and the local admin password as password, it gives the same error:

"
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.
"
Giulio Soleni
Znuny wizard
Posts: 392
Joined: 30 Dec 2010, 14:35
Znuny Version: 6.0.x and 5.0.x
Real Name: Giulio Soleni
Company: IKS srl

Re: OTRS Sync with AD Users

Post by Giulio Soleni »

Hello,
this is an example that I hope may fit your needs for the configuration of customer authentication via Active Directory.
You may specify it within the Config.pm file as well, right after the configuration done for agents.

As for the agents, also for the customers the configuration for the database backend (the default one) needs to be separated from the configuration of the Active Directory backend.
Moreover, the customer user authentication is needed for Active Directory but should not be specified for the internal database; therefore, you will have only one "MS ActiveDirectory CUSTOMERS AUTH" section and not any "Internal Database CUSTOMERS AUTH" section.

I personally make use of CustomerCompanySupport, so I decided to enable it for both the MS ActiveDirectory and Internal DB configuration sections.
You may decide to set it to 0... my suggestion is to set it the same for both the MS ActiveDirectory and Internal DB configuration sections.
Also, the maps can be customized to best fit your needs...


#
# CUSTOMERS CONFIGURATION
#------------------------------------------
# MS ActiveDirectory CUSTOMERS AUTH
# N.B. Customer::AuthModule is the default auth (used by OTRS DB in Defaults.pm);
# unless you would like to substitute the default auth with the LDAP
# it is necessary to set a different module: Customer::AuthModule1
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'yourDomainController.yourDomain.net';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'DC=yourDomain,DC=net';
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
# The following AD group can be the same used for Agents or another one
$Self->{'Customer::AuthModule::LDAP::GroupDN1'} = 'CN=OTRS_Customers,OU=OneOfYourOUs,DC=yourDomain,DC=net';
$Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'CN=my user name,OU=the ou where I’m located ,DC=yourDomain,DC=net';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'my password';

# The following part is specified for Internal Database CUSTOMERS BACKEND
# please note that you should reference this section as $Self->{CustomerUser} without any numeric suffix
$Self->{CustomerUser} = {
    Name   => 'Database Backend',
    Module => 'Kernel::System::CustomerUser::DB',
    Params => {
        Table => 'customer_user',
        # CaseSensitive will control if the SQL statements need LOWER()
        #   function calls to work case insensitively. Setting this to
        #   1 will improve performance dramatically on large databases.
        CaseSensitive => 0,
    },
    # customer unique id
    CustomerKey => 'login',

    CustomerID             => 'customer_id',
    CustomerValid          => 'valid_id',
    CustomerUserListFields => [ 'first_name', 'last_name', 'email' ],

    CustomerUserSearchFields           => [ 'login', 'first_name', 'last_name', 'customer_id', 'phone', 'mobile' ],
    CustomerUserSearchPrefix           => '*',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => ['email'],
    CustomerUserNameFields             => [ 'title', 'first_name', 'last_name' ],
    CustomerUserEmailUniqCheck         => 1,

    # Set the following to 1 if you do not want to show customer's own tickets in CompanyTickets panel
    CustomerUserExcludePrimaryCustomerID => 1,
    # Set the following to 1 to enable customer company support (reference to company, See CustomerCompany settings)
    CustomerCompanySupport => 1,

    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly, http-link-target
        [ 'UserTitle',      'Title',      'title',       1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'first_name',  1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'last_name',   1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'login',       1, 1, 'var', '', 0 ],
        [ 'UserPassword',   'Password',   'pw',          0, 0, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'email',       1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'customer_id', 0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'phone',       1, 0, 'var', '', 0 ],
        [ 'UserFax',        'Fax',        'fax',         1, 0, 'var', '', 0 ],
        [ 'UserMobile',     'Mobile',     'mobile',      1, 0, 'var', '', 0 ],
        [ 'UserStreet',     'Street',     'street',      1, 0, 'var', '', 0 ],
        [ 'UserZip',        'Zip',        'zip',         1, 0, 'var', '', 0 ],
        [ 'UserCity',       'City',       'city',        1, 0, 'var', '', 0 ],
        [ 'UserCountry',    'Country',    'country',     1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'comments',    1, 0, 'var', '', 0 ],
        [ 'ValidID',        'Valid',      'valid_id',    0, 1, 'int', '', 0 ],
    ],

    # default selections
    Selections => {
#        UserTitle => {
#            'Mr.'  => 'Mr.',
#            'Mrs.' => 'Mrs.',
#        },
    },
};

# The following part is specified for MS ActiveDirectory CUSTOMERS BACKEND
# N.B. CustomerUser is the default backend (used by OTRS DB in Defaults.pm);
# unless you would like to substitute the default backend with the LDAP
# it is necessary to set a different module: CustomerUser1
$Self->{CustomerUser1} = {
    Name   => 'ActiveDirectory Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'yourDomainController.yourDomain.net',
        BaseDN => 'DC=yourDomain,DC=net',
        SSCOPE => 'sub',
        # the following is the same as $Self->{'Customer::AuthModule::LDAP::SearchUserDN1'}
        UserDN => 'CN=my user name,OU=the ou where I’m located ,DC=yourDomain,DC=net',
        UserPw => 'my password',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '(memberOf=CN=OTRS_Customers,OU=OneOfYourOUs,DC=yourDomain,DC=net)',
        #AlwaysFilter => '',
        # if both your frontend and your LDAP are unicode, use this:
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
        Params => {
            port    => 389,
            timeout => 120,
            async   => 0,
            version => 3,
        },
    },
    # just a read only source
    ReadOnly    => 1,
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields   => [ 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserSearchFields => [ 'sAMAccountName', 'cn', 'mail', 'telephonenumber', 'mobile' ],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    # Set the following to 1 to enable customer company support (reference to company, See CustomerCompany settings)
    CustomerCompanySupport => 1,
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => [ 'givenname', 'sn' ],
    # Set the following to 1 if you do not want to show customer's own tickets in CompanyTickets panel
    CustomerUserExcludePrimaryCustomerID => 1,
    # add an ldap filter for valid users (expert setting)
#   CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
    # cache time to live in sec. - cache any database queries
    CacheTTL => 120,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserTitle',      'Title',      'title',                      1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',                  1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',                         1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',             1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',                       1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'company',                    0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber',            1, 0, 'var', '', 0 ],
        [ 'UserFax',        'Fax',        'facsimileTelephoneNumber',   1, 0, 'var', '', 0 ],
        [ 'UserMobile',     'Mobile',     'mobile',                     1, 0, 'var', '', 0 ],
        [ 'UserStreet',     'Street',     'streetAddress',              1, 0, 'var', '', 0 ],
        [ 'UserZip',        'Zip',        'postalCode',                 1, 0, 'var', '', 0 ],
        [ 'UserCity',       'City',       'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
        [ 'UserCountry',    'Country',    'co',                         1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',              1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',                1, 0, 'var', '', 0 ],
    ],
};
I hope I did not make any typos :P

Remember to rebuild the configuration after you apply the changes.

P.S. I haven't used the RADIUS configuration in a production environment so far, and I have only checked it on some test systems, so I do not think I could give really sound suggestions/advice on that part.

HTH
Giulio
OTRS 6.0.x on CentOS 7.x with MariaDB 10.2.x database connected to an Active Directory for Agents and Customers.
ITSM and FAQ modules installed.
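To find out where a failing login actually breaks, here is an added Perl diagnostic (not from this thread and not OTRS code) that replays, with the Net::LDAP module installed in the first post, the steps the agent auth module from the earlier reply and the customer backend above perform: bind as the search user, look up the login by sAMAccountName under BaseDN, check the user's DN against the group's member attribute (GroupDN1 / AccessAttr1 / UserAttr1), read the UserSyncMap attributes, and run the customer backend's AlwaysFilter. The hostname, DNs and password in %cfg are placeholders for your own values, the script name and the output labels are my choice, and it needs a reachable domain controller.

```perl
#!/usr/bin/perl
# Added example (not part of the thread or of OTRS): reproduce what the agent
# auth module (AuthModule::LDAP::*1) and the customer backend (CustomerUser1)
# do against Active Directory, one step at a time, so a failure can be pinned
# to the bind, the user search, the group membership or the attribute mapping.
# Every value in %cfg is a placeholder to be replaced with your own settings.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my %cfg = (
    Host         => 'yourDomainController.yourDomain.net',
    BaseDN       => 'DC=yourDomain,DC=net',
    SearchUserDN => 'CN=my user name,OU=my OU,DC=yourDomain,DC=net',
    SearchUserPw => 'my password',
    AgentGroup   => 'CN=OTRS_Agents,OU=OneOfYourOUs,DC=yourDomain,DC=net',
    CustGroup    => 'CN=OTRS_Customers,OU=OneOfYourOUs,DC=yourDomain,DC=net',
);
my $login = shift @ARGV or die "usage: $0 <sAMAccountName>\n";

# Escape user-supplied values before placing them in a filter, so that a
# login such as "a*)(objectClass=*" cannot widen the search.
my $safe_login = escape_filter_value($login);
my $safe_group = escape_filter_value( $cfg{CustGroup} );

# Same Net::LDAP parameters as the AuthModule::LDAP::Params1 hash in the thread.
my $ldap = Net::LDAP->new( $cfg{Host}, port => 389, timeout => 120, version => 3 )
    or die "Cannot connect to $cfg{Host}: $@\n";

# Step 1: bind with the search account (SearchUserDN1 / SearchUserPw1).
my $mesg = $ldap->bind( $cfg{SearchUserDN}, password => $cfg{SearchUserPw} );
die "Bind as search user failed: " . $mesg->error . "\n" if $mesg->code;
print "[ok] bind as search user\n";

# Step 2: locate the account by the UID attribute (sAMAccountName) under BaseDN.
$mesg = $ldap->search(
    base   => $cfg{BaseDN},
    scope  => 'sub',
    filter => "(sAMAccountName=$safe_login)",
    attrs  => [qw(givenName sn mail)],
);
die "User search failed: " . $mesg->error . "\n" if $mesg->code;
my ($entry) = $mesg->entries;
die "[fail] no entry with sAMAccountName=$login below $cfg{BaseDN}\n" unless $entry;
print "[ok] user found: ", $entry->dn, "\n";

# Step 3: the group check configured by GroupDN1 / AccessAttr1 = member /
# UserAttr1 = DN: the user's DN must appear in the group's member attribute.
$mesg = $ldap->search(
    base   => $cfg{AgentGroup},
    scope  => 'base',
    filter => '(objectClass=*)',
    attrs  => ['member'],
);
die "Group lookup failed: " . $mesg->error . "\n" if $mesg->code;
my ($group) = $mesg->entries;
die "[fail] group $cfg{AgentGroup} not found\n" unless $group;
my %members = map { lc $_ => 1 } $group->get_value('member');
my $status = $members{ lc $entry->dn } ? '[ok]' : '[fail]';
print "$status membership in $cfg{AgentGroup}\n";

# Step 4: the attributes UserSyncMap1 copies into the agent record.
for my $attr (qw(givenName sn mail)) {
    my $val = $entry->get_value($attr);
    printf "%s sync attribute %s = %s\n", ( defined $val ? '[ok]  ' : '[warn]' ), $attr, $val // '(empty)';
}

# Step 5: what the customer backend sees: its AlwaysFilter (memberOf) combined
# with the login, requesting the attributes listed in its Map.
$mesg = $ldap->search(
    base   => $cfg{BaseDN},
    scope  => 'sub',
    filter => "(&(memberOf=$safe_group)(sAMAccountName=$safe_login))",
    attrs  => [qw(sAMAccountName givenname sn mail telephonenumber company)],
);
die "Customer search failed: " . $mesg->error . "\n" if $mesg->code;
printf "%s customer backend filter matches %d entr%s\n",
    ( $mesg->count ? '[ok]  ' : '[fail]' ), $mesg->count, ( $mesg->count == 1 ? 'y' : 'ies' );

$ldap->unbind;
```

Run it as `perl otrs_ldap_check.pl someLogin` as the otrs user; the first step that prints [fail] or dies is the one to fix in Config.pm or in AD. Two caveats a practitioner should keep in mind: Active Directory returns the member attribute of groups with more than 1500 members in ranges, so an empty membership result on a very large group is not conclusive, and the thread's port 389 without StartTLS or LDAPS sends the search account's password in clear text, which is worth changing (port 636, or Net::LDAP's start_tls) once the login works.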
TarekGamgoum
Znuny newbie
Posts: 4
Joined: 24 May 2016, 13:52
Znuny Version: 5.0.10
Real Name: Tarek Gamgoum

Re: OTRS Sync with AD Users

Post by TarekGamgoum »

Hello Giulio,

Sorry for replying so late.
I still have the same issue :? I don't think it's about OTRS anymore.
I tested my server and AD using a tool and it also couldn't get users from AD, but I can see groups only, so it seems to be a problem in my AD itself. I'll check it and retry your tips.
Anyway, you helped me a lot; I appreciate it.

Thank you
Tarek Gamgoum