[SOLVED] New installation and customization

Moderator: crythias

ruzzetto

[SOLVED] New installation and customization

Post by ruzzetto »

Hi All,
I'm a newbie to OTRS, but at first sight it seems to be the solution I need to migrate from an older help desk system to a new one.

A quick premise: my company is provider and customer at the same time, so this is an internal ITSM for us.

My requirements are:

- 4 lines of service offered to my end-users;
- some end-users could be agents too (for example I'm an agent for network security related issues but I'm an end-user for a service request about hardware/software purchases or travelling stuff);
- all of my end-users must be authenticated with AD credentials;
- agents belonging to a specific group/queue must not be allowed to see other requests;

I'm starting to read the admin guide and I'm wondering:
- should agents belonging to the same group (for example VMware support) be defined as a group in AD or just in OTRS?

I'm going to start to configure my OTRS!
Thanks guys!!
Last edited by ruzzetto on 03 May 2017, 16:21, edited 1 time in total.
Giulio Soleni
Znuny wizard
Posts: 392
Joined: 30 Dec 2010, 14:35
Znuny Version: 6.0.x and 5.0.x
Real Name: Giulio Soleni
Company: IKS srl

Re: New installation and customization

Post by Giulio Soleni »

Hi,
Configuration of Agents and Customers pulled from AD is done within the /opt/otrs/Kernel/Config.pm file, and you must not confuse the OTRS permissions on queues and services with the authentication provided to selected groups of users in AD.

Generally speaking you need to configure two separate sections of Config.pm for the Agent authentication and for the Customer authentication and, even if you are talking about the same set of users, I'd suggest you define two separate groups in your AD, one called e.g. "OTRS_Agents" whose members will be authenticated as OTRS Agents, and one named e.g. "OTRS_Customers" whose members will be authenticated as OTRS Customers.

That said, you need also to define a technical user in your AD to let OTRS access and browse the directory.

As a suggestion: do not replace the definition of the database OTRS internal users with the authentication of users from your AD... to keep both sources active you just have to put a number at the end of any "$Self" reference in the modules used to authenticate users and customers.
So for example you will have:

Code:

$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'yourdomaincontroller.whateverdomain.whateversuffix';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=whateverdomain,DC=whateversuffix';
[...]
and not just $Self->{'AuthModule'} and so on, which are used within the Defaults.pm (MIND NOT TO TOUCH THAT FILE) to define the database authentication modules.

Finally just a remark: you may notice that customer users taken from AD will populate your OTRS consoles as soon as you complete the configuration of the Config.pm file, while agents need to log in to the web console at least once before you will see them appear in the admin console.

Please make your tests and, should you find any trouble, post your /opt/otrs/Kernel/Config.pm file here so that the community may check the details of your configuration.

HTH
Giulio
OTRS 6.0.x on CentOS 7.x with MariaDB 10.2.x database connected to an Active Directory for Agents and Customers.
ITSM and FAQ modules installed.
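A small added check for the numbered-key convention Giulio describes (an example written for this thread, not code from OTRS or from any poster): it scans a Config.pm fragment and reports LDAP options whose numeric suffix matches no declared AuthModuleN / Customer::AuthModuleN slot, and option names OTRS does not know, which is exactly the kind of silently ignored typo that turned out to be the problem later in this thread. The config fragment is constructed, and the list of known option names is assumed from the Defaults.pm examples quoted here.

```python
import re

# Constructed Kernel/Config.pm fragment (not any poster's real file). It repeats two
# mistakes from this thread: a key without the "1" suffix and a misspelled "UserAttri".
SAMPLE_CONFIG = r"""
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'ldaps://myldap';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=my,dc=ldap';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=OTRS Agents,OU=Groups,DC=my,DC=ldap';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttri1'} = 'DN';
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'ldaps://myldap';
"""

# Option names taken from the Defaults.pm examples quoted in this thread (assumed list).
KNOWN_LDAP_OPTIONS = {
    "Host", "BaseDN", "UID", "GroupDN", "AccessAttr", "UserAttr", "SearchUserDN",
    "SearchUserPw", "AlwaysFilter", "UserSuffix", "Params", "UserLowerCase",
}

ASSIGN_RE = re.compile(r"^\s*\$Self->\{'([^']+)'\}\s*=", re.M)
SLOT_RE = re.compile(r"((?:Customer::)?AuthModule)(\d*)")
OPTION_RE = re.compile(r"((?:Customer::)?AuthModule)::LDAP::([A-Za-z]+?)(\d*)")

def lint_auth_config(text):
    """Return human-readable findings for LDAP auth options in a Config.pm fragment."""
    keys = ASSIGN_RE.findall(text)
    # Suffixes declared per module slot, e.g. {'AuthModule': {'1'}}
    slots = {}
    for key in keys:
        m = SLOT_RE.fullmatch(key)
        if m:
            slots.setdefault(m.group(1), set()).add(m.group(2))
    findings = []
    for key in keys:
        m = OPTION_RE.fullmatch(key)
        if not m:
            continue  # AuthSyncModule and non-LDAP keys are out of scope here
        slot, option, suffix = m.groups()
        declared = slots.get(slot, set())
        if suffix not in declared:
            findings.append(f"{key}: suffix '{suffix}' matches none of {slot}<N> (declared: {sorted(declared)})")
        if option not in KNOWN_LDAP_OPTIONS:
            findings.append(f"{key}: unknown option '{option}' (typo?)")
    return findings
```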
ruzzetto

Re: New installation and customization

Post by ruzzetto »

Hi,
I'm configuring OTRS for LDAP step by step. Now I modified the file /Kernel/Config/Default.pm with these values:
-----------------------------------------------------------------------------
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'MYLDAP';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=MYCOMPANY,dc=lan';
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# Every option of this numbered module needs the same "1" suffix, otherwise OTRS ignores it.
$Self->{'Customer::AuthModule::LDAP::GroupDN1'} = 'cn=Domain Users,ou=Groups,ou=XXXX,dc=XXXXX,dc=lan';
# $Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
# $Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'MYCOMPANY\user';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'MYPASSWORD';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'Customer::AuthModule::LDAP::AlwaysFilter1'} = '';

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'Customer::AuthModule::LDAP::UserSuffix1'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
# The hash must be uncommented as a whole for the port setting to take effect.
$Self->{'Customer::AuthModule::LDAP::Params1'} = {
    port    => 636,
    timeout => 120,
    async   => 0,
    version => 3,
};
-----------------------------------------------------------------------------

My LDAP works with SSL over port 636.
Are there other parameters to configure?

Thanks
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: New installation and customization

Post by jojo »

Never modify the Defaults.pm!

Please read the admin manual carefully.

You have to adjust the line

$Self->{'Customer::AuthModule::LDAP::Host1'} = 'ldaps://MYLDAP';
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
ruzzetto

Re: New installation and customization

Post by ruzzetto »

[EDIT]
Thanks, as another member already suggested, I restored the original Default.pm and modified /Kernel/Config.pm... adjusted with ldaps://myldap but now it returns an error:
ERROR: OTRS-CGI-82 Perl: 5.16.3 OS: linux Time: Thu Apr 20 12:55:26 2017

Message: Can't connect to ldaps://myldap: Connection refused

RemoteAddress: myremoteclientIP
RequestURI: /otrs/customer.pl

Traceback (19350):
Module: Kernel::System::CustomerAuth::LDAP::Auth Line: 174
Module: Kernel::System::CustomerAuth::Auth Line: 135
Module: Kernel::System::Web::InterfaceCustomer::Run Line: 227
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_customer_2epl::handler Line: 40
Module: (eval) (v1.99) Line: 207
Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
Module: ModPerl::Registry::handler (v1.99) Line: 32
---------------------------
I tried to configure LDAP over the standard port 389 first, and it seems it looks up the right user but returns an error:
Message: Search failed! base='CN=Domain Users,OU=Users,DC=MYCOMPANY,DC=LAN', filter='(member=CN=My Name,OU=My OU,OU=My company,DC=MYCOMPANY,DC=LAN)', 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=MYCOMPANY,DC=LAN'
ruzzetto

Re: New installation and customization

Post by ruzzetto »

I still have problems with AD integration. While customer users are OK (but not on LDAPS), I tried to configure the agent side and I cannot log in. This is my configuration:

Code:

# AGENT CONFIGURATION
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'myldap';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=my,dc=ldap';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=OTRS Agents,OU=Groups,OU=xxxxxxxxx,DC=my,DC=ldap';
# AccessAttr needs the same "1" suffix as the other AuthModule1 options, otherwise OTRS ignores it
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=otrs account,OU=Service Accounts,OU=xxxxxx,OU=xxxxxxxxxxx,DC=my,DC=ldap';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'mypassword';

$Self->{'AuthModule::LDAP::UserLowerCase1'} = 0;
$Self->{'AuthModule::LDAP::Params1'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Now sync data with OTRS DB
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'myldap';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=my,dc=ldap';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=otrs account,OU=Service Accounts,OU=xxxx,OU=xxxxxxxx,DC=my,DC=ldap';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'mypassword';

$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    #UserEmail     => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
    'users',
];
root
Administrator
Posts: 3954
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: New installation and customization

Post by root »

Please double check all DNs for proper spelling.
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
ruzzetto

Re: New installation and customization

Post by ruzzetto »

@root I checked with my Microsoft sysadmin and I captured sessions with tcpdump too. Active Directory responds correctly and finds the right user. If you want I can upload the capture.
Thanks,
Fabio
root

Re: New installation and customization

Post by root »

I only referred to the error message ("DSID-03100238, problem 2001") that indicates a possibly wrong DN.

What are the members of the group? Users or other groups? Nested groups are not supported by OTRS.

And:

read this carefully:
Search failed! base='CN=Domain Users,OU=Users,DC=MYCOMPANY,DC=LAN', filter='(member=CN=My Name,OU=My OU,OU=My company,DC=MYCOMPANY,DC=LAN)',
The search base (base='CN=Domain Users,OU=Users,DC=MYCOMPANY,DC=LAN') does not match the filter.
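To turn root's reading of that error into a repeatable check, here is an added Python helper (written for this thread, not code from OTRS or from any poster) that parses an OTRS "Search failed!" log line: it separates the search base from the filter, extracts the user DN the group check tested, and, for a NO_OBJECT result, reports which leading RDNs of the configured base the directory could not resolve below its "best match". The log line is constructed to mirror the one quoted above, with placeholder DNs.

```python
import re

# Constructed log line in the shape of the "Search failed!" error quoted in this thread;
# the DNs are placeholders, not real directory objects.
SAMPLE_ERROR = (
    "Message: Search failed! base='CN=Domain Users,OU=Users,DC=MYCOMPANY,DC=LAN', "
    "filter='(member=CN=My Name,OU=My OU,OU=My company,DC=MYCOMPANY,DC=LAN)', "
    "0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, "
    "best match of: 'DC=MYCOMPANY,DC=LAN'"
)

SEARCH_RE = re.compile(
    r"Search failed! base='(?P<base>[^']*)', filter='(?P<filter>[^']*)'"
    r"(?:.*?\((?P<problem>[A-Z_]+)\))?(?:.*?best match of:\s*'(?P<best>[^']*)')?",
    re.S,
)

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (sufficient for AD error output)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def diagnose_search_failure(line):
    """Explain an OTRS LDAP 'Search failed!' line: which leading RDNs of the search
    base the directory could not resolve, and which user DN the group check tested."""
    m = SEARCH_RE.search(line)
    if not m:
        return None
    base, flt, problem, best = m.group("base", "filter", "problem", "best")
    result = {"base": base, "problem": problem, "unresolved": None,
              "access_attr": None, "user_dn": None}
    fm = re.fullmatch(r"\((\w+)=(.+)\)", flt)
    if fm:
        result["access_attr"], result["user_dn"] = fm.group(1), fm.group(2)
    if problem == "NO_OBJECT" and best is not None:
        base_parts, best_parts = split_dn(base), split_dn(best)
        # The directory resolved only the "best match" tail of the base DN; the RDNs in
        # front of it do not exist, so the GroupDN is misspelled or names the wrong container.
        cut = len(base_parts) - len(best_parts)
        if cut > 0 and [p.lower() for p in base_parts[cut:]] == [p.lower() for p in best_parts]:
            result["unresolved"] = ",".join(base_parts[:cut])
    return result
```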
ruzzetto

Re: New installation and customization

Post by ruzzetto »

Hi root, you're referring to an old error message about customer authentication. Now the issue is about agent authentication; indeed I did not receive that error message.
root

Re: New installation and customization

Post by root »

Ok, and no error message?
ruzzetto

Re: New installation and customization

Post by ruzzetto »

sure,
"AH01215: Message: No UserID found for 'myusername'!"

I suppose it could be an autosync issue... could it be?

I'm going crazy, I tried to change every parameter but it does not work.
root

Re: New installation and customization

Post by root »

ruzzetto wrote: "AH01215: Message: No UserID found for 'myusername'!"

i suppose it could be a autosync issue.....could be?
Looks like there's no agent with the login myusername. Fix the sync configuration or add the user manually first to confirm the LDAP authentication.
ruzzetto

Re: New installation and customization

Post by ruzzetto »

Apologies, it was my fault... "UserAttr" was typed "UserAttri" and I was going crazy... now it works.
Thanks for your helpful and precious patience.

Have a great weekend
Fabio