[Solved] Problem setting AD/LDAP customer auth

Moderator: crythias

fbobraga2
Znuny newbie
Posts: 5
Joined: 19 Jul 2010, 18:17
Znuny Version: 2.4.7
Contact:

[Solved] Problem setting AD/LDAP customer auth

Post by fbobraga2 »

I'm setting up a support environment for users of my company/institution: all user data (agents and customers) comes from only one LDAP source.

For our evaluation of the product/setup, the authentication for agents is configured and working (setup made according to http://wiki.otrs.org/index.php?title=Us ... for_agents ), but I'm having trouble setting customer auth: after the setup, all attempts to log in lead to "Panic! No UserData!!!" (setup based on http://wiki.otrs.org/index.php?title=Us ... _customers )

I'm not understanding this behavior... has anyone been through this and solved it?

* the changes were made by editing the file /opt/otrs/Kernel/Config.pm (based on parts of /opt/otrs/Kernel/Config/Default.pm) - I'm afraid that it's not the correct way to do it... what is the correct way? Through the web interface? How?
Last edited by fbobraga2 on 20 Jul 2010, 20:50, edited 1 time in total.
OTRS 2.4.7 on Linux (CentOS 5.4) with MySQL database connected to an Active Directory for Agents and Customers.
http://www.tce.sp.gov.br/
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Problem setting AD/LDAP customer auth

Post by crythias »

I set it up as you have, more or less copy/pasting directly from the help files. I took the info from http://doc.otrs.org/1.3/en/html/ldap-integration.html and it was pretty painless (Edit: don't use this link for 2.4.7+! don't do what I did.), though the links you cite should be more up to date.
Last edited by crythias on 20 Jul 2010, 17:40, edited 1 time in total.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
fbobraga2
Znuny newbie
Posts: 5
Joined: 19 Jul 2010, 18:17
Znuny Version: 2.4.7
Contact:

Re: Problem setting AD/LDAP customer auth

Post by fbobraga2 »

Thanks for the quick reply :P

The problem persists for customer auth (the "Panic! No UserData!!!" message), but I've noted:

- no record in the 'customer_user' table is created after a customer tried to log in (the "Panic! No UserData!!!" message is displayed);

- the system behavior is the same even with no backend defined ($Self->{CustomerUser}) in the Config.pm (only the auth section is defined, through $Self->{'Customer::AuthModule'} and related)

-> log after an agent login:

Jul 20 11:14:14 <host> OTRS-CGI-10[7693]: [Notice][Kernel::System::Auth::LDAP::Auth] User: <user> (<user_DN>) authentication ok (REMOTE_ADDR: <user_IP>).
Jul 20 11:14:14 <host> OTRS-CGI-10[7693]: [Notice][Kernel::System::User::UserUpdate] User: '<user>' updated successfully (1)!
Jul 20 11:14:14 <host> OTRS-CGI-10[7693]: [Notice][Kernel::System::User::SetPassword] User: '<user>' changed password successfully!

-> log after a customer tries to log in (the "Panic! No UserData!!!" message is displayed):

Jul 20 11:18:53 Glpi OTRS-CGI-10[7701]: [Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: <user_mail> (<user_DN>) authentication ok (REMOTE_ADDR: <user_IP>).

Any ideas of what is going on are much appreciated :P
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Problem setting AD/LDAP customer auth

Post by crythias »

My *guess* is that you don't have the Map set up properly in Config.pm. There's not enough information to provide you with a better answer at this point.
fbobraga2
Znuny newbie
Posts: 5
Joined: 19 Jul 2010, 18:17
Znuny Version: 2.4.7
Contact:

Re: Problem setting AD/LDAP customer auth

Post by fbobraga2 »

problem solved: some config that I did after install, using the admin web frontend (in the Frontend::Customer::Auth section) caused the issue: cleaning all items (only turning off the checkboxes) solved it :P
jramig
Znuny newbie
Posts: 2
Joined: 04 Aug 2010, 21:57
Znuny Version: 2.4.7

Re: [Solved] Problem setting AD/LDAP customer auth

Post by jramig »

I have the same problem and still get the "Panic! No UserData!!!" message, will you give me a hand??
This is my Config.pm

# Customer Authentication backend.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
# Have seen a few issues when using specific hostnames or IP addresses. Using domain works.
$Self->{'Customer::AuthModule::LDAP::Host'} = '10.100.5.170';
# Where do you want to start searching?
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=mycompany,DC=cl';
# What LDAP attribute would you like to use as User ID in OTRS?
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# LDAP search credentials. Dunno if a full DN is required or if just the username is enough. Have only tried this.
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=wpsbind,CN=Users,DC=mycompany,DC=cl';

$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'mypassword';
# We only need to see users. Not computers and no disabled users.
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';



# Customer DATA backend.
$Self->{CustomerUser} = {
Name => 'LDAP Backend',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => '10.100.5.170',
BaseDN => 'DC=mycompany,DC=cl',
# Search Scope. (one|sub). One-Level or entire Sub-Tree
SSCOPE => 'sub',
# LDAP search credentials. Dunno if a full DN is required or if just the username is enough. Have only tried this.

UserDN => 'CN=wpsbind,CN=Users,DC=mycompany,DC=cl',
UserPw => 'mypassword',
# This is needed to avoid issues with ae, oe, aa. Dunno what happens or if it's entirely correct.
SourceCharset => 'utf-8',
DestCharset => 'utf-8',
# We only need to see users. Not computers and no disabled users.
AlwaysFilter => '(&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',

CustomerKey => 'sAMAccountName',
CustomerID => 'o',
CustomerUserListFields => ['cn'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
# [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],

},

# customer uniq id
CustomerKey => 'sAMAccountName',
# customer #
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName','cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
# # show not own tickets in customer panel, CompanyTickets
# CustomerUserExcludePrimaryCustomerID => 0,
# # add a ldap filter for valid users (expert setting)
# # CustomerUserValidFilter => '(!(description=gesperrt))',
# # admin can't change customer preferences
# AdminSetPreferences => 0,
# # cache time to life in sec. - cache any ldap queris
# CacheTTL => 0,
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
# [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'uid', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
# # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
# [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
# [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};

# AuthSyncModule::LDAP::UserSyncMap
# (map if agent should create/synced from LDAP to DB after successful login)
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];



# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
}

fbobraga2 can you tell me what you did to resolve this issue??

Regards
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: [Solved] Problem setting AD/LDAP customer auth

Post by crythias »

I may be really off here, but I question the { pairing location(s), as well as the filter being really strict.

but taking a cue from here: http://doc.otrs.org/2.4/en/html/x1801.html, it really seems like you are close but missing a few things.

You need to close } on Params probably immediately after AlwaysFilter, though you should try to be a BIT more relaxed about it, first.
AlwaysFilter => '(objectclass=user)' is a good start.


I could be very wrong, but you probably should eyeball the aforementioned link and make certain you have things that look sane. (in fact, I wouldn't hesitate to suggest copy/paste and fill in your own information just to be safe.). This is also replicated in the wiki: http://wiki.otrs.org/index.php?title=Us ... _customers

If you could have possibly enclosed your posted info in [ code ] [ /code ] tags, it would ease our ability to help out.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
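
The layout suggested in the reply above (Params closed right after AlwaysFilter, with CustomerKey, CustomerID and Map as siblings of Params), as an added Perl example that is not from the thread or from OTRS itself. Host, DN and password values are placeholders, `CheckCustomerUser` is a hypothetical helper, and the check that the login attribute matches the auth module's UID is an assumption about what a consistent setup looks like.

```perl
use strict;
use warnings;

# Stand-in for the $Self that Kernel/Config.pm fills; all values are placeholders.
my $Self = { 'Customer::AuthModule::LDAP::UID' => 'sAMAccountName' };
$Self->{CustomerUser} = {
    Name   => 'LDAP Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host         => 'ldap.example.com',
        BaseDN       => 'DC=example,DC=com',
        UserDN       => 'CN=otrs-bind,CN=Users,DC=example,DC=com',
        UserPw       => 'CHANGE_ME',
        AlwaysFilter => '(objectclass=user)',
    },    # Params ends here; the keys below are siblings of Params
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    Map         => [
        [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var' ],
    ],
};

# Hypothetical helper: returns a list of layout problems, empty when none found.
sub CheckCustomerUser {
    my ( $Uid, $Cfg ) = @_;
    my ( @Problems, %Attr );
    for my $Key (qw(CustomerKey CustomerID Map)) {
        push @Problems, "$Key is nested inside Params" if exists $Cfg->{Params}{$Key};
        push @Problems, "$Key missing at top level"    if !exists $Cfg->{$Key};
    }
    %Attr = map { ( $_->[0] => $_->[2] ) } @{ $Cfg->{Map} || [] };
    for my $Var (qw(UserLogin UserEmail UserCustomerID)) {
        push @Problems, "Map has no $Var entry" if !defined $Attr{$Var};
    }
    for my $Got ( $Cfg->{CustomerKey}, $Attr{UserLogin} ) {
        next if lc( $Got // '' ) eq lc $Uid;
        push @Problems, "login attribute '" . ( $Got // 'undef' ) . "' differs from auth UID '$Uid'";
    }
    return @Problems;
}

my @Problems = CheckCustomerUser( $Self->{'Customer::AuthModule::LDAP::UID'}, $Self->{CustomerUser} );
print "PROBLEM: $_\n" for @Problems;
print "CustomerUser layout looks consistent\n" if !@Problems;
```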
jramig
Znuny newbie
Posts: 2
Joined: 04 Aug 2010, 21:57
Znuny Version: 2.4.7

Re: [Solved] Problem setting AD/LDAP customer auth

Post by jramig »

Thanks A LOT!!!! the wiki really works!! of course I changed some stuff, but it works just perfect.

Thank you and god bless you