Customer login authentication using LDAP & local DB

Moderator: crythias

numerouno
Znuny newbie
Posts: 26
Joined: 19 Jun 2014, 13:02
Znuny Version: OTRS 4.0.3

Customer login authentication using LDAP & local DB

Post by numerouno »

Hello Community,

I see many threads on a similar topic, but I am just unable to get both LDAP (agents) and local DB (customers) login authentication working together.

Previously our customers did not log in to OTRS, so we did not require this.

My current Config.pm is below; can someone please help!

# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2014 xxx, http://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# -->> Most OTRS configuration should be done via the OTRS web interface
# and the SysConfig. Only for some configuration, such as database
# credentials and customer data source changes, you should edit this
# file. For changes to customer data sources you can copy the definitions
# from Kernel/Config/Defaults.pm and paste them in this file.
# Config.pm will not be overwritten when updating OTRS.
# --

package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # The database host
    $Self->{'DatabaseHost'} = '127.0.0.1';

    # The database name
    $Self->{'Database'} = "root";

    # The database user
    $Self->{'DatabaseUser'} = "otrs";

    # The password of the database user. You can also use bin/otrs.CryptPassword.pl
    # for crypted passwords
    $Self->{'DatabasePw'} = '******';

    # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
    $Self->{'DatabaseDSN'} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost}";

    # The database DSN for PostgreSQL ==> more: "perldoc DBD::Pg"
    # if you want to use a local socket connection
    # $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a TCP/IP connection
    # $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
    # if you have PostgreSQL 8.1 or earlier, activate the legacy driver with this line:
    # $Self->{DatabasePostgresqlBefore82} = 1;

    # The database DSN for Microsoft SQL Server - only supported if OTRS is
    # installed on Windows as well
    # $Self->{DatabaseDSN} = "DBI:ODBC:driver={SQL Server};Database=$Self->{Database};Server=$Self->{DatabaseHost},1433";

    # The database DSN for Oracle ==> more: "perldoc DBD::oracle"
    # $ENV{ORACLE_HOME} = '/u01/app/oracle/product/10.2.0/client_1';
    # $ENV{NLS_DATE_FORMAT} = 'YYYY-MM-DD HH24:MI:SS';
    # $ENV{NLS_LANG} = "american_america.utf8";
    # $Self->{DatabaseDSN} = "DBI:Oracle:sid=OTRS;host=$Self->{DatabaseHost};port=1522;";

    # ---------------------------------------------------- #
    # fs root directory                                    #
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #

    # Ben's LDAP config for AD agent authentication
    $Self->{'AuthModule'}               = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'}   = '***********';
    $Self->{'AuthModule::LDAP::BaseDN'} = '********';
    $Self->{'AuthModule::LDAP::UID'}    = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'}    = 'CN=OTRS Agents,OU=Groups,OU=MT-Users,DC=corp,DC=******,DC=com';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'}   = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Service Account,OU=Service-Accounts,OU=MT-Users,DC=corp,DC=*******,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = '*******';

    # in case you always want to add one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each login name, then
    # you can use this option. e. g. the user just wants to use "user" but
    # in your ldap directory exists "user@domain".
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
        sscope  => 'sub',
    };

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'}                     = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'}         = '********';
    $Self->{'AuthSyncModule::LDAP::BaseDN'}       = '***********';
    $Self->{'AuthSyncModule::LDAP::UID'}          = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Service Account,OU=Service-Accounts,OU=MT-Users,DC=corp,DC=*******,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '*******';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'customer_user',
    ];

    # Enable LDAP lookups for Customer account information.
    $Self->{CustomerUser3} = {
        Name   => 'LDAP Lookup',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => '********',
            BaseDN => '*******',
            SSCOPE => 'sub',
            UserDN => '*********',
            UserPw => '*******',
            #AlwaysFilter => '(objectclass=user)',
            #GroupDN      => 'CN=OTRS Customers,DC=corp,DC=******,DC=com',
            #AccessAttr   => 'member',
            UserAttr => 'DN',
        },
        CustomerKey                          => 'sAMAccountName',
        CustomerID                           => 'mail',
        CustomerUserListFields               => [ 'sAMAccountName', 'sn', 'givenname', 'company', 'mail' ],
        CustomerUserSearchFields             => [ 'sAMAccountName', 'sn', 'givenname', 'company', 'mail' ],
        CustomerUserPostMasterSearchFields   => ['mail'],
        CustomerUserNameFields               => [ 'givenname', 'sn' ],
        CustomerUserValidFilter              => '(company=*)',
        CustomerUserExcludePrimaryCustomerID => 0,
        Map => [
            [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var' ],
            [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var' ],
            [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'company',        0, 1, 'var' ],
            [ 'UserDepartment', 'Department', 'department',     1, 0, 'var' ],
            [ 'Team',           'Team',       'team',           1, 0, 'var', '', 0 ],
        ],
    };

    # ticket acl
    #$Self->{TicketAcl}->{'106-restrictsource-ACL'} = {
    #    # match properties
    #    Properties => {
    #        # current ticket match properties
    #        Ticket => {
    #            QueueID => [ '19', '20', '21', '22', '23' ],
    #        }
    #    },
    #    # return possible options (white list)
    #    Possible => {
    #        # possible ticket options (white list)
    #        Ticket => {
    #            DynamicField_Source => [ '8', '9', '10' ],
    #        },
    #    },
    #};

    # ticket acl
    #$Self->{TicketAcl}->{'107-restrictsource-ACL'} = {
    #    # match properties
    #    Properties => {
    #        # current ticket match properties
    #        Ticket => {
    #            QueueID => [ '6', '7', '8', '9', '10', '11', '12', '13', '14', '15', '16', '17', '18' ],
    #        }
    #    },
    #    # return options that are not possible (black list)
    #    PossibleNot => {
    #        # ticket options to remove (black list)
    #        Ticket => {
    #            DynamicField_Source => [ '8', '9', '10' ],
    #        },
    #    },
    #};

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    # end of your own config options!!!                    #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # needed system stuff (don't edit this)                #
    # ---------------------------------------------------- #

    use base qw(Kernel::Config::Defaults);

    # -----------------------------------------------------#
}

1;
jlima
Znuny newbie
Posts: 34
Joined: 03 Jul 2014, 13:48
Znuny Version: 6.0.18
Real Name: Jorge Lima
Location: Braga, Portugal

Re: Customer login authentication using LDAP & local DB

Post by jlima »

Hi,
I don't use the DB for customer validation, so I don't have hands-on experience with this, but I think that before

$Self->{CustomerUser3} = {

you need to set up the customer authentication.

To validate against the DB, please check Defaults.pm for the corresponding section.
You'll find something like

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::DB';

In your case I think you must have Customer::AuthModule3 to match the 3 in $Self->{CustomerUser3}.
OTRS 6.0.18 (public/testing) on CentOS with Postgres database
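As an added example (not code from this thread and not OTRS's own shipped Config.pm), here is a Config.pm fragment for the split the original post asks for on OTRS 4: agents authenticate against AD via LDAP, customers against the local database. The LDAP hostnames and DNs are placeholders; the customer settings are the defaults that Kernel/Config/Defaults.pm already ships, restated here so they survive any SysConfig change. One caveat worth knowing: `Kernel::System::CustomerAuth` iterates `Customer::AuthModule` plus `Customer::AuthModule1..10` and `Kernel::System::CustomerUser` iterates `CustomerUser` plus `CustomerUser1..10` as two separate counters, so a numbered data source does not need a like-numbered auth module.

```perl
# Added example (not from the thread). Place inside sub Load { ... } in
# Kernel/Config.pm; Config.pm is loaded after Defaults.pm and overrides it.
# Values marked PLACEHOLDER are assumptions, not real hosts or accounts.

# --- Agents: AuthModule is consulted only by the agent interface.
$Self->{'AuthModule'}                     = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}         = 'ldap.example.test';             # PLACEHOLDER
$Self->{'AuthModule::LDAP::BaseDN'}       = 'DC=corp,DC=example,DC=test';     # PLACEHOLDER
$Self->{'AuthModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=svc-otrs,OU=Service-Accounts,DC=corp,DC=example,DC=test'; # PLACEHOLDER
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'PLACEHOLDER';

# --- Customers: Customer::AuthModule is a separate key, so switching agents
# to LDAP above leaves customer login untouched. Keep the DB module and point
# it at the customer_user table (login + pw columns, as in Defaults.pm).
$Self->{'Customer::AuthModule'}                       = 'Kernel::System::CustomerAuth::DB';
$Self->{'Customer::AuthModule::DB::Table'}            = 'customer_user';
$Self->{'Customer::AuthModule::DB::CustomerKey'}      = 'login';
$Self->{'Customer::AuthModule::DB::CustomerPassword'} = 'pw';

# --- Customer data source: the unsuffixed CustomerUser backend reads the
# same table. CustomerUserN and Customer::AuthModuleN are separate counters;
# defining CustomerUser3 does not require a Customer::AuthModule3.
$Self->{CustomerUser} = {
    Name   => 'Database Backend',
    Module => 'Kernel::System::CustomerUser::DB',
    Params => { Table => 'customer_user' },
    CustomerKey                        => 'login',
    CustomerID                         => 'customer_id',
    CustomerValid                      => 'valid_id',
    CustomerUserListFields             => [ 'first_name', 'last_name', 'email' ],
    CustomerUserSearchFields           => [ 'login', 'first_name', 'last_name', 'customer_id' ],
    CustomerUserPostMasterSearchFields => ['email'],
    CustomerUserNameFields             => [ 'first_name', 'last_name' ],
    # [ internal name, label, DB column, shown in UI, required, storage type ]
    Map => [
        [ 'UserFirstname',  'Firstname',  'first_name',  1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'last_name',   1, 1, 'var' ],
        [ 'UserLogin',      'Username',   'login',       1, 1, 'var' ],
        [ 'UserPassword',   'Password',   'pw',          0, 0, 'var' ],
        [ 'UserEmail',      'Email',      'email',       1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'customer_id', 0, 1, 'var' ],
        [ 'ValidID',        'Valid',      'valid_id',    0, 1, 'int' ],
    ],
};

# An additional LDAP lookup source (e.g. CustomerUser1) only changes where
# customer records are read from; passwords are still checked by whatever
# Customer::AuthModule(N) entries are configured, so add one deliberately.
```

With this in place, an agent login that fails still produces an LDAP bind attempt in the log, while a customer login that fails produces a CustomerAuth::DB message, which is the quickest way to confirm each population is hitting the intended backend.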