Agent and Customer Auth using Active Directory

Moderator: crythias

jvhowell
Znuny newbie
Posts: 22
Joined: 12 Oct 2012, 01:54
Znuny Version: 6.0.25-01
Real Name: Van Howell
Company: South Plains College

Agent and Customer Auth using Active Directory

Post by jvhowell »

Been working on this problem for weeks now. I've been through multiple different HowTos and am currently using the sample from the OTRS site.
I can authenticate Agents, with the user manually entered into OTRS, but I cannot authenticate Customers. I do not want to have to enter each customer into the OTRS DB. I would like to be able to authenticate Customers using only AD.

Would it be worthwhile just dumping this config and using the System Configuration feature in OTRS 6?

This is the LDAP part of my config.

# This is an example configuration for using an MS AD backend
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'LEVDC.xxxxx.xxx';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=xxx';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=HelpdeskAgents,OU=Departments,OU=Distribution Lists,OU=Groups,OU=SPC,DC=xxxxx,DC=xxx';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'OTRS-LDAP@xxxxx.xxx';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxx';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'LEVDC.xxxxx.xxx';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=xxx';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'OTRS-LDAP@xxxxx.xxx';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxx';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
# AuthSyncModule::LDAP::UserSyncGroupsDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# groups to otrs groups, define the following.)
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
# ldap group
'CN=HelpdeskAdmins,OU=Departments,OU=Distribution Lists,OU=Groups,OU=SPC,DC=xxxxx,DC=xxx' => {
# otrs group
'admin' => {
# permission
rw => 1,
ro => 1,
},
},
'CN=HelpdeskAgents,OU=Departments,OU=Distribution Lists,OU=Groups,OU=SPC,DC=xxxxx,DC=xxx' => {
'users' => {
move_into => 1,
},
}
};

# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# LDAP binding for Customer #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #


$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'LEVDC.xxxxx.xxx';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=xxx';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=xxxxx,DC=xxx';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxxxx';
#
# LDAP/AD Backend
#
$Self->{CustomerUser1} = {
Name => 'Active Directory or LDAP',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'LEVDC.southplainscollege.edu',
BaseDN => 'OU=SPC,DC=xxxxx,DC=xxx',
SSCOPE => 'sub',
UserDN =>'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=xxxxx,DC=xxx',
UserPw => 'xxxxxxx',
},
# customer unique id
CustomerKey => 'sAMAccountName',
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};

# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End LDAP binding #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
wurzel
Znuny guru
Posts: 3224
Joined: 08 Jul 2010, 22:25
Znuny Version: x.x.x
Real Name: Florian

Re: Agent and Customer Auth using Active Directory

Post by wurzel »

Hi,

Config looks fine. Without having a look at your logs, there is not much to help with.

Flo
OTRS 8 SILVER (Prod)
OTRS 8 on Debian 11 (Test)
Znuny 7.x latest version testing on Debian 11

-- I don't answer forum questions by PM - No PM please

I won't answer unfriendly users any more. A greeting and regards are just polite.
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: Agent and Customer Auth using Active Directory

Post by root »

Hi Van,

There should be a related entry in the log, like wurzel wrote. So far your config looks good.

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?

Re: Agent and Customer Auth using Active Directory

Post by jvhowell »

When I try a customer logon, this is the error I get in /var/log/messages

Jul 13 08:08:36 otrs OTRS-CGI-95[32931]: [Error][Kernel::System::User::UserLookup][Line:968]: No UserID found for 'ttesthowell2734'!

And these messages in /var/log/httpd/error_log

[Fri Jul 13 08:08:36.622806 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: , referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
[Fri Jul 13 08:08:36.622840 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: RemoteAddress: 10.1.131.8, referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
[Fri Jul 13 08:08:36.622866 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: RequestURI: /otrs/index.pl, referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
[Fri Jul 13 08:08:36.622870 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: , referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
[Fri Jul 13 08:08:36.622890 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: Traceback (32931): , referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
[Fri Jul 13 08:08:36.622935 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: Module: Kernel::System::User::UserLookup Line: 968, referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
[Fri Jul 13 08:08:36.622976 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: Module: Kernel::System::Auth::Auth Line: 245, referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
[Fri Jul 13 08:08:36.623028 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: Module: Kernel::System::Web::InterfaceAgent::Run Line: 248, referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
[Fri Jul 13 08:08:36.623072 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: Module: /opt/otrs/bin/cgi-bin/index.pl Line: 40, referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
[Fri Jul 13 08:08:36.623077 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: , referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;

Re: Agent and Customer Auth using Active Directory

Post by root »

Hi Van,

That's the webserver log. OTRS is logging via Syslog or in a custom file (see SysConfig LogModule, LogModule::LogFile) or check the System Log in the admin area.

- Roy

Re: Agent and Customer Auth using Active Directory

Post by jvhowell »

This is the message from System Log

Fri Jul 13 08:08:36 2018 error OTRS-CGI-95 No UserID found for 'ttesthowell2734'!

Re: Agent and Customer Auth using Active Directory

Post by root »

jvhowell wrote: 13 Jul 2018, 16:58 This is the message from System Log

Fri Jul 13 08:08:36 2018 error OTRS-CGI-95 No UserID found for 'ttesthowell2734'!
Hi Van,

This message is related to an agent login. The message for CustomerUser would be like "No such user.."

There must be another message in the OTRS log after a customer tries to log in via /otrs/customer.pl

- Roy

Re: Agent and Customer Auth using Active Directory

Post by jvhowell »

That's the only message related to the logon.
If I were to add a GroupDN for customers, would that help?
Also, can I add more than one GroupDN? My customers will be in one of two groups: "Faculty and Staff" or "Students Security".

Re: Agent and Customer Auth using Active Directory

Post by jvhowell »

Also, what if I use only the Customer LDAP Authentication and eliminate the Agent. Since I have to put the Agent into OTRS anyway it seems pointless to use AD. I have a small number of agents to work with.

Re: Agent and Customer Auth using Active Directory

Post by root »

I would start without any group restrictions first. Do you really use customer.pl to check the customer login?

- Roy

Re: Agent and Customer Auth using Active Directory

Post by root »

jvhowell wrote: 13 Jul 2018, 17:14 Also, what if I use only the Customer LDAP Authentication and eliminate the Agent. Since I have to put the Agent into OTRS anyway it seems pointless to use AD. I have a small number of agents to work with.
Hi,

You can do both, or one or the other. I always prefer both, to keep it simple for everyone to use the same password (and authentication backend). They don't interfere with each other.

- Roy

Re: Agent and Customer Auth using Active Directory

Post by jvhowell »

OK, I commented out the GroupDN and the rights assignment in the Sync section.
I can now logon with the customer account but I think it is connected as an agent. (not sure, new to this software)

Why would this happen?

The AD account I am using is not a member of the HelpDeskAgent group so I would think it would skip that section and attempt to connect using the Customer Auth section.

Re: Agent and Customer Auth using Active Directory

Post by jvhowell »

When I look at Admin, Agents I see the ttesthowell2734 user listed there. I also have 250+ Customer Users listed. How were these created?

Re: Agent and Customer Auth using Active Directory

Post by root »

jvhowell wrote: 13 Jul 2018, 18:42 When I look at Admin, Agents I see the ttesthowell2734 user listed there. I also have 250+ Customer Users listed. How were these created?
CustomerUsers from LDAP/Active Directory were not created, just referenced.

- Roy

Re: Agent and Customer Auth using Active Directory

Post by jvhowell »

I pasted the config from a notes file I was working on. I noticed that there is one change I have made in the production Config.pm file.
I have added the 1 after the modules for Agent Auth but I do not have a number with the Customer Auth. Will this make a difference?

Below is a copy of the section from the Production Config.pm

# This is an example configuration for using an MS AD backend
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'LEVDC.southplainscollege.edu';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=southplainscollege,DC=edu';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
# $Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=HelpdeskAgents,OU=Departments,OU=Distribution Lists,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu';
# $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
# $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'xxxx';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter1'} = '(objectclass=user)';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

# Now sync data with OTRS DB
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'LEVDC.southplainscollege.edu';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'DC=southplainscollege,DC=edu';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'xxxxxxx';
$Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr1'} = 'DN';

$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
'users',
];
# AuthSyncModule::LDAP::UserSyncGroupsDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# groups to otrs groups, define the following.)
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition1'} = {
# ldap group
'CN=HelpdeskAdmins,OU=Departments,OU=Distribution Lists,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu' => {
# otrs group
'admin' => {
# permission
rw => 1,
ro => 1,
},
},
'CN=HelpdeskAgents,OU=Departments,OU=Distribution Lists,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu' => {
'users' => {
move_into => 1,
},
}
};

# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# LDAP binding for Customer #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #


$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'LEVDC.southplainscollege.edu';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=southplainscollege,DC=edu';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxx';
#
# LDAP/AD Backend
#
$Self->{CustomerUser1} = {
Name => 'Active Directory or LDAP',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'LEVDC.southplainscollege.edu',
BaseDN => 'DC=southplainscollege,DC=edu',
SSCOPE => 'sub',
UserDN =>'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu',
UserPw => 'xxxxxxx',
},

# customer unique id
CustomerKey => 'sAMAccountName',
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '@southplainscollege.edu',
CustomerUserSearchListLimit => 25000,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};

# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End LDAP binding #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #

Re: Agent and Customer Auth using Active Directory

Post by root »

Hi Van,

The 1 after the Agent Authentication just says it's the second mechanism which is tried when an agent logs in. The default is the built-in database (without any number), after that the configuration with the appendix 1, then with 2 (up to 10) if they exist.

- Roy

Re: Agent and Customer Auth using Active Directory

Post by jvhowell »

Sorry for the delayed response on this post.
I am still having problems with the customer logon.
I have removed the Agent LDAP and have only the Customer LDAP configured.
I am seeing LDAP information in the Admin - Customer User section but I do not see any information in Admin - Customer.
Could this be a mapping problem?

Below is the LDAP Auth section of my current Config.pm file.
I have the Customer::AuthModule::LDAP configured in System Configuration.

______________________________________________________________________

$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'reesedc.southplainscollege.edu';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=southplainscollege,dc=edu';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
#$Self->{'AuthModule::LDAP::GroupDN1'} = '';
#$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
#$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'XXXXX';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter1'} = '(&(mail=*)(extensionAttribute5=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix1'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};

# Now sync data with OTRS DB
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'reesedc.southplainscollege.edu';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=southplainscollege,dc=edu';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'XXXXXXX';

$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
AgentID => 'employeeID',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [ 'users', ];

# CustomerUser
# (customer ldap backend and settings)
$Self->{CustomerUser} = {
Name => 'LDAP Data Source',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
# ldap host
Host => 'reesedc.southplainscollege.edu',
# ldap base dn
BaseDN => 'DC=southplainscollege,DC=edu',
# search scope (one|sub)
SSCOPE => 'sub',
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
UserDN => 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu',
UserPw => 'XXXXXX',

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
AlwaysFilter => '(objectClass=user)',

# if both your frontend and your LDAP are unicode, use this:
SourceCharset => 'utf-8',
DestCharset => 'utf-8',
# if your frontend is unicode and the charset of your
# ldap server is iso-8859-1, use these options.
# SourceCharset => 'iso-8859-1',
# DestCharset => 'utf-8',

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
Params => {
port => 389,
timeout => 120,
async => 0,
version => 3,
},
},

# customer unique id
CustomerKey => 'sAMAccountName',

# customer #
CustomerID => 'sAMAccountName',
CustomerUserListFields => ['sAMAccountName','cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 4000,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],

# show not own tickets in customer panel, CompanyTickets
CustomerUserExcludePrimaryCustomerID => 0,

# add an ldap filter for valid users (expert setting)
#CustomerUserValidFilter => '(&(mail=*)(extensionAttribute5=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',

# administrator can't change customer preferences
AdminSetPreferences => 0,

# cache time to live in sec. - cache any database queries
CacheTTL => 0,
Map => [
# note: Login, Email and CustomerID are mandatory!
# var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
[ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'employeeID', 0, 1, 'var', '', 0 ],
# [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};

Re: Agent and Customer Auth using Active Directory

Post by root »

jvhowell wrote: 12 Oct 2018, 19:39 Sorry for the delayed response on this post.
I am seeing LDAP information in the Admin - Customer User section but I do not see any information in Admin - Customer.
Could this be a mapping problem?
Hi,

For each entity (CustomerUser and Customer) you have separate configurations with mappings in OTRS.
Unfortunately there is no LDAP backend for Customer, only DB.

- Roy

Re: Agent and Customer Auth using Active Directory

Post by jvhowell »

I've been doing some additional reading and found that out. Thanks for the confirmation.
I realize I didn't make myself clear: I cannot log on to customer.pl using any of the accounts in Customer User.
What is the problem?

Re: Agent and Customer Auth using Active Directory

Post by root »

Hi,
jvhowell wrote: 13 Oct 2018, 15:22 I've been doing some additional reading and found that out. Thanks for the confirmation.
I realize I didn't make myself clear: I cannot log on to customer.pl using any of the accounts in Customer User.
What is the problem?
I think you understand it wrong. Compare the Customer to an organization like a department or a company. And the CustomerUser belongs to a Customer and can log in, of course.

I recommend configuring CustomerAuth and CustomerUser, emptying the log, setting the LogLevel to debug and trying one login. There will probably be a reason to see why you can't log in.

- Roy

Re: Agent and Customer Auth using Active Directory

Post by jvhowell »

I set the logging level to Debug. The log file showed that there is no user in LDAP. I noticed in the search section that the sAMAccountName contained the domain part (for example, @domainname.com). It was commented out in my config file but it was in the Customer::AuthModule::LDAP configuration in System Configuration. I disabled this attribute and it now works.

Thanks for your help.
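As an added example (not OTRS/Znuny's own code), the following Python models the two steps the LDAP customer auth backend performs for a login, the search as the service account and then the bind as the DN that came back, against a constructed in-memory directory, and shows why a UserSuffix on sAMAccountName ends in the "No such user" path Roy mentioned while the same suffix works with userPrincipalName, how the userAccountControl bitwise filter from the thread excludes disabled accounts, and that RFC 4515 escaping keeps a login such as `*` from matching anything. The entries, passwords and helper names (`ad_user`, `customer_auth`, `BIND_SECRETS`) are constructed for this example; `SPC_FILTER` is the AlwaysFilter posted above.

```python
"""Model of how an OTRS/Znuny LDAP auth backend turns a login into an LDAP
search and bind, run against a constructed in-memory AD-like directory.
Added example, not OTRS/Znuny code."""
import re

BIT_AND_RULE = ":1.2.840.113556.1.4.803:"   # AD bitwise-AND matching rule
# The AlwaysFilter from the thread: has mail and extensionAttribute5, and
# the ACCOUNTDISABLE bit (2) of userAccountControl is not set.
SPC_FILTER = ("(&(mail=*)(extensionAttribute5=*)(!(userAccountControl"
              + BIT_AND_RULE + "=2)))")

def ad_user(cn, sam, uac):
    """Constructed stand-in for an AD user object as the search account sees it."""
    return {"dn": "CN=%s,OU=Students,OU=SPC,DC=southplainscollege,DC=edu" % cn,
            "sAMAccountName": sam, "mail": sam + "@southplainscollege.edu",
            "userPrincipalName": sam + "@southplainscollege.edu",
            "extensionAttribute5": "student", "objectClass": ["top", "person", "user"],
            "userAccountControl": str(uac)}

DIRECTORY = [ad_user("Test Howell", "ttesthowell2734", 512),    # enabled
             ad_user("Old Student", "oldstudent", 512 | 2)]      # ACCOUNTDISABLE
# Constructed passwords; a real DC checks these itself during the bind.
BIND_SECRETS = {DIRECTORY[0]["dn"]: "Secret1!", DIRECTORY[1]["dn"]: "Summer2018"}

def escape_filter_value(value):
    """RFC 4515 escaping, so a login such as '*' cannot widen the search."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(uid_attr, login, user_suffix="", always_filter=""):
    """Same shape as the backend's search: (&(UID=login+suffix)AlwaysFilter)."""
    term = "(%s=%s)" % (uid_attr, escape_filter_value(login + user_suffix))
    return "(&%s%s)" % (term, always_filter) if always_filter else term

def parse(s, i=0):
    """Parse the filter at s[i] into ('&'|'|'|'!', kids) or ('=', attr, value)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing ')'
    end = s.index(")", i)                   # escaping keeps ')' out of values
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1

def get_attr(entry, attr):
    """Case-insensitive attribute lookup, always returning a list or None."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return None

def unescape(value):
    """Turn RFC 4515 '\\xx' escapes back into the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    if node[0] in "&|!":
        results = [matches(kid, entry) for kid in node[1]]
        if node[0] == "&":
            return all(results)
        return any(results) if node[0] == "|" else not results[0]
    _, attr, value = node
    if attr.endswith(BIT_AND_RULE):         # all bits of the assertion must be set
        raw = get_attr(entry, attr[: -len(BIT_AND_RULE)])
        return raw is not None and int(raw[0]) & int(value) == int(value)
    values = get_attr(entry, attr)
    if values is None:
        return False
    if value == "*":
        return True
    # '*' in the assertion is a wildcard; escaped bytes are literal characters.
    pattern = "^" + ".*".join(re.escape(unescape(p)) for p in value.split("*")) + "$"
    return any(re.match(pattern, v, re.IGNORECASE) for v in values)

def customer_auth(login, password, uid_attr="sAMAccountName",
                  user_suffix="", always_filter=""):
    """Search for the login as the search account, then bind as the DN found.
    Returns (outcome, detail); 'no such user' is the path seen in the OTRS log."""
    flt = build_filter(uid_attr, login, user_suffix, always_filter)
    tree, _ = parse(flt)
    hits = [e for e in DIRECTORY if matches(tree, e)]
    if len(hits) != 1:
        return ("no such user", flt)
    dn = hits[0]["dn"]
    if BIND_SECRETS.get(dn) != password:
        return ("bind failed", dn)
    return ("ok", dn)
```

Calling `customer_auth("ttesthowell2734", "Secret1!", user_suffix="@southplainscollege.edu", always_filter=SPC_FILTER)` returns the "no such user" outcome together with the filter that was sent, which is the quickest way to see what a suffix or AlwaysFilter actually turns a login into before blaming the bind.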