Customer group membership via LDAP

Moderator: crythias

beverrm
Znuny newbie
Posts: 1
Joined: 01 Mar 2011, 20:27
Znuny Version: 3.03

Customer group membership via LDAP

Post by beverrm »

I am trying to configure our new OTRS installation so that our customers get their group memberships automatically based upon their AD group memberships. I can log in as a customer with my AD username, but it is not updating my group memberships as I would expect based on my config. Relevant configuration is listed below.

    $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host1'} = 'my.domain.local';
    $Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=my,dc=domain,dc=local';
    $Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';

    $Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'CN=otrs,OU=ServiceAccounts,DC=my,DC=domain,DC=local';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'password';

    $Self->{CustomerUser1} = {
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host         => 'my.domain.local',
            BaseDN       => 'dc=my,dc=domain,dc=local',
            SSCOPE       => 'sub',
            UserDN       => 'CN=otrs,OU=ServiceAccounts,DC=my,DC=domain,DC=local',
            UserPw       => 'password',
            AlwaysFilter => '(objectclass=user)',
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => ['givenname', 'sn'],
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
            [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
            #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
            #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
        ],
    };

The above works fine; all my customers are in OTRS.

    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
        'CN=Domain Users,CN=Users,DC=my,DC=domain,DC=local' => {
            'Purchasing' => {
                rw => 1,
                ro => 1,
            },
        },
    };

I started small for troubleshooting purposes. My user does not get added to the Purchasing group, and does not see the queues that it should see if it were added. I have tried using $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition1'}, $Self->{'Customer::AuthSyncModule::LDAP::UserSyncGroupsDefinition'}, and $Self->{'Customer::AuthSyncModule::LDAP::UserSyncGroupsDefinition1'} as well, and they obviously did not work.


I am sure that I am missing something simple. I just am not sure what, and at this point I have stared at Config.pm and Defaults.pm for so long I have probably glossed over it many times.
Last edited by crythias on 03 Jul 2014, 21:54, edited 1 time in total.
Reason: [code] tags
umeyer
Znuny newbie
Posts: 2
Joined: 09 Sep 2011, 09:39
Znuny Version: 3.0.11
Real Name: Urs Meyer
Company: Variosystems
Location: Switzerland
Contact:

Re: Customer group membership via LDAP

Post by umeyer »

Hi

Did you manage to use your customer group membership with LDAP?

I'm planning to do the same in my company and it would be great to know if it's even possible.
OTRS 3.0.11 :: ITSM 3.0.5 :: CentOS 5.7
newb
Znuny newbie
Posts: 8
Joined: 19 Apr 2012, 23:28
Znuny Version: 3.0.11

Re: Customer group membership via LDAP

Post by newb »

Anyone yet? I tried to do that too but I didn't make it!
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Customer group membership via LDAP

Post by crythias »

It's not a feature of OTRS to do this. At best you get "CustomerGroupAlwaysGroups" *if* customer groups are enabled, and this applies to every customer, so .. yeah.

You may want to read my how-to on customer groups. Customer Groups may not be necessary to assign via LDAP for *customers*... well, maybe. The only real reason you'd need that is queue access. If you're considering that, remember that (again, my opinion) queues are what [type of] agent is going to handle a customer request. If you think of queues as "who" instead of "what", you're going to have a harder time working with OTRS.

Don't mess with customer groups unless you know you want to have customer-based queues (limit the queues available to a customer). If that is on your mind, you may want to take a look at ACLs based upon CustomerID or, optionally, any field you're tracking in LDAP. You'll want to modify Config.pm to cover that entry. There are examples in Defaults.pm. Copy relevant entries to Config.pm.

I don't have the time I used to have to be able to answer questions as much any more, so please excuse me if I don't appear to answer right off.

Also, please don't PM me with requests. I can't fit that in my signature, but unless you want to hire me, I can't provide private help.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
jlima
Znuny newbie
Posts: 34
Joined: 03 Jul 2014, 13:48
Znuny Version: 6.0.18
Real Name: Jorge Lima
Location: Braga, Portugal

Re: Customer group membership via LDAP

Post by jlima »

Hi,
I have about 3000 customers registered in different branches of my LDAP and I need to automatically associate them to their groups using the LDAP branch as a criterion.
What beverrm described is a match to my needs.
Are there any developments on this subject? Any new feature? Any workaround?
Best regards,
jlima
OTRS 6.0.18 (public/testing) on CentOS with Postgres database
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Customer group membership via LDAP

Post by crythias »

No. Customers should not generally be in groups.
jlima
Znuny newbie
Posts: 34
Joined: 03 Jul 2014, 13:48
Znuny Version: 6.0.18
Real Name: Jorge Lima
Location: Braga, Portugal

Re: Customer group membership via LDAP

Post by jlima »

Hi crythias, and thanks for your fast reply.
crythias wrote: The only real reason you'd need that is queue access.
That's the case. I want to limit the queues of each customer according to his profile. The profile is determined by the LDAP branch where OTRS validated his login.
crythias wrote: If you're considering that, remember that (again, my opinion) queues are what [type of] agent is going to handle a customer request.

OK. I agree with you.
crythias wrote: Don't mess with customer groups unless you know you want to have customer-based queues (limit the queues available to a customer). If that is on your mind, you may want to take a look at ACLs based upon CustomerID or optionally, any field you're tracking ldap. You'll want to modify Config.pm to cover that entry. There are examples in Defaults.pm. Copy relevant entries to Config.pm.
CustomerID is not an option, and I don't have any LDAP field that allows me to identify group members. What I need is to use the LDAP branch to identify them. Is there any way I can do it?

Should I start with CustomerGroupAlwaysGroups including all groups and then use ACLs to discard groups that don't apply to each profile?
Or should I start with CustomerGroupAlwaysGroups = 'users' and then add the groups that apply to each profile?
Should this be done in Config.pm in each $Self->{CustomerUser2} section? And how do I reference the BaseDN against which he was validated?

Any other direction you can point me in?
Thanks
jlima
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Customer group membership via LDAP

Post by crythias »

jlima wrote: I don't have any ldap field that allows me to identify group members
Sure you do. I'm sure there's an available LDAP attribute that you can assign for ACL use.
jlima
Znuny newbie
Posts: 34
Joined: 03 Jul 2014, 13:48
Znuny Version: 6.0.18
Real Name: Jorge Lima
Location: Braga, Portugal

Re: Customer group membership via LDAP

Post by jlima »

I meant "any field already in use and with data". The thing is that I don't want to edit each and every customer record.
And I'm not that comfortable with LDAP.
jlima
jlima
Znuny newbie
Posts: 34
Joined: 03 Jul 2014, 13:48
Znuny Version: 6.0.18
Real Name: Jorge Lima
Location: Braga, Portugal

Re: Customer group membership via LDAP

Post by jlima »

crythias, assuming I get an LDAP field, how can I use it to associate customers with groups?
Thanks in advance for your help.
jlima
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Customer group membership via LDAP

Post by crythias »

1) Map a field/attribute in Config.pm
2) http://otrs.github.io/doc/manual/admin/ ... -reference
Basically, any CustomerUser mapped field can be a "Property" and then "Possible" Queues ...
jlima
Znuny newbie
Posts: 34
Joined: 03 Jul 2014, 13:48
Znuny Version: 6.0.18
Real Name: Jorge Lima
Location: Braga, Portugal

Re: Customer group membership via LDAP

Post by jlima »

THANKS!!

I've already made some changes in the mappings to reflect my LDAP properties, BUT I haven't created any entry in this table.
In the mapping there are three entities: var, frontend and storage.
Storage refers to the LDAP property. What about the other two? Do I need to declare them elsewhere, or are they created on the spot?

jlima
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Customer group membership via LDAP

Post by crythias »

    # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly, http-link-target, link class(es)
var: as referenced how OTRS uses it.
frontend: label (displayed as ...)
storage: fieldname/attribute in source location (sAMAccountName, mail, custom1)
the rest should be reasonably self-explanatory and if not should be found in the forum.
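Putting crythias's two steps together (map the attribute in Config.pm, then use that mapped CustomerUser field as an ACL "Property" and the allowed queues as "Possible"), here is an added example that is not from the thread and not OTRS's own configuration. It assumes an LDAP attribute called 'department' holding values like 'Purchasing' or 'Support'; the 'UserDepartment' var name, the queue names and the ACL names are placeholders, and the snippet goes into Kernel/Config.pm after the $Self->{CustomerUser1} definition.

```perl
# Added example, not from the thread. Assumes Config.pm already defines
# $Self->{CustomerUser1} with a Map => [ ... ] list (as in the first post).

# 1) Expose the (assumed) LDAP attribute 'department' as a CustomerUser field.
#    Columns: var, frontend, storage, shown, required, storage-type
#    'UserDepartment' is the var name the ACL below refers to.
push @{ $Self->{CustomerUser1}->{Map} },
    [ 'UserDepartment', 'Department', 'department', 1, 0, 'var' ];

# 2) One ACL per department value: customers whose mapped UserDepartment
#    equals the key may only pick the listed queues (placeholder names).
my %QueuesByDepartment = (
    Purchasing => [ 'Purchasing', 'Raw' ],
    Support    => [ 'Support',    'Raw' ],
);

for my $Dept ( sort keys %QueuesByDepartment ) {
    $Self->{TicketAcl}->{"200-Customer-$Dept-Queues"} = {
        # Properties->CustomerUser keys are the var names from the Map above.
        Properties => {
            CustomerUser => {
                UserDepartment => [$Dept],
            },
        },
        # Possible->Ticket->Queue restricts the queue list to these entries.
        Possible => {
            Ticket => {
                Queue => $QueuesByDepartment{$Dept},
            },
        },
    };
}

# Caveat: a customer whose 'department' attribute is empty or holds a value
# not listed above matches none of these ACLs and keeps whatever queues the
# customer group settings (e.g. CustomerGroupAlwaysGroups) already grant,
# so make sure that default set is as narrow as you intend.
```

After editing Config.pm, log in as a customer from each department and open the new-ticket form to confirm the queue dropdown only shows the expected entries.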