[SOLVED] New installation and customization
Hi All,
I'm a newbie to OTRS, but at first sight it seems to be the solution I need in order to achieve my goal of migrating from an older help desk system to a new one.
A quick premise: my company is provider and customer at the same time, so this is an internal ITSM for us.
My requirements are:
- 4 lines of service offered to my end-users;
- some end-users could be agents too (for example I'm an agent for network security related issues but I'm an end-user for a service request about hardware/software purchase or travelling stuff);
- all of my end-users must be authenticated with AD credentials;
- agents belonging to a specific group/queue must not be allowed to see other requests;
I'm starting to read the admin guide and I'm wondering if:
- agents belonging to the same group (for example VMware support) should be defined as a group in AD or just in OTRS?
I'm going to start configuring my OTRS!
Thanks guys!!
Last edited by ruzzetto on 03 May 2017, 16:21, edited 1 time in total.
-
- Znuny wizard
- Posts: 392
- Joined: 30 Dec 2010, 14:35
- Znuny Version: 6.0.x and 5.0.x
- Real Name: Giulio Soleni
- Company: IKS srl
Re: New installation and customization
Hi,
configuration of Agents and Customers pulled from AD is done within the /opt/otrs/Kernel/Config.pm file, and you should not confuse the OTRS permissions on queues and services with the authentication granted to selected groups of users in AD.
Generally speaking you need to configure two separate sections of Config.pm, one for the Agent authentication and one for the customer authentication, and even if you are talking of the same set of users, I'd suggest you define two separate groups in your AD, one called e.g. "OTRS_Agents" whose members will be authenticated as OTRS agents, and one named e.g. "OTRS_Customers" whose members will be authenticated as OTRS Customers.
That said, you also need to define a technical user in your AD to let OTRS access and browse the directory.
As a suggestion: do not replace the definition of database OTRS internal users with the authentication of users from your AD ... to keep both sources active you just have to put a number at the end of any "$Self" reference in the modules used to authenticate users and customers.
So for example you will have:
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'yourdomaincontroller.whateverdomain.whateversuffix';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=whateverdomain,DC=whateversuffix';
[...]
and not just $Self->{'AuthModule'} and so on, which are used within Defaults.pm (MIND NOT TO TOUCH THAT FILE) to define the database authentication modules.
Finally just a remark: you may notice that customer users taken from AD will populate your OTRS consoles as soon as you complete the configuration of the Config.pm file, while it is necessary for agents to log in to the web console at least once before you see them appear on the admin console.
Please make your tests and should you find any trouble, post here your /opt/otrs/Kernel/Config.pm file so that the community may check the details of your configuration.
HTH
Giulio
OTRS 6.0.x on CentOS 7.x with MariaDB 10.2.x database connected to an Active Directory for Agents and Customers.
ITSM and FAQ modules installed.
Re: New installation and customization
Hi,
I'm trying step by step to configure OTRS for LDAP. Now I modified the file /Kernel/Config/Default.pm with these values:
-----------------------------------------------------------------------------
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'MYLDAP';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=MYCOMPANY,dc=lan';
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# every key of backend 1 needs the same "1" suffix, otherwise backend 1 never reads it
$Self->{'Customer::AuthModule::LDAP::GroupDN1'} = 'cn=Domain Users,ou=Groups,ou=XXXX,dc=XXXXX,dc=lan';
# $Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
# $Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'MYCOMPANY\user';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'MYPASSWORD';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'Customer::AuthModule::LDAP::AlwaysFilter1'} = '';
# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just wants to use "user" but
# in your ldap directory "user@domain" exists.
# $Self->{'Customer::AuthModule::LDAP::UserSuffix1'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
# the whole block must be uncommented together, otherwise the bare port/timeout lines are a syntax error
$Self->{'Customer::AuthModule::LDAP::Params1'} = {
port => 636,
timeout => 120,
async => 0,
version => 3,
};
My LDAP works with SSL over port 636.
Are there other parameters to configure?
Thanks
Re: New installation and customization
Never modify the Defaults.pm!
Please read the admin manual carefully.
You have to adjust the line
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'ldaps://MYLDAP';
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
Re: New installation and customization
[EDIT]
Thanks, as another member already suggested, I restored the original Default.pm and modified /Kernel/Config.pm.... adjusted with ldaps://myldap but now it returns an error:
ERROR: OTRS-CGI-82 Perl: 5.16.3 OS: linux Time: Thu Apr 20 12:55:26 2017
Message: Can't connect to ldaps://myldap: Connection refused
RemoteAddress: myremoteclientIP
RequestURI: /otrs/customer.pl
Traceback (19350):
Module: Kernel::System::CustomerAuth::LDAP::Auth Line: 174
Module: Kernel::System::CustomerAuth::Auth Line: 135
Module: Kernel::System::Web::InterfaceCustomer::Run Line: 227
Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_customer_2epl::handler Line: 40
Module: (eval) (v1.99) Line: 207
Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
Module: ModPerl::Registry::handler (v1.99) Line: 32
---------------------------
I tried to configure LDAP over the standard port 389 first and it seems it looks up the right user but returns an error:
Message: Search failed! base='CN=Domain Users,OU=Users,DC=MYCOMPANY,DC=LAN', filter='(member=CN=My Name,OU=My OU,OU=My company,DC=MYCOMPANY,DC=LAN)', 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=MYCOMPANY,DC=LAN'
Re: New installation and customization
I still have a problem with AD integration. While the customer user is OK (but not on LDAPS), I tried to configure the agent side and I cannot log in. This is my configuration:
# AGENT CONFIGURATION
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'myldap';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=my,dc=ldap';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=OTRS Agents,OU=Groups,OU=xxxxxxxxx,DC=my,DC=ldap';
# AccessAttr needs the same "1" suffix as the other keys of backend 1
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=otrs account,OU=Service Accounts,OU=xxxxxx,OU=xxxxxxxxxxx,DC=my,DC=ldap';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'mypassword';
$Self->{'AuthModule::LDAP::UserLowerCase1'} = 0;
$Self->{'AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# Now sync data with OTRS DB
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'myldap';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=my,dc=ldap';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=otrs account,OU=Service Accounts,OU=xxxx,OU=xxxxxxxx,DC=my,DC=ldap';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'mypassword';
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
#UserEmail => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
'users',
];
-
- Administrator
- Posts: 3968
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: New installation and customization
Please double check all DNs for proper spelling
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
Re: New installation and customization
@root I checked with my Microsoft sysadmin and I captured sessions with tcpdump too. Active Directory responds correctly and finds the right user. If you want I can upload the capture.
Thanks,
Fabio
-
- Administrator
- Posts: 3968
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: New installation and customization
I only referred to the error message ("DSID-03100238, problem 2001") that indicates a possibly wrong DN.
What are the members of the group? Users or other groups? Nested groups are not supported by OTRS.
And: read this carefully:
ruzzetto wrote: Search failed! base='CN=Domain Users,OU=Users,DC=MYCOMPANY,DC=LAN', filter='(member=CN=My Name,OU=My OU,OU=My company,DC=MYCOMPANY,DC=LAN)',
The search base (base='CN=Domain Users,OU=Users,DC=MYCOMPANY,DC=LAN') does not match the filter.
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
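As an added example (not OTRS code and not posted by anyone in this thread), the Perl script below replays the steps Kernel::System::Auth::LDAP takes for an agent login, one at a time, so the failing step is named explicitly: connect, bind as the search user, find the login under BaseDN, check the group with the same base-scope search and (member=DN) filter shape as the error quoted above, and only then bind as the user. Host, DNs, attribute names and the OTRS_LDAP_PW environment variable are assumptions to be replaced with your own values.

```perl
#!/usr/bin/perl
# Added example, not OTRS code: replays the checks of Kernel::System::Auth::LDAP
# step by step so the failing one is visible outside the web console.
# Host, DNs and attribute names below are placeholders (assumptions).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my ( $Login, $Password ) = @ARGV;
die "usage: OTRS_LDAP_PW=<search user pw> $0 <login> <password>\n"
    unless defined $Password && defined $ENV{OTRS_LDAP_PW};

my %Cfg = (
    Host         => 'ldaps://myldap',     # ldaps:// implies port 636, needs IO::Socket::SSL
    BaseDN       => 'DC=my,DC=ldap',
    UID          => 'sAMAccountName',
    GroupDN      => 'CN=OTRS Agents,OU=Groups,DC=my,DC=ldap',
    AccessAttr   => 'member',
    UserAttr     => 'DN',                 # AD group "member" values are full DNs
    SearchUserDN => 'CN=otrs account,OU=Service Accounts,DC=my,DC=ldap',
    SearchUserPw => $ENV{OTRS_LDAP_PW},
    Params       => { timeout => 20, version => 3 },
);

# 1. connect: "Connection refused" here is host/port/TLS, not an OTRS setting
my $LDAP = Net::LDAP->new( $Cfg{Host}, %{ $Cfg{Params} } )
    or die "step 1, connect to $Cfg{Host}: $@\n";

# 2. bind with the technical user that may read the tree
my $Bind = $LDAP->bind( $Cfg{SearchUserDN}, password => $Cfg{SearchUserPw} );
die "step 2, search-user bind: " . $Bind->error . "\n" if $Bind->code;

# 3. find the login under BaseDN by the UID attribute
my $Filter = sprintf '(%s=%s)', $Cfg{UID}, escape_filter_value($Login);
my $Res = $LDAP->search( base => $Cfg{BaseDN}, filter => $Filter );
die "step 3, user search: " . $Res->error . "\n" if $Res->code;
die "step 3, no entry for '$Login' under $Cfg{BaseDN}\n" unless $Res->count;
my $UserDN = $Res->entry(0)->dn;
print "step 3 OK: $UserDN\n";

# 4. group check as OTRS does it: search the GroupDN itself (scope base) for
#    (AccessAttr=<value>). NO_OBJECT with a "best match of" answer means the
#    GroupDN does not exist as spelled; zero hits means no direct membership
#    (nested groups are not expanded).
my $Value = $Cfg{UserAttr} eq 'DN' ? $UserDN : $Login;
my $Grp = $LDAP->search(
    base   => $Cfg{GroupDN},
    scope  => 'base',
    filter => sprintf( '(%s=%s)', $Cfg{AccessAttr}, escape_filter_value($Value) ),
);
die "step 4, group search (check GroupDN spelling): " . $Grp->error . "\n" if $Grp->code;
die "step 4, '$Login' is not a direct $Cfg{AccessAttr} of $Cfg{GroupDN}\n" unless $Grp->count;

# 5. the user's own password is verified only after the group check passed
my $UserBind = $LDAP->bind( $UserDN, password => $Password );
die "step 5, user bind: " . $UserBind->error . "\n" if $UserBind->code;
print "step 5 OK: '$Login' authenticates and is an agent-group member\n";
$LDAP->unbind;
```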
Re: New installation and customization
Hi root, you're referring to an old error message about customer authentication. Now the issue is about agent authentication; indeed I did not receive that error message.
-
- Administrator
- Posts: 3968
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: New installation and customization
Ok, and no error message?
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
Re: New installation and customization
Sure,
"AH01215: Message: No UserID found for 'myusername'!"
I suppose it could be an autosync issue..... could it be?
I'm getting crazy, I tried to change every parameter but it does not work.
-
- Administrator
- Posts: 3968
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: New installation and customization
ruzzetto wrote: "AH01215: Message: No UserID found for 'myusername'!"
I suppose it could be an autosync issue..... could it be?
Looks like there's no agent with the login myusername. Fix the sync, or add the user manually first to confirm the LDAP authentication.
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
Re: New installation and customization
Apologies, it was my fault... "UserAttr" was typed "UserAttri" and I was getting crazy.... now it works.
Thanks for your helpful and precious patience.
Have a great weekend
Fabio
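Since the thread ends on a misspelled key, here is an added lint script (not part of OTRS, not posted by anyone above) that reads a Config.pm and applies the rule from Giulio's post: every option of the backend defined as AuthModule<N> (or Customer::AuthModule<N>, AuthSyncModule<N>) must carry the suffix N and must be a known option name, so both a missing suffix and a typo like UserAttri are reported before a login is even attempted. The list of known option names is built from the keys used in this thread and is an assumption; extend it for your own configuration.

```perl
#!/usr/bin/perl
# Added example, not OTRS code: lint the numbered LDAP backend keys of a
# Config.pm. Rule: a backend defined as <Prefix><N> owns every key named
# <Prefix>::LDAP::<Option><N>. Keys without a suffix, keys whose suffix has
# no matching <Prefix><N>, and unknown option names (e.g. UserAttri) are listed.
use strict;
use warnings;

# Option names as used in this thread (assumption: extend for your own keys).
my %Known = map { $_ => 1 } qw(
    Host BaseDN UID GroupDN AccessAttr UserAttr SearchUserDN SearchUserPw
    UserLowerCase Params AlwaysFilter UserSuffix UserSyncMap UserSyncInitialGroups
);
my @Prefix = ( 'Customer::AuthModule', 'AuthSyncModule', 'AuthModule' );

sub LintConfig {
    my ($Text) = @_;
    my @Keys;
    for my $Line ( split /\n/, $Text ) {
        next if $Line =~ /^\s*#/;                            # commented out
        push @Keys, $1 if $Line =~ /\$Self->\{'([^']+)'\}\s*=/;
    }
    my %Defined;                                             # pass 1: backends
    for my $Key (@Keys) {
        for my $P (@Prefix) {
            $Defined{$P}{$1} = 1 if $Key =~ /^\Q$P\E(\d+)$/;
        }
    }
    my @Problems;                                            # pass 2: options
    KEY: for my $Key (@Keys) {
        for my $P (@Prefix) {
            next unless $Key =~ /^\Q$P\E::LDAP::(\w+?)(\d*)$/;
            my ( $Opt, $N ) = ( $1, $2 );
            push @Problems, "$Key: unknown option '$Opt'" unless $Known{$Opt};
            push @Problems, "$Key: no backend number, so no ${P}<N> reads it" if $N eq '';
            push @Problems, "$Key: ${P}$N is not defined" if $N ne '' && !$Defined{$P}{$N};
            next KEY;
        }
    }
    return @Problems;
}

# Constructed sample mirroring the agent block posted in this thread, with two
# defects: AccessAttr lacks the suffix and UserAttr is misspelled.
my $Sample = <<'END';
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'ldaps://myldap';
$Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=OTRS Agents,OU=Groups,DC=my,DC=ldap';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttri1'} = 'DN';
END

my $File = shift @ARGV;                                      # optional path to Config.pm
my $Text = $Sample;
if ( defined $File ) {
    open my $FH, '<', $File or die "cannot open $File: $!\n";
    local $/;
    $Text = <$FH>;
}
print "$_\n" for LintConfig($Text);
```

Run it without arguments to lint the embedded sample, or pass the path to /opt/otrs/Kernel/Config.pm to check a real file.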