Agent and Customer Auth using Active Directory

Moderator: crythias

jvhowell
OTRS newbie
Posts: 19
Joined: 12 Oct 2012, 01:54
OTRS Version?: 3.1.6
Real Name: Van Howell
Company: Lubbock Christian University

Agent and Customer Auth using Active Directory

Post by jvhowell » 12 Jul 2018, 23:27

Been working on this problem for weeks now. I've been through multiple different HowTos and am currently using the sample from the OTRS site.
I can authenticate Agents, with the user manually entered into OTRS, but I cannot authenticate Customers. I do not want to have to enter each customer into the OTRS DB. I would like to be able to authenticate Customers using only AD.

Would it be worthwhile just dumping this config and using the System Configuration feature in OTRS 6?

This is the LDAP part of my config.

# This is an example configuration for using an MS AD backend
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'LEVDC.xxxxx.xxx';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=xxx';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=HelpdeskAgents,OU=Departments,OU=Distribution Lists,OU=Groups,OU=SPC,DC=xxxxx,DC=xxx';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'OTRS-LDAP@xxxxx.xxx';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxx';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'LEVDC.xxxxx.xxx';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=xxx';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'OTRS-LDAP@xxxxx.xxx';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxx';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

# AuthSyncModule::LDAP::UserSyncGroupsDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# groups to otrs groups, define the following.)
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    # ldap group
    'CN=HelpdeskAdmins,OU=Departments,OU=Distribution Lists,OU=Groups,OU=SPC,DC=xxxxx,DC=xxx' => {
        # otrs group
        'admin' => {
            # permission
            rw => 1,
            ro => 1,
        },
    },
    'CN=HelpdeskAgents,OU=Departments,OU=Distribution Lists,OU=Groups,OU=SPC,DC=xxxxx,DC=xxx' => {
        'users' => {
            move_into => 1,
        },
    },
};

# ---------------------------------------------------- #
# LDAP binding for Customer
# ---------------------------------------------------- #

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'LEVDC.xxxxx.xxx';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=xxx';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=xxxxx,DC=xxx';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxxxx';

# LDAP/AD Backend
$Self->{CustomerUser1} = {
    Name   => 'Active Directory or LDAP',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'LEVDC.southplainscollege.edu',
        BaseDN => 'OU=SPC,DC=xxxxx,DC=xxx',
        SSCOPE => 'sub',
        UserDN => 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=xxxxx,DC=xxx',
        UserPw => 'xxxxxxx',
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix           => '',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        #[ 'UserSalutation', 'Title',      'title',           1, 0, 'var' ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
        #[ 'UserAddress',   'Address',    'postaladdress',   1, 0, 'var' ],
        #[ 'UserComment',   'Comment',    'description',     1, 0, 'var' ],
    ],
};

# ---------------------------------------------------- #
# End LDAP binding
# ---------------------------------------------------- #
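What the agent-side settings in this post make OTRS do on an /otrs/index.pl login, as an added example in Python. This is not OTRS's own Perl (Kernel::System::Auth::LDAP is not reproduced here) but a stand-alone model of the same steps: look the typed login up below BaseDN by the UID attribute, with AlwaysFilter ANDed in when set; because GroupDN, AccessAttr and UserAttr are configured, require the found DN to be listed in the group's member attribute; only then bind as that DN with the typed password. The in-memory directory, the two user entries and the way the filter string is assembled are constructed assumptions for illustration; the setting names and values come from the posted Config.pm. The escaping step is the one security detail worth seeing: a login such as `*)(objectClass=*` must reach the server as data, not as filter syntax.

```python
"""Added example (not OTRS code): a stand-alone model of the agent login
path that the Config.pm above sets up for /otrs/index.pl.

The DIRECTORY dict is a constructed stand-in for AD; no LDAP server is
contacted and the final bind-as-user step is not performed.
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Setting values taken from the posted Config.pm (domain redacted as posted).
UID_ATTR = "sAMAccountName"
BASE_DN = "DC=xxxxx,DC=xxx"
GROUP_DN = ("CN=HelpdeskAgents,OU=Departments,OU=Distribution Lists,"
            "OU=Groups,OU=SPC,DC=xxxxx,DC=xxx")
ACCESS_ATTR = "member"   # AccessAttr: the group attribute that lists members
USER_ATTR = "DN"         # UserAttr: members are listed by full DN
ALWAYS_FILTER = ""       # AlwaysFilter is empty in the first post

# Constructed entries (assumption: the user DNs and the staff login are invented).
STAFF_DN = "CN=Van Howell,OU=Staff,OU=SPC,DC=xxxxx,DC=xxx"
STUDENT_DN = "CN=Test Howell,OU=Students,OU=SPC,DC=xxxxx,DC=xxx"
DIRECTORY: Dict[str, Entry] = {
    STAFF_DN: {"objectClass": ["user"], "sAMAccountName": ["vhowell"]},
    STUDENT_DN: {"objectClass": ["user"], "sAMAccountName": ["ttesthowell2734"]},
    GROUP_DN: {"objectClass": ["group"], "member": [STAFF_DN]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: '*', '(', ')', backslash and
    NUL become \\XX hex escapes, so user input stays data and never becomes
    filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_login_filter(login: str, always_filter: str = ALWAYS_FILTER) -> str:
    """Search filter for the user lookup: (UID=<login>), ANDed with
    AlwaysFilter when one is configured."""
    user_part = f"({UID_ATTR}={escape_filter_value(login)})"
    return f"(&{user_part}{always_filter})" if always_filter else user_part


def find_user_dn(login: str) -> Optional[str]:
    """Step 1: search below BaseDN for the entry whose UID attribute equals
    the login exactly; returns its DN or None."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith(BASE_DN) and login in attrs.get(UID_ATTR, []):
            return dn
    return None


def in_access_group(user_dn: str) -> bool:
    """Step 2 (only because GroupDN is set): the user's DN must be one of
    the values of AccessAttr on GroupDN. UserAttr=DN means DNs are compared."""
    assert USER_ATTR == "DN"
    return user_dn in DIRECTORY.get(GROUP_DN, {}).get(ACCESS_ATTR, [])


def agent_login_allowed(login: str) -> bool:
    """Outcome of steps 1 and 2. Step 3, the bind as user_dn with the
    typed password, would follow on a real server and is not modelled."""
    user_dn = find_user_dn(login)
    return user_dn is not None and in_access_group(user_dn)


if __name__ == "__main__":
    print(build_login_filter("vhowell"))
    print(build_login_filter("*)(objectClass=*"))   # escaped, so it matches nothing
    print(agent_login_allowed("vhowell"))           # True: listed in HelpdeskAgents
    print(agent_login_allowed("ttesthowell2734"))   # False: not a group member
```

With GroupDN set, an AD account that exists but is not a member of HelpdeskAgents fails at step 2 even with the right password, which is the behaviour this post's GroupDN is meant to produce for non-agents. One thing to note about the posted settings themselves: both the agent and the customer module bind the OTRS-LDAP service account and then the user over port 389 with a plain simple bind, so those passwords cross the network unencrypted unless the server side forces LDAPS or StartTLS.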

wurzel
OTRS guru
Posts: 2493
Joined: 08 Jul 2010, 22:25
OTRS Version?: 6.0.x

Re: Agent and Customer Auth using Active Directory

Post by wurzel » 13 Jul 2018, 07:22

Hi,

config looks fine. Without having a look in your logs, there is not much to help.

Flo
    ((OTRS)) Community Edition 6.0.x, LAMP LIVE on Debian 9
    OTRS 6 Managed Silver

    -- I do not answer forum questions by PM - No PM please

    I won't answer to unfriendly users any more. A greeting and regards are just polite.

    root
    Moderator
    Posts: 1256
    Joined: 18 Dec 2007, 12:23
    OTRS Version?: 4/5/6
    Real Name: Roy Kaldung
    Company: Znuny Inc.

    Re: Agent and Customer Auth using Active Directory

    Post by root » 13 Jul 2018, 09:57

    Hi Van,

    There should be a related entry in the log, as wurzel wrote. So far your config looks good.

    - Roy
    OTRS 4/5/6 CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

    You need professional services? Check out https://www.znuny.com/

    jvhowell
    OTRS newbie
    Posts: 19
    Joined: 12 Oct 2012, 01:54
    OTRS Version?: 3.1.6
    Real Name: Van Howell
    Company: Lubbock Christian University

    Re: Agent and Customer Auth using Active Directory

    Post by jvhowell » 13 Jul 2018, 15:14

    When I try a customer logon this is the error I get in /var/log/messages

    Jul 13 08:08:36 otrs OTRS-CGI-95[32931]: [Error][Kernel::System::User::UserLookup][Line:968]: No UserID found for 'ttesthowell2734'!

    And these messages in /var/log/httpd/error_log

    [Fri Jul 13 08:08:36.622806 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: , referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
    [Fri Jul 13 08:08:36.622840 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: RemoteAddress: 10.1.131.8, referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
    [Fri Jul 13 08:08:36.622866 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: RequestURI: /otrs/index.pl, referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
    [Fri Jul 13 08:08:36.622870 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: , referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
    [Fri Jul 13 08:08:36.622890 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: Traceback (32931): , referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
    [Fri Jul 13 08:08:36.622935 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: Module: Kernel::System::User::UserLookup Line: 968, referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
    [Fri Jul 13 08:08:36.622976 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: Module: Kernel::System::Auth::Auth Line: 245, referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
    [Fri Jul 13 08:08:36.623028 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: Module: Kernel::System::Web::InterfaceAgent::Run Line: 248, referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
    [Fri Jul 13 08:08:36.623072 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: Module: /opt/otrs/bin/cgi-bin/index.pl Line: 40, referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;
    [Fri Jul 13 08:08:36.623077 2018] [cgi:error] [pid 64968] [client 10.1.131.8:52153] AH01215: , referer: http://otrs.southplainscollege.edu/otrs ... 2gz5lCHUoT;

    root

    Re: Agent and Customer Auth using Active Directory

    Post by root » 13 Jul 2018, 15:28

    Hi Van,

    That's the webserver log. OTRS is logging via Syslog or in a custom file (see SysConfig LogModule, LogModule::LogFile) or check the System Log in the admin area.

    - Roy

    jvhowell

    Re: Agent and Customer Auth using Active Directory

    Post by jvhowell » 13 Jul 2018, 16:58

    This is the message from System Log

    Fri Jul 13 08:08:36 2018 error OTRS-CGI-95 No UserID found for 'ttesthowell2734'!

    root

    Re: Agent and Customer Auth using Active Directory

    Post by root » 13 Jul 2018, 17:04

    jvhowell wrote:
    13 Jul 2018, 16:58
    This is the message from System Log

    Fri Jul 13 08:08:36 2018 error OTRS-CGI-95 No UserID found for 'ttesthowell2734'!
    Hi Van,

    This message is related to an agent login. The message for a CustomerUser would be like "No such user..".

    There must be another message in the OTRS log after a customer tries to log in via /otrs/customer.pl

    - Roy

    jvhowell

    Re: Agent and Customer Auth using Active Directory

    Post by jvhowell » 13 Jul 2018, 17:13

    That's the only message related to the logon.
    If I were to add a GroupDN for customers, would that help?
    Also, can I add more than one GroupDN? My customers will be in one of two groups: "Faculty and Staff" or "Students Security".

    jvhowell

    Re: Agent and Customer Auth using Active Directory

    Post by jvhowell » 13 Jul 2018, 17:14

    Also, what if I use only the Customer LDAP Authentication and eliminate the Agent. Since I have to put the Agent into OTRS anyway it seems pointless to use AD. I have a small number of agents to work with.

    root

    Re: Agent and Customer Auth using Active Directory

    Post by root » 13 Jul 2018, 17:15

    I would start without any group restrictions first. Do you really use customer.pl to check the customer login?

    - Roy

    root

    Re: Agent and Customer Auth using Active Directory

    Post by root » 13 Jul 2018, 18:29

    jvhowell wrote:
    13 Jul 2018, 17:14
    Also, what if I use only the Customer LDAP Authentication and eliminate the Agent. Since I have to put the Agent into OTRS anyway it seems pointless to use AD. I have a small number of agents to work with.
    Hi,

    You can do both, or the one or the other. I always prefer both, to keep it simple for everyone to use the same password (and authentication backend). They don't interfere with each other.

    - Roy

    jvhowell

    Re: Agent and Customer Auth using Active Directory

    Post by jvhowell » 13 Jul 2018, 18:32

    OK, I commented out the GroupDN and the rights assignment in the Sync section.
    I can now logon with the customer account but I think it is connected as an agent. (not sure, new to this software)

    Why would this happen?

    The AD account I am using is not a member of the HelpDeskAgent group so I would think it would skip that section and attempt to connect using the Customer Auth section.

    jvhowell

    Re: Agent and Customer Auth using Active Directory

    Post by jvhowell » 13 Jul 2018, 18:42

    When I look at Admin, Agents I see the ttesthowell2734 user listed there. I also have 250+ Customer Users listed. How were these created?

    root

    Re: Agent and Customer Auth using Active Directory

    Post by root » 13 Jul 2018, 18:45

    jvhowell wrote:
    13 Jul 2018, 18:42
    When I look at Admin, Agents I see the ttesthowell2734 user listed there. I also have 250+ Customer Users listed. How were these created?
    CustomerUsers from LDAP/Active Directory were not created, just referenced.

    - Roy

    jvhowell

    Re: Agent and Customer Auth using Active Directory

    Post by jvhowell » 13 Jul 2018, 21:32

    I pasted the config from a notes file I was working on. I noticed that there is one change I have made in the production Config.pm file.
    I have added the 1 after the modules for Agent Auth but I do not have a number with the Customer Auth. Will this make a difference?

    Below is a copy of the section from the Production Config.pm

    # This is an example configuration for using an MS AD backend
    $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = 'LEVDC.southplainscollege.edu';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=southplainscollege,DC=edu';
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    # $Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=HelpdeskAgents,OU=Departments,OU=Distribution Lists,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu';
    # $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
    # $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'xxxx';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter1'} = '(objectclass=user)';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params1'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'LEVDC.southplainscollege.edu';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'DC=southplainscollege,DC=edu';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'xxxxxxx';
    $Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';
    $Self->{'AuthSyncModule::LDAP::UserAttr1'} = 'DN';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
        'users',
    ];

    # AuthSyncModule::LDAP::UserSyncGroupsDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs groups, define the following.)
    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition1'} = {
        # ldap group
        'CN=HelpdeskAdmins,OU=Departments,OU=Distribution Lists,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu' => {
            # otrs group
            'admin' => {
                # permission
                rw => 1,
                ro => 1,
            },
        },
        'CN=HelpdeskAgents,OU=Departments,OU=Distribution Lists,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu' => {
            'users' => {
                move_into => 1,
            },
        },
    };

    # ---------------------------------------------------- #
    # LDAP binding for Customer
    # ---------------------------------------------------- #

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'LEVDC.southplainscollege.edu';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=southplainscollege,DC=edu';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxx';

    # LDAP/AD Backend
    $Self->{CustomerUser1} = {
        Name   => 'Active Directory or LDAP',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => 'LEVDC.southplainscollege.edu',
            BaseDN => 'DC=southplainscollege,DC=edu',
            SSCOPE => 'sub',
            UserDN => 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu',
            UserPw => 'xxxxxxx',
        },

        # customer unique id
        CustomerKey => 'sAMAccountName',
        CustomerID  => 'mail',
        CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '@southplainscollege.edu',
        CustomerUserSearchListLimit        => 25000,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => ['givenname', 'sn'],
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            #[ 'UserSalutation', 'Title',      'title',           1, 0, 'var' ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
            [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
            #[ 'UserAddress',   'Address',    'postaladdress',   1, 0, 'var' ],
            #[ 'UserComment',   'Comment',    'description',     1, 0, 'var' ],
        ],
    };

    # ---------------------------------------------------- #
    # End LDAP binding
    # ---------------------------------------------------- #

    root

    Re: Agent and Customer Auth using Active Directory

    Post by root » 19 Jul 2018, 11:27

    Hi Van,

    The 1 after the Agent Authentication just says it's the second mechanism which is tried when an agent logs in. The default is the built-in database (without any number), after that the configuration with the appendix 1, then with 2 (up to 10) if they exist.

    - Roy

    jvhowell

    Re: Agent and Customer Auth using Active Directory

    Post by jvhowell » 12 Oct 2018, 19:39

    Sorry for the delayed response on this post.
    I am still having problems with the customer logon.
    I have removed the Agent LDAP and have only the Customer LDAP configured.
    I am seeing LDAP information in the Admin - Customer User section but I do not see any information in Admin - Customer.
    Could this be a mapping problem?

    Below is the LDAP Auth section my current Config.pm file.
    I have the Customer::AuthModule::LDAP configured in System Configuration.

    ______________________________________________________________________

    $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = 'reesedc.southplainscollege.edu';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=southplainscollege,dc=edu';
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    #$Self->{'AuthModule::LDAP::GroupDN1'} = '';
    #$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
    #$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'XXXXX';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter1'} = '(&(mail=*)(extensionAttribute5=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';

    # in case you want to add a suffix to each login name, then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix1'} = '';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params1'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'reesedc.southplainscollege.edu';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=southplainscollege,dc=edu';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'XXXXXXX';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
        AgentID       => 'employeeID',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [ 'users', ];

    # CustomerUser
    # (customer ldap backend and settings)
    $Self->{CustomerUser} = {
        Name   => 'LDAP Data Source',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'reesedc.southplainscollege.edu',
            # ldap base dn
            BaseDN => 'DC=southplainscollege,DC=edu',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu',
            UserPw => 'XXXXXX',

            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            AlwaysFilter => '(objectClass=user)',

            # if both your frontend and your LDAP are unicode, use this:
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
            # if your frontend is unicode and the charset of your
            # ldap server is iso-8859-1, use these options.
            # SourceCharset => 'iso-8859-1',
            # DestCharset   => 'utf-8',

            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },

        # customer unique id
        CustomerKey => 'sAMAccountName',

        # customer #
        CustomerID => 'sAMAccountName',
        CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 4000,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => ['givenname', 'sn'],

        # show not own tickets in customer panel, CompanyTickets
        CustomerUserExcludePrimaryCustomerID => 0,

        # add an ldap filter for valid users (expert setting)
        #CustomerUserValidFilter => '(&(mail=*)(extensionAttribute5=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',

        # administrator can't change customer preferences
        AdminSetPreferences => 0,

        # cache time to live in sec. - cache any database queries
        CacheTTL => 0,
        Map => [
            # note: Login, Email and CustomerID are mandatory!
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
            [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'employeeID',      0, 1, 'var', '', 0 ],
            # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
        ],
    };

    root

    Re: Agent and Customer Auth using Active Directory

    Post by root » 13 Oct 2018, 06:32

    jvhowell wrote:
    12 Oct 2018, 19:39
    Sorry for the delayed response on this post.
    I am seeing LDAP information in the Admin - Customer User section but I do not see any information in Admin - Customer.
    Could this be a mapping problem?
    Hi,

    For each entity (CustomerUser and Customer) you have separate configurations with mappings in OTRS.
    Unfortunately there is no LDAP backend for Customer, only DB.

    - Roy

    jvhowell

    Re: Agent and Customer Auth using Active Directory

    Post by jvhowell » 13 Oct 2018, 15:22

    I've been doing some additional reading and found that out. Thanks for the confirmation.
    I realize I didn't make myself clear: I cannot log on to customer.pl using any of the accounts in Customer User.
    What is the problem?

    root

    Re: Agent and Customer Auth using Active Directory

    Post by root » 14 Oct 2018, 08:10

    Hi,
    jvhowell wrote:
    13 Oct 2018, 15:22
    I've been doing some additional reading and found that out. Thanks for the confirmation.
    I realize I didn't make myself clear: I cannot log on to customer.pl using any of the accounts in Customer User.
    What is the problem?
    I think you understand it wrong. Compare the Customer to an organization like a department or a company. The CustomerUser belongs to a Customer and can log in, of course.

    I recommend to configure CustomerAuth and CustomerUser, empty the log, set the LogLevel to debug and try one login. There will probably be a reason to see why you can't log in.

    - Roy

    jvhowell

    Re: Agent and Customer Auth using Active Directory

    Post by jvhowell » 15 Oct 2018, 02:41

    I set the logging level to Debug. The log file showed that there is no user in LDAP. I noticed in the search section that the sAMAccountName contained the domain part (example, @domainname.com). It was commented out in my config file, but it was in the Customer::AuthModule::LDAP configuration in System Configuration. I disabled this attribute and it now works.

    Thanks for your help.
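The two mechanics behind the last two posts, as an added Python example (not OTRS code): the AlwaysFilter from the Config.pm above, whose third conjunct uses the AD bitwise-AND matching rule 1.2.840.113556.1.4.803 on userAccountControl to drop disabled accounts, and the UserSuffix behaviour that produced "no user in LDAP". As modelled here, the suffix is appended to the typed login before the UID attribute is compared; sAMAccountName never carries a domain part in AD, so with a suffix set the search matches nothing, while the same suffix against userPrincipalName does match. The entries are constructed for illustration; the userAccountControl values are the standard AD flag values (512 for a normal enabled account, 514 for the same with ACCOUNTDISABLE), and extensionAttribute5 is populated only to satisfy the posted filter.

```python
"""Added example (not OTRS code): the customer lookup step from the last
two posts, with the AlwaysFilter of the Config.pm above and the effect
of a configured UserSuffix.

DIRECTORY is a constructed stand-in for AD; userAccountControl uses the
standard AD flag values (512 = NORMAL_ACCOUNT, 514 = 512 | ACCOUNTDISABLE).
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# AD extensible-match rule used in the posted filter (LDAP_MATCHING_RULE_BIT_AND).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x2   # the bit tested by (userAccountControl:1.2.840.113556.1.4.803:=2)

STUDENT_DN = "CN=Test Howell,OU=Students,OU=SPC,DC=southplainscollege,DC=edu"
FORMER_DN = "CN=Former Staff,OU=Staff,OU=SPC,DC=southplainscollege,DC=edu"
SERVICE_DN = "CN=OTRS-LDAP,OU=Service Accounts,OU=SPC,DC=southplainscollege,DC=edu"

DIRECTORY: Dict[str, Entry] = {
    STUDENT_DN: {   # constructed: enabled student, passes every conjunct
        "sAMAccountName": ["ttesthowell2734"],
        "userPrincipalName": ["ttesthowell2734@southplainscollege.edu"],
        "mail": ["ttesthowell2734@southplainscollege.edu"],
        "extensionAttribute5": ["student"],
        "userAccountControl": ["512"],
    },
    FORMER_DN: {    # constructed: same shape but ACCOUNTDISABLE set
        "sAMAccountName": ["fstaff"],
        "userPrincipalName": ["fstaff@southplainscollege.edu"],
        "mail": ["fstaff@southplainscollege.edu"],
        "extensionAttribute5": ["staff"],
        "userAccountControl": ["514"],
    },
    SERVICE_DN: {   # the bind account from the post; no mail, no extensionAttribute5
        "sAMAccountName": ["OTRS-LDAP"],
        "userPrincipalName": ["OTRS-LDAP@southplainscollege.edu"],
        "userAccountControl": ["512"],
    },
}


def bit_and_matches(entry: Entry, attr: str, mask: int) -> bool:
    """Semantics of (attr:1.2.840.113556.1.4.803:=mask): true when every
    bit of mask is set in some value of attr."""
    return any((int(v) & mask) == mask for v in entry.get(attr, []))


def passes_always_filter(entry: Entry) -> bool:
    """(&(mail=*)(extensionAttribute5=*)(!(userAccountControl:<BIT_AND>:=2)))"""
    has_mail = bool(entry.get("mail"))
    has_ext5 = bool(entry.get("extensionAttribute5"))
    disabled = bit_and_matches(entry, "userAccountControl", ACCOUNTDISABLE)
    return has_mail and has_ext5 and not disabled


def lookup_login(login: str, uid_attr: str = "sAMAccountName",
                 user_suffix: str = "") -> Optional[str]:
    """Search step of Customer::AuthModule::LDAP as modelled here: UserSuffix
    is appended to the typed login, then uid_attr must equal the result and
    the entry must pass the AlwaysFilter. None is the 'no user in LDAP' case."""
    wanted = login + user_suffix
    hits = [dn for dn, e in DIRECTORY.items()
            if wanted in e.get(uid_attr, []) and passes_always_filter(e)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(lookup_login("ttesthowell2734"))                                         # found
    print(lookup_login("ttesthowell2734", user_suffix="@southplainscollege.edu"))  # None
    print(lookup_login("ttesthowell2734", uid_attr="userPrincipalName",
                       user_suffix="@southplainscollege.edu"))                     # found
    print(lookup_login("fstaff"), lookup_login("OTRS-LDAP"))                       # None None
```

The filter excludes disabled accounts and entries without mail or extensionAttribute5 (the service account in the sample drops out for that reason). In the Config.pm above it is applied only to authentication; the CustomerUser backend carries just (objectClass=user) and has the equivalent CustomerUserValidFilter commented out, so a disabled AD account that can no longer log in still shows up in agent-side customer searches and can still be set as a ticket's customer.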
