Gerald and Alvaro, thank you for your time.
Unfortunately I haven’t been able to authenticate my customers through the
Active Directory yet and I have spent many hours trying to achieve it ☹
First of all, I didn’t know that I had to put the same settings in
“FrontEnd::Customer:Auth” as Alvaro pointed out,
but even that didn’t make a difference.
So is this absolutely necessary???
I am only asking because it’s not mentioned anywhere that besides “Config.pm”
we should change this as well.
The changes I’ve performed to “Config.pm” so far are the following:
A] Customer BackEnd

# CustomerUser1
# (customer ldap backend and settings)
$Self->{CustomerUser1} = {
    Name   => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'ad.example.com',
        # ldap base dn
        BaseDN => 'DC=example,DC=com',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => '[email protected]',
        UserPw => '1234qwer',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '(memberOf=CN=otrscustomers,CN=Users,DC=example,DC=com)',
        # if the charset of your ldap server is iso-8859-7, use this:
        SourceCharset => 'utf-8',
        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            port    => 389,
            timeout => 120,
            async   => 0,
            version => 3,
        },
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 2500,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
    CustomerUserValidFilter => '(!(userAccountControl=514))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
    # # cache time to live in sec. - cache any database queries
    # CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mailNickname',    0, 1, 'var', '', 0 ],
        # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephoneNumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};

With the above settings I am able to see the customers specified in the
“otrscustomers” group in my Active Directory under
“Admin->Customer User”,
but NOT under “Admin->Customers”, which is still empty with only the “Database
Backend” option available, while “Customer User” additionally has “LDAP Data
Source”.
Now, moving on to authenticating customers from the Active Directory, I am putting
in the following part:
B] Customer Auth Backend

# --------------------------------------------------- #
# authentication settings                             #
# (enable what you need, auth against otrs db,        #
# against LDAP directory, against HTTP basic auth     #
# or against Radius server)                           #
# --------------------------------------------------- #
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'ad.example.com';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=example,DC=com';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS USER,CN=Users,DC=example,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = '1234qwer ';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# or if you want to filter with a logical OR-Expression, like
# AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
$Self->{'AuthModule::LDAP::AlwaysFilter1'} = '(memberOf=CN=otrscustomers,CN=Users,DC=example,DC=com)';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params1'} = {
    sscope  => 'sub',
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
# Die if backend can't work, e. g. can't connect to server.
$Self->{'AuthModule::LDAP::Die'} = 1;

Unfortunately with this I am getting the following in the GUI:
“Panic, user authenticated but no user data can be found in OTRS DB!! Perhaps
the user is invalid.”
and the apache log shows “Message: No UserID found for 'usersname'! “
I believe that I am missing the part where the customers are inserted into the
OTRS DB the first time they log in.
So the question here is how do I insert the customers into the OTRS DB the first time
they log in??? Any ideas???
Regards,
George
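
Added example (not part of the original post and not OTRS project code): the AuthModule1 / AuthModule::LDAP::* keys used in part B configure the agent interface, whereas the customer interface reads the Customer::AuthModule family, so a customer-side version of part B would look like the fragment below. The LDAPS port, certificate verification, the CA file path and the password placeholder are assumptions that do not appear in the thread.

```perl
# Config.pm fragment: LDAP authentication for the CUSTOMER interface.
# Host, base DN, bind DN and group filter are copied from the post;
# everything marked "assumption" is illustrative.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'}   = 'ad.example.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=example,DC=com';
$Self->{'Customer::AuthModule::LDAP::UID'}    = 'sAMAccountName';

# Bind account used to look up the user's DN before the password check.
# Give it read-only rights in AD and keep its password out of mail and
# version control (placeholder value, assumption).
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'}
    = 'CN=OTRS USER,CN=Users,DC=example,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'REPLACE_WITH_BIND_PASSWORD';

# Only members of the customer group may log in to the customer interface.
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'}
    = '(memberOf=CN=otrscustomers,CN=Users,DC=example,DC=com)';

# Options handed to Net::LDAP->new. A simple bind on port 389 sends the
# password unencrypted, so this variant uses LDAPS with certificate
# verification (assumption: the directory serves LDAPS on 636 and its CA
# certificate is stored at the placeholder path below).
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    scheme  => 'ldaps',
    port    => 636,
    verify  => 'require',
    cafile  => '/path/to/ad-ca.pem',    # placeholder path
    timeout => 120,
    async   => 0,
    version => 3,
};

# The data of an authenticated customer is then read from the
# CustomerUser1 LDAP backend defined in part A, matched on
# CustomerKey => 'sAMAccountName'.
```
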
From: otrs [mailto:[email protected]] On Behalf Of Alvaro Cordero
Sent: Friday, September 02, 2016 5:19 PM
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Active Directory Configuration
Hello,
Along with the config in the file, you need to change the defaults in SysConfig
to enable AD Authentication. Look in SysConfig for LDAP and you will
get FrontEnd::Customer:Auth; there you need to configure the same settings as
in your config file.
Regards
2016-09-02 5:59 GMT-06:00 Dimitrakakis Georgios
<[email protected]>:
Hello!
Can someone explain a little bit more analytically how one can use AD to
authenticate users?
I read the “External Backends” section in the manual but a few things are not
clear to me.
So far I have managed to perform section 5.2.2
(https://otrs.github.io/doc/manual/admin/stable/en/html/external-backends.html#customer-backend-ldap)
which is to configure AD for customer backend.
When completed from the menu Admin->Customer Users I can see the people defined
on the AD to access OTRS.
Of course they are not able to authenticate. I am reading below section 5.3.2.2
(https://otrs.github.io/doc/manual/admin/stable/en/html/external-backends.html#customer-auth-backend-ldap)
but that doesn’t work with a “wrong password error” although the apache log
says “Cannot find ID for USERNAME”
What I am trying to understand here is if I need somehow before authenticating
to put the AD entries into the OTRS database so that it can retrieve the
“username” and then by using the next part to authenticate at the AD using that.
If someone could share their configuration, it would be very nice.
In general what I am trying to achieve is not to have any users on OTRS DB and
do everything from AD. For the moment I have configured two AD groups one for
Agents and one for Customers. Ideally OTRS should be able to distinguish
between those and allow login accordingly. So if you have any configuration
that you can share it will be much appreciated.
Best regards,
G.
______________________________________________________________________________
The contents of this email and any attachments are confidential. It is intended
for the named recipients only. If you have received this email in error please
notify the system administrator or the sender immediately and do not disclose
the contents to anyone. Any views or opinions presented are of the author and
not necessarily represent those of Pancretan Cooperative Bank
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/mailman/listinfo/otrs
--
Alvaro Cordero Retana
Technology Consultant
Tel: 22585757 ext 123
Email: [email protected]