AuthModule is not for Customer

On Sep 5, 2016 5:57 AM, "Dimitrakakis Georgios" <[email protected]> wrote:

> Gerald and Alvaro thank you for your time.
>
>
>
> Unfortunately I haven’t been able to authenticate my customers through the
> Active Directory yet and I have spent many hours trying to achieve it.
>
>
>
> First of all I didn’t know that I had to put the same settings in
> “FrontEnd::Customer:Auth” as Alvaro pointed out, but even that didn’t make
> a difference.
>
> So is this absolutely necessary???
>
> I am only asking because it’s not mentioned anywhere that besides
> “Config.pm” we should change this as well.
>
>
>
> The changes I’ve performed to “Config.pm” so far are the following:
>
>
>
> A] Customer BackEnd
>
>
>
> # CustomerUser1
> # (customer ldap backend and settings)
> $Self->{CustomerUser1} = {
>     Name => 'LDAP Data Source',
>     Module => 'Kernel::System::CustomerUser::LDAP',
>     Params => {
>         # ldap host
>         Host => 'ad.example.com',
>         # ldap base dn
>         BaseDN => 'DC=example,DC=com',
>         # search scope (one|sub)
>         SSCOPE => 'sub',
>         # The following is valid but would only be necessary if the
>         # anonymous user does NOT have permission to read from the LDAP tree
>         UserDN => '[email protected]',
>         UserPw => '1234qwer',
>         # in case you want to add always one filter to each ldap query, use
>         # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
>         AlwaysFilter => '(memberOf=CN=otrscustomers,CN=Users,DC=example,DC=com)',
>         # if the charset of your ldap server is iso-8859-7, use this:
>         SourceCharset => 'utf-8',
>         # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
>         Params => {
>             port    => 389,
>             timeout => 120,
>             async   => 0,
>             version => 3,
>         },
>     },
>     # customer unique id
>     CustomerKey => 'sAMAccountName',
>     # customer #
>     CustomerID => 'mail',
>     CustomerUserListFields => ['cn', 'mail'],
>     CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
>     CustomerUserSearchPrefix => '',
>     CustomerUserSearchSuffix => '*',
>     CustomerUserSearchListLimit => 2500,
>     CustomerUserPostMasterSearchFields => ['mail'],
>     CustomerUserNameFields => ['givenname', 'sn'],
>     # show not own tickets in customer panel, CompanyTickets
>     CustomerUserExcludePrimaryCustomerID => 0,
>     # add an ldap filter for valid users (expert setting)
>     CustomerUserValidFilter => '(!(userAccountControl=514))',
>     # administrator can't change customer preferences
>     AdminSetPreferences => 0,
>     # cache time to live in sec. - cache any database queries
>     # CacheTTL => 0,
>     Map => [
>         # note: Login, Email and CustomerID are mandatory!
>         # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
>         [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
>         [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
>         [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
>         [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
>         [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
>         [ 'UserCustomerID', 'CustomerID', 'mailNickname',    0, 1, 'var', '', 0 ],
>         # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
>         [ 'UserPhone',      'Phone',      'telephoneNumber', 1, 0, 'var', '', 0 ],
>         [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
>         [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
>     ],
> };
>
>
>
>
>
> With the above settings I am able to see the customers specified at the
> “otrscustomers” group in my Active Directory under
>
>
>
> “Admin->Customer User”
>
>
>
> But NOT under “Admin->Customers” which is still empty with only “Database
> Backend” option available while “Customer User” has additionally “LDAP Data
> Source”
>
>
>
> Now moving on to authenticate customers from the Active Directory, I am
> putting in the following part:
>
>
>
> B] Customer Auth Backend
>
>
>
>     # --------------------------------------------------- #
>     # authentication settings                             #
>     # (enable what you need, auth against otrs db,        #
>     # against LDAP directory, against HTTP basic auth     #
>     # or against Radius server)                           #
>     # --------------------------------------------------- #
>
>     # This is an example configuration for an LDAP auth. backend.
>     # (take care that Net::LDAP is installed!)
>     $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
>     $Self->{'AuthModule::LDAP::Host1'} = 'ad.example.com';
>     $Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=example,DC=com';
>     $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
>
>     # The following is valid but would only be necessary if the
>     # anonymous user does NOT have permission to read from the LDAP tree
>     $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS USER,CN=Users,DC=example,DC=com';
>     $Self->{'AuthModule::LDAP::SearchUserPw1'} = '1234qwer ';
>
>     # in case you want to add always one filter to each ldap query, use
>     # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
>     # or if you want to filter with a logical OR-Expression, like
>     # AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
>     $Self->{'AuthModule::LDAP::AlwaysFilter1'} = '(memberOf=CN=otrscustomers,CN=Users,DC=example,DC=com)';
>
>     # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
>     $Self->{'AuthModule::LDAP::Params1'} = {
>         sscope  => 'sub',
>         port    => 389,
>         timeout => 120,
>         async   => 0,
>         version => 3,
>     };
>
>     # Die if backend can't work, e. g. can't connect to server.
>     $Self->{'AuthModule::LDAP::Die'} = 1;
>
>
>
>
>
>
>
> Unfortunately with this I am getting the following in the GUI
>
>
>
> “Panic, user authenticated but no user data can be found in OTRS DB!!
> Perhaps the user is invalid.”
>
>
>
> and the apache log shows “Message: No UserID found for 'usersname'!”
>
>
>
> I believe that I am missing the part where the customers are inserted into
> the OTRS DB the first time they log in.
>
>
>
> So the question here is how do I insert the customers into the OTRS DB the
> first time they log in??? Any ideas???
>
>
>
> Regards,
>
>
>
> George
>
>
>
>
>
>
>
>
>
> From: otrs [mailto:[email protected]] On Behalf Of Alvaro Cordero
> Sent: Friday, September 02, 2016 5:19 PM
> To: User questions and discussions about OTRS.
> Subject: Re: [otrs] Active Directory Configuration
>
>
>
> Hello,
>
>
>
> Along with the config in the file, you need to change the defaults in
> SysConfig to enable AD authentication. Look in SysConfig for LDAP and you
> will get FrontEnd::Customer:Auth; there you need to configure the same
> settings as in your config file.
>
>
>
> Regards
>
>
>
> 2016-09-02 5:59 GMT-06:00 Dimitrakakis Georgios <[email protected]>:
>
> Hello!
>
>
>
> Can someone explain a little bit more analytically how one can use AD to
> authenticate users?
>
>
>
> I read the “External Backends” section in the manual but a few things are
> not clear to me.
>
>
>
> So far I have managed to perform section 5.2.2
> (https://otrs.github.io/doc/manual/admin/stable/en/html/external-backends.html#customer-backend-ldap)
> which is to configure AD for the customer backend.
>
>
>
> When completed from the menu Admin->Customer Users I can see the people
> defined on the AD to access OTRS.
>
>
>
> Of course they are not able to authenticate. I am reading below section
> 5.3.2.2
> (https://otrs.github.io/doc/manual/admin/stable/en/html/external-backends.html#customer-auth-backend-ldap)
> but that doesn’t work; I get a “wrong password” error, although the apache
> log says “Cannot find ID for USERNAME”.
>
>
>
> What I am trying to understand here is if I need somehow before
> authenticating to put the AD entries into the OTRS database so that it can
> retrieve the “username” and then by using the next part to authenticate at
> the AD using that.
>
>
>
> If someone could share their configuration, that would be very nice.
>
>
>
> In general what I am trying to achieve is not to have any users on OTRS DB
> and do everything from AD. For the moment I have configured two AD groups
> one for Agents and one for Customers. Ideally OTRS should be able to
> distinguish between those and allow login accordingly. So if you have any
> configuration that you can share it will be much appreciated.
>
>
>
> Best regards,
>
>
>
> G.
>
>
>
> ______________________________________________________________________________
> The contents of this email and any attachments are confidential. It is
> intended for the named recipients only. If you have received this email in
> error please notify the system administrator or the sender immediately and
> do not disclose the contents to anyone. Any views or opinions presented are
> those of the author and do not necessarily represent those of Pancretan
> Cooperative Bank.
>
>
>
>
>
>
> --
> Alvaro Cordero Retana, Consultor de Tecnologias
> Tel: 22585757 ext 123
> Email: [email protected]
>
>
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/mailman/listinfo/otrs
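The one-line answer at the top of the thread is the whole diagnosis: the `AuthModule*` keys configure agent logins (index.pl), while customer logins (customer.pl) are configured through `Customer::AuthModule*`. The quoted config points `AuthModule1` at the customers group, so a customer who binds successfully against AD is then looked up as an agent in the OTRS `users` table, which is exactly what the "No UserID found" log line means. The fragment below is an added example, not code from the thread or from the OTRS project. It covers both halves of what the first message asked for: agents from one AD group and customers from another, with nothing inserted into the OTRS database by hand. Hostnames, DNs and the bind account are placeholders modelled on the quoted config; the agents group name, the CA file path and the LDAPS settings are assumptions (the thread used plain LDAP on port 389). Unnumbered keys are used; the numbered variants (`AuthModule1`, `Customer::AuthModule1`, ...) work the same way as long as every key of one backend carries the same suffix.

```perl
# Kernel/Config.pm (inside sub Load). Added example, not the thread's config.
package Kernel::Config;

sub Load {
    my $Self = shift;

    # Net::LDAP->new() options shared by all three backends. Plain LDAP on
    # 389 sends the bind account's password and every login password in
    # clear text; LDAPS with certificate verification is assumed to be
    # available on the domain controller (assumption, not from the thread).
    my %LDAPParams = (
        scheme  => 'ldaps',
        port    => 636,
        verify  => 'require',
        cafile  => '/etc/ssl/certs/ad-ca.pem',    # placeholder path
        timeout => 30,
        version => 3,
    );

    # ------------------------------------------------------------------
    # Agents (index.pl): AuthModule + AuthSyncModule
    # ------------------------------------------------------------------
    $Self->{AuthModule}                       = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'}         = 'ad.example.com';
    $Self->{'AuthModule::LDAP::BaseDN'}       = 'DC=example,DC=com';
    $Self->{'AuthModule::LDAP::UID'}          = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS USER,CN=Users,DC=example,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'CHANGE-ME';
    # Only members of the agents group may log in as agents. AD keeps
    # membership as full user DNs in the group's "member" attribute, so the
    # lookup is done with the user's DN rather than the login name.
    $Self->{'AuthModule::LDAP::GroupDN'}    = 'CN=otrsagents,CN=Users,DC=example,DC=com';  # assumed group
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'}   = 'DN';
    $Self->{'AuthModule::LDAP::Params'}     = { %LDAPParams };
    $Self->{'AuthModule::LDAP::Die'}        = 1;

    # Agents must exist in the OTRS "users" table. The sync module creates
    # and updates the row on every successful login, so no manual inserts.
    $Self->{AuthSyncModule}                       = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'}         = 'ad.example.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN'}       = 'DC=example,DC=com';
    $Self->{'AuthSyncModule::LDAP::UID'}          = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS USER,CN=Users,DC=example,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'CHANGE-ME';
    $Self->{'AuthSyncModule::LDAP::Params'}       = { %LDAPParams };
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'}  = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = ['users'];

    # ------------------------------------------------------------------
    # Customers (customer.pl): Customer::AuthModule, NOT AuthModule
    # ------------------------------------------------------------------
    # Customer user data (name, e-mail, CustomerID) is read through the
    # CustomerUser LDAP backend that already worked in the thread, so
    # customers need neither a sync module nor rows in the OTRS database.
    $Self->{'Customer::AuthModule'}                     = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'}         = 'ad.example.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'}       = 'DC=example,DC=com';
    $Self->{'Customer::AuthModule::LDAP::UID'}          = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS USER,CN=Users,DC=example,DC=com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'CHANGE-ME';
    $Self->{'Customer::AuthModule::LDAP::GroupDN'}      = 'CN=otrscustomers,CN=Users,DC=example,DC=com';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'}   = 'member';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'}     = 'DN';
    # Keep disabled AD accounts out even while they remain group members.
    # (userAccountControl=514) only matches one exact value; the bitwise AND
    # matching rule tests the ACCOUNTDISABLE bit regardless of other flags.
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))';
    $Self->{'Customer::AuthModule::LDAP::Params'}       = { %LDAPParams };
    $Self->{'Customer::AuthModule::LDAP::Die'}          = 1;

    return 1;
}

1;
```

Test the two interfaces separately: an agent account in the customers group must be refused at index.pl, and a customer account must be refused at index.pl but accepted at customer.pl. If the "No UserID found" line still appears for a customer login, the login is still being handled by an `AuthModule*` key rather than a `Customer::AuthModule*` key.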
