Hmm, very interesting. Yes, this is pretty much what I want. I'll test it ASAP on my QA env.
Thanks a lot for the help and details. They could be very useful and save me quite some time.

On Thu, Aug 29, 2013 at 2:27 PM, Daniel Litzbach <[email protected]> wrote:
> I see…
>
> In my setup, the user exists in the DB, right. It has to exist for the
> agent to be able to work with the system. But the users have no passwords
> configured. All authentication is done via AD.
>
> $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
> $Self->{'AuthModule::LDAP::Host1'} = 'xxx.xxx.xxx.xxx';
> $Self->{'AuthModule::LDAP::BaseDN1'} = '[Bind-DN]';
>
> $Self->{'AuthModule::LDAP::UID1'} = 'samaccountname';
> $Self->{'AuthModule::LDAP::GroupDN1'} = '[Group-DN]';
> $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
> $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
> $Self->{'AuthModule::LDAP::SearchUserDN1'} = '[User-DN]';
> $Self->{'AuthModule::LDAP::SearchUserPw1'} = '[User-Password]';
>
> $Self->{'UserSyncLDAPMap1'} = {
>     'UserEmail' => 'mail',
>     'UserFirstname' => 'givenName',
>     'UserLastname' => 'sn',
>     'UserLogin' => 'sAMAccountName'
> };
>
> $Self->{UserSyncLDAPMap};
> $Self->{UserSyncLDAPGroups};
> $Self->{'UserSyncLDAPGroupsDefination'};
> $Self->{'UserSyncLDAPRolesDefination'};
> $Self->{'UserSyncLDAPAttibuteGroupsDefination'};
> $Self->{'UserSyncLDAPAttibuteRolesDefination'};
> $Self->{'UserSyncLDAPGroupsDefination'};
>
> The difference might be that I use “$Self->{'AuthModule1'}” in my setup,
> not “$Self->{'AuthModule'}”. I guess the system then first checks the
> local database and if this is not successful, it checks the AD. Is this
> what you want?
>
> Kind regards
>
> *Daniel Litzbach*
>
> Security Support Engineer
>
> Com-Sys ...Connecting Technology To Success.
>
> Communication Systems Ges. für Netzwerktechnik mbH
> Im Geisbaum 17 B - D-63329 Egelsbach
> Tel: 06103 5983 320 - Fax.: +49 6103 5983 655
> E-Mail: [email protected] - Web: www.com-sys.de
>
> Managing Director: Detlef Heinzig
> HRB 33354 - Offenbach Local Court
>
> *From:* [email protected] [mailto:[email protected]] *On behalf of* Bogdan Iosif
> *Sent:* Thursday, 29 August 2013 13:13
> *To:* User questions and discussions about OTRS.
> *Subject:* Re: [otrs] Using multiple databases as external backend?
>
> For me this doesn't work. I tested it in the past and just now. After
> configuring LDAP as an agent backend, all auth attempts are performed
> against LDAP. It kind of makes sense because in Config.pm I have:
>
> $Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
>
> instead of
>
> $Self->{AuthModule} = 'Kernel::System::Auth::DB';
>
> and no entries for settings like AuthModule::DB::*, only for
> AuthModule::LDAP::*
>
> I don't understand how come that it works for you. Could it be that you
> only have the impression it works because your agent user actually also
> exists in your LDAP / AD or maybe it's configured with the same password in
> both your DB backend and LDAP?
>
> When I try to log in with a user from DB that is not in LDAP I get this in
> otrs.log (ignore XXX)
>
> [Thu Aug 29 14:00:44 2013][Notice][Kernel::System::Auth::LDAP::Auth] User: TestAg1 authentication failed, no LDAP entry found!BaseDN='DC=XXX,DC=local', Filter='(sAMAccountName=TestAg1)', (REMOTE_ADDR: XXX).
>
> On Thu, Aug 29, 2013 at 1:56 PM, Daniel Litzbach <[email protected]> wrote:
>
> I guess it is, I also have a local user in our OTRS which is syncing with
> AD. That works fine.
>
> Just try to add the local agent in the admin area and set a password.
>
> Regards,
>
> Daniel
>
> *From:* [email protected] [mailto:[email protected]] *On behalf of* Bogdan Iosif
> *Sent:* Thursday, 29 August 2013 12:51
> *To:* User questions and discussions about OTRS.
> *Subject:* Re: [otrs] Using multiple databases as external backend?
>
> That's somewhat correct. AFAIK, during login the credentials are first
> checked against LDAP and then, optionally, some of their details are
> synched from LDAP into DB, presumably so that the rest of the application
> still works by querying the DB for user details.
>
> However, what I need is to have some users defined in DB, besides those
> from LDAP. For example I may need to grant temporary access to OTRS, as an
> agent, for an external contractor whom I don't want to include in Active
> Directory / LDAP for both security and licensing reasons. I don't know if
> this is currently possible.
>
> /bogdan
>
> On Thu, Aug 29, 2013 at 1:43 PM, Daniel Litzbach <[email protected]> wrote:
>
> If I’m not completely wrong, the LDAP users actually are DB users that are
> synced from the LDAP to the DB. When logging in, the agent data is read
> from the DB and the credentials checked against LDAP, right?
>
> Daniel
>
> *From:* [email protected] [mailto:[email protected]] *On behalf of* Bogdan Iosif
> *Sent:* Thursday, 29 August 2013 12:38
> *To:* User questions and discussions about OTRS.
> *Subject:* Re: [otrs] Using multiple databases as external backend?
>
> "you can use one Company Backend"
>
> I take it to mean you can only use one backend for agents. Can anyone else
> confirm this please? I'm interested to know if I can use both DB and LDAP
> for agents.
>
> On Thu, Aug 29, 2013 at 10:47 AM, Florian Edlhuber <[email protected]> wrote:
>
> Hi,
>
> it is in
> http://doc.otrs.org/3.2/en/html/external-backends.html#multiple-customer-backend-example
>
> You can use up to 10 Customer Information backends. But IIRC you can use
> one Company Backend.
>
> Ciao
> Flo
>
> 29.08.2013 09:42 - Stefan Michael Guenther wrote:
>
> Hello,
>
> am I right in assuming that it is only possible to have ONE external
> customer user backend, but not more?
>
> One of our clients has bought another company and if it is not possible to
> connect both customer databases to OTRS, we would have to find a way to
> merge the two databases into an internal customer database for OTRS.
>
> Regards,
>
> Stefan
> ---------------------------------------------------------------------
> OTRS mailing list: otrs - Webpage: http://otrs.org/
> Archive: http://lists.otrs.org/pipermail/otrs
> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
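
The layout Daniel describes (a numbered LDAP backend next to the local database), as an added example that is not part of the original thread or OTRS's own code. It assumes the unsuffixed AuthModule is consulted first and suffixes 1 to 10 after it; BackendOrder and SuffixProblems are hypothetical helper names and bracketed values are placeholders.

```perl
#!/usr/bin/perl
# Added example, not from the thread: agent auth with the local DB backend
# kept and LDAP added as numbered backend 1, plus a suffix consistency check.
use strict;
use warnings;

# Stands in for the $Self that Kernel::Config::Load() fills in Config.pm.
my $Self = {};

# Unsuffixed backend: agents with a password stored in the OTRS database.
$Self->{'AuthModule'} = 'Kernel::System::Auth::DB';

# Backend 1: Active Directory via LDAP (keys as used in the thread).
$Self->{'AuthModule1'}                     = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'}         = '[LDAP-Host]';
$Self->{'AuthModule::LDAP::BaseDN1'}       = '[Base-DN]';
$Self->{'AuthModule::LDAP::UID1'}          = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = '[User-DN]';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = '[User-Password]';

# Assumption: backends are tried in the order '', 1 .. 10, first success wins.
sub BackendOrder {
    my ($Config) = @_;
    my @Order;
    for my $Count ( '', 1 .. 10 ) {
        my $Module = $Config->{"AuthModule$Count"} or next;
        push @Order, "AuthModule$Count => $Module";
    }
    return @Order;
}

# Each 'AuthModule::<Type>::<Setting><N>' key must share its suffix with an
# 'AuthModule<N>' entry of that type; otherwise it belongs to no backend.
sub SuffixProblems {
    my ($Config) = @_;
    my @Problems;
    for my $Key ( sort keys %{$Config} ) {
        next if $Key !~ /^AuthModule::(\w+)::[A-Za-z]+(\d*)$/;
        my ( $Type, $Suffix ) = ( $1, $2 );
        my $Module = $Config->{"AuthModule$Suffix"} // '(not set)';
        next if $Module eq "Kernel::System::Auth::$Type";
        push @Problems, "$Key: AuthModule$Suffix is $Module";
    }
    return @Problems;
}

print "$_\n" for BackendOrder($Self);

# Constructed mistake: an LDAP setting pasted without the suffix 1.
$Self->{'AuthModule::LDAP::GroupDN'} = '[Group-DN]';
print "mismatch: $_\n" for SuffixProblems($Self);
```

Agents that exist only in the DB backend are outside AD password policy and account disabling, so such accounts need their own expiry and review.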
