Gerald and Alvaro, thank you for your time. Unfortunately I haven’t been able to authenticate my customers through the Active Directory yet and I have spent many hours trying to achieve it ☹
First of all, I didn’t know that I had to put the same settings in “FrontEnd::Customer:Auth” as Alvaro pointed out, but even that didn’t make a difference. So is this absolutely necessary??? I am only asking because it’s not mentioned anywhere that besides “Config.pm” we should change this as well.

The changes I’ve performed to “Config.pm” so far are the following:

A] Customer BackEnd

    # CustomerUser1
    # (customer ldap backend and settings)
    $Self->{CustomerUser1} = {
        Name   => 'LDAP Data Source',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'ad.example.com',
            # ldap base dn
            BaseDN => 'DC=example,DC=com',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'otrsu...@example.com',
            UserPw => '1234qwer',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            AlwaysFilter => '(memberOf=CN=otrscustomers,CN=Users,DC=example,DC=com)',
            # if the charset of your ldap server is iso-8859-7, use this:
            SourceCharset => 'utf-8',
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 2500,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        # show not own tickets in customer panel, CompanyTickets
        CustomerUserExcludePrimaryCustomerID => 0,
        # add an ldap filter for valid users (expert setting)
        CustomerUserValidFilter => '(!(userAccountControl=514))',
        # administrator can't change customer preferences
        AdminSetPreferences => 0,
        # # cache time to live in sec. - cache any database queries
        # CacheTTL => 0,
        Map => [
            # note: Login, Email and CustomerID are mandatory!
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
            [ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
            [ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mailNickname', 0, 1, 'var', '', 0 ],
            # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
            [ 'UserPhone', 'Phone', 'telephoneNumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
            [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
        ],
    };

With the above settings I am able to see the customers specified at the “otrscustomers” group in my Active Directory under “Admin->Customer User”, but NOT under “Admin->Customers”, which is still empty with only the “Database Backend” option available, while “Customer User” additionally has “LDAP Data Source”.

Now moving on to authenticate customers from the Active Directory, I am putting the following part:

B] Customer Auth Backend

    # --------------------------------------------------- #
    # authentication settings                             #
    # (enable what you need, auth against otrs db,        #
    # against LDAP directory, against HTTP basic auth     #
    # or against Radius server)                           #
    # --------------------------------------------------- #
    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = 'ad.example.com';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=example,DC=com';
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS USER,CN=Users,DC=example,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = '1234qwer ';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    # or if you want to filter with a logical OR-Expression, like AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
    $Self->{'AuthModule::LDAP::AlwaysFilter1'} = '(memberOf=CN=otrscustomers,CN=Users,DC=example,DC=com)';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params1'} = {
        sscope  => 'sub',
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # Die if backend can't work, e. g. can't connect to server.
    $Self->{'AuthModule::LDAP::Die'} = 1;

Unfortunately with this I am getting the following in the GUI: “Panic, user authenticated but no user data can be found in OTRS DB!! Perhaps the user is invalid.” and the apache log shows “Message: No UserID found for 'usersname'! “

I believe that I am missing the part where the customers are inserted in the OTRS DB the first time they log in. So the question here is: how do I insert the customers in the OTRS DB the first time they log in??? Any ideas???

Regards,
George

From: otrs [mailto:otrs-boun...@lists.otrs.org] On Behalf Of Alvaro Cordero
Sent: Friday, September 02, 2016 5:19 PM
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Active Directory Configuration

Hello,

Along with the config in the file, you need in Sysconfig to change the defaults to enable AD Authentication.
Look in sysconfig for LDAP and you will get FrontEnd::Customer:Auth, there you need to configure the same settings as in your config file.

Regards

2016-09-02 5:59 GMT-06:00 Dimitrakakis Georgios <gdimitraka...@pancretabank.gr>:

Hello!

Can someone explain a little bit more analytically how one can use AD to authenticate users? I read the “External Backends” section in the manual but a few things are not clear to me.

So far I have managed to perform section 5.2.2 (https://otrs.github.io/doc/manual/admin/stable/en/html/external-backends.html#customer-backend-ldap), which is to configure AD for customer backend. When completed, from the menu Admin->Customer Users I can see the people defined on the AD to access OTRS. Of course they are not able to authenticate.

I am reading below section 5.3.2.2 (https://otrs.github.io/doc/manual/admin/stable/en/html/external-backends.html#customer-auth-backend-ldap) but that doesn’t work, with a “wrong password error”, although the apache log says “Cannot find ID for USERNAME”.

What I am trying to understand here is if I need somehow, before authenticating, to put the AD entries into the OTRS database so that it can retrieve the “username” and then, by using the next part, to authenticate at the AD using that. If someone could share their configuration, it would be very nice.

In general what I am trying to achieve is not to have any users on the OTRS DB and do everything from AD. For the moment I have configured two AD groups, one for Agents and one for Customers. Ideally OTRS should be able to distinguish between those and allow login accordingly. So if you have any configuration that you can share it will be much appreciated.

Best regards,
G.

The contents of this email and any attachments are confidential. It is intended for the named recipients only. If you have received this email in error please notify the system administrator or the sender immediately and do not disclose the contents to anyone. Any views or opinions presented are of the author and not necessarily represent those of Pancretan Cooperative Bank

---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/mailman/listinfo/otrs

--
Alvaro Cordero Retana
Technology Consultant
Tel: 22585757 ext 123
Email: alv...@gridshield.net
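
Added example, not part of the original thread and not OTRS project code: a Config.pm sketch of the two login paths the thread is about. In OTRS the `AuthModule` keys with Kernel::System::Auth::LDAP govern agent login, while customer login uses the `Customer::AuthModule` keys with Kernel::System::CustomerAuth::LDAP. Assumptions: the group name `otrsagents`, the placeholder password, and that the domain controller offers LDAPS.

```perl
use strict;
use warnings;

# Stand-in for the config object. Inside Kernel/Config.pm (sub Load) $Self
# already exists, so omit this line there.
my $Self = {};

# Shared connection values, reused from the thread's example.com settings.
# The password is a placeholder.
my %AD = (
    Host         => 'ad.example.com',
    BaseDN       => 'DC=example,DC=com',
    UID          => 'sAMAccountName',
    SearchUserDN => 'CN=OTRS USER,CN=Users,DC=example,DC=com',
    SearchUserPw => 'CHANGE_ME',
);

# Customer login. Customer data is read from the CustomerUser LDAP backend,
# so no customer record has to exist in the OTRS database beforehand.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{"Customer::AuthModule::LDAP::$_"} = $AD{$_} for keys %AD;
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'}
    = '(memberOf=CN=otrscustomers,CN=Users,DC=example,DC=com)';

# Agent login. Agents must exist in the OTRS database; the sync module below
# creates or updates the agent record at login from the mapped attributes.
# 'otrsagents' is a hypothetical group name.
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{"AuthModule::LDAP::$_"} = $AD{$_} for keys %AD;
$Self->{'AuthModule::LDAP::AlwaysFilter'}
    = '(memberOf=CN=otrsagents,CN=Users,DC=example,DC=com)';

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{"AuthSyncModule::LDAP::$_"} = $AD{$_} for keys %AD;
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# Net::LDAP constructor options, passed through by each backend. Port 389
# without TLS sends the bind and login passwords in clear text; scheme
# 'ldaps' on port 636 assumes the domain controller offers LDAPS.
$Self->{"${_}::LDAP::Params"}
    = { scheme => 'ldaps', port => 636, timeout => 120, version => 3 }
    for qw(Customer::AuthModule AuthModule AuthSyncModule);
```

The unsuffixed keys replace the default database login for that interface; keep a local administrator account reachable until the LDAP path is confirmed to work.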