[otrs] child domain auth (multiple baseDN)


Eddie

Apr 2, 2012, 11:19:14 AM
to ot...@otrs.org
I'm trying to set up OTRS so users from a child domain can open tickets. By changing the Active Directory port from 389 to 3268 (the global catalog port) and changing auth:uid to "userPrincipalName", I can get users from the child domain to authenticate using "user...@childdomain.parentdomain.com" at the login page. The user authenticates, but OTRS can't find/create a record for them, with the following error:

Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator.


Apr  2 11:09:56 otrs OTRS-CGI-10[7503]: [Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: admini...@childdomain.parentdomain.com (CN=Administrator,CN=Users,DC=childdomain,DC=parentdomain,DC=com) authentication ok (REMOTE_ADDR: 10.10.10.6).
Apr  2 11:09:56 otrs OTRS-CGI-10[7503]: [Error][Kernel::System::CustomerUser::SetPreferences][Line:504]: No such user 'admini...@childdomain.parentdomain.com'!


Is this because OTRS can't find the user under the baseDN?

current baseDN:  dc=parentdomain,dc=com

Is it possible to specify multiple baseDNs, like:

baseDN= dc=parentdomain,dc=com;dc=childdomain,dc=parentdomain,dc=com



How can I get users from the child domain to be able to use otrs to open tickets?







Alvaro Cordero

Apr 2, 2012, 12:08:36 PM
to User questions and discussions about OTRS.
Hello Eddie,

Have you specified which fields are being synchronized into the local database? If the authentication succeeds, the next step is to create a local copy of the agent. If that does not happen, you will always get that.

Check if you are missing the UserSync area. For more info, check the manual, Chapter 11.

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };



---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs



--
___________________________
Alvaro Cordero Retana
Consultor de Tecnologias
Gridshield Monitoreo de Redes e
Infraestructura.
2258-5757 ext 123
alv...@gridshield.net
www.gridshield.net

Eddie

Apr 2, 2012, 12:58:50 PM
to User questions and discussions about OTRS.
On Mon, Apr 2, 2012 at 12:08 PM, Alvaro Cordero <alv...@gridshield.net> wrote:
Hello Eddie,

Have you specified which fields are being synchronized into the local database? If the authentication succeeds, the next step is to create a local copy of the agent. If that does not happen, you will always get that.

Check if you are missing the UserSync area. For more info, check the manual, Chapter 11.

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };




Thanks, but that section looks the same here.
One thing I noticed is that if I tried to change Customer::AuthModule::LDAP::UID using the SysConfig web interface, the change wouldn't save. I had it set to sAMAccountName and was trying to change it to userPrincipalName so users can specify their domains, but after saving it would revert back to sAMAccountName. I went to Config.pm and search/replaced all instances of sAMAccountName with userPrincipalName. Maybe it changed something it shouldn't. I'm going to revert this virtual machine to a snapshot I took just before the changes to LDAP. Does it mean anything when the web interface won't save a change but won't give any error?

 

Alvaro Cordero

Apr 2, 2012, 4:31:58 PM
to User questions and discussions about OTRS.
I don't think so... The web changes won't be saved based on the privileges of Apache; it might have been changed depending on the user you used to edit the file manually.

So, your problem was that the search DN was wrong?

Now it looks to me that you are confusing one thing: if you are using the customer auth module, you shouldn't get the errors for Agent, since customers won't synchronize. Or, if you are trying to configure this for agents, then you shouldn't use the CustomerAuth module.

Regards



Eddie

Apr 2, 2012, 9:13:03 PM
to User questions and discussions about OTRS.
On Mon, Apr 2, 2012 at 4:31 PM, Alvaro Cordero <alv...@gridshield.net> wrote:
I don't think so... The web changes won't be saved based on the privileges of Apache; it might have been changed depending on the user you used to edit the file manually.


Weird, as changes made to other fields on that page were saving correctly, but the UID field kept reverting back.

 
So, your problem was that the search DN was wrong?

Now it looks to me that you are confusing one thing: if you are using the customer auth module, you shouldn't get the errors for Agent, since customers won't synchronize. Or, if you are trying to configure this for agents, then you shouldn't use the CustomerAuth module.


The problem I'm trying to solve is to have customers from a child domain be able to log in through the web interface and manage their tickets. The closest I can get is by changing the LDAP port to 3268 so it "sees" accounts in the child domain, but OTRS is not able to use them, with the error:


Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator.


For agents it's working for accounts in the parent domain without any problems.
Maybe I'm using the wrong approach for getting a child domain working, but all I could find while searching was other people asking for something similar with child domains, with no real answers on how to accomplish it. I'd be very grateful for any links to documentation or some pointers on how to accomplish this.

I guess as a plan B I can have users from the child domain open tickets via email if nothing else works.


Sune T. Tougaard

Apr 3, 2012, 2:13:31 AM
to User questions and discussions about OTRS.

How about "just" adding yet another customer authentication (and data) backend pointing at the child domain?

 

http://doc.otrs.org/3.1/en/html/auth-backends.html#customer-auth-backends

http://doc.otrs.org/3.1/en/html/customer-user-backend.html#multiple-customer-backends

 

--

/Sune T.
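Sune's suggestion, written out as an added Kernel/Config.pm example for OTRS 3.1. This is not code from the thread or from the OTRS project; it follows the numeric-suffix convention of the two linked manual pages (Customer::AuthModule1 / CustomerUser1 for the second backend) and assumes host names (dc01.parentdomain.com, dc01.childdomain.parentdomain.com), a read-only bind account CN=otrs-ldap in each domain and its password, none of which appear in the thread. The reason a second backend is needed at all: on port 389 a subtree search rooted at dc=parentdomain,dc=com runs against the parent domain's naming context only and returns referrals, not entries, for the child domain, and port 3268 (global catalog) returns forest-wide entries but only the partial attribute set. One backend per domain, each pointed at a domain controller of that domain, avoids both problems. Both backends key on userPrincipalName because sAMAccountName is only unique within one domain; with two backends keyed on it, the same login could resolve to two different people.

```perl
# Added example for Kernel/Config.pm (OTRS 3.1), inside sub Load.
# Assumed/placeholder values: host names, the CN=otrs-ldap bind accounts
# and the bind password. Replace them with your own before use.
my @ADDomains = (
    {   Suffix => '',    # first backend: config keys carry no suffix
        Name   => 'parentdomain.com',
        Host   => 'dc01.parentdomain.com',
        BaseDN => 'dc=parentdomain,dc=com',
        BindDN => 'CN=otrs-ldap,CN=Users,DC=parentdomain,DC=com',
    },
    {   Suffix => '1',   # second backend: config keys carry the suffix "1"
        Name   => 'childdomain.parentdomain.com',
        Host   => 'dc01.childdomain.parentdomain.com',
        BaseDN => 'dc=childdomain,dc=parentdomain,dc=com',
        BindDN => 'CN=otrs-ldap,CN=Users,DC=childdomain,DC=parentdomain,DC=com',
    },
);

# Password of the read-only bind account (placeholder). Keep Config.pm
# readable only by the web server user; it holds this secret in clear text.
my $BindPw = 'change-me';

# Login attribute: userPrincipalName (user@domain) is unique across the
# forest, sAMAccountName only within a domain.
my $LoginAttr = 'userPrincipalName';

# Only enabled user objects may log in: bit 2 of userAccountControl is
# ACCOUNTDISABLE, tested with the LDAP_MATCHING_RULE_BIT_AND OID.
my $EnabledUserFilter =
    '(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';

my %LDAPParams = ( port => 389, timeout => 120, async => 0, version => 3 );

for my $Domain (@ADDomains) {
    my $S = $Domain->{Suffix};

    # Customer authentication backend for this domain
    # (Customer::AuthModule, then Customer::AuthModule1, ...).
    $Self->{"Customer::AuthModule$S"} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{"Customer::AuthModule::LDAP::Host$S"}         = $Domain->{Host};
    $Self->{"Customer::AuthModule::LDAP::BaseDN$S"}       = $Domain->{BaseDN};
    $Self->{"Customer::AuthModule::LDAP::UID$S"}          = $LoginAttr;
    $Self->{"Customer::AuthModule::LDAP::SearchUserDN$S"} = $Domain->{BindDN};
    $Self->{"Customer::AuthModule::LDAP::SearchUserPw$S"} = $BindPw;
    $Self->{"Customer::AuthModule::LDAP::AlwaysFilter$S"} = $EnabledUserFilter;
    $Self->{"Customer::AuthModule::LDAP::Params$S"}       = {%LDAPParams};

    # Customer user (data) backend for this domain
    # ($Self->{CustomerUser}, then $Self->{CustomerUser1}, ...).
    # Each searches only its own naming context, so no multi-valued BaseDN is needed.
    $Self->{"CustomerUser$S"} = {
        Name   => "AD $Domain->{Name}",
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host          => $Domain->{Host},
            BaseDN        => $Domain->{BaseDN},
            SSCOPE        => 'sub',
            UserDN        => $Domain->{BindDN},
            UserPw        => $BindPw,
            AlwaysFilter  => $EnabledUserFilter,
            SourceCharset => 'utf-8',
            DestCharset   => 'utf-8',
            Params        => {%LDAPParams},
        },
        # CustomerKey must be the same attribute the auth backend used as UID,
        # otherwise you get "Authentication succeeded, but no customer record".
        CustomerKey => $LoginAttr,
        CustomerID  => 'mail',
        CustomerUserListFields             => [ $LoginAttr, 'cn', 'mail' ],
        CustomerUserSearchFields           => [ $LoginAttr, 'cn', 'mail' ],
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => [ 'givenname', 'sn' ],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 250,
        # var, label, ldap attribute, shown (1=always, 2=lite), required, storage-type, http-link, readonly
        Map => [
            [ 'UserFirstname',  'Firstname',  'givenname', 1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',        1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   $LoginAttr,  1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',      1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',      0, 1, 'var', '', 0 ],
        ],
    };
}
```

Before restarting the web server, confirm each backend independently with a plain LDAP search as the bind account, against that domain's DC, under that domain's BaseDN, filtering on userPrincipalName for a known child-domain user: if that search returns the entry with givenname, sn and mail, the customer record lookup will succeed, and the "no customer record" message points at a mismatch between the auth backend's UID and the data backend's CustomerKey (or at a BaseDN that does not contain the user). Simple bind on port 389 sends the customer's password and the bind password unencrypted, so keep the path between OTRS and the domain controllers on a trusted network segment.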
