[otrs] customer user sync from AD

Darshak Modi

unread,

Jan 30, 2014, 7:01:29 AM1/30/14

to User questions and discussions about OTRS.

Hello,

We are seeing the customers currently added to AD are unable to login into OTRS as they get errors.
Is there a way OTRS sync with AD ?

Also for some users, I get Authentication OK, but no such user.
Can someone help ?

Alvaro Cordero

unread,

Jan 31, 2014, 10:09:59 AM1/31/14

to User questions and discussions about OTRS.

Hello, Customer auth, needs to be configured in Config.pm and also in sysconfig via de Moduel FrontEnd::Customer::Auth, there you need to set the authentication mode to LDAP, otherwise it will happen what you describe.

Regards

2014-01-30 Darshak Modi <darsha...@elitecore.com>

---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

--
___________________________
Alvaro Cordero Retana
Consultor de Tecnologias
Gridshield Monitoreo de Redes e
Infraestructura.
2258-5757 ext 123
alv...@gridshield.net
www.gridshield.net

Darshak Modi

unread,

Feb 5, 2014, 11:26:19 PM2/5/14

to ot...@otrs.org

Thanks for input. But it is already set to LDAP.
This happens only to new customers created in AD.

Gerald Young

unread,

Feb 6, 2014, 7:20:17 AM2/6/14

to User questions and discussions about OTRS.

Summary:

> Newly added-to-AD customers are unable to login to OTRS as they get errors

(what errors?)

> Is there a way OTRS sync with AD?

Not for customers. And it's unnecessary, as OTRS, properly configured according to the docs for backends, will directly query AD.

>Also for some users, I get Authentication OK, but no such user.

Is this the same or different error as part 1?

Note that you will want to have both Customer Auth and CustomerUser backend connections to AD.

Please read the docs and, if it helps at all, my troubleshooting LDAP post: http://forums.otterhub.org/viewtopic.php?f=60&t=16543

Also, make sure your multiple backends are consistently numbered.

Marty Hillman

unread,

Feb 6, 2014, 10:45:47 AM2/6/14

to ot...@otrs.org

I had a similar problem in my configuration. It sounds like it is not able to authenticate to do the required LDAP calls. Make sure you have an LDAP inquiry user created in the domain that can make the necessary queries for customers.

We have two AD domains. I had to configure two separate entries in the Config.pm. Also, you have to make sure that the users are being created under the DN for the LDAP search. Notice that the BaseDN is the root of my domain and the SSCOPE is set to ‘sub’. This allows me to have ALL members of each domain as customers. Each domain has an LDAP inquiry user account created.

For an example, here is the relevant redacted portion of my Config.pm. This has been working for me for months. It queries all users in two domains to add them as customers.

# ---------------------------------------------------- #

# User Configurations #

# ---------------------------------------------------- #

# First domain #

# ---------------------------------------------------- #

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';

$Self->{'AuthSyncModule::LDAP::Host'} = 'domaincontroller.domain1.com';

$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain1,dc=com';

$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';

$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';

$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';

$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'ldapinquiryuser@domain1.com';

$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {

UserFirstname => 'givenName',

UserLastname => 'sn',

UserEmail => 'mail',

};

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [

'users',

];

# ---------------------------------------------------- #

# Second Domain #

# ---------------------------------------------------- #

$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';

$Self->{'AuthSyncModule::LDAP::Host1'} = 'domaincontroller.domain2.com';

$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=domain2,dc=com';

$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';

$Self->{'AuthSyncModule::LDAP::UserAttr1'} = 'DN';

$Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';

$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'ldapinquiryuser@domain2.com';

$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'password';

$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {

UserFirstname => 'givenName',

UserLastname => 'sn',

UserEmail => 'mail',

};

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [

'users',

];

# ---------------------------------------------------- #

# LDAP Configuration Settings for Customers #

# ---------------------------------------------------- #

# First domain #

# ---------------------------------------------------- #

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';

$Self->{'Customer::AuthModule::LDAP::Host'} = 'domaincontroller.domain1.com';

$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain1,dc=com';

$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldapinquiryuser@domain1.com';

$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

$Self->{'Customer::AuthModule::LDAP::Params'} = {

port => 389,

timeout => 120,

async => 0,

version => 3,

};

$Self->{CustomerUser} = {

Name => 'LDAP Backend',

Module => 'Kernel::System::CustomerUser::LDAP',

Params => {

Host => 'domaincontroller.domain1.com',

BaseDN => 'DC=domain1,DC=com',

SSCOPE => 'sub',

UserDN => 'ldapinquiryuser@domain1.com',

UserPw => 'password',

AlwaysFilter => '(objectclass=user)',

SourceCharset => 'utf-8',

DestCharset => 'utf-8',

},

CustomerKey => 'sAMAccountName',

CustomerID => 'mail',

CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],

CustomerUserSearchFields => ['sAMAccountName', 'cn', 'givenname', 'mail'],

CustomerUserSearchPrefix => '',

CustomerUserSearchSuffix => '*',

CustomerUserSearchListLimit => 250,

CustomerUserPostMasterSearchFields => ['mail'],

CustomerUserNameFields => ['givenname', 'sn'],

CustomerUserExcludePrimaryCustomerID => 0,

AdminSetPreferences => 0,

CacheTTL => 0,

Map => [

[ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],

[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],

[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],

[ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],

[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],

[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],

[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],

[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],

],

};

# ---------------------------------------------------- #

# Second domain #

# ---------------------------------------------------- #

$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';

$Self->{'Customer::AuthModule::LDAP::Host1'} = 'domaincontroller.domain2.com';

$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=domain2,dc=com';

$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';

$Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'DN';

$Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'member';

$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'ldapinquiryuser@domain2.com';

$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'password';

$Self->{'Customer::AuthModule::LDAP::Params1'} = {

port => 389,

timeout => 120,

async => 0,

version => 3,

};

$Self->{CustomerUser1} = {

Name => 'LDAP Backend1',

Module => 'Kernel::System::CustomerUser::LDAP',

Params => {

Host => 'domaincontroller.domain2.com',

BaseDN => 'DC=domain2,DC=com',

SSCOPE => 'sub',

UserDN => 'ldapinquiryuser@domain2.com',

UserPw => 'password',

AlwaysFilter => '(objectclass=user)',

SourceCharset => 'utf-8',

DestCharset => 'utf-8',

},

CustomerKey => 'sAMAccountName',

CustomerID => 'mail',

CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],

CustomerUserSearchFields => ['sAMAccountName', 'cn', 'givenname', 'mail'],

CustomerUserSearchPrefix => '',

CustomerUserSearchSuffix => '*',

CustomerUserSearchListLimit => 250,

CustomerUserPostMasterSearchFields => ['mail'],

CustomerUserNameFields => ['givenname', 'sn'],

CustomerUserExcludePrimaryCustomerID => 0,

AdminSetPreferences => 0,

CacheTTL => 0,

Map => [

[ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],

[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],

[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],

[ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],

[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],

[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],

[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],

[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],

],

};

Reply all

Reply to author

Forward