I see…
In my setup, the user exists in the DB, right. It has to exist for the agent to be able to work with the system. But the users have no passwords configured. All authentication is done via AD.
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'xxx.xxx.xxx.xxx';
$Self->{'AuthModule::LDAP::BaseDN1'} = '[Bind-DN]';
$Self->{'AuthModule::LDAP::UID1'} = 'samaccountname';
$Self->{'AuthModule::LDAP::GroupDN1'} = '[Group-DN]';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = '[User-DN]';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = '[User-Password]';
$Self->{'UserSyncLDAPMap1'} = {
'UserEmail' => 'mail',
'UserFirstname' => 'givenName',
'UserLastname' => 'sn',
'UserLogin' => 'sAMAccountName'
};
$Self->{UserSyncLDAPMap};
$Self->{UserSyncLDAPGroups};
$Self->{'UserSyncLDAPGroupsDefination'};
$Self->{'UserSyncLDAPRolesDefination'};
$Self->{'UserSyncLDAPAttibuteGroupsDefination'};
$Self->{'UserSyncLDAPAttibuteRolesDefination'};
$Self->{'UserSyncLDAPGroupsDefination'};
The difference might be that I use “$Self->{'AuthModule1'}” in my setup, not “$Self->{'AuthModule'}”. I guess the system then first checks the local database and, if this is not successful, it checks the AD. Is this what you want?
Kind regards
Daniel Litzbach
Security Support Engineer
Com-Sys ...Connecting Technology To Success.
Communication Systems Ges. für Netzwerktechnik mbH
Im Geisbaum 17 B - D-63329 Egelsbach
Tel: 06103 5983 320 - Fax.: +49 6103 5983 655
E-Mail: Daniel.Litzbach@com-sys.de - Web: www.com-sys.de
Managing Director: Detlef Heinzig
HRB 33354 - Amtsgericht Offenbach
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On behalf of Bogdan Iosif
Sent: Thursday, 29 August 2013 13:13
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Using multiple databases as external backend?
For me this doesn't work. I tested it in the past and just now. After configuring LDAP as an agent backend, all auth attempts are performed against LDAP. It kind of makes sense because in Config.pm I have:
$Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
instead of
$Self->{AuthModule} = 'Kernel::System::Auth::DB';
and no entries for settings like AuthModule::DB::*, only for AuthModule::LDAP::*
I don't understand how come that it works for you. Could it be that you only have the impression it works because your agent user actually also exists in your LDAP / AD or maybe it's configured with the same password in both your DB backend and LDAP?
When I try to log in with a user from DB that is not in LDAP I get this in otrs.log (ignore XXX):
[Thu Aug 29 14:00:44 2013][Notice][Kernel::System::Auth::LDAP::Auth] User: TestAg1 authentication failed, no LDAP entry found!BaseDN='DC=XXX,DC=local', Filter='(sAMAccountName=TestAg1)', (REMOTE_ADDR: XXX).
On Thu, Aug 29, 2013 at 1:56 PM, Daniel Litzbach <Daniel.Litzbach@com-sys.de> wrote:
I guess it is, I also have a local user in our OTRS which is syncing with AD. That works fine.
Just try to add the local agent in the admin area and set a password.
Regards,
Daniel
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On behalf of Bogdan Iosif
Sent: Thursday, 29 August 2013 12:51
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Using multiple databases as external backend?
That's somewhat correct. AFAIK, during login the credentials are first checked against LDAP and then, optionally, some of their details are synched from LDAP into DB, presumably so that the rest of the application still works by querying the DB for user details.
However, what I need is to have some users defined in DB, beside those from LDAP. For example I may need to grant temporary access to OTRS, as an agent, for an external contractor whom I don't want to include in Active Directory / LDAP for both security and licensing reasons. I don't know if this is currently possible.
/bogdan
On Thu, Aug 29, 2013 at 1:43 PM, Daniel Litzbach <Daniel.Litzbach@com-sys.de> wrote:
If I’m not completely wrong, the LDAP users actually are DB users that are synced from the LDAP to the DB. When logging in, the agent data is read from the DB and the credentials checked against LDAP, right?
Daniel
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On behalf of Bogdan Iosif
Sent: Thursday, 29 August 2013 12:38
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Using multiple databases as external backend?
"you can use one Company Backend"
I take it to mean you can only use one backend for agents. Can anyone else confirm this please? I'm interested to know if I can use both DB and LDAP for agents.
On Thu, Aug 29, 2013 at 10:47 AM, Florian Edlhuber <florian.edlhuber@gmx.de> wrote:
Hi,
it is in http://doc.otrs.org/3.2/en/html/external-backends.html#multiple-customer-backend-example
You can use up to 10 Customer Information backends. But IIRC you can use one Company Backend.
Ciao
Flo
29.08.2013 09:42 - Stefan Michael Guenther wrote:
Hello,
am I right in assuming that it is only possible to have ONE external customer
user backend, but not more?
One of our clients has bought another company and if it is not possible to connect
both customer databases to OTRS, we would have to find a way to merge the two
databases into an internal customer database for OTRS.
Regards,
Stefan
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
---------------------------------------------------------------------
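Added example (not written by any poster in this thread, nor taken from the OTRS project): a Kernel/Config.pm fragment for the setup the thread asks about, where agents defined only in the OTRS database coexist with LDAP/AD agents. It assumes OTRS tries the unnumbered AuthModule first and then AuthModule1 through AuthModule10 in order, and that each LDAP key carries the same numeric suffix as its AuthModule entry; the host, DNs and password are placeholders.

```perl
# Fragment for the Load() sub in Kernel/Config.pm (added example).
# All hosts, DNs and passwords below are placeholders, not values from the thread.
#
# Assumption: OTRS tries the agent auth backends in the order
# "", 1, 2, ... 10 and stops at the first one that accepts the login.

# Backend "" (no suffix): keep the database backend so that agents who
# exist only in the OTRS database (for example a temporary contractor)
# can log in with a password set in the admin area.
# Setting this key to 'Kernel::System::Auth::LDAP' instead replaces the
# DB backend, and every login is then checked against LDAP only.
$Self->{'AuthModule'} = 'Kernel::System::Auth::DB';

# Backend 1: LDAP / Active Directory, tried when backend "" rejects the login.
# The suffix "1" must appear on every key that belongs to this backend.
$Self->{'AuthModule1'}               = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'}   = 'ldap.example.invalid';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=example,DC=invalid';
$Self->{'AuthModule::LDAP::UID1'}    = 'sAMAccountName';

# Restrict agent logins to members of one directory group.
$Self->{'AuthModule::LDAP::GroupDN1'}    = 'CN=otrs-agents,OU=Groups,DC=example,DC=invalid';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'}   = 'DN';

# Service account used for the search bind; give it read-only rights
# in the directory.
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=otrs-bind,OU=Service,DC=example,DC=invalid';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'CHANGE-ME';
```

Because the bind password is stored in clear text, Config.pm should be readable only by the OTRS and web server accounts.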