
Hi all,

First I apologize for my poor English!

I currently work on multiple customer IDs / Customer User <-> Groups. I use an LDAP backend for authenticating my users and an LDAP backend to extract information about them. In the Auth backend I use an LDAP group to know if someone is an authorized customer/agent. I use the LDAP data backend to map LDAP data to the OTRS users who are authenticated. For this part all is very good! (OTRS is the first product I have seen that really separates the Auth backend and the user data backend!)

The problem is: when I open a ticket, I can't see it (I think the multiple IDs don't work for my configuration). I have made no configuration in Customer User <-> Group. I can see the CustomerIDs in the agent interface and they are correctly set.

When I click on Customer User <-> Group or Customer User, OTRS tries to list all LDAP users instead of listing only the users who belong to the LDAP group in the Auth backend config. I think it's because OTRS uses the user data backend to make this list. In the user data backend config there is no way to limit searches by adding an LDAP group. There is only an AlwaysFilter.

So is there an undocumented option for this backend to restrict the data backend with an LDAP group?

Thanks for the help ;)

Regards,
Yann

ps: I use OTRS 1.3.2

Some extract of my config:

# --------------------------------------------------- #
# customer authentication settings                    #
# (enable what you need, auth against otrs db or      #
# against a LDAP directory)                           #
# --------------------------------------------------- #

# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'xxx.xxx.fr';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=People,dc=ldap,dc=xxx,dc=fr';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrs-client,ou=Groupe,dc=ldap,dc=xxx,dc=fr';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
# for non ldap posixGroups objectclass (full user dn)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'someuser';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '****';

$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# CustomerUser
# (customer user ldap backend and settings)
$Self->{CustomerUser} = {
    Name   => 'LDAP Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'xxx.xxx.fr',
        # ldap base dn
        BaseDN => 'ou=People,dc=ldap,dc=xxx,dc=fr',
        # search scope (one|sub)
        SSCOPE => 'one',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'cn=otrs,ou=System,dc=ldap,dc=xxx,dc=fr',
        UserPw => 'otrs',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '(!(edupersonAffiliation=student))',
        # if your frontend is e. g. iso-8859-1 and the charset of your
        # ldap server is utf-8, use this options (if not, ignore it)
        SourceCharset => 'utf-8',
        DestCharset   => 'iso-8859-1',
        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            port    => 389,
            timeout => 120,
            async   => 0,
            version => 3,
        },
    },
    # customer uniq id
    CustomerKey => 'uid',
    # customer #
    CustomerID => 'uid',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['uid', 'displayName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 100,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    AdminSetPreferences => 0,
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        [ 'UserSalutation', 'Civilité', 'supannCivilite', 1, 0, 'var' ],
        [ 'UserFirstname', 'Prénom', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Nom', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Nom de connexion', 'uid', 1, 1, 'var' ],
        [ 'UserEmail', 'E-mail', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'Identifiant', 'uid', 0, 1, 'var' ],
        [ 'UserPhone', 'Téléphone', 'telephonenumber', 1, 0, 'var' ],
        [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        [ 'UserBuildingName', 'Batiment', 'buildingName', '1', '0', 'var' ],
        [ 'UserRoomNumber', 'Bureau', 'roomnumber', '1', '0', 'var' ],
        [ 'UserAffectation', 'Affectation', 'supannAffectation', '1', '0', 'var' ],
        [ 'UserAffiliation', 'Affiliation', 'supannPrimaryAffiliation', '1', '0', 'var' ],
        [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
        # var, frontend, storage, shown, required, storage-type, http-link
        [ 'UserCustomerIDs', 'CustomerIDs', 'attxxxaffectation', 1, 0, 'var' ],
    ],
};

I have anonymized some fields for security reasons.

--
M. Yann Richard
yann.richard on gmail.com
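Added example, not from Yann's post and not OTRS code: a small Python model of the gap the post describes. The auth backend admits only DNs listed in the group's member attribute, while the CustomerUser backend lists every entry under BaseDN that passes AlwaysFilter, so the agent-side customer list can contain people who cannot log in. The directory entries are constructed; the DNs, GroupDN and AlwaysFilter mirror the post. Two things are assumptions: that OTRS AND-s the AlwaysFilter with the key search as (&<always>(uid=term*)), and that the directory maintains a memberOf attribute on user entries (an overlay or server feature, not present everywhere), which is the only way the data backend's AlwaysFilter can express group membership.

```python
"""Audit of auth-backend group check vs. data-backend listing (constructed model)."""
from fnmatch import fnmatchcase

BASE_DN = "ou=People,dc=ldap,dc=xxx,dc=fr"                   # CustomerUser BaseDN
GROUP_DN = "cn=otrs-client,ou=Groupe,dc=ldap,dc=xxx,dc=fr"    # AuthModule GroupDN
POST_FILTER = "(!(edupersonAffiliation=student))"             # AlwaysFilter from the post
# Assumption: user entries carry memberOf; verify on your own directory first.
GROUP_FILTER = f"(&{POST_FILTER}(memberOf={GROUP_DN}))"

YANN, ALICE, BOB = (f"uid={u},{BASE_DN}" for u in ("yann", "alice", "bob"))

# Constructed directory: attribute names lower-cased, values as lists.
DIRECTORY = {
    YANN:  {"uid": ["yann"], "cn": ["Yann Richard"], "mail": ["yann@example.invalid"],
            "edupersonaffiliation": ["staff"], "memberof": [GROUP_DN]},
    ALICE: {"uid": ["alice"], "cn": ["Alice Martin"], "mail": ["alice@example.invalid"],
            "edupersonaffiliation": ["faculty"]},       # not in the otrs-client group
    BOB:   {"uid": ["bob"], "cn": ["Bob Durand"], "mail": ["bob@example.invalid"],
            "edupersonaffiliation": ["student"]},       # dropped by AlwaysFilter anyway
    GROUP_DN: {"cn": ["otrs-client"], "objectclass": ["groupOfNames"], "member": [YANN]},
}


def _parse(s, i):
    """Recursive-descent parse starting at s[i] == '('; returns (node, next_i)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|":
        kids, i = [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    if op == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", node), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")  # split on first '='; DN values keep theirs
    return ("=", attr.strip().lower(), value), j + 1


def parse_filter(text):
    """Parse an RFC 4515 filter subset: equality, presence, '*' wildcards, &, |, !."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict attr -> list of values)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":                      # presence test
        return bool(values)
    return any(fnmatchcase(v.lower(), pattern.lower()) for v in values)


def auth_allowed(user_dn):
    """AccessAttr='member', UserAttr='DN': the group must list the full user DN."""
    return user_dn in DIRECTORY[GROUP_DN].get("member", [])


def data_backend_search(always_filter, term="", key="uid", prefix="", suffix="*"):
    """CustomerUser-style listing: scope 'one' under BASE_DN, AlwaysFilter AND key search."""
    tree = parse_filter(f"(&{always_filter}({key}={prefix}{term}{suffix}))")
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.endswith("," + BASE_DN) or "," in dn[: -len(BASE_DN) - 1]:
            continue                         # outside BaseDN, or deeper than one level
        if matches(tree, entry):
            hits.append(dn)
    return sorted(hits)


def listed_but_not_authorized(always_filter):
    """Entries an agent can pick in the customer list who cannot authenticate."""
    return [dn for dn in data_backend_search(always_filter) if not auth_allowed(dn)]


if __name__ == "__main__":
    for name, flt in (("post AlwaysFilter", POST_FILTER), ("memberOf AlwaysFilter", GROUP_FILTER)):
        print(f"{name}: listed={data_backend_search(flt)}")
        print(f"  listed but cannot authenticate: {listed_but_not_authorized(flt)}")
```

With the post's AlwaysFilter the audit reports alice: she passes the affiliation filter, so she shows up in Customer User and Customer User <-> Group, but the auth backend rejects her because she is not a member of cn=otrs-client. Only when the directory exposes memberOf can the data backend's AlwaysFilter be made to agree with the auth backend's GroupDN; without that attribute, the configuration shown has no knob that restricts the listing by group, which is exactly the behaviour the post observes.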