Yes, Gerald, as well as appending that index key to each of the fields within each Auth entry. That was the detail that was inconsistent in the examples I found through Google. Let me provide an edited copy of my configuration to help clarify. I changed the subject line to better match my particular scenario.
If any of the information is unclear, feel free to drop me a line.
Requirements
To build an OTRS system that validates agents in one domain, but allows customers from two separate Active Directory domains without modifying domain trusts. Users should be able to log in with either set of credentials.
Description
The code below has particular information one should pay attention to. The source of this code goes into /opt/otrs/Kernel/Config.pm. In the code below, I am using Domain1 and Domain2. Customers are in either domain, but Agents are only in Domain1, in one particular OU. An LDAP inquiry user is configured in each domain. Also note that the variables within the secondary LDAP calls also have the index appended to them. For example, notice the change to Host1 below.
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'dc.domain2.com';
Whereas in Customer::AuthModule the variable is referred to as Customer::AuthModule::LDAP::Host.
I also had other issues with making the LDAP calls, so instead of using the DN of the LDAP user, I used the simple email address. It is also easier to type and maintain, leaving me able to restructure Active Directory without breaking authentication. By structuring it at the root level of the LDAP tree, all users in either domain are allowed as customers using single sign-on.
I should clarify that my definition of single sign-on is not the same as automatic login based on the credentials of the logged-in user. It merely means that the same credentials used to log in to Windows will log you in to the support site. The user will still need to enter these to gain access to the site. I have not found a solution for auto-login as of yet.
Code
# ---------------------------------------------------- #
# LDAP Configuration Settings for Agents - Domain 1    #
# ---------------------------------------------------- #
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'dc.domain1.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Controllers,dc=domain1,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'ldapuser@domain1.com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '************';
$Self->{'AuthModule::LDAP::GroupDN'} = 'ou=Agents,dc=domain1,dc=com';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
    sscope  => 'sub',
};
# ---------------------------------------------------- #
# User Configurations - Domain 1                       #
# ---------------------------------------------------- #
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'dc.domain1.com';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain1,dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'ldapuser@domain1.com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '************';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
# ---------------------------------------------------- #
# User Configurations - Domain 2                       #
# ---------------------------------------------------- #
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'dc.domain2.com';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=domain2,dc=com';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserAttr1'} = 'DN';
$Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'ldapuser@domain2.com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = '************';
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# The index "1" belongs on this key as well; without it the Domain 1 value above is overwritten.
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
    'users',
];
# ---------------------------------------------------- #
# LDAP Configuration Settings for Domain 1 Customers   #
# ---------------------------------------------------- #
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc.domain1.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain1,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldapuser@domain1.com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '************';
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
$Self->{CustomerUser} = {
    Name   => 'LDAP Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host          => 'dc.domain1.com',
        BaseDN        => 'DC=domain1,DC=com',
        SSCOPE        => 'sub',
        UserDN        => 'ldapuser@domain1.com',
        UserPw        => '************',
        AlwaysFilter  => '(objectclass=user)',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
    },
    CustomerKey                          => 'sAMAccountName',
    CustomerID                           => 'mail',
    CustomerUserListFields               => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields             => ['sAMAccountName', 'cn', 'givenname', 'mail'],
    CustomerUserSearchPrefix             => '',
    CustomerUserSearchSuffix             => '*',
    CustomerUserSearchListLimit          => 250,
    CustomerUserPostMasterSearchFields   => ['mail'],
    CustomerUserNameFields               => ['givenname', 'sn'],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences                  => 0,
    CacheTTL                             => 0,
    Map => [
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};
# ---------------------------------------------------- #
# LDAP Configuration Settings for Domain 2 Customers   #
# ---------------------------------------------------- #
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'dc.domain2.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=domain2,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'ldapuser@domain2.com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = '************';
$Self->{'Customer::AuthModule::LDAP::Params1'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
$Self->{CustomerUser1} = {
    Name   => 'LDAP Backend1',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host          => 'dc.domain2.com',
        BaseDN        => 'DC=domain2,DC=com',
        SSCOPE        => 'sub',
        UserDN        => 'ldapuser@domain2.com',
        UserPw        => '************',
        AlwaysFilter  => '(objectclass=user)',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
    },
    CustomerKey                          => 'sAMAccountName',
    CustomerID                           => 'mail',
    CustomerUserListFields               => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields             => ['sAMAccountName', 'cn', 'givenname', 'mail'],
    CustomerUserSearchPrefix             => '',
    CustomerUserSearchSuffix             => '*',
    CustomerUserSearchListLimit          => 250,
    CustomerUserPostMasterSearchFields   => ['mail'],
    CustomerUserNameFields               => ['givenname', 'sn'],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences                  => 0,
    CacheTTL                             => 0,
    Map => [
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};
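An added check, not from this thread or from OTRS itself, for the indexing rule the thread describes: every key of an indexed Auth block must carry that block's suffix, and a key that loses its suffix silently overwrites the same key of an earlier backend (in the constructed SAMPLE_CONFIG below, Domain 2's bind password replaces Domain 1's). The helper `family` assumes everything before `::LDAP::` names the block's module, which holds for the key families shown on this page.

```python
import re
from collections import defaultdict

# Constructed excerpt of an OTRS Config.pm: the Domain 2 customer block has
# one slip, SearchUserPw without its "1" suffix, so it overwrites Domain 1's.
SAMPLE_CONFIG = """
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc.domain1.com';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldapuser@domain1.com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'pw-domain1';
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'dc.domain2.com';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'ldapuser@domain2.com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'pw-domain2';
"""

# Matches $Self->{'Some::Key1'} or $Self->{SomeKey1} and splits off the index.
KEY_RE = re.compile(r"^\s*\$Self->\{'?([A-Za-z:]+?)(\d*)'?\}\s*=", re.M)

def family(base):
    """Block a key belongs to: 'Customer::AuthModule::LDAP::Host' -> 'Customer::AuthModule'."""
    return base.split("::LDAP::")[0]

def lint_indexes(config_text):
    """Return (problems, overrides) for a Config.pm text.

    problems:  sub-keys whose index differs from the most recently declared
               module root of the same family (AuthModule, AuthModule1, ...).
    overrides: (base, index) pairs assigned more than once; Perl keeps the
               last value, so an earlier backend's setting is silently lost.
    """
    current = {}              # family -> index of the last root declaration
    seen = defaultdict(int)   # (base, index) -> number of assignments
    problems, overrides = [], []
    for m in KEY_RE.finditer(config_text):
        base, index = m.group(1), m.group(2)
        fam = family(base)
        if base == fam:       # a module root such as AuthModule1 opens a new block
            current[fam] = index
        else:
            expected = current.get(fam, "")
            if expected != index:
                problems.append(f"{base}{index}: expected index '{expected}'")
        seen[(base, index)] += 1
        if seen[(base, index)] == 2:
            overrides.append(f"{base}{index}")
    return problems, overrides

if __name__ == "__main__":
    found, lost = lint_indexes(SAMPLE_CONFIG)
    for p in found:
        print("index mismatch:", p)
    for o in lost:
        print("silently overwritten:", o)
```

Run it against the real /opt/otrs/Kernel/Config.pm by reading the file into `lint_indexes`; an empty result for both lists means every indexed block is self-consistent.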
From: Gerald Young [mailto:crythias@gmail.com]
Sent: Thursday, August 29, 2013 8:34 AM
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Using multiple databases as external backend?
The docs don't explicitly state this but the concept has been validated in practice and in the code. I realize this is a "take my word for it" thing, but it's pretty much as simple as appending a different index/number to each key of a separate set of Auth entries.
On Thu, Aug 29, 2013 at 7:54 AM, Marty Hillman <mhillman@equuscs.com> wrote:
Good morning Gerald – Can you point to a source for this? I need to authenticate against two ADs using LDAP. I believe it is as simple as using the existing AuthModule and then adding AuthModule1 below it. I am looking for confirmation.
From: Gerald Young [mailto:crythias@gmail.com]
Sent: Thursday, August 29, 2013 6:27 AM
Customers, Companies, and Users (Agents) all can authenticate (Auth) and have demographics (Sync|CustomerUser/Map) at up to 11 different sources ('', 1 ..10) (a blank "index" counts as one of them).
On Thu, Aug 29, 2013 at 6:38 AM, Bogdan Iosif <bogdan.iosif@gmail.com> wrote:
"you can use one Company Backend"
I take it to mean you can only use one backend for agents. Can anyone else confirm this please? I'm interested to know if I can use both DB and LDAP for agents.
On Thu, Aug 29, 2013 at 10:47 AM, Florian Edlhuber <florian.edlhuber@gmx.de> wrote:
Hi,
it is in http://doc.otrs.org/3.2/en/html/external-backends.html#multiple-customer-backend-example
You can use up to 10 Customer Information backends. But IIRC you can use one Company Backend.
Ciao
Flo
29.08.2013 09:42 - Stefan Michael Guenther wrote:
Hello,
am I right in assuming that it is only possible to have ONE external customer user backend, but not more?
One of our clients has bought another company, and if it is not possible to connect both customer databases to OTRS, we would have to find a way to merge the two databases into an internal customer database for OTRS.
Regards,
Stefan
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs