
Hi all,
I sent this mail to the user mailing list, but I think it's a
"bug", so I am reposting my comment to the dev mailing list :)
For people who are not on the user mailing list I leave the entire
original mail.
On Mon, 8 Nov 2004 17:20:55 +0100, Yann Richard
Hi all,
First, I apologize for my poor English!
I am currently working on multiple customer IDs / Customer User <-> Groups.
I use an LDAP backend for authenticating my users and an LDAP backend to extract information about them.
In the Auth backend I use an LDAP group to know whether someone is an authorized customer/agent. I use the LDAP data backend to map LDAP data to the OTRS users who are authenticated. For this part all is very good! (OTRS is the first product I have seen that really separates the Auth backend and the user data backend!)
The problem is: when I open a ticket, I can't see it (I think the multiple IDs don't work for my configuration). I have made no configuration in Customer User <-> Group. I can see the CustomerIDs in the agent interface and they are correctly set. When I click on Customer User <-> Group or Customer User, OTRS tries to list all LDAP users instead of listing only the users who belong to the LDAP group from the Auth backend config. I think this is because OTRS uses the user data backend to build this list. In the user data backend config there is no way to limit searches by adding an LDAP group; there is only an AlwaysFilter. So, is there an undocumented option for this backend to restrict the data backend with an LDAP group?
Thanks for the help ;)
Regards,
Yann
PS: I use OTRS 1.3.2. Some extracts of my config:
# --------------------------------------------------- #
# customer authentication settings                    #
# (enable what you need, auth against otrs db or      #
# against a LDAP directory)                           #
# --------------------------------------------------- #

# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'xxx.xxx.fr';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=People,dc=ldap,dc=xxx,dc=fr';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrs-client,ou=Groupe,dc=ldap,dc=xxx,dc=fr';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
# for non ldap posixGroups objectclass (full user dn)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'someuser';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '****';

$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# CustomerUser
# (customer user ldap backend and settings)
$Self->{CustomerUser} = {
    Name   => 'LDAP Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'xxx.xxx.fr',
        # ldap base dn
        BaseDN => 'ou=People,dc=ldap,dc=xxx,dc=fr',
        # search scope (one|sub)
        SSCOPE => 'one',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'cn=otrs,ou=System,dc=ldap,dc=xxx,dc=fr',
        UserPw => 'otrs',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '(!(edupersonAffiliation=student))',
        # if your frontend is e. g. iso-8859-1 and the charset of your
        # ldap server is utf-8, use this options (if not, ignore it)
        SourceCharset => 'utf-8',
        DestCharset   => 'iso-8859-1',
        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            port    => 389,
            timeout => 120,
            async   => 0,
            version => 3,
        },
    },
    # customer uniq id
    CustomerKey => 'uid',
    # customer #
    CustomerID => 'uid',
    CustomerUserListFields             => ['cn', 'mail'],
    CustomerUserSearchFields           => ['uid', 'displayName', 'cn', 'mail'],
    CustomerUserSearchPrefix           => '',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 100,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    AdminSetPreferences                => 0,
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        [ 'UserSalutation',  'Civilité',          'supannCivilite',          1,   0,   'var' ],
        [ 'UserFirstname',   'Prénom',            'givenname',               1,   1,   'var' ],
        [ 'UserLastname',    'Nom',               'sn',                      1,   1,   'var' ],
        [ 'UserLogin',       'Nom de connexion',  'uid',                     1,   1,   'var' ],
        [ 'UserEmail',       'E-mail',            'mail',                    1,   1,   'var' ],
        [ 'UserCustomerID',  'Identifiant',       'uid',                     0,   1,   'var' ],
        [ 'UserPhone',       'Téléphone',         'telephonenumber',         1,   0,   'var' ],
        [ 'UserAddress',     'Address',           'postaladdress',           1,   0,   'var' ],
        [ 'UserBuildingName','Batiment',          'buildingName',            '1', '0', 'var' ],
        [ 'UserRoomNumber',  'Bureau',            'roomnumber',              '1', '0', 'var' ],
        [ 'UserAffectation', 'Affectation',       'supannAffectation',       '1', '0', 'var' ],
        [ 'UserAffiliation', 'Affiliation',       'supannPrimaryAffiliation','1', '0', 'var' ],
        [ 'UserComment',     'Comment',           'description',             1,   0,   'var' ],
        # var, frontend, storage, shown, required, storage-type, http-link
        [ 'UserCustomerIDs', 'CustomerIDs',       'attxxxaffectation',       1,   0,   'var' ],
    ],
};
I have anonymized some fields for security reasons.
Now I am posting here about this part of my email:
When clicking on Customer User <-> Group or Customer User, OTRS tries to list all LDAP users instead of listing only the users who belong to the LDAP group from the Auth backend config.
So, I have seen that in Kernel/System/CustomerUser/LDAP.pm the method CustomerUserList doesn't use $Self->{AccessAttr} and $Self->{GroupDN} to limit the list of users displayed when clicking on CustomerUser <-> Group. So I think we must use the GroupDN attribute when it is set in the config file (as we do in Kernel/System/CustomerAuth/LDAP.pm in the Auth method, lines 142-180 for OTRS 1.3.2). Do you think it's a "bug" that could be corrected? (I can't make a patch myself because I am just beginning with Perl for the moment :))
Regards,
--
M. Yann Richard
yann.richard on gmail.com
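The mismatch described above (the Auth backend admits only members of GroupDN, while the CustomerUser data backend lists everyone under BaseDN that passes AlwaysFilter) can be closed on the data side by applying the same group check to the search results. The script below is an added example written for this thread; it is not code from OTRS, and it does not patch Kernel/System/CustomerUser/LDAP.pm. It reuses the DNs, scope, AlwaysFilter, CustomerKey and list fields from the posted config; the host name (ldap.example.fr) and the OTRS_LDAP_PW environment variable holding the bind password are assumptions, as is the client-side membership filtering itself (an alternative, not shown, is a server-side `(memberOf=...)` clause, which only works on directories that expose that attribute). The group is read once per listing, member DNs and entry DNs are normalised before comparison so that differences in case or spacing between the group's `member` values and the user entries do not silently drop users, and the search term is escaped to keep the caller's input from altering the LDAP filter.

```perl
#!/usr/bin/perl
# Added example (not OTRS code): list customer users from the LDAP data
# backend, but keep only entries that are members of the group the
# CustomerAuth::LDAP backend checks (GroupDN / AccessAttr, UserAttr => 'DN').
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SIZELIMIT_EXCEEDED);
use Net::LDAP::Util qw(canonical_dn escape_filter_value ldap_error_text);

# Values taken from the posted config; Host and the password source are
# assumptions made for this example.
my %Cfg = (
    Host         => 'ldap.example.fr',                               # assumed
    BaseDN       => 'ou=People,dc=ldap,dc=xxx,dc=fr',
    SSCOPE       => 'one',
    UserDN       => 'cn=otrs,ou=System,dc=ldap,dc=xxx,dc=fr',
    UserPw       => $ENV{OTRS_LDAP_PW},                              # assumed
    AlwaysFilter => '(!(edupersonAffiliation=student))',
    GroupDN      => 'cn=otrs-client,ou=Groupe,dc=ldap,dc=xxx,dc=fr',
    AccessAttr   => 'member',
    CustomerKey  => 'uid',
    ListFields   => [ 'cn', 'mail' ],
    ListLimit    => 100,
);
die "set OTRS_LDAP_PW to the bind password\n" unless defined $Cfg{UserPw};

# Normalise a DN for comparison: canonical attribute types and separators,
# then lower-case the whole string (pragmatic; assumes the directory does
# not rely on case-sensitive RDN values).
sub norm_dn {
    my ($dn) = @_;
    my $c = canonical_dn($dn);
    return lc( defined $c ? $c : $dn );
}

# Read the authorisation group once and return a set of its member DNs.
# This is the same group the Auth backend consults on login.
sub group_member_dns {
    my ( $ldap, $group_dn, $access_attr ) = @_;
    my $res = $ldap->search(
        base   => $group_dn,
        scope  => 'base',
        filter => '(objectClass=*)',
        attrs  => [$access_attr],
    );
    die 'group lookup failed: ' . ldap_error_text( $res->code ) . "\n" if $res->code;
    my ($entry) = $res->entries;
    die "group $group_dn not found\n" unless $entry;
    my %members = map { norm_dn($_) => 1 } $entry->get_value($access_attr);
    return \%members;
}

# Search the people subtree the way the data backend does (CustomerKey
# prefix search plus AlwaysFilter), then drop entries outside the group.
sub customer_user_list {
    my ( $ldap, $cfg, $members, $search ) = @_;
    my $term   = escape_filter_value($search) . '*';   # suffix '*' as in the config
    my $filter = sprintf '(&(%s=%s)%s)', $cfg->{CustomerKey}, $term, $cfg->{AlwaysFilter};
    my $res    = $ldap->search(
        base      => $cfg->{BaseDN},
        scope     => $cfg->{SSCOPE},
        filter    => $filter,
        attrs     => [ $cfg->{CustomerKey}, @{ $cfg->{ListFields} } ],
        sizelimit => $cfg->{ListLimit},
    );
    # Hitting the size limit is not fatal: keep the partial result.
    die 'user search failed: ' . ldap_error_text( $res->code ) . "\n"
        if $res->code && $res->code != LDAP_SIZELIMIT_EXCEEDED;

    my %list;
    for my $e ( $res->entries ) {
        next unless $members->{ norm_dn( $e->dn ) };     # the Auth-side check
        my $key = $e->get_value( $cfg->{CustomerKey} );
        next unless defined $key;
        $list{$key} = join ' ', map {
            my $v = $e->get_value($_); defined $v ? $v : ''
        } @{ $cfg->{ListFields} };
    }
    return \%list;
}

my $ldap = Net::LDAP->new( $Cfg{Host}, port => 389, version => 3, timeout => 120 )
    or die "connect to $Cfg{Host} failed: $@\n";
my $bind = $ldap->bind( $Cfg{UserDN}, password => $Cfg{UserPw} );
die 'bind failed: ' . ldap_error_text( $bind->code ) . "\n" if $bind->code;

my $members = group_member_dns( $ldap, $Cfg{GroupDN}, $Cfg{AccessAttr} );
my $list    = customer_user_list( $ldap, \%Cfg, $members, $ARGV[0] || '' );
printf "%-12s %s\n", $_, $list->{$_} for sort keys %$list;
$ldap->unbind;
```

Run it as `OTRS_LDAP_PW=... perl list-group-users.pl yan` to see the entries an agent would get for the search prefix "yan" once the group check is applied; with no argument it lists the whole group, subject to the 100-entry size limit. Reading the password from the environment rather than from the script mirrors the point that the bind credentials in Config.pm should not travel with the config when it is posted or shared.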