Re: [otrs] LDAP(AD) + UserSyncLDAPMap

I've tried to remove the group restriction just to test (even though I have to use it) but still the same thing. Synchronization is not working properly. The fields all seem correct. I can't find a typo or misconfiguration with regards to LDAP x AD.

May it be caused because I have not implemented LDAP for Customers yet, only for agents, or maybe still a bug in this version specifically?

Fernando
________________________________
From: Leong Tat Lee [mailto:leongtat3110@hotmail.com]
Sent: 08 July 2009 09:51
To: Fernando Frediani (Qube)
Subject: RE: [otrs] LDAP(AD) + UserSyncLDAPMap

Probably I can post my configuration here. My advice is to try removing the group restriction. Get the most direct way to query against your AD first. You just need to paste it into your config.pm:

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'example.example.com.my';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=example,DC=com,DC=my';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=XXX,OU=XXX,DC=XXXX,DC=XXX,DC=com,DC=my';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'example.example.com.my';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=example,DC=com,DC=my';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=XXX,OU=XXX,DC=XXXX,DC=XXX,DC=com,DC=my';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host => 'example.example.com.my',
        BaseDN => 'DC=example,DC=com,DC=my',
        SSCOPE => 'sub',
        UserDN => 'CN=XXX,OU=XXX,DC=XXXX,DC=XXX,DC=com,DC=my',
        UserPw => 'password',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID => '[customer_id]',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
        #[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
};

# UserSyncLDAPMap
# (map if agent should create/synced from LDAP to DB after login)
$Self->{UserSyncLDAPMap} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
};

# UserSyncLDAPGroups
# (If "LDAP" was selected for AuthModule, you can specify
# initial user groups for first login.)
$Self->{UserSyncLDAPGroups} = [
    'users',
];

# UserTable
$Self->{DatabaseUserTable} = 'users';
$Self->{DatabaseUserTableUserID} = 'id';
$Self->{DatabaseUserTableUserPW} = 'pw';
$Self->{DatabaseUserTableUser} = 'login';
________________________________
Subject: RE: [otrs] LDAP(AD) + UserSyncLDAPMap
Date: Wed, 8 Jul 2009 09:45:09 +0100
From: fernando.frediani@qubenet.co.uk
To: leongtat3110@hotmail.com; otrs@otrs.org

Hi,

givenName, sn and mail are valid fields on LDAP (AD). According to my configuration, which I've posted below, and compared with many other examples, I can't see a reason why it is not synchronizing. I've seen some people saying it worked for them in a previous version but when they upgraded it stopped working. I was wondering if it is a bug in version 2.3.4 and if anyone has experienced the same problem.

Thanks

Fernando
________________________________
From: Leong Tat Lee [mailto:leongtat3110@hotmail.com]
Sent: 08 July 2009 04:38
To: otrs@otrs.org; Fernando Frediani (Qube)
Subject: RE: [otrs] LDAP(AD) + UserSyncLDAPMap
________________________________
Date: Tue, 7 Jul 2009 16:13:44 +0100
From: fernando.frediani@qubenet.co.uk
To: otrs@otrs.org
Subject: [otrs] LDAP(AD) + UserSyncLDAPMap

Hi Fernando,

I have encountered this error before: "Panic! No UserData". For your information, if you were to use LDAP to authenticate your users, you need to get them synced to the local database before they can log in to the agent site. I suspect the error below was the synchronisation issue. Try to browse to your LDAP and check the fields below, such as givenName, sn, and mail. It will not work if one of the fields I mention above is not present in LDAP, as the sync process needs the info to create the authenticated user in the local DB.

Hope this helps. Thanks.

Guys,

I've been trying to configure my OTRS (version 2.3.4) to authenticate Agents against an LDAP server (Active Directory actually).

It works fine for users who were already registered in the DB before the LDAP config. It correctly authenticates only the users that belong to the OTRS_agents group and also sets their permissions and groups depending on whether they belong to OTRS_agents.

The problem I have is that if it is a new user created on AD, it doesn't authenticate and gets the famous message "Panic! No UserData".

I have already tried to change some specific settings but it never works correctly. I will put right below the settings I am not sure of, and further below my full config with regards to LDAP Authentication. Can someone give me a hand with it?

$Self->{UserSyncLDAPMap} = {
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
};

Not sure if for version 2.3.4 the correct one is "UserFirstname" or simply "Firstname", and the same for the others.

$Self->{UserSyncLDAPGroups} = [
    'users',
];

Is the "users" there the table in the DB where the data is being synced TO, or the group on my AD where the data should be pulled from?

$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_agents,ou=Groups,ou=COMPANY,dc=subdomain,dc=domain,dc=net';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

Are the last two lines correct? "member" or "sAMAccountName" or "memberUid"? And "DN" if I am using Active Directory?

Below my full LDAP config:

Thanks in advance.

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'hostname';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=COMPANY,dc=subdomain,dc=domain,dc=net';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_agents,ou=Groups,ou=COMPANY,dc=subdomain,dc=domain,dc=net';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'bind-user';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '*************';

$Self->{UserSyncLDAPMap} = {
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
};

$Self->{UserSyncLDAPGroups} = [
    'users',
];

# UserTable
$Self->{DatabaseUserTable} = 'users';
$Self->{DatabaseUserTableUserID} = 'id';
$Self->{DatabaseUserTableUserPW} = 'pw';
$Self->{DatabaseUserTableUser} = 'login';

$Self->{'UserSyncLDAPGroupsDefinition'} = {
    'cn=OTRS_agents,ou=Groups,ou=COMPANY,dc=subdomain,dc=domain,dc=net' => {
        'users' => {
            rw => 1,
        },
        'faq' => {
            rw => 1,
        },
        'stats' => {
            rw => 1,
        },
    },
};

$Self->{'UserSyncLDAPRolesDefination'} = {
    # LDAP group
    'cn=OTRS_agents,ou=Groups,ou=COMPANY,dc=subdomain,dc=domain,dc=net' => {
        'users' => 1,
        'faq' => 1,
        'stats' => 1,
    },
};

Just to let you know, I found what the problem was. It wasn't a bug or a typo as I suspected. On the AD, the e-mail address for that user had not been filled in, and it is a mandatory field to register a new user in the DB. Once I had done that, I could log in the first time and the data was synced between LDAP and DB.

Thanks for your time in trying to help. Working on Customers authentication now.

Fernando
________________________________
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Fernando Frediani (Qube)
Sent: 08 July 2009 13:39
To: otrs@otrs.org; Leong Tat Lee
Subject: Re: [otrs] LDAP(AD) + UserSyncLDAPMap

I've tried to remove the group restriction just to test (even though I have to use it) but still the same thing. Synchronization is not working properly. The fields all seem correct. I can't find a typo or misconfiguration with regards to LDAP x AD.

May it be caused because I have not implemented LDAP for Customers yet, only for agents, or maybe still a bug in this version specifically?

Fernando
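The check that the resolution above points to, as an added example (not code from the thread or from OTRS): a Perl script that reads an LDIF export of the agent accounts and lists which ones lack an attribute named in UserSyncLDAPMap, so they can be corrected before the first login. The LDIF entries embedded below are constructed, and parse_ldif and missing_attributes are hypothetical helper names.

```perl
# Added example (not OTRS code): find accounts missing a UserSyncLDAPMap attribute.
use strict; use warnings;
use MIME::Base64 qw(decode_base64);

# Same map as in the thread: OTRS user field => LDAP attribute.
my %UserSyncLDAPMap = ( UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail' );

# Parse LDIF into hashes: { dn => ..., attrs => { lowercased name => [values] } }.
sub parse_ldif {
    my ($text) = @_;
    $text =~ s/\r?\n //g;    # unfold continuation lines (RFC 2849)
    my @entries;
    for my $block ( split /\r?\n\s*\n/, $text ) {
        my %entry = ( attrs => {} );
        for my $line ( split /\r?\n/, $block ) {
            next unless $line =~ /^([A-Za-z][\w;-]*)(::?)\s*(.*)$/;
            my ( $name, $sep, $value ) = ( lc($1), $2, $3 );
            $value = decode_base64($value) if $sep eq '::';    # base64-encoded value
            if   ( $name eq 'dn' ) { $entry{dn} = $value }
            else                   { push @{ $entry{attrs}{$name} }, $value }
        }
        push @entries, \%entry if defined $entry{dn};
    }
    return @entries;
}

# LDAP attributes from the map that are absent or blank on this entry;
# attribute names are compared case-insensitively, as LDAP does.
sub missing_attributes {
    my ( $entry, $map ) = @_;
    my @missing;
    for my $attr ( sort values %$map ) {
        my $values = $entry->{attrs}{ lc $attr } || [];
        push @missing, $attr unless grep { /\S/ } @$values;
    }
    return @missing;
}

# Constructed sample export; every name and DN here is a placeholder.
my $ldif = <<'LDIF';
dn: CN=Alice Example,OU=COMPANY,DC=example,DC=net
givenName: Alice
sn: Example
mail: alice@example.net

dn: CN=Bob Example,OU=COMPANY,DC=example,DC=net
givenName: Bob
sn: Example
LDIF

for my $entry ( parse_ldif($ldif) ) {
    my @missing = missing_attributes( $entry, \%UserSyncLDAPMap );
    print "$entry->{dn}: ", ( @missing ? "MISSING @missing" : 'ok' ), "\n";
}
```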