My Config.pm appears to be configured correctly, but it does not work. I have looked at the articles in your links along with dozens of others. All of them have the exact same configuration as what I posted in my initial email unless there is a character somewhere I am missing. I copied and pasted the configurations changing my DN, CN, OU, DC in accordance with my AD structure. It is obviously authenticating, so I am fairly certain I did it right. The sAMAccountName and mail settings have been changed various times to try to get it working. Until just before I posted my message, they were both set to 'mail'. One user wrote that the Customer::Auth page needed to be modified in SysConfig. http://deckerix.com/blog/configura-tu-otrs-con-soporte-ldap/ I did this as well and verified the settings in ZZZauto.pm.

From how I read your email ("OTRS will not populate your customer_user database"), I am going to have to hand enter 500 user accounts for the potential employees that can enter tickets or they will not be able to use the system. If I understand you correctly, that is a project killer.

If the system can create the agent accounts based on settings in the Config.pm file, why would it not be able to do so with customers? From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Leonardo Certuche Sent: Tuesday, March 19, 2013 2:03 PM To: User questions and discussions about OTRS. Subject: Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." Hello Marty, OTRS will not populate your customer_user database once integrated with an LDAP/AD. It will check if the user exists on 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com' and then it will confirm the password. If it matches, it will let the customer log in. What you are facing probably has to do with the fact that first you associate CustomerID with one thing: CustomerID => 'sAMAccountName', And then you map it with another: [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ], Have you tried the following entries? https://www.google.com.co/search?q=site%3Aforums.otterhub.org+%22Authenticat... Leonardo Certuche www.itconsultores.com.cohttp://www.itconsultores.com.co Medellín, Colombia On 19 March 2013 13:41, Marty Hillman mailto:mhillman@equuscs.com> wrote: I have Googled and screwed around with Config.pm for hours. The configuration is creating agents in the database appropriately, but it is not creating users in the customer database. I am using this as in internal system only, so there is no outside access. I want any user to be able to use their AD credentials to log on. If there is not an account in OTRS, it should create one for them. Anyone have any thoughts on what I am overlooking? Here is my /opt/otrs/Kernel/Config.pm. I copied and pasted from several Google results and modified for my own information. It does validate the password is correct for the customer, but does not add them to the database if they don't exist. # ---------------------------------------------------- # # http://wiki.otterhub.org/index.php?title=Using_OTRS_with_Active_Directory_as... # # ---------------------------------------------------- # # This is an example configuration for using an MS AD backend $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'; $Self->{'AuthModule::LDAP::Host'} = '172.16.10.21'; $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com'; $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName'; # Check if the user is allowed to auth in a posixGroup # (e. g. user needs to be in a group OTRS_Agents to use otrs) $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Corp_Admin_MIS,OU=level2,OU=level1,DC=domain,DC=com'; $Self->{'AuthModule::LDAP::AccessAttr'} = 'member'; $Self->{'AuthModule::LDAP::UserAttr'} = 'DN'; # Bind credentials to log into AD $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password'; # in case you want to add always one filter to each ldap query, use # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)' $Self->{'AuthModule::LDAP::AlwaysFilter'} = ''; # in case you want to add a suffix to each login name, then # you can use this option. e. g. user just want to use user but # in your ldap directory exists user@domain. #$Self->{'AuthModule::LDAP::UserSuffix'} = ''; # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP) $Self->{'AuthModule::LDAP::Params'} = { port => 389, timeout => 120, async => 0, version => 3, }; # Now sync data with OTRS DB $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP'; $Self->{'AuthSyncModule::LDAP::Host'} = '172.16.10.21'; $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com'; $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName'; $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password'; $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = { # DB -> LDAP UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail', }; # AuthSyncModule::LDAP::UserSyncInitialGroups # (sync following group with rw permission after initial create of first agent # login) $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [ 'users', ]; # ---------------------------------------------------- # # Customer authentication section # # ---------------------------------------------------- # $Self->{'SecureMode'} = '1'; # The name to be used for this server when constructing URLs in email $Self-> {'FQDN'} = 'otrsdev.domain.comhttp://otrsdev.domain.com'; #Enable LDAP authentication for Customers / Users $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP'; $Self->{'Customer::AuthModule::LDAP::Host'} = '172.16.10.21'; $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=com'; $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName'; $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN'; $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password'; $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)'; $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = ''; # $Self->{'AuthModule::LDAP::Die'} = 1; #CustomerUser #(customer user database backend and settings) $Self->{CustomerUser} = { Module => 'Kernel::System::CustomerUser::LDAP', Params => { Host => '172.16.10.21', BaseDN => 'DC=domain,DC=com', async => 0, port => 389, sscope => 'sub', timeout => 120, version => 3, UserDN => 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; UserPw => 'password', }, # Unique customer key/id CustomerKey => 'sAMAccountName', CustomerID => 'sAMAccountName', CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'], CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'], CustomerUserSearchPrefix => '', CustomerUserSearchSuffix => '*', CustomerUserSearchListLimit => 250, CustomerUserPostMasterSearchFields => ['mail'], CustomerUserNameFields => ['givenname', 'sn'], Map => [ # note: Login, Email and CustomerID needed! # var, frontend, storage, shown, required, storage-type #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ], [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ], [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ], [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ], [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ], [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ], [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ], #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ], #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ], ], }; # ---------------------------------------------------- # --------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

LDAP is a query against an external source, not a sync to the database. Everything (customer or agent authentication or demographics) does NOT have to exist in OTRS. That's why there is ability for external backends. What you think "should" happen -- and isn't happening -- is intentional and proper. That's what the "Map" is for in CustomerUser. It tells OTRS what fields your external back end uses for fields that OTRS uses. On Tue, Mar 19, 2013 at 4:06 PM, Marty Hillman wrote:

Come to think of it, if it does not add the customers to the database, the feature is pretty worthless. Why validate against LDAP/AD at all for customers if everything has to exist in the database? That would just be adding useless complexity.****

** **

*From:* otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] *On Behalf Of *Marty Hillman *Sent:* Tuesday, March 19, 2013 3:00 PM

*To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

** **

My Config.pm appears to be configured correctly, but it does not work. I have looked at the articles in your links along with dozens of others. All of them have the exact same configuration as what I posted in my initial email unless there is a character somewhere I am missing. I copied and pasted the configurations changing my DN, CN, OU, DC in accordance with my AD structure. It is obviously authenticating, so I am fairly certain I did it right. The sAMAccountName and mail settings have been changed various times to try to get it working. Until just before I posted my message, they were both set to ‘mail’.****

** **

One user wrote that the Customer::Auth page needed to be modified in SysConfig. http://deckerix.com/blog/configura-tu-otrs-con-soporte-ldap/ I did this as well and verified the settings in ZZZauto.pm.****

** **

From how I read your email (“OTRS will not populate your customer_user database”), I am going to have to hand enter 500 user accounts for the potential employees that can enter tickets or they will not be able to use the system. If I understand you correctly, that is a project killer.*** *

** **

If the system can create the agent accounts based on settings in the Config.pm file, why would it not be able to do so with customers?****

** **

*From:* otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] *On Behalf Of *Leonardo Certuche *Sent:* Tuesday, March 19, 2013 2:03 PM *To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

** **

Hello Marty,****

** **

OTRS will not populate your customer_user database once integrated with an LDAP/AD. It will check if the user exists on 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com' and then it will confirm the password. If it matches, it will let the customer log in.****

** **

What you are facing probably has to do with the fact that first you associate CustomerID with one thing:****

** **

CustomerID => 'sAMAccountName',****

** **

And then you map it with another:****

** **

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],****

** **

Have you tried the following entries?****

** **

https://www.google.com.co/search?q=site%3Aforums.otterhub.org+%22Authenticat... ****

****

Leonardo Certuche www.itconsultores.com.co Medellín, Colombia****

** **

On 19 March 2013 13:41, Marty Hillman wrote:****

I have Googled and screwed around with Config.pm for hours. The configuration is creating agents in the database appropriately, but it is not creating users in the customer database. I am using this as in internal system only, so there is no outside access. I want any user to be able to use their AD credentials to log on. If there is not an account in OTRS, it should create one for them. ****

****

Anyone have any thoughts on what I am overlooking? Here is my /opt/otrs/Kernel/Config.pm. I copied and pasted from several Google results and modified for my own information. It does validate the password is correct for the customer, but does not add them to the database if they don’t exist.****

****

# ---------------------------------------------------- #****

# http://wiki.otterhub.org/index.php?title=Using_OTRS_with_Active_Directory_as... ****

# ---------------------------------------------------- #****

****

# This is an example configuration for using an MS AD backend****

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';****

$Self->{'AuthModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';****

$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';****

****

# Check if the user is allowed to auth in a posixGroup****

# (e. g. user needs to be in a group OTRS_Agents to use otrs)****

$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Corp_Admin_MIS,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';****

$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';****

****

# Bind credentials to log into AD****

$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';****

****

# in case you want to add always one filter to each ldap query, use*** *

# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'****

$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';****

****

# in case you want to add a suffix to each login name, then****

# you can use this option. e. g. user just want to use user but****

# in your ldap directory exists user@domain.****

#$Self->{'AuthModule::LDAP::UserSuffix'} = '';****

****

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)****

$Self->{'AuthModule::LDAP::Params'} = {****

port => 389,****

timeout => 120,****

async => 0,****

version => 3,****

};****

****

# Now sync data with OTRS DB****

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';****

$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';****

$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';****

$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';****

****

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {****

# DB -> LDAP****

UserFirstname => 'givenName',****

UserLastname => 'sn',****

UserEmail => 'mail',****

};****

****

# AuthSyncModule::LDAP::UserSyncInitialGroups****

# (sync following group with rw permission after initial create of first agent****

# login)****

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [****

'users',****

];****

****

# ---------------------------------------------------- #****

# Customer authentication section #****

# ---------------------------------------------------- #****

****

$Self->{'SecureMode'} = '1';****

# The name to be used for this server when constructing URLs in email****

$Self-> {'FQDN'} = 'otrsdev.domain.com';****

****

#Enable LDAP authentication for Customers / Users****

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP'; ****

$Self->{'Customer::AuthModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=com';*** *

$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';****

$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';****

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';****

$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';****

$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '';****

# $Self->{'AuthModule::LDAP::Die'} = 1;****

****

#CustomerUser****

#(customer user database backend and settings)****

$Self->{CustomerUser} = {****

Module => 'Kernel::System::CustomerUser::LDAP',****

Params => {****

Host => '172.16.10.21',****

BaseDN => 'DC=domain,DC=com',****

async => 0,****

port => 389,****

sscope => 'sub',****

timeout => 120,****

version => 3,****

UserDN => 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';* ***

UserPw => 'password',****

},****

****

# Unique customer key/id****

CustomerKey => 'sAMAccountName',****

CustomerID => 'sAMAccountName',****

CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],****

CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],****

CustomerUserSearchPrefix => '',****

CustomerUserSearchSuffix => '*',****

CustomerUserSearchListLimit => 250,****

CustomerUserPostMasterSearchFields => ['mail'],****

CustomerUserNameFields => ['givenname', 'sn'],****

Map => [****

# note: Login, Email and CustomerID needed!****

# var, frontend, storage, shown, required, storage-type****

#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],****

[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],*** *

[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],****

[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],****

[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],****

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],****

[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],****

#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],** **

#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],****

],****

};****

****

****

# ---------------------------------------------------- #****

****

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs****

** **

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

My view of "does not work" means that I can successfully authenticate the user using LDAP, but it tells me tough luck because the user does not exist in the internal DB. (see the subject line). If it does not need to see the customer backend, awesome. I was trying to get everything to authenticate with LDAP. That WAS the goal. I could care less about the database in this instance. But that is not what the error message is telling me. It tells me it needs both. 1. If I use a correct user name and password, I get the error in the subject line telling me that authentication succeeded, but it will still not log in because the customer is not in the database. 2. If I use a correct user name and bad password, I receive a "Login Failed! Your user name or password was entered incorrectly." This tells me that it is reading LDAP correctly and verifying the password properly; HOWEVER, I never get beyond the "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." Why do I need to care about the customer backend? Per your statement "the lower case Params should be with in another Params hash", I have revised that section as such (based on the information in the link you provided). #CustomerUser #(customer user database backend and settings) $Self->{CustomerUser} = { Module => 'Kernel::System::CustomerUser::LDAP', Params => { Host => '172.16.10.21', BaseDN => 'DC=domain,DC=com', SSCOPE => 'sub', UserDN => 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com', UserPw => 'password', Params { async => 0, port => 389, timeout => 120, version => 3, }, }, From: Gerald Young [mailto:crythias@gmail.com] Sent: Tuesday, March 19, 2013 3:39 PM To: User questions and discussions about OTRS. Subject: Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." http://forums.otterhub.org/viewtopic.php?f=60&t=16543 Please indicate what your view of "does not work" means in terms that can be addressed. If "does not work" means it doesn't populate customer_user table, it is working. If "does not work" accompanies an error of some sort, please provide the error. Most commonly, the error is roughly: "Customer Authentication succeeded but customer does not exist in database", which, admittedly, is confusing. If you've entered any information on how to obtain Customer demographics (CustomerUser) in SysConfig, it could possibly clobber your Config.pm settings. I will tell you that CustomerUser is missing Name => 'My Data Source' sscope should be SSCOPE the lower case Params should be with in another Params hash. http://doc.otrs.org/3.1/en/html/customer-user-backend.html#customer-backend-... On Tue, Mar 19, 2013 at 4:25 PM, Gerald Young mailto:crythias@gmail.com> wrote: LDAP is a query against an external source, not a sync to the database. Everything (customer or agent authentication or demographics) does NOT have to exist in OTRS. That's why there is ability for external backends. What you think "should" happen -- and isn't happening -- is intentional and proper. That's what the "Map" is for in CustomerUser. It tells OTRS what fields your external back end uses for fields that OTRS uses. On Tue, Mar 19, 2013 at 4:06 PM, Marty Hillman mailto:mhillman@equuscs.com> wrote: Come to think of it, if it does not add the customers to the database, the feature is pretty worthless. Why validate against LDAP/AD at all for customers if everything has to exist in the database? That would just be adding useless complexity. From: otrs-bounces@otrs.orgmailto:otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.orgmailto:otrs-bounces@otrs.org] On Behalf Of Marty Hillman Sent: Tuesday, March 19, 2013 3:00 PM To: User questions and discussions about OTRS. Subject: Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." My Config.pm appears to be configured correctly, but it does not work. I have looked at the articles in your links along with dozens of others. All of them have the exact same configuration as what I posted in my initial email unless there is a character somewhere I am missing. I copied and pasted the configurations changing my DN, CN, OU, DC in accordance with my AD structure. It is obviously authenticating, so I am fairly certain I did it right. The sAMAccountName and mail settings have been changed various times to try to get it working. Until just before I posted my message, they were both set to 'mail'. One user wrote that the Customer::Auth page needed to be modified in SysConfig. http://deckerix.com/blog/configura-tu-otrs-con-soporte-ldap/ I did this as well and verified the settings in ZZZauto.pm.

From how I read your email ("OTRS will not populate your customer_user database"), I am going to have to hand enter 500 user accounts for the potential employees that can enter tickets or they will not be able to use the system. If I understand you correctly, that is a project killer.

If the system can create the agent accounts based on settings in the Config.pm file, why would it not be able to do so with customers? From: otrs-bounces@otrs.orgmailto:otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.orgmailto:otrs-bounces@otrs.org] On Behalf Of Leonardo Certuche Sent: Tuesday, March 19, 2013 2:03 PM To: User questions and discussions about OTRS. Subject: Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." Hello Marty, OTRS will not populate your customer_user database once integrated with an LDAP/AD. It will check if the user exists on 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com' and then it will confirm the password. If it matches, it will let the customer log in. What you are facing probably has to do with the fact that first you associate CustomerID with one thing: CustomerID => 'sAMAccountName', And then you map it with another: [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ], Have you tried the following entries? https://www.google.com.co/search?q=site%3Aforums.otterhub.org+%22Authenticat... Leonardo Certuche www.itconsultores.com.cohttp://www.itconsultores.com.co Medellín, Colombia On 19 March 2013 13:41, Marty Hillman mailto:mhillman@equuscs.com> wrote: I have Googled and screwed around with Config.pm for hours. The configuration is creating agents in the database appropriately, but it is not creating users in the customer database. I am using this as in internal system only, so there is no outside access. I want any user to be able to use their AD credentials to log on. If there is not an account in OTRS, it should create one for them. Anyone have any thoughts on what I am overlooking? Here is my /opt/otrs/Kernel/Config.pm. I copied and pasted from several Google results and modified for my own information. It does validate the password is correct for the customer, but does not add them to the database if they don't exist. # ---------------------------------------------------- # # http://wiki.otterhub.org/index.php?title=Using_OTRS_with_Active_Directory_as... # # ---------------------------------------------------- # # This is an example configuration for using an MS AD backend $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'; $Self->{'AuthModule::LDAP::Host'} = '172.16.10.21'; $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com'; $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName'; # Check if the user is allowed to auth in a posixGroup # (e. g. user needs to be in a group OTRS_Agents to use otrs) $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Corp_Admin_MIS,OU=level2,OU=level1,DC=domain,DC=com'; $Self->{'AuthModule::LDAP::AccessAttr'} = 'member'; $Self->{'AuthModule::LDAP::UserAttr'} = 'DN'; # Bind credentials to log into AD $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password'; # in case you want to add always one filter to each ldap query, use # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)' $Self->{'AuthModule::LDAP::AlwaysFilter'} = ''; # in case you want to add a suffix to each login name, then # you can use this option. e. g. user just want to use user but # in your ldap directory exists user@domain. #$Self->{'AuthModule::LDAP::UserSuffix'} = ''; # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP) $Self->{'AuthModule::LDAP::Params'} = { port => 389, timeout => 120, async => 0, version => 3, }; # Now sync data with OTRS DB $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP'; $Self->{'AuthSyncModule::LDAP::Host'} = '172.16.10.21'; $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com'; $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName'; $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password'; $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = { # DB -> LDAP UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail', }; # AuthSyncModule::LDAP::UserSyncInitialGroups # (sync following group with rw permission after initial create of first agent # login) $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [ 'users', ]; # ---------------------------------------------------- # # Customer authentication section # # ---------------------------------------------------- # $Self->{'SecureMode'} = '1'; # The name to be used for this server when constructing URLs in email $Self-> {'FQDN'} = 'otrsdev.domain.comhttp://otrsdev.domain.com'; #Enable LDAP authentication for Customers / Users $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP'; $Self->{'Customer::AuthModule::LDAP::Host'} = '172.16.10.21'; $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=com'; $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName'; $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN'; $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password'; $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)'; $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = ''; # $Self->{'AuthModule::LDAP::Die'} = 1; #CustomerUser #(customer user database backend and settings) $Self->{CustomerUser} = { Module => 'Kernel::System::CustomerUser::LDAP', Params => { Host => '172.16.10.21', BaseDN => 'DC=domain,DC=com', async => 0, port => 389, sscope => 'sub', timeout => 120, version => 3, UserDN => 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; UserPw => 'password', }, # Unique customer key/id CustomerKey => 'sAMAccountName', CustomerID => 'sAMAccountName', CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'], CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'], CustomerUserSearchPrefix => '', CustomerUserSearchSuffix => '*', CustomerUserSearchListLimit => 250, CustomerUserPostMasterSearchFields => ['mail'], CustomerUserNameFields => ['givenname', 'sn'], Map => [ # note: Login, Email and CustomerID needed! # var, frontend, storage, shown, required, storage-type #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ], [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ], [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ], [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ], [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ], [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ], [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ], #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ], #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ], ], }; # ---------------------------------------------------- # --------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs --------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

"found in the customer backend" does not necessarily mean database. It means "backend" as in, what did you configure for "CustomerUser"? There should, theoretically, be additional information in the System Log within OTRS. On Tue, Mar 19, 2013 at 5:48 PM, Gerald Young wrote:

You still need a Name =>

On Tue, Mar 19, 2013 at 5:02 PM, Marty Hillman wrote:

...

My view of “does not work” means that I can successfully authenticate the user using LDAP, but it tells me tough luck because the user does not exist in the internal DB. (see the subject line). If it does not need to see the customer backend, awesome. I was trying to get everything to authenticate with LDAP. That WAS the goal. I could care less about the database in this instance. But that is not what the error message is telling me. It tells me it needs both.****

** **

**1. **If I use a correct user name and password, I get the error in the subject line telling me that authentication succeeded, but it will still not log in because the customer is not in the database.****

**2. **If I use a correct user name and bad password, I receive a “Login Failed! Your user name or password was entered incorrectly.”****

** **

This tells me that it is reading LDAP correctly and verifying the password properly; HOWEVER, I never get beyond the "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." Why do I need to care about the customer backend?****

****

Per your statement “the lower case Params should be with in another Params hash”, I have revised that section as such (based on the information in the link you provided).****

** **

#CustomerUser****

#(customer user database backend and settings)****

$Self->{CustomerUser} = {****

Module => 'Kernel::System::CustomerUser::LDAP',****

Params => {****

Host => '172.16.10.21’,****

BaseDN => 'DC=domain,DC=com',****

SSCOPE => 'sub',****

UserDN => 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com', ****

UserPw => 'password',****

Params {****

async => 0,****

port => 389,****

timeout => 120,****

version => 3,****

},****

},****

** **

** **

*From:* Gerald Young [mailto:crythias@gmail.com] *Sent:* Tuesday, March 19, 2013 3:39 PM

*To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

** **

http://forums.otterhub.org/viewtopic.php?f=60&t=16543****

** **

Please indicate what your view of "does not work" means in terms that can be addressed. If "does not work" means it doesn't populate customer_user table, it is working. If "does not work" accompanies an error of some sort, please provide the error. Most commonly, the error is roughly: "Customer Authentication succeeded but customer does not exist in database", which, admittedly, is confusing. If you've entered any information on how to obtain Customer demographics (CustomerUser) in SysConfig, it could possibly clobber your Config.pm settings. ****

** **

I will tell you that CustomerUser is missing ****

Name => 'My Data Source'****

** **

sscope should be SSCOPE****

** **

the lower case Params should be with in another Params hash.****

** **

http://doc.otrs.org/3.1/en/html/customer-user-backend.html#customer-backend-... ****

** **

On Tue, Mar 19, 2013 at 4:25 PM, Gerald Young wrote: ****

LDAP is a query against an external source, not a sync to the database. * ***

** **

Everything (customer or agent authentication or demographics) does NOT have to exist in OTRS. That's why there is ability for external backends. What you think "should" happen -- and isn't happening -- is intentional and proper.****

** **

That's what the "Map" is for in CustomerUser. It tells OTRS what fields your external back end uses for fields that OTRS uses.****

** **

On Tue, Mar 19, 2013 at 4:06 PM, Marty Hillman wrote:****

Come to think of it, if it does not add the customers to the database, the feature is pretty worthless. Why validate against LDAP/AD at all for customers if everything has to exist in the database? That would just be adding useless complexity.****

****

*From:* otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] *On Behalf Of *Marty Hillman *Sent:* Tuesday, March 19, 2013 3:00 PM****

*To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

****

My Config.pm appears to be configured correctly, but it does not work. I have looked at the articles in your links along with dozens of others. All of them have the exact same configuration as what I posted in my initial email unless there is a character somewhere I am missing. I copied and pasted the configurations changing my DN, CN, OU, DC in accordance with my AD structure. It is obviously authenticating, so I am fairly certain I did it right. The sAMAccountName and mail settings have been changed various times to try to get it working. Until just before I posted my message, they were both set to ‘mail’.****

****

One user wrote that the Customer::Auth page needed to be modified in SysConfig. http://deckerix.com/blog/configura-tu-otrs-con-soporte-ldap/ I did this as well and verified the settings in ZZZauto.pm.****

****

From how I read your email (“OTRS will not populate your customer_user database”), I am going to have to hand enter 500 user accounts for the potential employees that can enter tickets or they will not be able to use the system. If I understand you correctly, that is a project killer.** **

****

If the system can create the agent accounts based on settings in the Config.pm file, why would it not be able to do so with customers?****

****

*From:* otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] *On Behalf Of *Leonardo Certuche *Sent:* Tuesday, March 19, 2013 2:03 PM *To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

****

Hello Marty,****

****

OTRS will not populate your customer_user database once integrated with an LDAP/AD. It will check if the user exists on 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com' and then it will confirm the password. If it matches, it will let the customer log in.****

****

What you are facing probably has to do with the fact that first you associate CustomerID with one thing:****

****

CustomerID => 'sAMAccountName',****

****

And then you map it with another:****

****

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],****

****

Have you tried the following entries?****

****

https://www.google.com.co/search?q=site%3Aforums.otterhub.org+%22Authenticat... ****

****

Leonardo Certuche www.itconsultores.com.co Medellín, Colombia****

****

On 19 March 2013 13:41, Marty Hillman wrote:****

I have Googled and screwed around with Config.pm for hours. The configuration is creating agents in the database appropriately, but it is not creating users in the customer database. I am using this as in internal system only, so there is no outside access. I want any user to be able to use their AD credentials to log on. If there is not an account in OTRS, it should create one for them. ****

****

Anyone have any thoughts on what I am overlooking? Here is my /opt/otrs/Kernel/Config.pm. I copied and pasted from several Google results and modified for my own information. It does validate the password is correct for the customer, but does not add them to the database if they don’t exist.****

****

# ---------------------------------------------------- #****

# http://wiki.otterhub.org/index.php?title=Using_OTRS_with_Active_Directory_as... ****

# ---------------------------------------------------- #****

****

# This is an example configuration for using an MS AD backend****

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';****

$Self->{'AuthModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';****

$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';****

****

# Check if the user is allowed to auth in a posixGroup****

# (e. g. user needs to be in a group OTRS_Agents to use otrs)****

$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Corp_Admin_MIS,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';****

$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';****

****

# Bind credentials to log into AD****

$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';****

****

# in case you want to add always one filter to each ldap query, use** **

# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'****

$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';****

****

# in case you want to add a suffix to each login name, then****

# you can use this option. e. g. user just want to use user but****

# in your ldap directory exists user@domain.****

#$Self->{'AuthModule::LDAP::UserSuffix'} = '';****

****

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)****

$Self->{'AuthModule::LDAP::Params'} = {****

port => 389,****

timeout => 120,****

async => 0,****

version => 3,****

};****

****

# Now sync data with OTRS DB****

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';****

$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';****

$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';****

$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';****

****

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {****

# DB -> LDAP****

UserFirstname => 'givenName',****

UserLastname => 'sn',****

UserEmail => 'mail',****

};****

****

# AuthSyncModule::LDAP::UserSyncInitialGroups****

# (sync following group with rw permission after initial create of first agent****

# login)****

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [****

'users',****

];****

****

# ---------------------------------------------------- #****

# Customer authentication section #****

# ---------------------------------------------------- #****

****

$Self->{'SecureMode'} = '1';****

# The name to be used for this server when constructing URLs in email****

$Self-> {'FQDN'} = 'otrsdev.domain.com';****

****

#Enable LDAP authentication for Customers / Users****

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';****

$Self->{'Customer::AuthModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=com';** **

$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';****

$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';****

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';****

$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';****

$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '';****

# $Self->{'AuthModule::LDAP::Die'} = 1;****

****

#CustomerUser****

#(customer user database backend and settings)****

$Self->{CustomerUser} = {****

Module => 'Kernel::System::CustomerUser::LDAP',****

Params => {****

Host => '172.16.10.21',****

BaseDN => 'DC=domain,DC=com',****

async => 0,****

port => 389,****

sscope => 'sub',****

timeout => 120,****

version => 3,****

UserDN => 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; ****

UserPw => 'password',****

},****

****

# Unique customer key/id****

CustomerKey => 'sAMAccountName',****

CustomerID => 'sAMAccountName',****

CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],****

CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],****

CustomerUserSearchPrefix => '',****

CustomerUserSearchSuffix => '*',****

CustomerUserSearchListLimit => 250,****

CustomerUserPostMasterSearchFields => ['mail'],****

CustomerUserNameFields => ['givenname', 'sn'],****

Map => [****

# note: Login, Email and CustomerID needed!****

# var, frontend, storage, shown, required, storage-type****

#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],****

[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],** **

[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],****

[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],****

[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],****

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],****

[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],****

#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],* ***

#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],*** *

],****

};****

****

****

# ---------------------------------------------------- #****

****

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs****

****

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs****

** **

** **

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

All I can say is this works for me: $Self->{CustomerUser1} = { Name => 'LDAP Backend', Module => 'Kernel::System::CustomerUser::LDAP', Params => { Host => 'ipaddress', BaseDN => 'DC=domain,DC=domain', SSCOPE => 'sub', UserDN => 'user', UserPw => 'password', SourceCharset => 'utf-8', DestCharset => 'utf-8', }, CustomerKey => 'sAMAccountName', CustomerID => 'mail', CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'], CustomerUserSearchFields => ['sAMAccountName', 'cn', 'givenname', 'mail'], CustomerUserSearchPrefix => '', CustomerUserSearchSuffix => '*', CustomerUserSearchListLimit => 250, CustomerUserPostMasterSearchFields => ['mail'], CustomerUserNameFields => ['givenname', 'sn'], CustomerUserExcludePrimaryCustomerID => 0, AdminSetPreferences => 0, CacheTTL => 0, Map => [ [ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ], [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ], [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ], [ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ], [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ], [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ], [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ], [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ], [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ], ], }; Which is the same as yours, only I'm using a different index (CustomerUser1) so I can use both database and LDAP. On Wed, Mar 20, 2013 at 1:18 PM, Marty Hillman wrote:

Gerald – Going back through last night’s emails.****

** **

The latest code has them nested. Even adding ****

*Name => ‘LDAP Datasource’,* ****

to Params does not seem to change things. And SSCOPE is now upper case.** **

** **

I do see when looking at customers in the admin panel that LDAP Datasource is now a selection, but it did not add the user to that group.****

** **

*From:* Gerald Young [mailto:crythias@gmail.com] *Sent:* Tuesday, March 19, 2013 3:39 PM

*To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

** **

http://forums.otterhub.org/viewtopic.php?f=60&t=16543****

** **

Please indicate what your view of "does not work" means in terms that can be addressed. If "does not work" means it doesn't populate customer_user table, it is working. If "does not work" accompanies an error of some sort, please provide the error. Most commonly, the error is roughly: "Customer Authentication succeeded but customer does not exist in database", which, admittedly, is confusing. If you've entered any information on how to obtain Customer demographics (CustomerUser) in SysConfig, it could possibly clobber your Config.pm settings. ****

** **

I will tell you that CustomerUser is missing ****

Name => 'My Data Source'****

** **

sscope should be SSCOPE****

** **

the lower case Params should be with in another Params hash.****

** **

http://doc.otrs.org/3.1/en/html/customer-user-backend.html#customer-backend-... ****

** **

On Tue, Mar 19, 2013 at 4:25 PM, Gerald Young wrote:* ***

LDAP is a query against an external source, not a sync to the database. ** **

** **

Everything (customer or agent authentication or demographics) does NOT have to exist in OTRS. That's why there is ability for external backends. What you think "should" happen -- and isn't happening -- is intentional and proper.****

** **

That's what the "Map" is for in CustomerUser. It tells OTRS what fields your external back end uses for fields that OTRS uses.****

** **

On Tue, Mar 19, 2013 at 4:06 PM, Marty Hillman wrote:****

Come to think of it, if it does not add the customers to the database, the feature is pretty worthless. Why validate against LDAP/AD at all for customers if everything has to exist in the database? That would just be adding useless complexity.****

****

*From:* otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] *On Behalf Of *Marty Hillman *Sent:* Tuesday, March 19, 2013 3:00 PM****

*To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

****

My Config.pm appears to be configured correctly, but it does not work. I have looked at the articles in your links along with dozens of others. All of them have the exact same configuration as what I posted in my initial email unless there is a character somewhere I am missing. I copied and pasted the configurations changing my DN, CN, OU, DC in accordance with my AD structure. It is obviously authenticating, so I am fairly certain I did it right. The sAMAccountName and mail settings have been changed various times to try to get it working. Until just before I posted my message, they were both set to ‘mail’.****

****

One user wrote that the Customer::Auth page needed to be modified in SysConfig. http://deckerix.com/blog/configura-tu-otrs-con-soporte-ldap/ I did this as well and verified the settings in ZZZauto.pm.****

****

From how I read your email (“OTRS will not populate your customer_user database”), I am going to have to hand enter 500 user accounts for the potential employees that can enter tickets or they will not be able to use the system. If I understand you correctly, that is a project killer.*** *

****

If the system can create the agent accounts based on settings in the Config.pm file, why would it not be able to do so with customers?****

****

*From:* otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] *On Behalf Of *Leonardo Certuche *Sent:* Tuesday, March 19, 2013 2:03 PM *To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

****

Hello Marty,****

****

OTRS will not populate your customer_user database once integrated with an LDAP/AD. It will check if the user exists on 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com' and then it will confirm the password. If it matches, it will let the customer log in.****

****

What you are facing probably has to do with the fact that first you associate CustomerID with one thing:****

****

CustomerID => 'sAMAccountName',****

****

And then you map it with another:****

****

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],****

****

Have you tried the following entries?****

****

https://www.google.com.co/search?q=site%3Aforums.otterhub.org+%22Authenticat... ****

****

Leonardo Certuche www.itconsultores.com.co Medellín, Colombia****

****

On 19 March 2013 13:41, Marty Hillman wrote:****

I have Googled and screwed around with Config.pm for hours. The configuration is creating agents in the database appropriately, but it is not creating users in the customer database. I am using this as in internal system only, so there is no outside access. I want any user to be able to use their AD credentials to log on. If there is not an account in OTRS, it should create one for them. ****

****

Anyone have any thoughts on what I am overlooking? Here is my /opt/otrs/Kernel/Config.pm. I copied and pasted from several Google results and modified for my own information. It does validate the password is correct for the customer, but does not add them to the database if they don’t exist.****

****

# ---------------------------------------------------- #****

# http://wiki.otterhub.org/index.php?title=Using_OTRS_with_Active_Directory_as... ****

# ---------------------------------------------------- #****

****

# This is an example configuration for using an MS AD backend****

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';****

$Self->{'AuthModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';****

$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';****

****

# Check if the user is allowed to auth in a posixGroup****

# (e. g. user needs to be in a group OTRS_Agents to use otrs)****

$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Corp_Admin_MIS,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';****

$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';****

****

# Bind credentials to log into AD****

$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';****

****

# in case you want to add always one filter to each ldap query, use*** *

# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'****

$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';****

****

# in case you want to add a suffix to each login name, then****

# you can use this option. e. g. user just want to use user but****

# in your ldap directory exists user@domain.****

#$Self->{'AuthModule::LDAP::UserSuffix'} = '';****

****

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)****

$Self->{'AuthModule::LDAP::Params'} = {****

port => 389,****

timeout => 120,****

async => 0,****

version => 3,****

};****

****

# Now sync data with OTRS DB****

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';****

$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';****

$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';****

$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';****

****

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {****

# DB -> LDAP****

UserFirstname => 'givenName',****

UserLastname => 'sn',****

UserEmail => 'mail',****

};****

****

# AuthSyncModule::LDAP::UserSyncInitialGroups****

# (sync following group with rw permission after initial create of first agent****

# login)****

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [****

'users',****

];****

****

# ---------------------------------------------------- #****

# Customer authentication section #****

# ---------------------------------------------------- #****

****

$Self->{'SecureMode'} = '1';****

# The name to be used for this server when constructing URLs in email****

$Self-> {'FQDN'} = 'otrsdev.domain.com';****

****

#Enable LDAP authentication for Customers / Users****

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP'; ****

$Self->{'Customer::AuthModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=com';*** *

$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';****

$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';****

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';****

$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';****

$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '';****

# $Self->{'AuthModule::LDAP::Die'} = 1;****

****

#CustomerUser****

#(customer user database backend and settings)****

$Self->{CustomerUser} = {****

Module => 'Kernel::System::CustomerUser::LDAP',****

Params => {****

Host => '172.16.10.21',****

BaseDN => 'DC=domain,DC=com',****

async => 0,****

port => 389,****

sscope => 'sub',****

timeout => 120,****

version => 3,****

UserDN => 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';* ***

UserPw => 'password',****

},****

****

# Unique customer key/id****

CustomerKey => 'sAMAccountName',****

CustomerID => 'sAMAccountName',****

CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],****

CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],****

CustomerUserSearchPrefix => '',****

CustomerUserSearchSuffix => '*',****

CustomerUserSearchListLimit => 250,****

CustomerUserPostMasterSearchFields => ['mail'],****

CustomerUserNameFields => ['givenname', 'sn'],****

Map => [****

# note: Login, Email and CustomerID needed!****

# var, frontend, storage, shown, required, storage-type****

#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],****

[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],*** *

[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],****

[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],****

[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],****

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],****

[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],****

#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],** **

#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],****

],****

};****

****

****

# ---------------------------------------------------- #****

****

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs****

****

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs****

** **

** **

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

"Am I supposed to manually add Customers, or should they be added much like Agents are?" Neither. They should be queried from your LDAP/Active Directory. Which means the DB should be empty and you should be able to search against your LDAP/AD. There is a problem querying your LDAP/AD for Customers. I don't know *why*, but there usually is some sort of error message in OTRS System Log that tells you why. All we know for sure is that "No such user 'mhillman'!" tells us your sAMAccountName isn't (necessarily) mhillman. (Could that be true?) On Wed, Mar 20, 2013 at 3:42 PM, Marty Hillman wrote:

I commented out mine and added yours with my DN settings. I get the same error. When looking in the backend, I now have a choice on Customersscreenof Database Backend or LDAP Backend(under the Add Customer button), but there are no customers listed in either selection. ****

** **

Previous emails have me a little confused. I promise I will stop asking. Am I supposed to manually add Customers, or should they be added much like Agents are? I would assume that if they do not exist, the system should add them based on the LDAP settings being parsed.****

** **

BTW, Using OTRS 3.2.3 on Ubuntu 12.04 LTS Server against a Windows 2003 LDAP, if that makes any difference.****

** **

** **

** **

*From:* Gerald Young [mailto:crythias@gmail.com] *Sent:* Wednesday, March 20, 2013 1:38 PM

*To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

** **

All I can say is this works for me:****

$Self->{CustomerUser1} = {****

Name => 'LDAP Backend',****

Module => 'Kernel::System::CustomerUser::LDAP',****

Params => {****

Host => 'ipaddress',****

BaseDN => 'DC=domain,DC=domain',****

SSCOPE => 'sub',****

UserDN => 'user',****

UserPw => 'password',****

SourceCharset => 'utf-8',****

DestCharset => 'utf-8',****

},****

CustomerKey => 'sAMAccountName',****

CustomerID => 'mail',****

CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],****

CustomerUserSearchFields => ['sAMAccountName', 'cn', 'givenname', 'mail'],****

CustomerUserSearchPrefix => '',****

CustomerUserSearchSuffix => '*',****

CustomerUserSearchListLimit => 250,****

CustomerUserPostMasterSearchFields => ['mail'],****

CustomerUserNameFields => ['givenname', 'sn'],****

CustomerUserExcludePrimaryCustomerID => 0,****

AdminSetPreferences => 0,****

CacheTTL => 0,****

Map => [****

[ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],****

[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],****

[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],****

[ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],****

[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],****

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],****

[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],****

[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],****

[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],****

],****

};****

** **

Which is the same as yours, only I'm using a different index (CustomerUser1) so I can use both database and LDAP.****

** **

On Wed, Mar 20, 2013 at 1:18 PM, Marty Hillman wrote:****

Gerald – Going back through last night’s emails.****

****

The latest code has them nested. Even adding ****

*Name => ‘LDAP Datasource’,* ****

to Params does not seem to change things. And SSCOPE is now upper case.** **

****

I do see when looking at customers in the admin panel that LDAP Datasource is now a selection, but it did not add the user to that group.****

****

*From:* Gerald Young [mailto:crythias@gmail.com] *Sent:* Tuesday, March 19, 2013 3:39 PM****

*To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

****

http://forums.otterhub.org/viewtopic.php?f=60&t=16543****

****

Please indicate what your view of "does not work" means in terms that can be addressed. If "does not work" means it doesn't populate customer_user table, it is working. If "does not work" accompanies an error of some sort, please provide the error. Most commonly, the error is roughly: "Customer Authentication succeeded but customer does not exist in database", which, admittedly, is confusing. If you've entered any information on how to obtain Customer demographics (CustomerUser) in SysConfig, it could possibly clobber your Config.pm settings. ****

****

I will tell you that CustomerUser is missing ****

Name => 'My Data Source'****

****

sscope should be SSCOPE****

****

the lower case Params should be with in another Params hash.****

****

http://doc.otrs.org/3.1/en/html/customer-user-backend.html#customer-backend-... ****

****

On Tue, Mar 19, 2013 at 4:25 PM, Gerald Young wrote:* ***

LDAP is a query against an external source, not a sync to the database. ** **

****

Everything (customer or agent authentication or demographics) does NOT have to exist in OTRS. That's why there is ability for external backends. What you think "should" happen -- and isn't happening -- is intentional and proper.****

****

That's what the "Map" is for in CustomerUser. It tells OTRS what fields your external back end uses for fields that OTRS uses.****

****

On Tue, Mar 19, 2013 at 4:06 PM, Marty Hillman wrote:****

Come to think of it, if it does not add the customers to the database, the feature is pretty worthless. Why validate against LDAP/AD at all for customers if everything has to exist in the database? That would just be adding useless complexity.****

****

*From:* otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] *On Behalf Of *Marty Hillman *Sent:* Tuesday, March 19, 2013 3:00 PM****

*To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

****

My Config.pm appears to be configured correctly, but it does not work. I have looked at the articles in your links along with dozens of others. All of them have the exact same configuration as what I posted in my initial email unless there is a character somewhere I am missing. I copied and pasted the configurations changing my DN, CN, OU, DC in accordance with my AD structure. It is obviously authenticating, so I am fairly certain I did it right. The sAMAccountName and mail settings have been changed various times to try to get it working. Until just before I posted my message, they were both set to ‘mail’.****

****

One user wrote that the Customer::Auth page needed to be modified in SysConfig. http://deckerix.com/blog/configura-tu-otrs-con-soporte-ldap/ I did this as well and verified the settings in ZZZauto.pm.****

****

From how I read your email (“OTRS will not populate your customer_user database”), I am going to have to hand enter 500 user accounts for the potential employees that can enter tickets or they will not be able to use the system. If I understand you correctly, that is a project killer.*** *

****

If the system can create the agent accounts based on settings in the Config.pm file, why would it not be able to do so with customers?****

****

*From:* otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] *On Behalf Of *Leonardo Certuche *Sent:* Tuesday, March 19, 2013 2:03 PM *To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

****

Hello Marty,****

****

OTRS will not populate your customer_user database once integrated with an LDAP/AD. It will check if the user exists on 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com' and then it will confirm the password. If it matches, it will let the customer log in.****

****

What you are facing probably has to do with the fact that first you associate CustomerID with one thing:****

****

CustomerID => 'sAMAccountName',****

****

And then you map it with another:****

****

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],****

****

Have you tried the following entries?****

****

https://www.google.com.co/search?q=site%3Aforums.otterhub.org+%22Authenticat... ****

****

Leonardo Certuche www.itconsultores.com.co Medellín, Colombia****

****

On 19 March 2013 13:41, Marty Hillman wrote:****

I have Googled and screwed around with Config.pm for hours. The configuration is creating agents in the database appropriately, but it is not creating users in the customer database. I am using this as in internal system only, so there is no outside access. I want any user to be able to use their AD credentials to log on. If there is not an account in OTRS, it should create one for them. ****

****

Anyone have any thoughts on what I am overlooking? Here is my /opt/otrs/Kernel/Config.pm. I copied and pasted from several Google results and modified for my own information. It does validate the password is correct for the customer, but does not add them to the database if they don’t exist.****

****

# ---------------------------------------------------- #****

# http://wiki.otterhub.org/index.php?title=Using_OTRS_with_Active_Directory_as... ****

# ---------------------------------------------------- #****

****

# This is an example configuration for using an MS AD backend****

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';****

$Self->{'AuthModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';****

$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';****

****

# Check if the user is allowed to auth in a posixGroup****

# (e. g. user needs to be in a group OTRS_Agents to use otrs)****

$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Corp_Admin_MIS,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';****

$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';****

****

# Bind credentials to log into AD****

$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';****

****

# in case you want to add always one filter to each ldap query, use*** *

# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'****

$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';****

****

# in case you want to add a suffix to each login name, then****

# you can use this option. e. g. user just want to use user but****

# in your ldap directory exists user@domain.****

#$Self->{'AuthModule::LDAP::UserSuffix'} = '';****

****

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)****

$Self->{'AuthModule::LDAP::Params'} = {****

port => 389,****

timeout => 120,****

async => 0,****

version => 3,****

};****

****

# Now sync data with OTRS DB****

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';****

$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';****

$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';****

$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';****

****

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {****

# DB -> LDAP****

UserFirstname => 'givenName',****

UserLastname => 'sn',****

UserEmail => 'mail',****

};****

****

# AuthSyncModule::LDAP::UserSyncInitialGroups****

# (sync following group with rw permission after initial create of first agent****

# login)****

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [****

'users',****

];****

****

# ---------------------------------------------------- #****

# Customer authentication section #****

# ---------------------------------------------------- #****

****

$Self->{'SecureMode'} = '1';****

# The name to be used for this server when constructing URLs in email****

$Self-> {'FQDN'} = 'otrsdev.domain.com';****

****

#Enable LDAP authentication for Customers / Users****

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP'; ****

$Self->{'Customer::AuthModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=com';*** *

$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';****

$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';****

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';****

$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';****

$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '';****

# $Self->{'AuthModule::LDAP::Die'} = 1;****

****

#CustomerUser****

#(customer user database backend and settings)****

$Self->{CustomerUser} = {****

Module => 'Kernel::System::CustomerUser::LDAP',****

Params => {****

Host => '172.16.10.21',****

BaseDN => 'DC=domain,DC=com',****

async => 0,****

port => 389,****

sscope => 'sub',****

timeout => 120,****

version => 3,****

UserDN => 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';* ***

UserPw => 'password',****

},****

****

# Unique customer key/id****

CustomerKey => 'sAMAccountName',****

CustomerID => 'sAMAccountName',****

CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],****

CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],****

CustomerUserSearchPrefix => '',****

CustomerUserSearchSuffix => '*',****

CustomerUserSearchListLimit => 250,****

CustomerUserPostMasterSearchFields => ['mail'],****

CustomerUserNameFields => ['givenname', 'sn'],****

Map => [****

# note: Login, Email and CustomerID needed!****

# var, frontend, storage, shown, required, storage-type****

#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],****

[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],*** *

[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],****

[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],****

[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],****

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],****

[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],****

#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],** **

#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],****

],****

};****

****

****

# ---------------------------------------------------- #****

****

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs****

****

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs****

****

****

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs****

** **

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

There's not enough other information available for me to assist at this time. I've configured this and helped others configure it on multiple occasions, and have no other information that I can provide via the mailing list. It *could* be a bug in 3.2.3 (don't know) but at the moment, unless I'm looking right at your config, I don't know what else to say. On Wed, Mar 20, 2013 at 4:31 PM, Marty Hillman wrote:

Nope. Not true. I just ran LDIFDE against the server that I am querying for LDAP. For my user account, I have the following (edited for security). Based on the contents, I even commented out items in the map and left only UserFirstName, UserLastName, UserLogin, UserEmail, UserCustomerID.****

** **

dn: CN=Marty Hillman,OU=Users,OU=Corporate,OU=xxxxxxxx,OU=xxxxxxxx,OU=xxxxxxxx,DC=xxxxxxxxx,DC=com ****

changetype: add****

objectClass: top****

objectClass: person****

objectClass: organizationalPerson****

objectClass: user****

cn: Marty Hillman****

sn: Hillman****

c: US****

l: Minnetonka****

st: MN****

title: Infrastructure Manager****

description: IT Infrastructure Manager****

postalCode: 55343****

givenName: Marty****

distinguishedName: ****

CN=Marty Hillman,OU=Users,OU=Corporate,OU=xxxxxxxx,OU=xxxxxxxx,OU=xxxxxxxx,DC=xxxxxxxx,DC=com ****

instanceType: 4****

whenCreated: 20130219201501.0Z****

whenChanged: 20130313151527.0Z****

displayName: Marty Hillman****

uSNCreated: XXXXXXXXXXX****

memberOf: ****

*** Lots of groups deleted *******

uSNChanged: XXXXXXXXXXX****

co: UNITED STATES****

department: MIS****

company: Equus Computer Systems, Inc.****

homeMTA: ****

*** Exchange settings *******

proxyAddresses: smtp:xxxxxxxxxxxxx****

proxyAddresses: smtp: xxxxxxxxxxxxx ****

proxyAddresses: smtp: xxxxxxxxxxxxx****

proxyAddresses: smtp: xxxxxxxxxxxxx****

proxyAddresses: smtp: xxxxxxxxxxxxx****

proxyAddresses: smtp: xxxxxxxxxxxxx****

proxyAddresses: SMTP:mhillman@equuscs.com****

proxyAddresses: XXXXXXXXXXXXXXXXXXXXXXX****

homeMDB: ****

*** Exchange Settings *******

mDBUseDefaults: TRUE****

mailNickname: mhillman****

name: Marty Hillman****

objectGUID:: xxxxxxxxxxxxxxxxxxxxx****

userAccountControl: XXXXXXXXXXXXX****

badPwdCount: 0****

codePage: 0****

countryCode: 840****

homeDirectory: \\xxxxxxxxxxxxx\xxxxxxxxxx****

homeDrive: H:****

badPasswordTime: XXXXXXXXXXXXXXXXXX****

lastLogoff: 0****

lastLogon: XXXXXXXXXXXXXXXXXXXXXX****

scriptPath: smsls****

logonHours:: ////////////////////////////****

pwdLastSet: XXXXXXXXXXXXXXXXXX****

primaryGroupID: XXXXXXX****

userParameters:: ****

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx****

objectSid:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx****

adminCount: 1****

accountExpires: 0****

logonCount: 249****

sAMAccountName: mhillman****

sAMAccountType: xxxxxxxxx****

showInAddressBook: ****

*** Exchange Settings *******

userPrincipalName: mhillman@equuscs.com****

objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=equuscs,DC=com****

mSMQSignCertificates:: ****

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX****

mSMQDigests:: XXXXXXXXXXXXXXXXXXXXXXXXXXX****

msNPAllowDialin: FALSE****

lastLogonTimestamp: 130075656959202436****

textEncodedORAddress: XXXXXXXXXXXXXXXXXXXXXXXXX****

mail: mhillman@equuscs.com****

msExchHomeServerName: ****

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX****

msExchMailboxSecurityDescriptor:: ****

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX****

msExchUserAccountControl: 0****

msExchMailboxGuid:: XXXXXXXXXXXXXXXXXXXXXXX****

msExchPoliciesIncluded: ****

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX****

msExchUserCulture: en-US****

msExchVersion: XXXXXXXXXXXXXXXXXXX****

msExchMobileMailboxFlags: 1****

msExchRecipientDisplayType: 1073741824****

msExchRecipientTypeDetails: 1****

** **

** **

*From:* Gerald Young [mailto:crythias@gmail.com] *Sent:* Wednesday, March 20, 2013 3:04 PM

*To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] FW: "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." ****

** **

"Am I supposed to manually add Customers, or should they be added much like Agents are?"****

Neither. They should be queried from your LDAP/Active Directory. Which means the DB should be empty and you should be able to search against your LDAP/AD.****

** **

There is a problem querying your LDAP/AD for Customers. I don't know *why*, but there usually is some sort of error message in OTRS System Log that tells you why. ****

All we know for sure is that "No such user 'mhillman'!" tells us your sAMAccountName isn't (necessarily) mhillman. ****

** **

(Could that be true?)****

** **

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

I've set this on 2.7, 3.0, and 3.1. It *should* work on 3.2 or else there'd have been some wailing and gnashing of teeth and immediate bugfixes. It doesn't look like the code has been changed appreciably in a while, just some code cleanup. On Wed, Mar 20, 2013 at 4:40 PM, Marty Hillman wrote:

That poses one question for me. What version are you using where it works? Then I promise to drop this particular issue.****

** **

But again, Thanks for all of your help. You have all been teaching me more than I ever thought I wanted to know about perl and OTRS. ;-)****

** **

*From:* Gerald Young [mailto:crythias@gmail.com] *Sent:* Wednesday, March 20, 2013 3:36 PM

*To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] FW: "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." ****

** **

There's not enough other information available for me to assist at this time. I've configured this and helped others configure it on multiple occasions, and have no other information that I can provide via the mailing list. It *could* be a bug in 3.2.3 (don't know) but at the moment, unless I'm looking right at your config, I don't know what else to say.****

** **

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

:) :) Great! :) :) but I don't know how you could auth for one and not for CustomerUser. On Wed, Mar 20, 2013 at 5:49 PM, Marty Hillman wrote:

I got it fixed, and I am pretty sure I know what the error was. There are some special characters that you can use in a password that it does not like at all in the Config.pm file. The password I had selected for the test account had an @ symbol in it. When I changed the password to one that was a mixture of cases and numbers, it seems to be working just fine. The Customer page in the admin file is populated with all sorts of AD users now.****

** **

*From:* Gerald Young [mailto:crythias@gmail.com] *Sent:* Wednesday, March 20, 2013 3:56 PM

*To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] FW: "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." ****

** **

I've set this on 2.7, 3.0, and 3.1. It *should* work on 3.2 or else there'd have been some wailing and gnashing of teeth and immediate bugfixes. ****

** **

It doesn't look like the code has been changed appreciably in a while, just some code cleanup. ****

** **

On Wed, Mar 20, 2013 at 4:40 PM, Marty Hillman wrote:****

That poses one question for me. What version are you using where it works? Then I promise to drop this particular issue.****

****

But again, Thanks for all of your help. You have all been teaching me more than I ever thought I wanted to know about perl and OTRS. ;-)****

****

*From:* Gerald Young [mailto:crythias@gmail.com] *Sent:* Wednesday, March 20, 2013 3:36 PM****

*To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] FW: "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." ****

****

There's not enough other information available for me to assist at this time. I've configured this and helped others configure it on multiple occasions, and have no other information that I can provide via the mailing list. It *could* be a bug in 3.2.3 (don't know) but at the moment, unless I'm looking right at your config, I don't know what else to say.****

****

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs****

** **

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

Authentication and authorization are two different things (one is "can you access this system", the other is "what are you allowed to do"). I agree that on first authentication, OTRS should create a stub record in the database for the authorized entity, but I actually think the "no privileges until explicitly assigned" is a good thing in that you don't accidentally disclose things that that customer has no business seeing. I think the compromise approach would be to use the authorization exit to check whether the customer is in the database and then add a default entry from a site-assigned template (queue access, permissions, etc). From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Marty Hillman Sent: Tuesday, March 19, 2013 4:06 PM To: User questions and discussions about OTRS. Subject: Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." Come to think of it, if it does not add the customers to the database, the feature is pretty worthless. Why validate against LDAP/AD at all for customers if everything has to exist in the database? That would just be adding useless complexity.

No. I do this all the time. Sso, even. On Mar 20, 2013 9:16 AM, "Marty Hillman" wrote:

Ok. I am going to start over from scratch with a fresh Config.pm and report back. Brand new day. The ultimate goal would be for the site to automatically log the user in based on the context of the user logged in to the workstation. This would allow me to embed the customer.pl page (more specifically a new ticket form) directly into SharePoint (gasp!) so that we have full integration within our intranet. Again, there will be no access for non-employees as this is exclusively internal facing. Am I being too unrealistic?****

** **

Thanks for all of the pointers everyone. I will use these links to try again and let you know.****

** **

*From:* otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] *On Behalf Of *David Boyes *Sent:* Wednesday, March 20, 2013 12:09 AM *To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

** **

Authentication and authorization are two different things (one is “can you access this system”, the other is “what are you allowed to do”). I agree that on first authentication, OTRS should create a stub record in the database for the authorized entity, but I actually think the “no privileges until explicitly assigned” is a good thing in that you don’t accidentally disclose things that that customer has no business seeing. ****

** **

I think the compromise approach would be to use the authorization exit to check whether the customer is in the database and then add a default entry from a site-assigned template (queue access, permissions, etc). ****

** **

*From:* otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] *On Behalf Of *Marty Hillman *Sent:* Tuesday, March 19, 2013 4:06 PM *To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

** **

Come to think of it, if it does not add the customers to the database, the feature is pretty worthless. Why validate against LDAP/AD at all for customers if everything has to exist in the database? That would just be adding useless complexity.****

** **

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

I've done this... it works nicely. On Wed, Mar 20, 2013 at 10:54 AM, David Boyes wrote:

** **

Ok. I am going to start over from scratch with a fresh Config.pm and report back. Brand new day. The ultimate goal would be for the site to automatically log the user in based on the context of the user logged in to the workstation. ****

** **

Adding GSSAPI support to OTRS has been on my to-do list for quite a while. That would allow security and identity tokens (like the Kerberos 5 principal and service tickets that Windows uses) to be securely passed from lots of different authentication sources w/o special code for each. ****

** **

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

http://forums.otterhub.org/viewtopic.php?f=81&t=15422 On Wed, Mar 20, 2013 at 11:20 AM, David Boyes wrote:

** **

** **

I've done this... it works nicely.****

** **

Goody! Is the code committed? I’ll have some VERY happy people here if it is. ****

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

It's not GSSAPI? OK. With as many GSS errors as I got trying to get this thing to work, I could have sworn it was. Oh, well. You and Google may differ but the result is, as you say, the same mod_kerb uses GSSAPI, so if you figure out something different, please let me know. On Wed, Mar 20, 2013 at 11:46 AM, David Boyes wrote:

That’s not GSSAPI. That’s using mod_kerb to supply the user information via basic mode. Not the same animal, although it produces a similar-looking effect. ****

** **

*From:* otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] *On Behalf Of *Gerald Young *Sent:* Wednesday, March 20, 2013 11:33 AM

*To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

** **

http://forums.otterhub.org/viewtopic.php?f=81&t=15422****

** **

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

Hello Marting, Have you also check CustomerAuth option in Sysconfig. You need to configure both place (Config.pm) and Sysconfig options so the customers can loging and get into OTRS. The option FrontEnd::Customer::Auth is what I am talking about. 2013/3/19 Marty Hillman

My Config.pm appears to be configured correctly, but it does not work. I have looked at the articles in your links along with dozens of others. All of them have the exact same configuration as what I posted in my initial email unless there is a character somewhere I am missing. I copied and pasted the configurations changing my DN, CN, OU, DC in accordance with my AD structure. It is obviously authenticating, so I am fairly certain I did it right. The sAMAccountName and mail settings have been changed various times to try to get it working. Until just before I posted my message, they were both set to ‘mail’.****

** **

One user wrote that the Customer::Auth page needed to be modified in SysConfig. http://deckerix.com/blog/configura-tu-otrs-con-soporte-ldap/ I did this as well and verified the settings in ZZZauto.pm.****

** **

From how I read your email (“OTRS will not populate your customer_user database”), I am going to have to hand enter 500 user accounts for the potential employees that can enter tickets or they will not be able to use the system. If I understand you correctly, that is a project killer.*** *

** **

If the system can create the agent accounts based on settings in the Config.pm file, why would it not be able to do so with customers?****

** **

*From:* otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] *On Behalf Of *Leonardo Certuche *Sent:* Tuesday, March 19, 2013 2:03 PM *To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."****

** **

Hello Marty,****

** **

OTRS will not populate your customer_user database once integrated with an LDAP/AD. It will check if the user exists on 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com' and then it will confirm the password. If it matches, it will let the customer log in.****

** **

What you are facing probably has to do with the fact that first you associate CustomerID with one thing:****

** **

CustomerID => 'sAMAccountName',****

** **

And then you map it with another:****

** **

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],****

** **

Have you tried the following entries?****

** **

https://www.google.com.co/search?q=site%3Aforums.otterhub.org+%22Authenticat... ****

****

Leonardo Certuche www.itconsultores.com.co Medellín, Colombia****

** **

On 19 March 2013 13:41, Marty Hillman wrote:****

I have Googled and screwed around with Config.pm for hours. The configuration is creating agents in the database appropriately, but it is not creating users in the customer database. I am using this as in internal system only, so there is no outside access. I want any user to be able to use their AD credentials to log on. If there is not an account in OTRS, it should create one for them. ****

****

Anyone have any thoughts on what I am overlooking? Here is my /opt/otrs/Kernel/Config.pm. I copied and pasted from several Google results and modified for my own information. It does validate the password is correct for the customer, but does not add them to the database if they don’t exist.****

****

# ---------------------------------------------------- #****

# http://wiki.otterhub.org/index.php?title=Using_OTRS_with_Active_Directory_as... ****

# ---------------------------------------------------- #****

****

# This is an example configuration for using an MS AD backend****

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';****

$Self->{'AuthModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';****

$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';****

****

# Check if the user is allowed to auth in a posixGroup****

# (e. g. user needs to be in a group OTRS_Agents to use otrs)****

$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Corp_Admin_MIS,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';****

$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';****

****

# Bind credentials to log into AD****

$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';****

****

# in case you want to add always one filter to each ldap query, use*** *

# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'****

$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';****

****

# in case you want to add a suffix to each login name, then****

# you can use this option. e. g. user just want to use user but****

# in your ldap directory exists user@domain.****

#$Self->{'AuthModule::LDAP::UserSuffix'} = '';****

****

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)****

$Self->{'AuthModule::LDAP::Params'} = {****

port => 389,****

timeout => 120,****

async => 0,****

version => 3,****

};****

****

# Now sync data with OTRS DB****

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';****

$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';****

$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';****

$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';****

****

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {****

# DB -> LDAP****

UserFirstname => 'givenName',****

UserLastname => 'sn',****

UserEmail => 'mail',****

};****

****

# AuthSyncModule::LDAP::UserSyncInitialGroups****

# (sync following group with rw permission after initial create of first agent****

# login)****

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [****

'users',****

];****

****

# ---------------------------------------------------- #****

# Customer authentication section #****

# ---------------------------------------------------- #****

****

$Self->{'SecureMode'} = '1';****

# The name to be used for this server when constructing URLs in email****

$Self-> {'FQDN'} = 'otrsdev.domain.com';****

****

#Enable LDAP authentication for Customers / Users****

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP'; ****

$Self->{'Customer::AuthModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=com';*** *

$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';****

$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';****

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';****

$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';****

$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '';****

# $Self->{'AuthModule::LDAP::Die'} = 1;****

****

#CustomerUser****

#(customer user database backend and settings)****

$Self->{CustomerUser} = {****

Module => 'Kernel::System::CustomerUser::LDAP',****

Params => {****

Host => '172.16.10.21',****

BaseDN => 'DC=domain,DC=com',****

async => 0,****

port => 389,****

sscope => 'sub',****

timeout => 120,****

version => 3,****

UserDN => 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';* ***

UserPw => 'password',****

},****

****

# Unique customer key/id****

CustomerKey => 'sAMAccountName',****

CustomerID => 'sAMAccountName',****

CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],****

CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],****

CustomerUserSearchPrefix => '',****

CustomerUserSearchSuffix => '*',****

CustomerUserSearchListLimit => 250,****

CustomerUserPostMasterSearchFields => ['mail'],****

CustomerUserNameFields => ['givenname', 'sn'],****

Map => [****

# note: Login, Email and CustomerID needed!****

# var, frontend, storage, shown, required, storage-type****

#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],****

[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],*** *

[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],****

[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],****

[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],****

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],****

[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],****

#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],** **

#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],****

],****

};****

****

****

# ---------------------------------------------------- #****

****

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs****

** **

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

-- ___________________________ Alvaro Cordero Retana Consultor de Tecnologias Gridshield Monitoreo de Redes e Infraestructura. 2258-5757 ext 123 alvaro@gridshield.net www.gridshield.net

Gerald I understand, when we started we struggled a lot with that, because we could see the system was loging the customers (in the logs) but we always got the messages about not being found in the data base. The solution is to change in sysconfig, it by default points to use Database as Customer Backend, so what he needs to adjust is make it LDAP and set the other data the same as in Config.pm. Regards 2013/3/20 Gerald Young

@Alvaro: Martin already is able to authenticate, so changing SysConfig for this will not be helpful.

On Wed, Mar 20, 2013 at 10:22 AM, Alvaro Cordero wrote:

...

Hello Marting,

Have you also check CustomerAuth option in Sysconfig. You need to configure both place (Config.pm) and Sysconfig options so the customers can loging and get into OTRS.

The option FrontEnd::Customer::Auth is what I am talking about.

2013/3/19 Marty Hillman

...

My Config.pm appears to be configured correctly, but it does not work. I have looked at the articles in your links along with dozens of others. All of them have the exact same configuration as what I posted in my initial email unless there is a character somewhere I am missing. I copied and pasted the configurations changing my DN, CN, OU, DC in accordance with my AD structure. It is obviously authenticating, so I am fairly certain I did it right. The sAMAccountName and mail settings have been changed various times to try to get it working. Until just before I posted my message, they were both set to ‘mail’.****

** **

One user wrote that the Customer::Auth page needed to be modified in SysConfig. http://deckerix.com/blog/configura-tu-otrs-con-soporte-ldap/ I did this as well and verified the settings in ZZZauto.pm.****

** **

From how I read your email (“OTRS will not populate your customer_user database”), I am going to have to hand enter 500 user accounts for the potential employees that can enter tickets or they will not be able to use the system. If I understand you correctly, that is a project killer.* ***

** **

If the system can create the agent accounts based on settings in the Config.pm file, why would it not be able to do so with customers?****

** **

*From:* otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] *On Behalf Of *Leonardo Certuche *Sent:* Tuesday, March 19, 2013 2:03 PM *To:* User questions and discussions about OTRS. *Subject:* Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator."*** *

** **

Hello Marty,****

** **

OTRS will not populate your customer_user database once integrated with an LDAP/AD. It will check if the user exists on 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com' and then it will confirm the password. If it matches, it will let the customer log in.****

** **

What you are facing probably has to do with the fact that first you associate CustomerID with one thing:****

** **

CustomerID => 'sAMAccountName',****

** **

And then you map it with another:****

** **

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],****

** **

Have you tried the following entries?****

** **

https://www.google.com.co/search?q=site%3Aforums.otterhub.org+%22Authenticat... ****

****

Leonardo Certuche www.itconsultores.com.co Medellín, Colombia****

** **

On 19 March 2013 13:41, Marty Hillman wrote:****

I have Googled and screwed around with Config.pm for hours. The configuration is creating agents in the database appropriately, but it is not creating users in the customer database. I am using this as in internal system only, so there is no outside access. I want any user to be able to use their AD credentials to log on. If there is not an account in OTRS, it should create one for them. ****

****

Anyone have any thoughts on what I am overlooking? Here is my /opt/otrs/Kernel/Config.pm. I copied and pasted from several Google results and modified for my own information. It does validate the password is correct for the customer, but does not add them to the database if they don’t exist.****

****

# ---------------------------------------------------- #****

# http://wiki.otterhub.org/index.php?title=Using_OTRS_with_Active_Directory_as... ****

# ---------------------------------------------------- #****

****

# This is an example configuration for using an MS AD backend****

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';****

$Self->{'AuthModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com';****

$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';****

****

# Check if the user is allowed to auth in a posixGroup****

# (e. g. user needs to be in a group OTRS_Agents to use otrs)****

$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Corp_Admin_MIS,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';****

$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';****

****

# Bind credentials to log into AD****

$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';****

****

# in case you want to add always one filter to each ldap query, use* ***

# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'****

$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';****

****

# in case you want to add a suffix to each login name, then****

# you can use this option. e. g. user just want to use user but****

# in your ldap directory exists user@domain.****

#$Self->{'AuthModule::LDAP::UserSuffix'} = '';****

****

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)****

$Self->{'AuthModule::LDAP::Params'} = {****

port => 389,****

timeout => 120,****

async => 0,****

version => 3,****

};****

****

# Now sync data with OTRS DB****

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';****

$Self->{'AuthSyncModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';****

$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';****

$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';****

****

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {****

# DB -> LDAP****

UserFirstname => 'givenName',****

UserLastname => 'sn',****

UserEmail => 'mail',****

};****

****

# AuthSyncModule::LDAP::UserSyncInitialGroups****

# (sync following group with rw permission after initial create of first agent****

# login)****

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [****

'users',****

];****

****

# ---------------------------------------------------- #****

# Customer authentication section #****

# ---------------------------------------------------- #****

****

$Self->{'SecureMode'} = '1';****

# The name to be used for this server when constructing URLs in email****

$Self-> {'FQDN'} = 'otrsdev.domain.com';****

****

#Enable LDAP authentication for Customers / Users****

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';****

$Self->{'Customer::AuthModule::LDAP::Host'} = '172.16.10.21';****

$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=com';* ***

$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';****

$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';****

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com';****

$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';*** *

$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';****

$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '';****

# $Self->{'AuthModule::LDAP::Die'} = 1;****

****

#CustomerUser****

#(customer user database backend and settings)****

$Self->{CustomerUser} = {****

Module => 'Kernel::System::CustomerUser::LDAP',****

Params => {****

Host => '172.16.10.21',****

BaseDN => 'DC=domain,DC=com',****

async => 0,****

port => 389,****

sscope => 'sub',****

timeout => 120,****

version => 3,****

UserDN => 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; ****

UserPw => 'password',****

},****

****

# Unique customer key/id****

CustomerKey => 'sAMAccountName',****

CustomerID => 'sAMAccountName',****

CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],****

CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],*** *

CustomerUserSearchPrefix => '',****

CustomerUserSearchSuffix => '*',****

CustomerUserSearchListLimit => 250,****

CustomerUserPostMasterSearchFields => ['mail'],****

CustomerUserNameFields => ['givenname', 'sn'],****

Map => [****

# note: Login, Email and CustomerID needed!****

# var, frontend, storage, shown, required, storage-type****

#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],****

[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],* ***

[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],****

[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],****

[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],****

[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],****

[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],*** *

#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ], ****

#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],** **

],****

};****

****

****

# ---------------------------------------------------- #****

****

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs****

** **

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

-- ___________________________ Alvaro Cordero Retana Consultor de Tecnologias Gridshield Monitoreo de Redes e Infraestructura. 2258-5757 ext 123 alvaro@gridshield.net www.gridshield.net

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

-- ___________________________ Alvaro Cordero Retana Consultor de Tecnologias Gridshield Monitoreo de Redes e Infraestructura. 2258-5757 ext 123 alvaro@gridshield.net www.gridshield.net

Yes. Those settings are all there. From: Alvaro Cordero [mailto:alvaro@gridshield.net] Sent: Wednesday, March 20, 2013 9:22 AM To: User questions and discussions about OTRS. Subject: Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." Hello Marting, Have you also check CustomerAuth option in Sysconfig. You need to configure both place (Config.pm) and Sysconfig options so the customers can loging and get into OTRS. The option FrontEnd::Customer::Auth is what I am talking about. 2013/3/19 Marty Hillman mailto:mhillman@equuscs.com> My Config.pm appears to be configured correctly, but it does not work. I have looked at the articles in your links along with dozens of others. All of them have the exact same configuration as what I posted in my initial email unless there is a character somewhere I am missing. I copied and pasted the configurations changing my DN, CN, OU, DC in accordance with my AD structure. It is obviously authenticating, so I am fairly certain I did it right. The sAMAccountName and mail settings have been changed various times to try to get it working. Until just before I posted my message, they were both set to 'mail'. One user wrote that the Customer::Auth page needed to be modified in SysConfig. http://deckerix.com/blog/configura-tu-otrs-con-soporte-ldap/ I did this as well and verified the settings in ZZZauto.pm.

From how I read your email ("OTRS will not populate your customer_user database"), I am going to have to hand enter 500 user accounts for the potential employees that can enter tickets or they will not be able to use the system. If I understand you correctly, that is a project killer.

If the system can create the agent accounts based on settings in the Config.pm file, why would it not be able to do so with customers? From: otrs-bounces@otrs.orgmailto:otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.orgmailto:otrs-bounces@otrs.org] On Behalf Of Leonardo Certuche Sent: Tuesday, March 19, 2013 2:03 PM To: User questions and discussions about OTRS. Subject: Re: [otrs] "Authentication succeeded, but no customer record is found in the customer backend. Please contact your administrator." Hello Marty, OTRS will not populate your customer_user database once integrated with an LDAP/AD. It will check if the user exists on 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com' and then it will confirm the password. If it matches, it will let the customer log in. What you are facing probably has to do with the fact that first you associate CustomerID with one thing: CustomerID => 'sAMAccountName', And then you map it with another: [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ], Have you tried the following entries? https://www.google.com.co/search?q=site%3Aforums.otterhub.org+%22Authenticat... Leonardo Certuche www.itconsultores.com.cohttp://www.itconsultores.com.co Medellín, Colombia On 19 March 2013 13:41, Marty Hillman mailto:mhillman@equuscs.com> wrote: I have Googled and screwed around with Config.pm for hours. The configuration is creating agents in the database appropriately, but it is not creating users in the customer database. I am using this as in internal system only, so there is no outside access. I want any user to be able to use their AD credentials to log on. If there is not an account in OTRS, it should create one for them. Anyone have any thoughts on what I am overlooking? Here is my /opt/otrs/Kernel/Config.pm. I copied and pasted from several Google results and modified for my own information. It does validate the password is correct for the customer, but does not add them to the database if they don't exist. # ---------------------------------------------------- # # http://wiki.otterhub.org/index.php?title=Using_OTRS_with_Active_Directory_as... # # ---------------------------------------------------- # # This is an example configuration for using an MS AD backend $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'; $Self->{'AuthModule::LDAP::Host'} = '172.16.10.21'; $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=com'; $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName'; # Check if the user is allowed to auth in a posixGroup # (e. g. user needs to be in a group OTRS_Agents to use otrs) $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Corp_Admin_MIS,OU=level2,OU=level1,DC=domain,DC=com'; $Self->{'AuthModule::LDAP::AccessAttr'} = 'member'; $Self->{'AuthModule::LDAP::UserAttr'} = 'DN'; # Bind credentials to log into AD $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password'; # in case you want to add always one filter to each ldap query, use # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)' $Self->{'AuthModule::LDAP::AlwaysFilter'} = ''; # in case you want to add a suffix to each login name, then # you can use this option. e. g. user just want to use user but # in your ldap directory exists user@domain. #$Self->{'AuthModule::LDAP::UserSuffix'} = ''; # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP) $Self->{'AuthModule::LDAP::Params'} = { port => 389, timeout => 120, async => 0, version => 3, }; # Now sync data with OTRS DB $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP'; $Self->{'AuthSyncModule::LDAP::Host'} = '172.16.10.21'; $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com'; $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName'; $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password'; $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = { # DB -> LDAP UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail', }; # AuthSyncModule::LDAP::UserSyncInitialGroups # (sync following group with rw permission after initial create of first agent # login) $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [ 'users', ]; # ---------------------------------------------------- # # Customer authentication section # # ---------------------------------------------------- # $Self->{'SecureMode'} = '1'; # The name to be used for this server when constructing URLs in email $Self-> {'FQDN'} = 'otrsdev.domain.comhttp://otrsdev.domain.com'; #Enable LDAP authentication for Customers / Users $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP'; $Self->{'Customer::AuthModule::LDAP::Host'} = '172.16.10.21'; $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=domain,DC=com'; $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName'; $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN'; $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password'; $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)'; $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = ''; # $Self->{'AuthModule::LDAP::Die'} = 1; #CustomerUser #(customer user database backend and settings) $Self->{CustomerUser} = { Module => 'Kernel::System::CustomerUser::LDAP', Params => { Host => '172.16.10.21', BaseDN => 'DC=domain,DC=com', async => 0, port => 389, sscope => 'sub', timeout => 120, version => 3, UserDN => 'CN=OTRS Dev,OU=level2,OU=level1,DC=domain,DC=com'; UserPw => 'password', }, # Unique customer key/id CustomerKey => 'sAMAccountName', CustomerID => 'sAMAccountName', CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'], CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'], CustomerUserSearchPrefix => '', CustomerUserSearchSuffix => '*', CustomerUserSearchListLimit => 250, CustomerUserPostMasterSearchFields => ['mail'], CustomerUserNameFields => ['givenname', 'sn'], Map => [ # note: Login, Email and CustomerID needed! # var, frontend, storage, shown, required, storage-type #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ], [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ], [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ], [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ], [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ], [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ], [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ], #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ], #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ], ], }; # ---------------------------------------------------- # --------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs --------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs -- ___________________________ Alvaro Cordero Retana Consultor de Tecnologias Gridshield Monitoreo de Redes e Infraestructura. 2258-5757 ext 123 alvaro@gridshield.netmailto:alvaro@gridshield.net www.gridshield.nethttp://www.gridshield.net