Hi,

This email is an extended documentation of how multiple authentication and identity backends for agents and customers work. The information herein was tested on OTRS 3.3.7. I decided to publish it after parsing through a lot of useless Internet search results about the subject and ultimately having to explore the source code to figure out how things work.

I wrote the doc while setting up 2 backend types: DB and LDAP.

To be able to use this documentation you need to know how to configure OTRS via Config.pm and to understand how OTRS works out of the box using the DB backend type for its authentication / identity info needs.

HTH someone.

Regards,
Bogdan

- OTRS supports multiple types of backends (e.g. DB and LDAP (WinAD))
- OTRS distinguishes between backends used for agents and backends used for customers
- OTRS distinguishes between backends used for authentication and backends used for identity info / details
  - Using a backend for authentication means verifying given credentials with the backend to ensure they are valid
  - Using a backend for identity info means:
    - Using a given agent / customer id (but not its password) to retrieve from the backend detailed info about this identity (e.g. retrieve first name, last name, address, email, etc.)
    - Searching and retrieving identity info for a set of agent / customer identities from the backend
- Up to 11 backends of varying types are supported for each of the following:
  - Agent authentication, Agent identity info, Customer authentication, Customer identity info
- Correlating configurations with multiple physical backends
  - Having a different configuration for an agent / customer authentication backend vs. an identity info backend is a niche case. Usually, the same physical backend needs to be configured at least twice, once for authentication and once for identity info. When the same physical backend is used for both agents and customers it needs to be configured four times (each in slightly different ways).
  - When more than one physical backend needs to be used (e.g. DB + LDAP) care must be taken to configure them in the same order each time to avoid inexplicable behavior
- Configuring backends for agent authentication
  - Each backend is configured by specifying a set of settings (available in Defaults.pm) with names like:
    - {AuthModule*}, {'AuthModule::%{DB|LDAP|...}%::%SettingShortName%*'}
  - The settings for the first configured backend appear with names as found in Defaults.pm
  - Settings for additional backends appear by duplicating the initial setting set and modifying their names
    - Choose a number between 1..10 to identify the additional set
    - Modify all duplicated setting names by appending the set number to their name
      - e.g. For original set: {AuthModule}, {'AuthModule::%{DB|LDAP|...}%::%SettingShortName%'} ...
      - e.g. For set 1: {AuthModule1}, {'AuthModule::%{DB|LDAP|...}%::%SettingShortName%1'} ...
  - Each configured backend must specify if it's paired with a backend for identity info
    - The configuration setting set contains a setting named like 'AuthSyncBackend*' having either the empty value or values like 'AuthSyncBackend*'
      - The empty value ('') means this backend is not paired with an identity info backend and no sync must be attempted after agent login
      - The value 'AuthSyncBackend' means this backend is paired with the identity info backend specified through the settings set named like {AuthSyncModule}, {'AuthSyncModule::%{DB|LDAP|...}%::%SettingShortName%'} ... and a sync must occur after agent login
      - The value 'AuthSyncBackend1' means this backend is paired with the identity info backend specified through the settings set named like {AuthSyncModule1}, {'AuthSyncModule::%{DB|LDAP|...}%::%SettingShortName%1'} ... and a sync must occur after agent login
      - etc.
- Configuring backends for agent identity info
  - Each backend is configured by specifying a set of settings (available in Defaults.pm) with names like:
    - {AuthSyncModule*}, {'AuthSyncModule::%{DB|LDAP|...}%::%SettingShortName%*'}
  - The settings for the first configured backend appear with names as found in Defaults.pm
  - Settings for additional backends appear by duplicating the initial setting set and modifying their names
    - Choose a number between 1..10 to identify the additional set
    - Modify all duplicated setting names by appending the set number to their name
      - e.g. For original set: {AuthSyncModule}, {'AuthSyncModule::%{DB|LDAP|...}%::%SettingShortName%'} ...
      - e.g. For set 1: {AuthSyncModule1}, {'AuthSyncModule::%{DB|LDAP|...}%::%SettingShortName%1'} ...
  - Agent identity info is retrieved (synched) after every successful authentication and stored in OTRS' DB
  - After sync, identity info is used directly from OTRS' DB where it's stored in a single table and relationally referenced from wherever else it's needed
  - To refresh the identity info known to OTRS about an agent X, the X agent needs to log out and log in again
- Configuring backends for customer authentication
  - Each backend is configured by specifying a set of settings (available in Defaults.pm) with names like:
    - {Customer::AuthModule*}, {'Customer::AuthModule::%{DB|LDAP|...}%::%SettingShortName%*'}
  - The settings for the first configured backend appear with names as found in Defaults.pm
  - Settings for additional backends appear by duplicating the initial setting set and modifying their names
    - Choose a number between 1..10 to identify the additional set
    - Modify all duplicated setting names by appending the set number to their name
      - e.g. For original set: {Customer::AuthModule}, {'Customer::AuthModule::%{DB|LDAP|...}%::%SettingShortName%'} ...
      - e.g. For set 1: {Customer::AuthModule1}, {'Customer::AuthModule::%{DB|LDAP|...}%::%SettingShortName%1'} ...
- Configuring backends for customer identity info
  - Each backend is configured by specifying a setting (available in Defaults.pm) named like {CustomerUser*}
  - The setting for the first configured backend appears with the same name as found in Defaults.pm
  - Settings for additional backends appear by duplicating the initial setting and modifying its name
    - Choose a number between 1..10 to identify the additional setting
    - Modify the duplicated setting name by appending the set number to its name
      - e.g. For original: {CustomerUser}
      - e.g. For set 1: {CustomerUser1}
  - Customer identity info is dynamically retrieved from the backend whenever it's needed and then cached in memory / disk for a while
  - Some customer identity info may get replicated in OTRS' DB. In particular, customer's email will be used / captured in ticket history and articles. In some cases problems may occur if key identity info changes in the backend.
  - To ensure a refresh of the identity info known to OTRS about a customer X, the agent / customer Y using the customer X identity info needs to log out and log in again
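
The numbering and pairing scheme described above, written out as a Config.pm fragment with the DB as the original set and one LDAP directory as set 1. This is an added example, not part of the original email or of OTRS' shipped configuration; hosts, DNs and the password are constructed placeholders, and the pairing key name 'AuthModule::UseSyncBackend' is taken from Defaults.pm rather than from the text above.

```perl
# Kernel/Config.pm fragment: goes inside "sub Load { my $Self = shift; ... }".
# Hosts, DNs and the password are constructed placeholders.

# Agent authentication, original set (no suffix): OTRS' own DB.
$Self->{'AuthModule'} = 'Kernel::System::Auth::DB';
# '' = not paired with an identity info backend, no sync after agent login.
# (Key name as found in Defaults.pm; check it against your OTRS version.)
$Self->{'AuthModule::UseSyncBackend'} = '';

# Agent authentication, set 1: LDAP. Every key of the set carries the suffix 1.
$Self->{'AuthModule1'}                     = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'}         = 'ldaps://ldap.example.com';
$Self->{'AuthModule::LDAP::BaseDN1'}       = 'ou=staff,dc=example,dc=com';
$Self->{'AuthModule::LDAP::UID1'}          = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'cn=otrs-ro,ou=svc,dc=example,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'PLACEHOLDER-PASSWORD';
# Paired with the identity info backend configured as AuthSyncModule1 below.
$Self->{'AuthModule::UseSyncBackend1'}     = 'AuthSyncBackend1';

# Agent identity info, set 1: the same physical LDAP, configured a second
# time under the same number so the pairing above resolves to it.
$Self->{'AuthSyncModule1'}                     = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'}         = 'ldaps://ldap.example.com';
$Self->{'AuthSyncModule::LDAP::BaseDN1'}       = 'ou=staff,dc=example,dc=com';
$Self->{'AuthSyncModule::LDAP::UID1'}          = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'cn=otrs-ro,ou=svc,dc=example,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'PLACEHOLDER-PASSWORD';
# Attributes copied into OTRS' DB after every successful agent login.
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'}  = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# Customer authentication: DB as the original set, the same LDAP as set 1.
$Self->{'Customer::AuthModule'}                      = 'Kernel::System::CustomerAuth::DB';
$Self->{'Customer::AuthModule1'}                     = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'}         = 'ldaps://ldap.example.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'}       = 'ou=customers,dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID1'}          = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'cn=otrs-ro,ou=svc,dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'PLACEHOLDER-PASSWORD';

# Customer identity info for the same directory goes in $Self->{CustomerUser1}
# (a single hash, not shown here), again under number 1.
```

Keeping the LDAP directory as number 1 in all four places is what "the same order each time" means in practice. The bind account only needs read access to the directory.
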
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs