I built my 3.0 config using what I think were 2.4 docs, so I believe the
functionality is unchanged.
My config example is below. You'll just need to change the names/passwords
and possibly use Kernel::System::Auth::Sync::LDAP instead of
Kernel::System::Auth::Sync::ActiveDirectory .
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
$Self->{'SecureMode'} = '1';
# The name to be used for this server when constructing URLs in email
$Self-> {'FQDN'} = 'helpdesk.xyz.net';
# Use variables here for consistency between agent and customer settings
my $ldapHost = 'xyz';
my $baseDN = 'DC=xyz,DC=net';
my $uidAttr = 'sAMAccountName';
my $searchUserDN = 'CN=service-OTRS,OU=Service
Accounts,OU=Administrative Accounts,DC=xyz,DC=net';
my $searchUserPwd = 'password';
my $adminGroup = 'CN=Apps.OTRS.Admin,OU=Access
Groups,OU=RBAC,DC=xyz,DC=net';
my $agentGroup = 'CN=Apps.OTRS.Agent,OU=Access
Groups,OU=RBAC,DC=xyz,DC=net';
my $agentFilter = '(|(memberOf:1.2.840.113556.1.4.1941:=' . $adminGroup
. ')(memberOf:1.2.840.113556.1.4.1941:=' . $agentGroup . '))';
# Agent authentication settings for LDAP
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = $ldapHost;
$Self->{'AuthModule::LDAP::BaseDN'} = $baseDN;
$Self->{'AuthModule::LDAP::UID'} = $uidAttr;
$Self->{'AuthModule::LDAP::SearchUserDN'} = $searchUserDN;
$Self->{'AuthModule::LDAP::SearchUserPw'} = $searchUserPwd;
# Allow only members of the specified access group to authenticate
as an agent
$Self->{'AuthModule::LDAP::AlwaysFilter'} = $agentFilter;
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# Auto-sync LDAP users to the agent list in OTRS (so that user IDs
don't need to be predefined)
$Self->{'AuthSyncModule'} =
'Kernel::System::Auth::Sync::ActiveDirectory'; # Use a customized module for
better AD integration (nested groups)
$Self->{'AuthSyncModule::LDAP::Host'} = $ldapHost;
$Self->{'AuthSyncModule::LDAP::BaseDN'} = $baseDN;
$Self->{'AuthSyncModule::LDAP::UID'} = $uidAttr;
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = $searchUserDN;
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = $searchUserPwd;
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# Sync/assign agents to OTRS roles based on AD group memberships
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
# LDAP group DN
$adminGroup => {
# OTRS roles
'XYZ Admins' => 1,
},
$agentGroup => {
# OTRS roles
'XYZ Agents' => 1,
},
};
#Enable LDAP authentication for Customers / Users
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = $ldapHost;
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = $baseDN;
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = $searchUserDN;
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = $searchUserPwd;
#CustomerUser
#(customer user database backend and settings)
$Self->{CustomerUser} = {
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => $ldapHost,
BaseDN => $baseDN,
SSCOPE => 'sub',
UserDN =>$searchUserDN,
UserPw => $searchUserPwd,
},
# Unique customer key/id
CustomerKey => 'sAMAccountName',
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};
Hugh
On Mon, Sep 20, 2010 at 9:59 AM, Vance Walsh <vance_wa...@concordacademy.org
> wrote:
> Is the config for LDAP to a windows 2003 or 2008 server the same as 2.4?
> I am having some troubles getting OTRS to either populate it's customer base
> with LDAP or allow access by User Group.
>
> ---
>
> Vance Walsh
> Network and Systems Administrator
> Concord Academy - Concord, Mass.
>
>
> ---------------------------------------------------------------------
> OTRS mailing list: otrs - Webpage: http://otrs.org/
> Archive: http://lists.otrs.org/pipermail/otrs
> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
>
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
