Hi,
My environment : CentOS 7 / OTRS 5.0.19 / OpenLDAP 2.4 with SSL.
My OTRS configuration (the relevant part of Kernel/Config.pm) is at the end of this message.
Thanks a lot to all posts found in this forum !
Hope that helps.
Regards,
Joel Marchand
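# ---------------------------------------------------- #
# Common LDAP parameters (shared by agent and customer auth)
# ---------------------------------------------------- #
# Bind identity used for the directory searches. Both backends below
# use the same account, so it needs read access to the whole $MyLDAPBase
# subtree and nothing more.
my $MyLDAPSearchUserDN = 'cn=otrs,ou=dsa,dc=xxxx,dc=fr';
# The bind password is stored in plaintext in this file: keep Config.pm
# readable only by the OTRS user and the web-server group. (Placeholder.)
my $MyLDAPSearchUserPw = 'xxxx';
# Two directory replicas, LDAPS only (port 636, no STARTTLS fallback).
# A host list is presumably tried in order until one connects — see
# perldoc Net::LDAP.
my $MyLDAPHost =
    ['ldaps://ldapr1.xxx.fr:636/','ldaps://ldapr2.xxxx.fr:636/'];
my $MyLDAPBase = 'dc=xxx,dc=fr';
# Applied to every search. While GroupDN stays disabled in the backends
# below, this filter is the only thing deciding which directory entries
# may attempt a login at all.
my $MyLDAPFilter = '(objectclass=posixAccount)';
# Extra arguments passed straight to Net::LDAP->new (perldoc Net::LDAP).
my $MyLDAPParams = {
    port    => 636,
    timeout => 120,
    async   => 0,
    version => 3,
    # Net::LDAP's default for 'verify' is 'none': the server certificate
    # is NOT checked unless this is set, so cafile/clientcert on their own
    # give no protection against a spoofed or intercepted directory.
    # 'require' aborts the connection on a failed verification; together
    # with AuthModule::LDAP::Die = 1 below, logins then fail closed
    # instead of continuing over an unverified session.
    verify => 'require',
    # Trust store handed to OpenSSL. If this file holds only the
    # intermediate CA, verification may fail with "unable to get issuer
    # certificate" — in that case append the root CA to it (or point
    # 'capath' at the system CA directory).
    cafile => '/etc/ssl/certs/star_xxxx_fr-intermediate.pem',
    # Mutual TLS: client certificate and private key presented to the
    # directory. The key must be readable by the user running OTRS
    # (the web server) and by nobody else.
    clientcert => '/etc/ssl/certs/star_xxxx_fr.pem',
    clientkey  => '/etc/ssl/private/star_xxxx_fr.key',
};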
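# ---------------------------------------------------- #
# For operators (= agents)
# ---------------------------------------------------- #
# --------------------------------------------------- #
# authentication settings                              #
# (enable what you need, auth against otrs db,         #
# against LDAP directory, against HTTP basic auth      #
# or against Radius server)                            #
# --------------------------------------------------- #
# Agent logins are checked against the LDAP directory
# (take care that Net::LDAP is installed!). This backend only
# authenticates; the DatabaseUserTable settings below are still in use,
# so an LDAP-authenticated agent presumably also needs a record there
# (created by hand or by an AuthSyncModule, which this config does not
# set up) — verify against the OTRS documentation for your version.
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = $MyLDAPHost;
$Self->{'AuthModule::LDAP::BaseDN'} = $MyLDAPBase;
$Self->{'AuthModule::LDAP::UID'} = 'uid';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs).
# Left disabled here: without a GroupDN every entry matching
# AlwaysFilter (any posixAccount) can authenticate as an agent. Enable
# it to restrict agent logins to one directory group.
# $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
# $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'AuthModule::LDAP::UserAttr'} = 'uid';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree.
$Self->{'AuthModule::LDAP::SearchUserDN'} = $MyLDAPSearchUserDN;
$Self->{'AuthModule::LDAP::SearchUserPw'} = $MyLDAPSearchUserPw;
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or
# AlwaysFilter => '(objectclass=user)'
# or if you want to filter with a logical OR-Expression, like
# AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = $MyLDAPFilter;
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';
# In case you want to convert all given usernames to lower letters you
# should activate this option. It might be helpful if databases are
# in use that do not distinguish selects for upper and lower case letters
# (Oracle, postgresql). User might be synched twice, if this option
# is not in use.
# $Self->{'AuthModule::LDAP::UserLowerCase'} = 0;
# In case you need to use OTRS in iso-charset, you can define this
# by using this option (converts utf-8 data from LDAP to iso).
# $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP).
# The shared hash carries the TLS settings (trust store, client cert).
$Self->{'AuthModule::LDAP::Params'} = $MyLDAPParams;
# Die if backend can't work, e. g. can't connect to server.
# Keep this at 1: it makes the backend fail closed rather than let a
# login go through when the directory is unreachable.
$Self->{'AuthModule::LDAP::Die'} = 1;
# UserTable
$Self->{DatabaseUserTable} = 'users';
$Self->{DatabaseUserTableUserID} = 'id';
$Self->{DatabaseUserTableUserPW} = 'pw';
$Self->{DatabaseUserTableUser} = 'login';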
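# ---------------------------------------------------- #
# For clients (= customers)
# ---------------------------------------------------- #
# --------------------------------------------------- #
# customer authentication settings                     #
# (enable what you need, auth against otrs db,         #
# against a LDAP directory, against HTTP basic         #
# authentication and against Radius server)            #
# --------------------------------------------------- #
# Customer logins are checked against the same directory, base DN,
# bind account and filter as the agents above (take care that
# Net::LDAP is installed!). Consequently any posixAccount can present
# credentials to the customer portal as well as the agent interface;
# the CustomerUser data source is not part of this snippet, so what a
# successfully authenticated customer can then see is decided elsewhere.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = $MyLDAPHost;
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = $MyLDAPBase;
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs).
# Left disabled here; enable it to limit customer logins to one
# directory group instead of every posixAccount.
# $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
# $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'uid';
# for non ldap posixGroups objectclass (full user dn)
# $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree.
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = $MyLDAPSearchUserDN;
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = $MyLDAPSearchUserPw;
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or
# AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = $MyLDAPFilter;
# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP).
# The shared hash carries the TLS settings (trust store, client cert).
$Self->{'Customer::AuthModule::LDAP::Params'} = $MyLDAPParams;
# Die if backend can't work, e. g. can't connect to server.
# Keep this at 1 so the customer backend fails closed when the
# directory is unreachable.
$Self->{'Customer::AuthModule::LDAP::Die'} = 1;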