Sorry to hear its going slow. Had fun also with getting it to work using
AD. You did not include all of your config for LDAP, so I'll just cover a
few general things.
Setup a user account that can browse AD's LDAP. (username - OTRS_Account
password - whatever) you may want to make it never expire.
Setup two groups, one for Customers and one for Agents.
Make AD users members of the Customers group.
Add AD users to the Agents group that you want to use the system as an
agent.
Create a user in OTRS and add to the admin group using the same username
that you intend to login to AD with.
Modify your Config.pm file adding the following to allow agents and
customers/users to login using LDAP. Modify for your structure. Taken from
my setup, add and modify as needed. Just an example:
############## Start of Config.pm ################
<snip>
#we want to use LDAP for Auth
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.com';
$Self->{'AuthModule::LDAP::BaseDN'} =
'dc=domainname,dc=win,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
#The username and password of the user you setup to access LDAP
information in AD
$Self->{'AuthModule::LDAP::SearchUserDN'} =
'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'whateverYourPasswordIs';
#We want our Customer/users to Auth using LDAP
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.domain.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} =
'OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} =
'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} =
'whateverYourPasswordIs';
$Self->{CustomerUser} = {
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'ldap.domain.com',
BaseDN => 'OU=Users,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com',
SSCOPE => 'sub',
UserDN =>
'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com',
UserPw => 'whateverYourPasswordIs',
},
CustomerKey => 'sAMAccountName',
CustomerID => 'userPrincipalName',
CustomerUserListFields => ['displayName', 'userPrincipalName'],
CustomerUserSearchFields => ['displayName', 'userPrincipalName'],
CustomerUserPostMasterSearchFields => userPrincipalName,
CustomerUserNameFields => ['givenName', 'sn'],
#the following must map to valid fields in your AD
(givenname,sn,sAMAccountName,...)
Map => [
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'userPrincipalName', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'userPrincipalName', 0, 1, 'var' ],
],
};
#OK now lets have our agents use LDAP
$Self->{'AuthModule::LDAP::GroupDN'} =
'CN=helpdesk_agents,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} =
'CN=helpdesk_customers,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=co
m';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
# UserSyncLDAPMap
# (map if agent should create/synced from LDAP to DB after login must
match your AD)
$Self->{UserSyncLDAPMap} = {
# DB -> LDAP
Firstname => 'givenName',
Lastname => 'sn',
Email => 'userPrincipalName',
};
# UserSyncLDAPGroups
# (If "LDAP" was selected for AuthModule, you can specify
# initial user groups for first login.)
$Self->{UserSyncLDAPGroups} = [
'users',
];
<snip>
##################### End of Config.pm ####################
Restart OTRS and try logining in using the username you setup as the admin,
but use your AD password. Should work. They login as a customer using the
username and password that you put in the customer group in AD.
Have Fun
GEH
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Matthew Joyce
Sent: Thursday, June 07, 2007 9:40 PM
To: otrs
Subject: [otrs] ORTS, LDAP and AD groups
Hi all,
I'm having glacial progress with getting otrs (Debian) to authenticate
with Active Directory.
I've have trawled the archives and I'm still not even sure the setup
I'm after can be done.
I have a standard structure of OUs
Customer and Agent account are distributed throughout the OUs
I'd like to put Agents in a group to distinguish then from Customers
The login IDs should be their samAccountName
Group membership can be derived from the group attribute 'member'
which contains users DNs.
here's the config...
$Self->{'AuthModule::LDAP::UID'} = 'samAccountName';
$Self->{'AuthModule::LDAP::GroupDN'} =
'cn=OTRS-Agents,ou=Groups,dc=domain,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'distinguishedname';
Looking at the log, it seems membership is being tested using the
Login ID and failing.
Jun 8 11:37:28 vm-helpdesk OTRS-CGI-10[13668]:
[Notice][Kernel::System::Auth::LDAP::Auth] User: mjoyce authentication
failed, no LDAP group
entry foundGroupDN='cn=OTRS-Agents,ou=Groups,dc=domain,dc=local',
Filter='(member=mjoyce)'! (REMOTE_ADDR: x.x.x.x).
Have I misunderstood how this authentication process works ?
Can anyone advise me ?
Thanks
Matt
_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Support or consulting for your OTRS system?
=> http://www.otrs.com/
_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Support or consulting for your OTRS system?
=> http://www.otrs.com/
