Just replying to myself as an update: this configuration does allow the listing of customers, and I have added a filter of AlwaysFilter => '(objectclass=person)'.
Auth is still problematic for me - any pointers as to where I am going wrong?

W

2009/11/19 William Hamilton <[email protected]>
> Hi, we have LAM (LDAP Account Manager) installed on a box which is used to
> authenticate a Samba server. I want to use this server to hold OTRS auth
> and user details for the internal company. I am not sure how much LAM differs
> from AD (which most of the docs seem to point to).
>
> I am not getting any authentication happening nor able to list users (using
> r...@localhost login). Anyone else using LAM?
>
> tia
>
> W
>
>
> Setup
> Debian (Stable LDAP server and Testing OTRS server)
> LAM 2.3.0
>
> Config.pm entries look like below
>
> ############ Customer stuff (staff) ###############
> # CustomerUser
> # (customer user ldap backend and settings)
> $Self->{CustomerUser} = {
>     Name => 'LDAP Data source',
>     Module => 'Kernel::System::CustomerUser::LDAP',
>     Params => {
>         Host => 'ldapserver',
>         BaseDN => 'dc=xxxx,dc=com',
>         SSCOPE => 'sub',
>         UserDN => '',
>         UserPw => '',
>         AlwaysFilter => '',
>         # SourceCharset => 'utf-8',
>         # DestCharset => 'iso-8859-1',
>         # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
>         Params => {
>             port => 389,
>             timeout => 120,
>             async => 0,
>             version => 3,
>         },
>     },
>     # customer uniq id
>     CustomerKey => 'uid',
>     # customer #
>     CustomerID => 'mail',
>     CustomerUserListFields => ['cn', 'mail'],
>     CustomerUserSearchFields => ['uid', 'cn', 'mail'],
>     CustomerUserSearchPrefix => '',
>     CustomerUserSearchSuffix => '*',
>     CustomerUserSearchListLimit => 250,
>     CustomerUserPostMasterSearchFields => ['mail'],
>     CustomerUserNameFields => ['givenname', 'sn'],
>     # show now own tickets in customer panel, CompanyTickets
>     CustomerUserExcludePrimaryCustomerID => 0,
>     # add a ldap filter for valid users (expert setting)
>     # CustomerUserValidFilter => '(!(description=gesperrt))',
>     # admin can't change customer preferences
>     AdminSetPreferences => 0,
>     Map => [
>         # note: Login, Email and CustomerID needed!
>         # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
>         [ 'UserSalutation',  'Title',      'title',           1, 0, 'var', '', 0 ],
>         [ 'UserFirstname',   'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
>         [ 'UserLastname',    'Lastname',   'sn',              1, 1, 'var', '', 0 ],
>         [ 'UserLogin',       'Username',   'uid',             1, 1, 'var', '', 0 ],
>         [ 'UserEmail',       'Email',      'mail',            1, 1, 'var', '', 0 ],
>         [ 'UserCustomerID',  'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
>         # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
>         [ 'UserPhone',       'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
>         [ 'UserAddress',     'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
>         [ 'UserComment',     'Comment',    'description',     1, 0, 'var', '', 0 ],
>     ],
> };
>
>
> ############# Auth customer folk (staff) ##############
> # (take care that Net::LDAP is installed!)
> $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldapserver';
> $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=xxxx,dc=com';
> $Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
>
> # Check if the user is allowed to auth in a posixGroup
> # (e. g. user needs to be in a group xyz to use otrs)
> $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=1gstaff,ou=Groups,dc=xxxx,dc=com';
> $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
> # for ldap posixGroups objectclass (just uid)
> $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'uid';
> # for non ldap posixGroups objectclass (full user dn)
> # $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
>
> # The following is valid but would only be necessary if the
> # anonymous user do NOT have permission to read from the LDAP tree
> $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '';
> $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '';
>
> # in case you want to add always one filter to each ldap query, use
> # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
> $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';
>
> # in case you want to add a suffix to each customer login name, then
> # you can use this option. e. g. user just want to use user but
> # in your ldap directory exists u...@domain.
> # $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';
>
> # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
> $Self->{'Customer::AuthModule::LDAP::Params'} = {
>     port => 389,
>     timeout => 120,
>     async => 0,
>     version => 3,
> };
>
> ############# Auth support folk (1gtech) ##############
> # (take care that Net::LDAP is installed!)
> $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> $Self->{'AuthModule::LDAP::Host'} = 'ldapserver';
> $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=xxxx,dc=com';
> $Self->{'AuthModule::LDAP::UID'} = 'uid';
>
> # The following is valid but would only be necessary if the
> # anonymous user do NOT have permission to read from the LDAP tree
> $Self->{'AuthModule::LDAP::SearchUserDN'} = '';
> $Self->{'AuthModule::LDAP::SearchUserPw'} = '';
>
> # Check if the user is allowed to auth in a posixGroup
> # (e. g. user needs to be in a group xyz to use otrs)
> $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=1gtech,ou=groups,dc=xxxx,dc=com';
> $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
> # for ldap posixGroups objectclass (just uid)
> $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
> # for non ldap posixGroups objectclass (with full user dn)
> $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
>
>
> # in case you want to add always one filter to each ldap query, use
> # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
> $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
>
> # in case you want to add a suffix to each login name, then
> # you can use this option. e. g. user just want to use user but
> # in your ldap directory exists u...@domain.
> # $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';
>
> # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
> $Self->{'AuthModule::LDAP::Params'} = {
>     port => 389,
>     timeout => 120,
>     async => 0,
>     version => 3,
> };
>
> # agent data sync against ldap
> $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
> $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldapserver/';
> $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=xxxx,dc=com';
> $Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
> $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = '';
> $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '';
> $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
>     # DB -> LDAP
>     UserFirstname => 'givenName',
>     UserLastname  => 'sn',
>     UserEmail     => 'mail',
> };
>
> # AuthSyncModule::LDAP::UserSyncInitialGroups
> # (sync following group with rw permission after initial create of first agent
> # login)
> $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
>     'users',
> ];
>
>
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW!
http://www.otrs.com/en/support/enterprise-subscription/
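An added diagnostic, not code from this thread or from OTRS, that works out the LDAP filters the posted Auth::LDAP / CustomerAuth::LDAP settings imply and flags combinations that cannot match (memberUid holds bare logins, so it cannot match a full DN; the agent section above assigns UserAttr twice and in Perl the last assignment, 'DN', wins). The config dicts, the user DN and the way the settings are combined are assumptions constructed to mirror the posted Config.pm; the login escaping follows RFC 4515.

```python
from typing import Dict, List


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name can never change the filter's shape."""
    special = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
    return ''.join(special.get(ch, ch) for ch in value)


def user_filter(cfg: Dict[str, str], login: str) -> str:
    """Filter for locating the login's entry below BaseDN (AlwaysFilter ANDed in)."""
    base = f"({cfg['UID']}={escape_filter_value(login)})"
    return f"(&{base}{cfg['AlwaysFilter']})" if cfg['AlwaysFilter'] else base


def group_filter(cfg: Dict[str, str], login: str, user_dn: str) -> str:
    """Filter run against GroupDN; the value matched depends on UserAttr."""
    value = user_dn if cfg['UserAttr'].upper() == 'DN' else login
    return f"({cfg['AccessAttr']}={escape_filter_value(value)})"


def lint(cfg: Dict[str, str]) -> List[str]:
    """Flag settings that can only ever produce 'user not in group' results."""
    access, user_attr = cfg['AccessAttr'].lower(), cfg['UserAttr'].upper()
    findings = []
    if access == 'memberuid' and user_attr == 'DN':
        findings.append("posixGroup memberUid holds bare logins: UserAttr must be 'uid'")
    if access in ('member', 'uniquemember') and user_attr != 'DN':
        findings.append(f"{cfg['AccessAttr']} holds full DNs: UserAttr must be 'DN'")
    if not cfg['AlwaysFilter']:
        findings.append("AlwaysFilter is empty: restrict to e.g. (objectclass=person)")
    return findings


# Constructed to mirror the posted agent section: UserAttr is assigned 'UID'
# and then 'DN' in Config.pm, so 'DN' is the value actually in effect.
AGENT_CFG = {'UID': 'uid', 'GroupDN': 'cn=1gtech,ou=groups,dc=xxxx,dc=com',
             'AccessAttr': 'memberUid', 'UserAttr': 'DN', 'AlwaysFilter': ''}
# Constructed customer section with the filter the follow-up mentions applied.
CUSTOMER_CFG = {'UID': 'uid', 'GroupDN': 'cn=1gstaff,ou=Groups,dc=xxxx,dc=com',
                'AccessAttr': 'memberUid', 'UserAttr': 'uid',
                'AlwaysFilter': '(objectclass=person)'}

if __name__ == '__main__':
    dn = 'uid=jdoe,ou=People,dc=xxxx,dc=com'  # constructed user DN
    for name, cfg in (('agent', AGENT_CFG), ('customer', CUSTOMER_CFG)):
        print(name, user_filter(cfg, 'jdoe'), group_filter(cfg, 'jdoe', dn))
        for finding in lint(cfg):
            print('  !', finding)
```

Running it prints the memberUid filter the agent section would send with a full DN as the value, which no posixGroup entry can match, alongside the clean customer section.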
