Hi Deniz,

The LDAP configuration is mainly done in the Config.pm file; there is
quite a bit of customisation to do on this front.

Please find attached my blank LDAP config - I've seen many questions on LDAP
authentication and decided to compile a template for people to use to aid
them in implementing it, thanks to a lot of help I received myself during my
initial phases of setting up OTRS.

Some considerations you need to be aware of:

   - The config is split into two groups, agents and customers
      - Agents are differentiated by an exclusive group membership. This
      prevents customers from accessing the agent interface.
      - Agent passwords are synced with OTRS's relevant database fields;
      this is a requirement (afaik).
      - Customers are identified by any legitimate LDAP account.

Let us know how you get on.

Thanks,

David

On Wed, Feb 24, 2010 at 3:59 PM, Deniz Rende <[email protected]> wrote:

> Hello,
>
> I've been trying to figure out how to integrate our company LDAP with OTRS
> 2.4.7. Here is what I did so far that did not give me any results:
> 0) Installed Net::LDAP Module
> 1) From Admin -> SysConfig
> 2) Search for LDAP
> 3) Frontend::Customer::Auth
> 4) Edited the Following:
>
>    - Customer::AuthModule::LDAP::Host (instead of default I added our ldap
>    server)
>    - Customer::AuthModule::LDAP::BaseDN (entered o=.....,o......)
>    - Customer::AuthModule::LDAP::UID (left the default as UID)
>    - Customer::AuthModule::LDAP::GroupDN (instead of the default I entered
>    our cn, ,our ou=staff, our o's....)
>    - Customer::AuthModule::LDAP::AccessAttr (left it as memberUid)
>
> 5) Created a test user in our LDAP, and made sure that it was created (LDAP
> searches from servers returned just fine)
> 6) Restarted the Apache server.
> 7) Tried to log in with my test user at https://otrshost/otrs/customer.pl
>
> and the login failed. Tried to get the password, but otrs informed me no
> such user...
>
> What else needs to be done for LDAP integration? Do I need to go back to
> /opt/otrs/Kernel/Config.pm and add things, or is the Web GUI method
> enough?
>
> Here is what I am using
>
> Solaris 10 X86
> Perl 5.10
> Apache2 with SSL
> OTRS 2.4.7
> check.Modules returns ok
>
>
>
>
> --
> Deniz Rende
> E-mail: [email protected]
> Phone: +1 (224) 789-UNIX (8649)
> Mobile: +1 (816) 213-2139
> Web: http://www.deniz-rende.com/blog
>
>
> ---------------------------------------------------------------------
> OTRS mailing list: otrs - Webpage: http://otrs.org/
> Archive: http://lists.otrs.org/pipermail/otrs
> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
>
> NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW!
> http://www.otrs.com/en/support/enterprise-subscription/
>
    ################### Agent Authentication #####################

    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'servername.companyname.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=companyname,dc=local';
    # You may need to change this, not sure if it's M$ AD specific,
    # default is "mail" I think
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=OTRS_Groups,dc=companyname,dc=local';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    # for ldap posixGroups objectclass (just uid)
    #$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
    # for non ldap posixGroups objectclass (with full user dn)
    # Note: AccessAttr and UserAttr must match how the group stores its
    # members: 'memberUid' holds logins (UserAttr 'UID'), 'member' holds
    # full DNs (UserAttr 'DN').
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Searcher,OU=OTRS LDAP Searcher,DC=companyname,DC=local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'searcherpassword';

    # in case you always want to add one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each login name, then
    # you can use this option. e. g. the user just wants to type "user" but
    # in your ldap directory the entry is u...@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'servername.companyname.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=companyname,dc=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=OTRS Searcher,ou=OTRS LDAP Searcher,dc=companyname,dc=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'searcherpassword';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync the following groups with rw permission after the initial create
    # on an agent's first login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

    ################### Customer User Backend #####################

    # CustomerUser
    # (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
        Name   => 'Company Staff',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'servername.companyname.local',
            # ldap base dn
            BaseDN => 'ou=Company User Accounts,dc=companyname,dc=local',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'cn=OTRS Searcher,ou=OTRS LDAP Searcher,dc=companyname,dc=local',
            UserPw => 'searcherpassword',
            # in case you always want to add one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            AlwaysFilter => '',
            # if your frontend is e. g. iso-8859-1 and the charset of your
            # ldap server is utf-8, use these options (if not, ignore them)
#            SourceCharset => 'utf-8',
#            DestCharset   => 'iso-8859-1',
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        # show not only own tickets in customer panel (CompanyTickets)
        CustomerUserExcludePrimaryCustomerID => 0,
        # add a ldap filter for valid users (expert setting)
#       CustomerUserValidFilter => '(!(description=gesperrt))',
        # admin can't change customer preferences
        AdminSetPreferences => 0,
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
            [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
#           [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
        ],
    };

    ################### Customer User Authentication #####################

    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'server.companyname.local';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=companyname,dc=local';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    # $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
    # $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
    # for ldap posixGroups objectclass (just uid)
    #$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
    # for non ldap posixGroups objectclass (full user dn)
    # (only one UserAttr assignment should be active; a second one silently
    # overrides the first)
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Searcher,ou=OTRS LDAP Searcher,dc=companyname,dc=local';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'searcherpassword';

    # in case you always want to add one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each customer login name, then
    # you can use this option. e. g. the user just wants to type "user" but
    # in your ldap directory the entry is u...@domain.
#    $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };
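The template above hinges on one pairing that is easy to get wrong: AccessAttr names the attribute a group uses to list its members, and UserAttr says whether that attribute holds bare logins ('UID', as in a posixGroup's memberUid) or full entry DNs ('DN', as in an AD group's member). Below is an added example, not OTRS or Net::LDAP code, that models the two-step check (find the user under BaseDN by the UID attribute, then test GroupDN membership) over a small constructed in-memory directory, so the correct and mismatched pairings can be compared without a live server. All DNs, logins and passwords are constructed; password checking is modelled by comparing a userPassword attribute, whereas a real backend binds to the server with the user's DN and password.

```python
"""Toy model of the OTRS LDAP login check: user search under BaseDN, then GroupDN test."""
from dataclasses import dataclass, field
from typing import Optional

BASE = "dc=companyname,dc=local"  # constructed, matches the template's BaseDN

# Constructed sample directory: DN -> attributes. LDAP attributes are multi-valued.
DIRECTORY = {
    f"cn=alice,ou=Company User Accounts,{BASE}": {
        "objectclass": ["user"], "sAMAccountName": ["alice"],
        "mail": ["alice@companyname.local"], "userPassword": ["alice-pw"],
    },
    f"cn=bob,ou=Company User Accounts,{BASE}": {
        "objectclass": ["user"], "sAMAccountName": ["bob"],
        "mail": ["bob@companyname.local"], "userPassword": ["bob-pw"],
    },
    # AD-style group: 'member' holds full DNs -> pair with UserAttr 'DN'
    f"cn=OTRS_Agents,ou=OTRS_Groups,{BASE}": {
        "objectclass": ["group"],
        "member": [f"cn=alice,ou=Company User Accounts,{BASE}"],
    },
    # posixGroup: 'memberUid' holds bare logins -> pair with UserAttr 'UID'
    f"cn=otrsallow,ou=posixGroups,{BASE}": {
        "objectclass": ["posixGroup"], "memberUid": ["alice"],
    },
}


@dataclass
class LdapAuthConfig:
    """Subset of the AuthModule::LDAP::* keys from the template (key names are OTRS's, values constructed)."""
    base_dn: str
    uid_attr: str = "sAMAccountName"
    group_dn: Optional[str] = None
    access_attr: str = "memberUid"
    user_attr: str = "UID"                      # 'UID' compares the login, 'DN' the entry DN
    always_filter: dict = field(default_factory=dict)  # models e.g. (objectclass=user)
    user_suffix: str = ""                       # models AuthModule::LDAP::UserSuffix


def _values(attrs, name):
    """Case-insensitive attribute lookup, values lower-cased (LDAP matching is case-insensitive here)."""
    for key, vals in attrs.items():
        if key.lower() == name.lower():
            return [v.lower() for v in vals]
    return []


def search_user(cfg, login):
    """Step 1: find the entry under BaseDN whose UID attribute equals login + UserSuffix."""
    wanted = (login + cfg.user_suffix).lower()
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(cfg.base_dn.lower()):
            continue
        if wanted not in _values(attrs, cfg.uid_attr):
            continue
        # AlwaysFilter: every required attribute=value pair must also match
        if all(v.lower() in _values(attrs, a) for a, v in cfg.always_filter.items()):
            return dn, attrs
    return None


def group_allows(cfg, login, user_dn):
    """Step 2: GroupDN test. AccessAttr is the group's membership attribute;
    UserAttr decides whether the login or the full DN is looked up in it."""
    if cfg.group_dn is None:
        return True
    group = DIRECTORY.get(cfg.group_dn)
    if group is None:
        return False
    needle = user_dn if cfg.user_attr.upper() == "DN" else login
    return needle.lower() in _values(group, cfg.access_attr)


def authenticate(cfg, login, password):
    """Return (ok, detail); detail names the failing step, which is what to look for in the OTRS log."""
    found = search_user(cfg, login)
    if found is None:
        return False, "no such user under BaseDN (check UID attribute, BaseDN, AlwaysFilter)"
    dn, attrs = found
    if password not in attrs.get("userPassword", []):
        return False, "bind failed (wrong password)"
    if not group_allows(cfg, login, dn):
        return False, "user not in GroupDN (check AccessAttr/UserAttr pairing)"
    return True, dn


# The template's AD-style agent check, a correct posixGroup check, and the
# mismatch (memberUid paired with 'DN') that rejects a legitimate group member.
AD_STYLE = LdapAuthConfig(BASE, group_dn=f"cn=OTRS_Agents,ou=OTRS_Groups,{BASE}",
                          access_attr="member", user_attr="DN",
                          always_filter={"objectclass": "user"})
POSIX_OK = LdapAuthConfig(BASE, group_dn=f"cn=otrsallow,ou=posixGroups,{BASE}",
                          access_attr="memberUid", user_attr="UID")
POSIX_MISMATCH = LdapAuthConfig(BASE, group_dn=f"cn=otrsallow,ou=posixGroups,{BASE}",
                                access_attr="memberUid", user_attr="DN")

if __name__ == "__main__":
    for name, cfg in [("AD_STYLE", AD_STYLE), ("POSIX_OK", POSIX_OK), ("POSIX_MISMATCH", POSIX_MISMATCH)]:
        for login in ("alice", "bob"):
            print(name, login, authenticate(cfg, login, f"{login}-pw"))
```

Running it shows alice accepted under AD_STYLE and POSIX_OK, bob rejected at the GroupDN step because he is in neither group, and alice rejected under POSIX_MISMATCH even though she is a member, because memberUid stores "alice" while UserAttr 'DN' looks for her full DN. That last case is the symptom to check first when a group-restricted login fails with a valid password.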