Hello,
I have some problems with the OTRS system and Active Directory.
1. I try to sync agents roles ( admin in AD -> admin in OTRS ). With
the config bellow agents are capable to login with Active Directory
credentials but no roles sync.
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'pdc.test.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=test,dc=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# $Self->{'AuthModule::LDAP::GroupDN'} =
'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
# $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} =
'CN=otrs_ldap,CN=Users,DC=test,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'vali1982!';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter =>
'(objectclass=user)'
# $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists u...@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';
# In case you want to convert all given usernames to lower letters you
# should activate this option. It might be helpfull if databases are
# in use that do not distinguish selects for upper and lower case letters
# (Oracle, postgresql). User might be synched twice, if this option
# is not in use.
# $Self->{'AuthModule::LDAP::UserLowerCase'} = 0;
# In case you need to use OTRS in iso-charset, you can define this
# by using this option (converts utf-8 data from LDAP to iso).
# $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# Die if backend can't work, e. g. can't connect to server.
$Self->{'AuthModule::LDAP::Die'} = 1;
# --------------------------------------------------- #
# authentication sync settings #
# (enable agent data sync. after succsessful #
# authentication) #
# --------------------------------------------------- #
# This is an example configuration for an LDAP auth sync. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'pdc.test.local';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=test,dc=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} =
'CN=otrs_ldap,CN=Users,DC=test,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'vali1982!';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter =>
'(objectclass=user)'
# $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';
# AuthSyncModule::LDAP::UserSyncMap
# (map if agent should create/synced from LDAP to DB after successful login)
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# In case you need to use OTRS in iso-charset, you can define this
# by using this option (converts utf-8 data from LDAP to iso).
# $Self->{'AuthSyncModule::LDAP::Charset'} = 'iso-8859-1';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthSyncModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# Die if backend can't work, e. g. can't connect to server.
$Self->{'AuthSyncModule::LDAP::Die'} = 1;
# Attributes needed for group syncs
# (attribute name for group value key)
# $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
# (attribute for type of group content UID/DN for full ldap name)
# $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'UID';
# $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of
first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
# AuthSyncModule::LDAP::UserSyncGroupsDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# groups to otrs groups, define the following.)
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
# ldap group
'CN=Domain Admins,CN=Users,DC=test,DC=local' => {
# otrs group
'admin' => {
# permission
rw => 1,
ro => 1,
},
'faq' => {
rw => 0,
ro => 1,
},
},
'CN=Domain Admins,CN=Users,DC=test,DC=local' => {
'users' => {
rw => 1,
ro => 1,
},
}
};
# AuthSyncModule::LDAP::UserSyncRolesDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# groups to otrs roles, define the following.)
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
# ldap group
'CN=Domain Admins,CN=Users,DC=test,DC=local' => {
# otrs role
'role1' => 1,
'role2' => 0,
},
'CN=Domain Admins,CN=Users,DC=test,DC=local' => {
'role3' => 1,
}
};
# AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# attributes to otrs groups, define the following.)
$Self->{'AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition'} = {
# ldap attribute
'LDAPAttribute' => {
# ldap attribute value
'LDAPAttributeValue1' => {
# otrs group
'admin' => {
# permission
rw => 1,
ro => 1,
},
'faq' => {
rw => 0,
ro => 1,
},
},
},
'LDAPAttribute2' => {
'LDAPAttributeValue' => {
'users' => {
rw => 1,
ro => 1,
},
},
}
};
# AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# attributes to otrs roles, define the following.)
$Self->{'AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition'} = {
# ldap attribute
'LDAPAttribute' => {
# ldap attribute value
'LDAPAttributeValue1' => {
# otrs role
'role1' => 1,
'role2' => 1,
},
},
'LDAPAttribute2' => {
'LDAPAttributeValue1' => {
'role3' => 1,
},
},
};
# UserTable
$Self->{DatabaseUserTable} = 'users';
$Self->{DatabaseUserTableUserID} = 'id';
$Self->{DatabaseUserTableUserPW} = 'pw';
$Self->{DatabaseUserTableUser} = 'login';
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'pdc.test.local';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=test,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# $Self->{'Customer::AuthModule::LDAP::GroupDN'} =
'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
# $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
# $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} =
'CN=otrs_ldap,CN=Users,DC=test,DC=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'vali1982!';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter =>
'(objectclass=user)'
# $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists u...@domain.
# $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# Die if backend can't work, e. g. can't connect to server.
$Self->{'Customer::AuthModule::LDAP::Die'} = 1;
2. I have problems at customer login using Active Directory
credentials. I get panic no user data. In otrs log is the following
error:
[Fri May 7 09:35:52
2010][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser:
ion (CN=ion,CN=Users,DC=test,DC=local) authentication ok (REMOTE_ADDR:
192.168.0.1).
[Fri May 7 09:35:52
2010][Error][Kernel::System::CustomerUser::LDAP::CustomerUserDataGet][580]
000020D6: SvcErr: DSID-03100754, problem 5012 (DIR_ERROR), data 0
The config.pm for the customer sections is :
# CustomerUser
# (customer user ldap backend and settings)
$Self->{CustomerUser} = {
Name => 'LDAP Backend',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
# ldap host
Host => 'pdc.test.local',
# ldap base dn
BaseDN => 'ou=test,o=local',
# search scope (one|sub)
SSCOPE => 'sub',
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
UserDN => 'CN=otrs_ldap,CN=Users,DC=test,DC=local',
UserPw => 'vali1982!',
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or
AlwaysFilter => '(objectclass=user)'
# AlwaysFilter => '',
# if your frontend is e. g. iso-8859-1 and the charset of your
# ldap server is utf-8, use this options (if not, ignore it)
# SourceCharset => 'utf-8',
# DestCharset => 'iso-8859-1',
# die if backend can't work, e. g. can't connect to server
Die => 1,
# Net::LDAP new params (if needed - for more info see
perldoc Net::LDAP)
Params => {
port => 389,
timeout => 120,
async => 0,
version => 3,
},
},
# customer uniq id
CustomerKey => 'uid',
# customer #
CustomerID => 'mail',
CustomerUserListFields => ['cn', 'mail'],
CustomerUserSearchFields => ['uid', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
# show not own tickets in customer panel, CompanyTickets
CustomerUserExcludePrimaryCustomerID => 0,
# add a ldap filter for valid users (expert setting)
# CustomerUserValidFilter => '(!(description=gesperrt))',
# admin can't change customer preferences
AdminSetPreferences => 0,
# cache time to life in sec. - cache any ldap queris
CacheTTL => 0,
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown (1=always,2=lite),
required, storage-type, http-link, readonly
# [ 'UserSalutation', 'Title', 'title', 1,
0, 'var', '', 0 ],
# [ 'UserFirstname', 'Firstname', 'givenname', 1,
1, 'var', '', 0 ],
# [ 'UserLastname', 'Lastname', 'sn', 1,
1, 'var', '', 0 ],
# [ 'UserLogin', 'Username', 'uid', 1,
1, 'var', '', 0 ],
# [ 'UserEmail', 'Email', 'mail', 1,
1, 'var', '', 0 ],
# [ 'UserCustomerID', 'CustomerID', 'mail', 0,
1, 'var', '', 0 ],
# # [ 'UserCustomerIDs', 'CustomerIDs',
'second_customer_ids', 1, 0, 'var', '', 0 ],
# [ 'UserPhone', 'Phone', 'telephonenumber', 1,
0, 'var', '', 0 ],
# [ 'UserAddress', 'Address', 'postaladdress', 1,
0, 'var', '', 0 ],
# [ 'UserComment', 'Comment', 'description', 1,
0, 'var', '', 0 ],
],
};
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW!
http://www.otrs.com/en/support/enterprise-subscription/
