[otrs] Re: LDAP and Active Directory

Shawn Beasley shawn.beasley at dlh.de
Mon Jul 16 07:49:26 GMT 2007


Greg Horne wrote:
> Dan,
> 
> I'll just cover a few general things.  Most of this is from another 
> email I sent a while back but should help.
> 
> Have fun
> 
> GEH
> 
> Greg Horne
> 
> ####
> 
> Set up a user account that can browse AD's LDAP (username - OTRS_Account, 
> password - whatever); you may want to make it never expire.
> 
> Set up two groups, one for Customers and one for Agents.
> 
> Make AD users members of the Customers group.
> 
> Add the AD users that you want to use the system as agents to the Agents 
> group.
> 
> Create a user in OTRS and add it to the admin group, using the same username 
> that you intend to log in to AD with.
> 
> Modify your Config.pm file, adding the following to allow agents and 
> customers/users to log in using LDAP. Modify for your structure. Taken 
> from my setup; add and modify as needed. Just an example:
> 
> ############## Start of Config.pm ################
> 
> <snip>
> 
> #we want to use LDAP for Auth
> $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> $Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.com';
> $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domainname,dc=win,dc=domain,dc=com';
> $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> 
> #The username and password of the user you set up to access LDAP information in AD
> $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
> $Self->{'AuthModule::LDAP::SearchUserPw'} = 'whateverYourPasswordIs';
> 
> #We want our Customer/users to Auth using LDAP
> $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.domain.com';
> $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
> $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
> $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'whateverYourPasswordIs';
> 
> $Self->{CustomerUser} = {
>     Module => 'Kernel::System::CustomerUser::LDAP',
>     Params => {
>         Host => 'ldap.domain.com',
>         BaseDN => 'OU=Users,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com',
>         SSCOPE => 'sub',
>         UserDN => 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com',
>         UserPw => 'whateverYourPasswordIs',
>     },
>     CustomerKey => 'sAMAccountName',
>     CustomerID => 'userPrincipalName',
>     CustomerUserListFields => ['displayName', 'userPrincipalName'],
>     CustomerUserSearchFields => ['displayName', 'userPrincipalName'],
>     # array reference, like the other *Fields entries (a bareword here is a syntax error)
>     CustomerUserPostMasterSearchFields => ['userPrincipalName'],
>     CustomerUserNameFields => ['givenName', 'sn'],
>     #the following must map to valid fields in your AD (givenname,sn,sAMAccountName,...)
>     Map => [
>         [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
>         [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
>         [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
>         [ 'UserEmail', 'Email', 'userPrincipalName', 1, 1, 'var' ],
>         [ 'UserCustomerID', 'CustomerID', 'userPrincipalName', 0, 1, 'var' ],
>     ],
> };
> 
> #OK now lets have our agents use LDAP
> $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=helpdesk_agents,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com';
> $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
> $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
> 
> $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=helpdesk_customers,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com';
> $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
> $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
> 
> # UserSyncLDAPMap
> # (map if agent should be created/synced from LDAP to DB after login; must match your AD)
> $Self->{UserSyncLDAPMap} = {
>     # DB -> LDAP
>     Firstname => 'givenName',
>     Lastname => 'sn',
>     Email => 'userPrincipalName',
> };
> 
> # UserSyncLDAPGroups
> # (If "LDAP" was selected for AuthModule, you can specify
> # initial user groups for first login.)
> $Self->{UserSyncLDAPGroups} = [
>     'users',
> ];
> 
> <snip>
> 
> ##################### End of Config.pm ####################
> 
> Have Fun
> 
> GEH
> 
>     -----Original Message-----
>     From: otrs-bounces at otrs.org [mailto:otrs-bounces at otrs.org] On Behalf Of Dan King
>     Sent: Wednesday, July 11, 2007 10:37 AM
>     To: User questions and discussions about OTRS.org
>     Subject: [otrs] LDAP and Active Directory
> 
>     Hello list,
> 
>     I have recently set up OTRS and I am wondering how you might use this
>     with Active Directory. Would it be the same configuration if I was
>     configuring for LDAP? Also, is there a way to set up the configuration
>     through SysConfig, or does it have to be done manually by editing the
>     Config.pm file?
> 
>     Thanks for the help.
> 
> 
>     Dan King
>     Software Developer
>     Canadian Resident Matching Service
>     613.237.0075  ext. 241
>     (Toll free) 877.CARMS.42
>     171 Nepean Street, Suite 300
>     Ottawa, ON, CAN    K2P 0B4
>     www.carms.ca <http://www.carms.ca>
> 
>     ------------------------------------------------------------------------------------
> 
>     This e-mail message, including any attachments, is for the sole use
>     of the intended recipients and may contain confidential and or
>     privileged information.  If you are not the intended recipient or
>     this information has been forwarded in error, please contact the
>     sender by reply e-mail and destroy copies of the original message. 
>     Ce message (incluant toute pièce jointe) s'adresse uniquement au(x)
>     destinataire(s) prévu(s) ou à une personne autorisée à le recevoir
>     en son (leur) nom. Il pourrait contenir des renseignements
>     confidentiels ou protégés.  Si vous l'avez reçu par erreur, nous
>     vous prions d'en informer l'auteur dans les meilleurs délais, de ne
>     pas divulguer son contenu et de le supprimer de votre système. Merci.
> 
>      
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> OTRS mailing list: otrs - Webpage: http://otrs.org/
> Archive: http://lists.otrs.org/pipermail/otrs
> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
> Support or consulting for your OTRS system?
> => http://www.otrs.com/

I have the Astaro Secure Gateway, which also allows AD authentication. 
(This is however not completely relevant to my question, but is 
related.) This system requires a global security group, which is only 
supported in non-mixed mode.

Does otrs also require global security groups?

--Shawn
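The quoted Config.pm makes OTRS decide access in two steps: find the login under BaseDN by the UID attribute, then (when GroupDN is set) require the user's DN to appear in the group's AccessAttr ('member', with UserAttr 'DN'). As an added example that is not part of the thread and not OTRS code, here is a stdlib-Python model of that decision over a constructed in-memory directory; the users, DNs and group are assumed sample data shaped like the ones in the thread, and the agent config searches the whole domain while the customer config uses the narrower OU=Users BaseDN.

```python
from dataclasses import dataclass

def norm_dn(dn):
    """AD DNs compare case-insensitively; also drop spaces around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))

# Constructed sample directory (not real data); DN shapes follow the thread.
DIRECTORY = {
    "CN=Dan King,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com": {
        "sAMAccountName": ["dking"], "userPrincipalName": ["dking@domain.com"]},
    "CN=Jane Roe,OU=Contractors,DC=ot,DC=win,DC=domain,DC=com": {
        "sAMAccountName": ["jroe"], "userPrincipalName": ["jroe@domain.com"]},
    "CN=helpdesk_agents,OU=Groups,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com": {
        "member": ["CN=Dan King,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com"]},
}

@dataclass
class LdapAuthConfig:  # the Config.pm keys that decide access
    base_dn: str
    uid_attr: str = "sAMAccountName"
    group_dn: str = ""        # empty: no group restriction
    access_attr: str = "member"
    user_attr: str = "DN"     # 'DN': group lists user DNs; 'UID': it lists login names

def find_user(directory, cfg, login):
    """Subtree search: the entry must lie under BaseDN and carry uid_attr == login."""
    for dn, attrs in directory.items():
        in_scope = norm_dn(dn).endswith("," + norm_dn(cfg.base_dn))
        if in_scope and login.lower() in [v.lower() for v in attrs.get(cfg.uid_attr, [])]:
            return dn

def check_access(directory, cfg, login):
    """Returns (allowed, reason) for the lookup-then-group-membership sequence."""
    user_dn = find_user(directory, cfg, login)
    if user_dn is None:
        return False, "login not found under BaseDN"
    if not cfg.group_dn:
        return True, "no GroupDN set: every user under BaseDN is accepted"
    group = next((a for d, a in directory.items() if norm_dn(d) == norm_dn(cfg.group_dn)), None)
    if group is None:
        return False, "GroupDN does not exist"
    wanted = norm_dn(user_dn) if cfg.user_attr == "DN" else login.lower()
    members = [norm_dn(m) if cfg.user_attr == "DN" else m.lower() for m in group.get(cfg.access_attr, [])]
    if wanted in members:
        return True, "listed in GroupDN's " + cfg.access_attr
    return False, "found in AD but not a member of GroupDN"

# Agents: search the whole domain, then require the agents group (as in the thread).
AGENT_CFG = LdapAuthConfig(base_dn="DC=ot,DC=win,DC=domain,DC=com",
                           group_dn="CN=helpdesk_agents,OU=Groups,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com")
CUSTOMER_CFG = LdapAuthConfig(base_dn="OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com")
```

The reason strings separate the three outcomes an admin usually has to tell apart: a BaseDN that does not cover the user's OU, a user who exists but is not in the group, and a UserAttr that does not match what the group's member attribute actually stores.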


