
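Hi, My environment : CentOS 7 / OTRS 5.0.19 / OpenLDAP 2.4 with SSL. My configuration in OTRS is at this end of this message. Thanks a lot to all posts found in this forum ! Hope that helps. Regards, Joel Marchand
# ---------------------------------------------------- #
# Common LDAP parameters                               #
# ---------------------------------------------------- #
# Shared by the agent and customer authentication backends below, so both
# talk to the same directory with the same bind identity and TLS settings.
# NOTE: the bind password is stored in clear text in this file; keep the
# file readable by the web-server user only.
my $MyLDAPSearchUserDN = 'cn=otrs,ou=dsa,dc=xxxx,dc=fr';
my $MyLDAPSearchUserPw = 'xxxx';

# Net::LDAP tries the hosts in order; ldaps:// URIs give TLS from the
# first byte (no StartTLS step).
my $MyLDAPHost = [ 'ldaps://ldapr1.xxx.fr:636/', 'ldaps://ldapr2.xxxx.fr:636/' ];

my $MyLDAPBase   = 'dc=xxx,dc=fr';
my $MyLDAPFilter = '(objectclass=posixAccount)';

# Extra Net::LDAP->new() parameters (see perldoc Net::LDAP).
my $MyLDAPParams = {
    port    => 636,
    timeout => 120,
    async   => 0,
    version => 3,

    # Server-certificate verification. Net::LDAP defaults 'verify' to
    # 'none': cafile is then loaded but the server certificate is never
    # checked, so a man-in-the-middle could collect every bind password
    # and every agent/customer password sent to the directory. 'require'
    # turns an untrusted server certificate into a connection error.
    verify => 'require',
    cafile => '/etc/ssl/certs/star_xxxx_fr-intermediate.pem',

    # Client certificate presented to the directory (mutual TLS).
    clientcert => '/etc/ssl/certs/star_xxxx_fr.pem',
    clientkey  => '/etc/ssl/private/star_xxxx_fr.key',
};

# ---------------------------------------------------- #
# For operators = agents                               #
# ---------------------------------------------------- #
# --------------------------------------------------- #
# authentication settings                             #
# (enable what you need, auth against otrs db,       #
# against LDAP directory, against HTTP basic auth    #
# or against Radius server)                          #
# --------------------------------------------------- #
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthModule'}               = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}   = $MyLDAPHost;
$Self->{'AuthModule::LDAP::BaseDN'} = $MyLDAPBase;
$Self->{'AuthModule::LDAP::UID'}    = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# Left disabled here: with only AlwaysFilter below, every posixAccount in
# the directory that can bind passes the LDAP check. Enable GroupDN and
# AccessAttr to restrict agent logins to one group.
# $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
# $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';

# for ldap posixGroups objectclass (just uid)
$Self->{'AuthModule::LDAP::UserAttr'} = 'uid';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = $MyLDAPSearchUserDN;
$Self->{'AuthModule::LDAP::SearchUserPw'} = $MyLDAPSearchUserPw;

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# or if you want to filter with a logical OR-Expression, like AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = $MyLDAPFilter;

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# In case you want to convert all given usernames to lower letters you
# should activate this option. It might be helpful if databases are
# in use that do not distinguish selects for upper and lower case letters
# (Oracle, postgresql). User might be synched twice, if this option
# is not in use.
# $Self->{'AuthModule::LDAP::UserLowerCase'} = 0;

# In case you need to use OTRS in iso-charset, you can define this
# by using this option (converts utf-8 data from LDAP to iso).
# $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = $MyLDAPParams;

# Die if backend can't work, e. g. can't connect to server.
$Self->{'AuthModule::LDAP::Die'} = 1;

# UserTable
$Self->{DatabaseUserTable}       = 'users';
$Self->{DatabaseUserTableUserID} = 'id';
$Self->{DatabaseUserTableUserPW} = 'pw';
$Self->{DatabaseUserTableUser}   = 'login';

# ---------------------------------------------------- #
# For clients = customers                              #
# ---------------------------------------------------- #
# --------------------------------------------------- #
# customer authentication settings                    #
# (enable what you need, auth against otrs db,       #
# against a LDAP directory, against HTTP basic        #
# authentication and against Radius server)          #
# --------------------------------------------------- #
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'Customer::AuthModule'}               = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'}   = $MyLDAPHost;
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = $MyLDAPBase;
$Self->{'Customer::AuthModule::LDAP::UID'}    = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# As for agents above, this is disabled, so the same directory accounts
# that pass the agent LDAP check also pass the customer one.
# $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
# $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';

# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'uid';
# for non ldap posixGroups objectclass (full user dn)
# $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = $MyLDAPSearchUserDN;
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = $MyLDAPSearchUserPw;

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = $MyLDAPFilter;

# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = $MyLDAPParams;

# Die if backend can't work, e. g. can't connect to server.
$Self->{'Customer::AuthModule::LDAP::Die'} = 1;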