On Tue, Apr 3, 2012 at 2:13 AM, Sune T. Tougaard
Thanks for the links. After reading those docs I had a better idea of what I should be searching for and found this:
http://faq.otrs.org/otrs/public.pl?Action=PublicFAQZoom;ItemID=219
Now I have users and agents working for parent and child domain.
The only issue is that if a username exists in both domains it will give me
problems. Using userPrincipalName instead of sAMAccountName should help with
this, but it seems it needs the username in the format username@domain,
so it might confuse users a little. Our emails are different from
user@domain, and the closest thing they know besides their email is the
occasional domain\username.
Going to try to set it to log in using the users email address as it will be more "natural"
How does the sysconfig page work now that there are "duplicate" sections?
config section:
------------------------------------------------------------
#LDAP1 START
# Backend 1: the parent domain. Agent login, customer login, the customer-user
# source and the agent-sync step all reuse one host, base DN, login attribute
# and bind account, so they are defined once here and fanned out below.
my $ldap1_host    = '192.168.0.1';
my $ldap1_base_dn = 'dc=parentdomain, dc=com';
my $ldap1_login   = 'sAMAccountName';
my $ldap1_bind_dn = 'cn=bind user,ou=Users,dc=parentdomain,dc=com';
# The bind password sits in cleartext in Config.pm: keep the file readable only
# by the OTRS user and give the bind account read-only directory rights.
my $ldap1_bind_pw = 'password';

$Self->{'AuthModule1'}           = 'Kernel::System::Auth::LDAP';
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'AuthSyncModule1'}       = 'Kernel::System::Auth::Sync::LDAP';

# Connection settings shared by agent auth, customer auth and agent sync.
# Nothing in this section sets AuthModule::LDAP::Params1, so unless it is set
# elsewhere the connection presumably uses the Net::LDAP defaults (plain LDAP,
# no TLS); a simple bind then sends the bind password and every user's password
# in clear across the network -- confirm the transport before relying on this
# outside a trusted network segment.
for my $prefix ( 'AuthModule::LDAP', 'Customer::AuthModule::LDAP', 'AuthSyncModule::LDAP' ) {
    $Self->{ $prefix . '::Host1' }         = $ldap1_host;
    $Self->{ $prefix . '::BaseDN1' }       = $ldap1_base_dn;
    $Self->{ $prefix . '::UID1' }          = $ldap1_login;
    $Self->{ $prefix . '::SearchUserDN1' } = $ldap1_bind_dn;
    $Self->{ $prefix . '::SearchUserPw1' } = $ldap1_bind_pw;
}

# Agent logins are the bare sAMAccountName. Backend 2 uses the same attribute,
# so a login present in both domains names one OTRS agent record that either
# directory can authenticate; the GroupDN check below only decides whether this
# directory accepts the password, not which person the record belongs to. A
# domain-qualified login attribute removes that ambiguity.

# Customer-user source: customers are keyed by login, CustomerID is the mail
# address.
$Self->{'CustomerUser1'} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => $ldap1_host,
        BaseDN => $ldap1_base_dn,
        SSCOPE => 'sub',
        UserDN => $ldap1_bind_dn,
        UserPw => $ldap1_bind_pw,
    },
    CustomerKey => $ldap1_login,
    CustomerID  => 'mail',    # alternative: 'o'
    CustomerUserListFields             => [qw(sAMAccountName cn mail)],
    CustomerUserSearchFields           => [qw(sAMAccountName cn mail)],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => [qw(givenname sn)],
    # Columns: var, frontend, storage, shown, required, storage-type.
    # Login, Email and CustomerID are mandatory. Title (title), Phone
    # (telephonenumber), Address (postaladdress) and Comment (description)
    # are deliberately not mapped.
    Map => [
        [ qw(UserFirstname  Firstname  givenname), 1, 1, 'var' ],
        [ qw(UserLastname   Lastname   sn),        1, 1, 'var' ],
        [ 'UserLogin',      'Login',   $ldap1_login, 1, 1, 'var' ],
        [ qw(UserEmail      Email      mail),      1, 1, 'var' ],
        [ qw(UserCustomerID CustomerID mail),      0, 1, 'var' ],
    ],
};

# Agents must additionally appear as a 'member' of this group; UserAttr 'DN'
# compares the member values against the user's full DN (AD-style groups rather
# than posixGroup uid lists).
$Self->{'AuthModule::LDAP::GroupDN1'}    = 'cn=helpdesk_agents,ou=Security Groups,ou=Groups,dc=parentdomain,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'}   = 'DN';

# Agent attributes copied from the directory into the OTRS DB on login.
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    # OTRS user field => LDAP attribute
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# OTRS groups granted with rw permission when an agent record is first created
# by the sync.
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = ['users'];
#LDAP1 END
#LDAP2 START
# Backend 2: the child domain. Same layout as the parent-domain backend: one
# host, base DN, login attribute and bind account shared by agent auth,
# customer auth, the customer-user source and agent sync.
my $ldap2_host    = '192.168.0.2';
my $ldap2_base_dn = 'dc=childdomain,dc=parentdomain, dc=com';
my $ldap2_login   = 'sAMAccountName';
my $ldap2_bind_dn = 'cn=bind user,ou=Users,dc=childdomain,dc=parentdomain,dc=com';
# Cleartext in Config.pm: restrict the file's permissions and keep the bind
# account read-only in the directory.
my $ldap2_bind_pw = 'password';

$Self->{'AuthModule2'}           = 'Kernel::System::Auth::LDAP';
$Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'AuthSyncModule2'}       = 'Kernel::System::Auth::Sync::LDAP';

# Shared connection settings. No AuthModule::LDAP::Params2 appears in this
# section, so unless set elsewhere the connection presumably uses Net::LDAP
# defaults (plain LDAP, no TLS) and a simple bind sends passwords in clear --
# confirm the transport.
for my $prefix ( 'AuthModule::LDAP', 'Customer::AuthModule::LDAP', 'AuthSyncModule::LDAP' ) {
    $Self->{ $prefix . '::Host2' }         = $ldap2_host;
    $Self->{ $prefix . '::BaseDN2' }       = $ldap2_base_dn;
    $Self->{ $prefix . '::UID2' }          = $ldap2_login;
    $Self->{ $prefix . '::SearchUserDN2' } = $ldap2_bind_dn;
    $Self->{ $prefix . '::SearchUserPw2' } = $ldap2_bind_pw;
}

# Logins are bare sAMAccountNames, as in backend 1, so a login that exists in
# both domains resolves to the same OTRS agent record whichever directory
# accepted the password; a domain-qualified login attribute avoids that.

# Customer-user source for the child domain.
$Self->{'CustomerUser2'} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => $ldap2_host,
        # NOTE(review): 3268 is the AD global-catalog port. Whether a top-level
        # Port key is honoured here is not visible from this config -- OTRS's
        # LDAP customer backend takes Net::LDAP connection options through a
        # nested Params => { port => ... } hash; confirm against this OTRS
        # version's Kernel/System/CustomerUser/LDAP.pm.
        Port   => '3268',
        BaseDN => $ldap2_base_dn,
        SSCOPE => 'sub',
        UserDN => $ldap2_bind_dn,
        UserPw => $ldap2_bind_pw,
    },
    CustomerKey => $ldap2_login,
    CustomerID  => 'mail',    # alternative: 'o'
    CustomerUserListFields             => [qw(sAMAccountName cn mail)],
    CustomerUserSearchFields           => [qw(sAMAccountName cn mail)],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => [qw(givenname sn)],
    # Columns: var, frontend, storage, shown, required, storage-type.
    # Login, Email and CustomerID are mandatory. Title (title), Phone
    # (telephonenumber), Address (postaladdress) and Comment (description)
    # are deliberately not mapped.
    Map => [
        [ qw(UserFirstname  Firstname  givenname), 1, 1, 'var' ],
        [ qw(UserLastname   Lastname   sn),        1, 1, 'var' ],
        [ 'UserLogin',      'Login',   $ldap2_login, 1, 1, 'var' ],
        [ qw(UserEmail      Email      mail),      1, 1, 'var' ],
        [ qw(UserCustomerID CustomerID mail),      0, 1, 'var' ],
    ],
};

# Agents must be a 'member' of the child domain's helpdesk group; UserAttr
# 'DN' compares member values against the user's full DN. The parent-domain
# group was tried earlier and left here for reference:
#   cn=helpdesk_agents,ou=Security Groups,ou=FP_Groups,dc=parentdomain,dc=com
$Self->{'AuthModule::LDAP::GroupDN2'}    = 'cn=helpdesk_agents,ou=FP_Groups,dc=childdomain,dc=parentdomain,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr2'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr2'}   = 'DN';

# Agent attributes copied from the directory into the OTRS DB on login.
$Self->{'AuthSyncModule::LDAP::UserSyncMap2'} = {
    # OTRS user field => LDAP attribute
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# OTRS groups granted with rw permission when an agent record is first created
# by the sync.
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups2'} = ['users'];
#LDAP2 END
# 3rd backend: the internal OTRS user table, presumably reached only when
# neither directory backend accepts the login (backends are numbered in the
# order they are tried).
# NOTE(review): 'crypt' hashes agent passwords with the platform crypt(3);
# where that is the classic DES scheme only the first 8 password characters
# count and the salt is 12 bits. Kernel/Config/Defaults.pm lists the stronger
# CryptType values this OTRS version supports -- confirm before keeping 'crypt'
# for real local agents.
@{$Self}{ 'AuthModule3', 'AuthModule::DB::CryptType3' } = ( 'Kernel::System::Auth::DB', 'crypt' );
------------------------------------------------------------