Hello again. I have tried to get this working with Microsoft's A.D.; I'm still having trouble, but I think I'm getting closer. I've adapted my config with help from this email list. (Thank you to Michiel Beijen and Guillaume Rehm.)

My question is: how do I allow some A.D. users to be "users" and other A.D. users to be "Agents" or "Admins"? Here is my config so far:

 

((SNIP))

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'AD Server';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=my,DC=corp';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Agents-Group,OU=My-OU,DC=my,DC=corp';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs-user,OU=user-acct,DC=my,DC=corp';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'Password';

# $Self->{'AuthModule::LDAP::AlwaysFilter'} = ;

$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'AD Server';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=my,DC=corp';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=otrs-user,OU=user-Acct,DC=my,DC=corp';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'Password';

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'AD Server';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=my,DC=corp';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs-user,OU=user-acct,DC=my,DC=corp';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Password';

$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'AD Server',
        BaseDN => 'DC=my,DC=corp',
        SSCOPE => 'sub',
        UserDN => 'CN=otrs-user,OU=user-acct,DC=my,DC=corp',
        UserPw => 'Password',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',      'Phone',      'telephoneNumber', 1, 0, 'var' ],
        # [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        # [ 'UserComment', 'Comment', 'description',   1, 0, 'var' ],
    ],
};

((END SNIP))


I’m sure I’m missing something fundamental in this configuration. Any pointers would be appreciated very much!

/MM


Michael Martin
Systems Administrator, Local Government Division
P: 800-646-2633
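As an added example that is not part of Michael's post (and not an OTRS project file), this is how the agent side can be split by AD group: OTRS's AuthSyncModule::LDAP::UserSyncGroupsDefinition maps an AD group DN to OTRS groups and permissions at each login, and the customer interface can be limited to its own AD group with Customer::AuthModule::LDAP::GroupDN instead of accepting any domain account. The group DNs CN=Admins-Group and CN=Customers-Group (under the post's OU=My-OU) are assumptions; Agents-Group comes from the post, and admin and users are OTRS's default groups.

```perl
# Added example (not from the post). Agent login stays limited to
# Agents-Group via AuthModule::LDAP::GroupDN exactly as in the original config.
# Assumed AD groups: CN=Admins-Group and CN=Customers-Group in OU=My-OU.

# --- Agent sync: AD group membership -> OTRS group permissions ----------
# Group lookups use the same AccessAttr/UserAttr pair as the auth module
# (AD stores member DNs in the group's "member" attribute).
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr'}   = 'DN';

$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    # Everyone in Agents-Group becomes an ordinary agent.
    'CN=Agents-Group,OU=My-OU,DC=my,DC=corp' => {
        users => { rw => 1, ro => 1 },
    },
    # Only members of Admins-Group are granted the admin group
    # (SysConfig, user management, ...). Nothing else grants it.
    'CN=Admins-Group,OU=My-OU,DC=my,DC=corp' => {
        users => { rw => 1, ro => 1 },
        admin => { rw => 1, ro => 1 },
    },
};

# With the definition above UserSyncInitialGroups is no longer needed;
# left in place it would still drop every first-time agent into 'users'.
# $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [ 'users' ];

# --- Customer interface: its own AD group, not "anyone in the domain" ----
# Without GroupDN every AD account (agents and admins included) can log in
# to customer.pl; restricting it keeps the two populations apart.
$Self->{'Customer::AuthModule::LDAP::GroupDN'}    = 'CN=Customers-Group,OU=My-OU,DC=my,DC=corp';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'}   = 'DN';

# Optional: also hide non-customers from customer search/list by adding
# this to the CustomerUser backend's Params (memberOf is AD's back-link):
#   AlwaysFilter => '(memberOf=CN=Customers-Group,OU=My-OU,DC=my,DC=corp)',
```

Someone in both Agents-Group and Customers-Group can log in to both interfaces; keep the two AD groups disjoint if that is not wanted.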