Here is my configuration file with an Active Directory environment; this is working for me. Please add this data to your Kernel.pm file and modify the data marked with RED and BOLD in this mail with your Active Directory configuration data.
Actually I have two security groups, one for AGENTS (OTRS_AGENT_ALLOW) and the other for CUSTOMERS (OTRS_CUSTOMERS_ALLOW); please create these groups and add the users to them.
My OTRS User is a user with administrative privileges; this is used to access Active Directory data.
I hope this information is useful for you.
# Enable LDAP authentication for Customers / Users
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'pdc.domain.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Users,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS User,ou=Users,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

# CustomerUser
# (customer user database backend and settings)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'svrmaster.bmartgroup.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Usuarios,dc=bmartgroup,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS User,ou=Users,dc=domain,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Password';

$Self->{CustomerUser} = {
    Name   => 'LDAP Customers',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'pdc.domain.com',
        BaseDN => 'ou=Users,dc=domain,dc=com',
        SSCOPE => 'sub',
        UserDN => 'cn=OTRS User,ou=Users,dc=domain,dc=com',
        UserPw => 'password',
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
};

# UserSyncLDAPMap
# (map if agent should be created/synced from LDAP to DB after login)
$Self->{UserSyncLDAPMap} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# UserSyncLDAPGroups
# (If "LDAP" was selected for AuthModule, you can specify
# initial user groups for first login.)
# Note: this list names OTRS-internal groups (the default in the OTRS
# sample config is 'users'), not Active Directory groups.
$Self->{UserSyncLDAPGroups} = [
    'OTRS_CUSTOMERS_ALLOW',
];

# UserTable
$Self->{DatabaseUserTable} = 'users';
$Self->{DatabaseUserTableUserID} = 'id';
$Self->{DatabaseUserTableUserPW} = 'pw';
$Self->{DatabaseUserTableUser} = 'login';

# Group gate: only members of the AD group at GroupDN may log in. OTRS reads
# the group's AccessAttr ('member') and requires that it contain the
# authenticating user's DN (UserAttr => 'DN').
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS_CUSTOMERS_ALLOW,ou=Users,dc=domain,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_AGENT_ALLOW,ou=Users,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
Luis Rodriguez
IT Manager
BMART S.A.
Guatemala C.A.
Email: lrodriguez@bmartgroup.com
Msn: luisgrodriguez@hotmail.com
Please consider the environment before printing this email.
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On behalf of Davin Taddeo
Sent: Wednesday, 06 May 2009 07:43 a.m.
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Newbie : OTRS on CentOS authenticating on Win2K3 LDAP
That's honestly one that I don't know the answer to.
Here's a PHP script I use to make sure that I can connect and query the AD domain controller (you will need to be sure that php-ldap is installed):
<?php
$dn = "basedn";
$attributes = array("displayname");
$filter = "(cn=*)";
$ad = ldap_connect("ldap://domaincontroller")
    or die("Couldn't connect to AD!");
// AD expects LDAPv3; without this the bind is attempted as v2 and fails.
// Referral chasing is switched off so search results are not followed
// to other domain controllers.
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
$bd = ldap_bind($ad, "searchuser@searchdomain", "searchuserpassword")
    or die("Couldn't bind to AD!");
$result = ldap_search($ad, $dn, $filter, $attributes);
$entries = ldap_get_entries($ad, $result);
// $entries["count"] holds the number of matching entries
for ($i = 0; $i < $entries["count"]; $i++) {
    echo "<p>Name: " . $entries[$i]["displayname"][0] . "<br /></p>";
}
ldap_unbind($ad);
?>
If that works, you should see a listing of the display names of all of your AD users. If that doesn't work, then you may need to look at your search user's privileges and the Base DN you're connecting to. The Global Catalog may be important, but as I'm not the AD admin at my shop, I just don't know how it's set up.
Also, have you run the CheckModules script that comes with OTRS to make sure you have the LDAP module for Perl installed?
Sorry I can't be more helpful than that.
~Davin
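As an added example (my own code, not code from this thread, from OTRS or from any poster): the settings in Luis's config above and the connectivity script Davin posted together describe one login flow: bind as the search user, look the login up by sAMAccountName under BaseDN, bind as the user, then require that the group object at GroupDN lists the user's DN in its 'member' attribute (AccessAttr => 'member', UserAttr => 'DN'), and finally copy the UserSyncLDAPMap attributes into the OTRS users table. The Python below models that flow against a constructed in-memory directory so it can be run without a domain controller. All DNs, logins and passwords are constructed stand-ins, the in-memory bind table replaces the real bind operation, and the order of the user bind and the group check is an assumption about OTRS, not something the thread states.

```python
"""Offline model of the checks implied by OTRS-style AuthModule::LDAP settings."""

# Constructed sample directory (DN -> attributes); DNs mirror the mail's placeholders.
DIRECTORY = {
    "cn=OTRS User,ou=Users,dc=domain,dc=com": {"sAMAccountName": ["otrsuser"]},
    "cn=Alice Agent,ou=Users,dc=domain,dc=com": {
        "sAMAccountName": ["alice"], "givenName": ["Alice"], "sn": ["Agent"],
        "mail": ["alice@domain.com"],
    },
    "cn=Bob Customer,ou=Users,dc=domain,dc=com": {
        "sAMAccountName": ["bob"], "givenName": ["Bob"], "sn": ["Customer"],
        "mail": ["bob@domain.com"],
    },
    "cn=OTRS_AGENT_ALLOW,ou=Users,dc=domain,dc=com": {
        "member": ["cn=Alice Agent,ou=Users,dc=domain,dc=com"],
    },
    "cn=OTRS_CUSTOMERS_ALLOW,ou=Users,dc=domain,dc=com": {
        "member": ["cn=Bob Customer,ou=Users,dc=domain,dc=com"],
    },
}

# Constructed stand-in for the bind operation (a real AD never exposes passwords).
PASSWORDS = {
    "cn=OTRS User,ou=Users,dc=domain,dc=com": "password",
    "cn=Alice Agent,ou=Users,dc=domain,dc=com": "alice-pw",
    "cn=Bob Customer,ou=Users,dc=domain,dc=com": "bob-pw",
}

# Keys mirror the $Self->{'AuthModule::LDAP::...'} settings posted in the thread.
AGENT_CONFIG = {
    "BaseDN": "ou=Users,dc=domain,dc=com",
    "UID": "sAMAccountName",
    "SearchUserDN": "cn=OTRS User,ou=Users,dc=domain,dc=com",
    "SearchUserPw": "password",
    "GroupDN": "cn=OTRS_AGENT_ALLOW,ou=Users,dc=domain,dc=com",
    "AccessAttr": "member",
    "UserAttr": "DN",
}
CUSTOMER_CONFIG = dict(AGENT_CONFIG,
                       GroupDN="cn=OTRS_CUSTOMERS_ALLOW,ou=Users,dc=domain,dc=com")

# UserSyncLDAPMap from the thread: OTRS field -> LDAP attribute.
SYNC_MAP = {"UserFirstname": "givenName", "UserLastname": "sn", "UserEmail": "mail"}


def get_attr(entry, name):
    """LDAP attribute names are case-insensitive: 'givenName' and 'givenname' match."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def bind(dn, password):
    """Simple bind: succeeds only for a known DN presenting the right password."""
    return PASSWORDS.get(dn) == password


def search_one(base_dn, attr, value):
    """Subtree search under base_dn for the single entry whose attr equals value."""
    for dn, entry in DIRECTORY.items():
        if dn.lower().endswith(base_dn.lower()) and value in get_attr(entry, attr):
            return dn, entry
    return None


def authenticate(login, password, cfg):
    """Return (ok, detail) for one login attempt under the given settings."""
    if not bind(cfg["SearchUserDN"], cfg["SearchUserPw"]):
        return False, "search user bind failed"
    hit = search_one(cfg["BaseDN"], cfg["UID"], login)
    if hit is None:
        return False, "user not found"
    user_dn, _entry = hit
    if not bind(user_dn, password):
        return False, "wrong password"
    group = DIRECTORY.get(cfg["GroupDN"])
    if group is None:
        return False, "group not found"
    # UserAttr selects what the group's AccessAttr values are compared with:
    # the user's DN (AD 'member') or the bare login (POSIX-style 'memberUid').
    needle = user_dn if cfg["UserAttr"] == "DN" else login
    members = [m.lower() for m in get_attr(group, cfg["AccessAttr"])]
    if needle.lower() not in members:
        return False, "not in group"
    return True, user_dn


def sync_attributes(user_dn, sync_map=SYNC_MAP):
    """Values UserSyncLDAPMap would copy into the OTRS users table after login."""
    entry = DIRECTORY[user_dn]
    return {field: (get_attr(entry, attr) or [""])[0] for field, attr in sync_map.items()}


if __name__ == "__main__":
    for login, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("alice", "nope")):
        print(login, "agent:", authenticate(login, pw, AGENT_CONFIG))
        print(login, "customer:", authenticate(login, pw, CUSTOMER_CONFIG))
```

The point the model makes visible is that Host, BaseDN and the search-user bind only get a user found; it is GroupDN with AccessAttr/UserAttr that decides who may log in, so an account that is in the directory but not in OTRS_AGENT_ALLOW is refused at the agent login even with a correct password, while the customer settings admit it through OTRS_CUSTOMERS_ALLOW.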
Jan Vorster wrote:
Thanks Davin,
I've tried it again and it's still not working...
I read somewhere that the server hosting the AD must also be a Global Catalog... do you know if this is a requirement? Was it the case on your configuration?
Thanks
Jan
>>
You do not need to have the CentOS box attached to the domain and you will not need the Windows Services for Unix/Linux.
Depending on how your AD is set up you may need to have a user with administration privileges that can be put into the config file to allow OTRS to search the domain for the users.
Here's how I set it up in my config. It may not be perfect, but it got the job done for me; if anybody has a better config to reference that they can post, I'm sure I could use some learning too:
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'DomainController';
$Self->{'AuthModule::LDAP::BaseDN'} = 'Base DN';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'Admin User';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'Admin User Password';

$Self->{UserSyncLDAPGroups} = [
    'users'
];
$Self->{UserSyncLDAPMap} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# CustomerUser1
# (customer user ldap backend and settings)
$Self->{CustomerUser1} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'curley',
        # ldap base dn
        BaseDN => 'Base DN',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'Admin User',
        UserPw => 'Admin User Password',
        AlwaysFilter => '',
        SourceCharset => 'utf-8',
        DestCharset => 'iso-8859-1',
    },
    # customer uniq id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 900,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
};
Hope it helps:
~Davin
Jan Vorster wrote:
Hi all,
I've just set up OTRS on my CentOS 5 box and I want it to authenticate the users against an Active Directory running on Windows 2003 Server.
I've read somewhere that you need to load Windows Services for Linux in order to have additional UNIX options on an Active Directory user.
I did not read anything about this in the OTRS manual... so I was wondering if this is a necessary step.
Needless to say that my attempts to log on to the AD from the OTRS web interface are failing.
PS: A second question also... does the CentOS box need to be "on" the domain? Is this even possible?
Thanks
Jan
<<