Hi Alberto, For LDAP authentication you need to differentiate between who are agents and who are customers. This can be accomplished by group membership. I've had a look at your code which includes: # Check if the user is allowed to auth in a posixGroup # (e. g. user needs to be in a group xyz to use otrs) # $Self->{'AuthModule::LDAP::GroupDN'} = '; # $Self->{'AuthModule::LDAP::AccessAttr'} = 'member'; # for ldap posixGroups objectclass (just uid) # $Self->{'AuthModule::LDAP::UserAttr'} = 'sAMAccountName'; # for non ldap posixGroups objectclass (with full user dn) # $Self->{'AuthModule::LDAP::UserAttr'} = 'DN'; All your group based configuration is commented out. Below is the same extract from my config (obvious information omitted. # Check if the user is allowed to auth in a posixGroup # (e. g. user needs to be in a group xyz to use otrs) $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=OTRS_Groups,dc=companyname,dc=local'; $Self->{'AuthModule::LDAP::AccessAttr'} = 'member'; # for ldap posixGroups objectclass (just uid) #$Self->{'AuthModule::LDAP::UserAttr'} = 'UID'; # for non ldap posixGroups objectclass (with full user dn) $Self->{'AuthModule::LDAP::UserAttr'} = 'DN'; In the example above, *only* members of the OTRS_Agents group can use the agent interface. I hope this answers your question. Regards, David On Mon, Feb 22, 2010 at 7:29 AM, Alberto Aldrigo < albertoaldrigo@codognotto.eu> wrote:
Hi all,
I’m trying to configure OTRS 2.4.7 for users in my company.
I want them to authenticate using Active Directory as customer user, but each time they try to enter in http://mysite/otrs/Customer.pl they enter as agents.
I can’t understand what’s wrong in my Config.pm, can you please help me?
Thenks
* *
*Alberto Aldrigo*
* *
My config.pm:
sub Load {
my $Self = shift;
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# Start of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# database settings #
# ---------------------------------------------------- #
# DatabaseHost
# (The database host.)
$Self->{DatabaseHost} = $dbserver || 'localhost';
# Database
# (The database name.)
$Self->{Database} = $dbname || 'otrs';
# DatabaseUser
# (The database user.)
$Self->{DatabaseUser} = $dbuser || 'otrs';
# DatabasePw
# (The password of database user. You also can use bin/CryptPassword.pl
# for crypted passwords.)
$Self->{DatabasePw} = $dbpass;
# DatabaseDSN
# (The database DSN for MySQL ==> more: "man DBD::mysql")
$Self->{DatabaseDSN} = "$dsn=$Self->{Database};host=$Self->{DatabaseHost};port=$dbport;";
# (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
# if you want to use a local socket connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
# if you want to use a tcpip connection
# $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
# ---------------------------------------------------- #
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = '/usr/share/otrs';
# ---------------------------------------------------- #
# insert your own config settings "here" #
# config settings taken from Kernel/Config/Defaults.pm #
# ---------------------------------------------------- #
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = ‘server';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=company, dc=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# $Self->{'AuthModule::LDAP::GroupDN'} = ';
# $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'sAMAccountName';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=Device,OU=UO-CED,OU=UO-HQ-SITE,DC=company,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists u...@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '';
# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'server';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=company, dc=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=Device,OU=UO-CED,OU=UO-HQ-SITE,DC=company,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
# CustomerUser
# (customer user ldap backend and settings)
$Self->{CustomerUser} = {
Name => 'Active Directory',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'server',
BaseDN => 'OU=UO-HQ-SITE,DC=company,DC=local',
SSCOPE => 'sub',
UserDN => 'device@company.local',
UserPw => ‘password',
},
CustomerKey => 'sAMAccountName',
CustomerID => 'sAMAccountName',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
# note: Login, Email and CustomerID are mandatory!
# var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
# [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
# [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
# [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
# [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};
# ---------------------------------------------------- #
# switch off the web based installer for the Debian package
$Self->{SecureMode} = 1;
# ---------------------------------------------------- #
# data inserted by installer #
# ---------------------------------------------------- #
# $DIBI$
# ---------------------------------------------------- #
# ---------------------------------------------------- #
# #
# End of your own config options!!! #
# #
# ---------------------------------------------------- #
# ---------------------------------------------------- #
}
--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW! http://www.otrs.com/en/support/enterprise-subscription/