
Hi Michael,
I'm not using the latest version of the configuration sentences, but they work, so
here they are:
For customers, I use the following:
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'A.B.C.D';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'OU=XXXX,DC=YYYY,DC=ZZZZ';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'user@domain';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
For Agents, I use the following:
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'A.B.C.D';
$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=XXXX,DC=YYYY,DC=ZZZZ';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'user@domain';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
Keep in mind that you should have those customers/agents created on your
database backend; AD sync will check that the user exists and that the
provided password is correct, but if that user is not in the database
backend, you'll get a "Panic! no user data" error message.
I hope it helps,
Leonardo Certuche
www.itconsultores.com.co
On 21 April 2010 14:57, Martin, Michael
Hello again. I have tried to get this working with Microsoft’s A.D. but I’m still having troubles, but I think I’m getting closer. I’ve adapted my Config with help from this email list. (Thank You to Michiel Beijen and Guillaume Rehm.)
My question is how do I allow some A.D. users to be “users” and other A.D. users to be “Agents” or “Admins?” Here is my config so far:
((SNIP))
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'AD Server';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=my,DC=corp';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Agents-Group,OU=My-OU,DC=my,DC=corp';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs-user,OU=user-acct,DC=my,DC=corp';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'Password';
# $Self->{'AuthModule::LDAP::AlwaysFilter'} = ;
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'AD Server';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=my,DC=corp';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=otrs-user,OU=user-Acct,DC=my,DC=corp';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'Password';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'AD Server';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=my,DC=corp';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs-user,OU=user-acct,DC=my,DC=corp';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Password';
$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'AD Server',
        BaseDN => 'DC=my,DC=corp',
        SSCOPE => 'sub',
        UserDN => 'CN=otrs-user,OU=user-acct,DC=my,DC=corp',
        UserPw => 'Password',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
        [ 'UserPhone',      'Phone',      'telephoneNumber', 1, 0, 'var' ],
        #[ 'UserAddress',   'Address',    'postaladdress',   1, 0, 'var' ],
        #[ 'UserComment',   'Comment',    'description',     1, 0, 'var' ],
    ],
};
((END SNIP))
I’m sure I’m missing something fundamental in this configuration. Any pointers would be appreciated very much!
/MM
Michael Martin
Systems Administrator, Local Government Division
P: 800-646-2633
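How the two configurations in this thread split agents from customers, as an added offline Python simulation that is not OTRS code and talks to no real directory: the DIRECTORY and OTRS_USERS tables, every DN, login and password in them are constructed, and the group step mirrors what the GroupDN/AccessAttr/UserAttr settings of Kernel::System::Auth::LDAP do (agents must be listed in the group; the customer module has no such gate, and without GroupDN any directory user could log in as an agent).

```python
# Offline simulation (NOT OTRS code) of the agent/customer LDAP auth decision.
# DIRECTORY and OTRS_USERS are constructed sample data; all values are made up.
DIRECTORY = {
    "CN=Alice,OU=Staff,DC=my,DC=corp": {"sAMAccountName": "alice", "userPassword": "s3cret"},
    "CN=Bob,OU=Staff,DC=my,DC=corp":   {"sAMAccountName": "bob",   "userPassword": "hunter2"},
    "CN=Carol,OU=Staff,DC=my,DC=corp": {"sAMAccountName": "carol", "userPassword": "pa55"},
    "CN=Agents-Group,OU=My-OU,DC=my,DC=corp": {
        "member": ["CN=Alice,OU=Staff,DC=my,DC=corp", "CN=Carol,OU=Staff,DC=my,DC=corp"]},
}
# Agents present in the OTRS database backend (Leonardo's point: an agent that
# authenticates in AD but is missing here ends in "Panic! no user data").
OTRS_USERS = {"alice"}

def find_user(base_dn, uid_attr, login):
    """Search under BaseDN for (uid_attr=login); return the entry DN or None."""
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(base_dn.lower()) and attrs.get(uid_attr) == login:
            return dn
    return None

def ldap_auth(cfg, login, password):
    """Steps shared by the agent and customer LDAP auth modules:
    1) locate the user under BaseDN via the UID attribute,
    2) bind as that DN with the supplied password,
    3) if GroupDN is set, require that the group's AccessAttr lists the
       user's DN (UserAttr 'DN') or login name (UserAttr 'UID')."""
    user_dn = find_user(cfg["BaseDN"], cfg["UID"], login)
    if user_dn is None or DIRECTORY[user_dn].get("userPassword") != password:
        return None                      # unknown user or failed bind
    group_dn = cfg.get("GroupDN")
    if group_dn:                         # without GroupDN every AD user passes
        members = DIRECTORY.get(group_dn, {}).get(cfg["AccessAttr"], [])
        wanted = user_dn if cfg["UserAttr"] == "DN" else login
        if wanted not in members:
            return None                  # valid password, but not an agent
    return user_dn

AGENT_CFG = {"BaseDN": "DC=my,DC=corp", "UID": "sAMAccountName",
             "GroupDN": "CN=Agents-Group,OU=My-OU,DC=my,DC=corp",
             "AccessAttr": "member", "UserAttr": "DN"}
CUSTOMER_CFG = {"BaseDN": "DC=my,DC=corp", "UID": "sAMAccountName"}

def agent_login(login, password):
    if ldap_auth(AGENT_CFG, login, password) is None:
        return "denied"
    return "ok" if login in OTRS_USERS else "Panic! no user data"

def customer_login(login, password):
    return "ok" if ldap_auth(CUSTOMER_CFG, login, password) else "denied"
```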
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs