OTRS and Active Directory Authentication/Synchronization

Hello. I am kinda new to OTRS and I am trying to set up a server for my company. I managed to install OTRS (version 2.3 for Ubuntu) and make it use an Oracle database (using Ubuntu Server 9.10 and DBD::Oracle etc etc etc). Up to there everything is OK. OTRS works fine; I logged in with the default usr/passwd. I configured AD authentication and it works fine. If I create the users myself I can use no password and then log in with my Windows credentials. What I cannot do is import AD users into the OTRS DB, so that every time I add a user in AD it is synced to OTRS. Also, with some settings I got to a point where for half of my (AD) users OTRS did not log in due to wrong usr/passwd, and some of them gave "panic, no user data".

My settings are:

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'host.domain.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain, dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'user';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'pass';

With these I can use AD just for authentication but not for syncing. To sync I used:

#Start of LDAP Synchronization
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'host.domain.com';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain, dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'user';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'pass';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

But no luck. Please, I could use some help with this because I have many users.
I will add them to groups myself but I need the import feature. Thanks in advance. P.S. I only want to authenticate agents and not customers.

Hi,
As far as I know, every agent has to be added to the local database to get
the credentials from your AD. So if you really have so many users it is up to
you to write a script for your database and import the users through an SQL
script into your Oracle DB. Maybe there is another way, but I don't know
one.
Have fun ;)
Mit freundlichen Grüßen / Kind regards
Markus Moj
IT Infrastructure & Services
TimoCom Soft- und Hardware GmbH
In der Steele 2
D-40599 Düsseldorf
Tel: +49 211 88 26 80 14
Fax: +49 211 88 26 70 14
eMail: mmoj@timocom.com
Internet: www.timocom.com
Managing Directors: Jens Thiermann, Gunther Matzaitis
Düsseldorf District Court (Amtsgericht), HRB 34489

OTRS does indeed need local data regarding agents username and passwords,
however the synchronisation normally takes care of this when you log on with
appropriate credentials - there is no need to add the users manually.
The main thing however, is that you should group your OTRS agents in AD so
there's a mechanism for OTRS to differentiate who are agents and who are
customers - I know you mentioned that you don't want customers to log in,
but your configuration still needs to reflect how to differentiate between
the two (you obviously don't want customers to log into an agent interface).
Here is the section of my own config.pm that authenticates agents based upon
group membership:
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'servername.companyname.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=companyname,dc=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=OTRS_Groups,dc=companyname,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
#$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Searcher,OU=OTRS LDAP Searcher,DC=companyname,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'searcherpassword';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'servername.companyname.local';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=companyname, dc=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=OTRS Searcher,ou=OTRS LDAP Searcher,dc=companyname,dc=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'searcherpassword';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
Give that a whirl and let us know how you get on.
Regards,
David
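The group-gated agent login and the attribute sync that David's configuration above describes, modelled as an added example. This is not OTRS code and not David's code: it stands in for the directory and the LDAP backend with a constructed in-memory directory (DNs, passwords and mail addresses are all made up), mirrors the AuthModule::LDAP::* settings as a plain dict, and walks the three decisions an agent login depends on (resolve the login to a DN below BaseDN, verify the password by binding, then check membership of GroupDN). It shows the point behind the UserAttr comment in the config: an AD group's `member` attribute holds full DNs, so UserAttr must be 'DN' there, whereas a posixGroup's `memberUid` holds bare logins and needs 'UID'. The order of the checks is the order this model uses; the sync step reproduces UserSyncMap.

```python
import re

# Constructed in-memory directory standing in for AD (plus one posixGroup case).
# Keys are DNs; values are attribute -> list of values. Attribute names and DNs
# are matched case-insensitively below, as an LDAP server would.
DIRECTORY = {
    "cn=alice,ou=people,dc=companyname,dc=local": {
        "objectclass": ["user"], "sAMAccountName": ["alice"],
        "userPassword": ["alice-secret"],  # constructed stand-in for the bind check
        "givenName": ["Alice"], "sn": ["Agent"], "mail": ["alice@companyname.local"],
    },
    "cn=bob,ou=people,dc=companyname,dc=local": {
        "objectclass": ["user"], "sAMAccountName": ["bob"],
        "userPassword": ["bob-secret"],
        "givenName": ["Bob"], "sn": ["Customer"], "mail": ["bob@companyname.local"],
    },
    "uid=carol,ou=people,dc=companyname,dc=local": {
        "objectclass": ["posixAccount"], "uid": ["carol"],
        "userPassword": ["carol-secret"],
        "givenName": ["Carol"], "sn": ["Posix"], "mail": ["carol@companyname.local"],
    },
    # AD group: 'member' holds full DNs (mixed case, as AD returns them) -> UserAttr 'DN'
    "cn=OTRS_Agents,ou=OTRS_Groups,dc=companyname,dc=local": {
        "objectclass": ["group"],
        "member": ["CN=Alice,OU=People,DC=companyname,DC=local"],
    },
    # posixGroup: 'memberUid' holds bare login names -> UserAttr 'UID'
    "cn=otrs_posix,ou=OTRS_Groups,dc=companyname,dc=local": {
        "objectclass": ["posixGroup"], "memberUid": ["carol"],
    },
}

# Keys mirror the AuthModule::LDAP::* settings from Config.pm (prefix dropped).
AD_CONFIG = {
    "BaseDN": "dc=companyname,dc=local", "UID": "sAMAccountName",
    "GroupDN": "cn=OTRS_Agents,ou=OTRS_Groups,dc=companyname,dc=local",
    "AccessAttr": "member", "UserAttr": "DN", "AlwaysFilter": "(objectclass=user)",
}
POSIX_CONFIG = {
    "BaseDN": "dc=companyname,dc=local", "UID": "uid",
    "GroupDN": "cn=otrs_posix,ou=OTRS_Groups,dc=companyname,dc=local",
    "AccessAttr": "memberUid", "UserAttr": "UID", "AlwaysFilter": "",
}
SYNC_MAP = {"UserFirstname": "givenName", "UserLastname": "sn", "UserEmail": "mail"}


def _attr(entry, name):
    """Case-insensitive attribute lookup; a missing attribute yields an empty list."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def _entry(dn):
    """Case-insensitive DN lookup; None when the DN does not exist."""
    return next((e for d, e in DIRECTORY.items() if d.lower() == dn.lower()), None)


def _matches_filter(entry, ldap_filter):
    """Only the single '(attr=value)' shape shown in the config comment is modelled."""
    if not ldap_filter:
        return True
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
    if not m:
        raise ValueError("only one (attr=value) term is modelled")
    values = [v.lower() for v in _attr(entry, m.group(1))]
    return bool(values) if m.group(2) == "*" else m.group(2).lower() in values


def search_user(login, cfg):
    """Step 1: resolve login -> DN via the UID attribute below BaseDN, ANDed with AlwaysFilter."""
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith(cfg["BaseDN"].lower()):
            continue
        if login.lower() in [v.lower() for v in _attr(entry, cfg["UID"])] \
                and _matches_filter(entry, cfg["AlwaysFilter"]):
            return dn
    return None


def bind(user_dn, password):
    """Step 2: stand-in for the simple bind. An empty password must never pass: a real
    LDAP simple bind with an empty password is an anonymous bind and 'succeeds'."""
    return password != "" and password in _attr(_entry(user_dn), "userPassword")


def in_group(login, user_dn, cfg):
    """Step 3: the GroupDN gate. With no GroupDN every directory user is an agent."""
    if not cfg.get("GroupDN"):
        return True
    group = _entry(cfg["GroupDN"])
    if group is None:
        return False
    members = [m.lower() for m in _attr(group, cfg["AccessAttr"])]
    needle = user_dn if cfg["UserAttr"] == "DN" else login
    return needle.lower() in members


def authenticate(login, password, cfg):
    """Return (ok, dn_or_reason). Order modelled here: search, bind, group check."""
    user_dn = search_user(login, cfg)
    if user_dn is None:
        return False, "no user matches UID + AlwaysFilter below BaseDN"
    if not bind(user_dn, password):
        return False, "bind failed (wrong or empty password)"
    if not in_group(login, user_dn, cfg):
        return False, "user is not in GroupDN"
    return True, user_dn


def sync_agent(user_dn, sync_map):
    """Build the OTRS agent row from the entry, following UserSyncMap (DB field -> LDAP attr)."""
    entry = _entry(user_dn)
    return {field: (_attr(entry, attr) or [""])[0] for field, attr in sync_map.items()}
```

Running `authenticate("alice", "alice-secret", AD_CONFIG)` succeeds, `bob` fails at the group gate even with a correct password, and switching the same AD config to `UserAttr: "UID"` makes alice fail the group check too, because `member` is compared against a bare login. Without GroupDN set at all, every account the search can find (customers included) would be accepted as an agent, which is the configuration gap David's reply is pointing at.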
--------------------------------------------------------------------- OTRS mailing list: otrs - Webpage: http://otrs.org/ Archive: http://lists.otrs.org/pipermail/otrs To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW! http://www.otrs.com/en/support/enterprise-subscription/

Did it. Thanks VERY MUCH.
Do you know how I can integrate a hardware inventory app in OTRS like OCS-NG?
I just want to assign each customer his hardware and be able to open a ticket referring to the specific hardware each time.

Hi Theofanis,
Personally I haven't had any experience of that. Although if you're thinking
of doing asset management you may want to look into the OTRS::ITSM module,
which encompasses a CMDB; if you know a bit of MySQL then no doubt you can
import the relevant data, or maybe produce an interface into it.
Regards,
participants (3)
- David Holder
- Markus Moj
- Theofanis Katsiaounis