
Hello list,

I have recently set up OTRS and I am wondering how you might use this with Active Directory. Would it be the same configuration if I was configuring for LDAP? Also, is there a way to set up the configuration through SysConfig, or does it have to be done manually by editing the Config.pm file?

Thanks for the help.

Dan King
Software Developer
Canadian Resident Matching Service
613.237.0075 ext. 241
(Toll free) 877.CARMS.42
171 Nepean Street, Suite 300
Ottawa, ON, CAN K2P 0B4
http://www.carms.ca

------------------------------------------------------------------------------------
This e-mail message, including any attachments, is for the sole use of the intended recipients and may contain confidential and/or privileged information. If you are not the intended recipient or this information has been forwarded in error, please contact the sender by reply e-mail and destroy copies of the original message.

This message (including any attachment) is intended solely for the named recipient(s) or for a person authorised to receive it on their behalf. It may contain confidential or privileged information. If you have received it in error, please inform the sender as soon as possible, do not disclose its contents, and delete it from your system. Thank you.

Dan,

I'll just cover a few general things. Most of this is from another email I sent a while back but should help.

Have fun
GEH
Greg Horne

####

Set up a user account that can browse AD's LDAP (username - OTRS_Account, password - whatever); you may want to make it never expire.
Set up two groups, one for Customers and one for Agents.
Make AD users members of the Customers group.
Add the AD users that you want to use the system as an agent to the Agents group.
Create a user in OTRS and add it to the admin group, using the same username that you intend to log in to AD with.
Modify your Config.pm file, adding the following to allow agents and customers/users to log in using LDAP. Modify for your structure. Taken from my setup; add and modify as needed. Just an example:

############## Start of Config.pm ################
<snip>
# we want to use LDAP for Auth
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domainname,dc=win,dc=domain,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# The username and password of the user you set up to access LDAP information in AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'whateverYourPasswordIs';

# We want our Customer/users to Auth using LDAP
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.domain.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'whateverYourPasswordIs';

$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'ldap.domain.com',
        BaseDN => 'OU=Users,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com',
        SSCOPE => 'sub',
        UserDN => 'CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com',
        UserPw => 'whateverYourPasswordIs',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'userPrincipalName',
    CustomerUserListFields   => ['displayName', 'userPrincipalName'],
    CustomerUserSearchFields => ['displayName', 'userPrincipalName'],
    # must be an array reference like the other *Fields keys, not a bareword
    CustomerUserPostMasterSearchFields => ['userPrincipalName'],
    CustomerUserNameFields => ['givenName', 'sn'],
    # the following must map to valid fields in your AD (givenname, sn, sAMAccountName, ...)
    Map => [
        [ 'UserFirstname',  'Firstname',  'givenname',         1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',                1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',    1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'userPrincipalName', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'userPrincipalName', 0, 1, 'var' ],
    ],
};

# OK, now let's have our agents use LDAP
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=helpdesk_agents,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=helpdesk_customers,OU=Groups,OU=OldTown,DC=domain,DC=win,DC=domain,DC=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# UserSyncLDAPMap
# (map used when an agent is created/synced from LDAP to the DB after login; must match your AD)
$Self->{UserSyncLDAPMap} = {
    # DB -> LDAP
    Firstname => 'givenName',
    Lastname  => 'sn',
    Email     => 'userPrincipalName',
};

# UserSyncLDAPGroups
# (If "LDAP" was selected for AuthModule, you can specify
# initial user groups for first login.)
$Self->{UserSyncLDAPGroups} = [
    'users',
];
<snip>
##################### End of Config.pm ####################

Have Fun
GEH

-----Original Message-----
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On Behalf Of Dan King
Sent: Wednesday, July 11, 2007 10:37 AM
To: User questions and discussions about OTRS.org
Subject: [otrs] LDAP and Active Directory

Hello list,

I have recently set up OTRS and I am wondering how you might use this with Active Directory. Would it be the same configuration if I was configuring for LDAP? Also, is there a way to set up the configuration through SysConfig, or does it have to be done manually by editing the Config.pm file?

Thanks for the help.

Dan King
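The settings in Greg's Config.pm excerpt describe a login flow that is easy to get wrong when the group DNs or attribute names do not match the directory: bind with the search account, find the user's entry under BaseDN by its UID attribute, bind again as that user with the supplied password, and finally accept the login only if the user's DN appears in the GroupDN entry's AccessAttr. The Python below is an added illustration of that flow and is not OTRS code; it replaces the directory with a constructed in-memory dictionary (users "agent1" and "cust1", passwords, and a GroupDN under DC=ot are all made up) so it runs offline, uses the same key names as the AuthModule::LDAP::* settings above, and simplifies DN normalisation to lower-casing and trimming. Two checks any LDAP client should make are included: the login name is escaped before it goes into the search filter, and an empty password is refused because on a real server it would be an anonymous bind. It also applies the UserSyncLDAPMap to show what lands in the agent record at first login.

```python
# Constructed settings, keyed like the AuthModule::LDAP::* entries in Config.pm.
AGENT_AUTH = {
    "BaseDN": "DC=ot,DC=win,DC=domain,DC=com",
    "UID": "sAMAccountName",
    "SearchUserDN": "CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com",
    "SearchUserPw": "whateverYourPasswordIs",
    "GroupDN": "CN=helpdesk_agents,OU=Groups,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com",
    "AccessAttr": "member",
    "UserAttr": "DN",
}

# UserSyncLDAPMap as on the page: OTRS DB field -> AD attribute.
USER_SYNC_LDAP_MAP = {"Firstname": "givenName", "Lastname": "sn", "Email": "userPrincipalName"}

# Constructed stand-in for AD (DN -> attributes). "_password" exists only so the
# simulated bind can be checked; a real directory verifies the bind itself.
DIRECTORY = {
    "CN=otrs_helpdesk,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com": {
        "sAMAccountName": ["otrs_helpdesk"], "_password": "whateverYourPasswordIs"},
    "CN=Agent One,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com": {
        "sAMAccountName": ["agent1"], "givenName": ["Agent"], "sn": ["One"],
        "userPrincipalName": ["agent1@ot.win.domain.com"], "_password": "agent1-pw"},
    "CN=Customer One,OU=Users,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com": {
        "sAMAccountName": ["cust1"], "givenName": ["Customer"], "sn": ["One"],
        "userPrincipalName": ["cust1@ot.win.domain.com"], "_password": "cust1-pw"},
    # AD stores membership as member DNs, hence AccessAttr 'member' / UserAttr 'DN'.
    # The casing differs from the user's entry on purpose: DN matching is case-insensitive.
    "CN=helpdesk_agents,OU=Groups,OU=OldTown,DC=ot,DC=win,DC=domain,DC=com": {
        "member": ["cn=agent one,ou=users,ou=oldtown,dc=ot,dc=win,dc=domain,dc=com"]},
}


def normalize_dn(dn):
    """Simplified DN normalisation: lower-case, no whitespace around the commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name is always data inside the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def bind(dn, password):
    """Simple bind. An empty password is refused: on a real server it would be an
    anonymous bind that 'succeeds' without proving anything."""
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and entry.get("_password") == password


def search_user(cfg, login):
    """Subtree search under BaseDN for (UID=login). Returns (filter_sent, dn_or_None)."""
    ldap_filter = "(%s=%s)" % (cfg["UID"], escape_filter_value(login))
    base = normalize_dn(cfg["BaseDN"])
    for dn, entry in DIRECTORY.items():
        if not normalize_dn(dn).endswith(base):
            continue
        if any(v.lower() == login.lower() for v in entry.get(cfg["UID"], [])):
            return ldap_filter, dn
    return ldap_filter, None


def in_group(cfg, user_dn, entry):
    """GroupDN check: the user's UserAttr value must appear in the group's AccessAttr."""
    if not cfg.get("GroupDN"):
        return True  # no GroupDN configured: every authenticated user gets in
    members = DIRECTORY.get(cfg["GroupDN"], {}).get(cfg["AccessAttr"], [])
    if cfg["UserAttr"] == "DN":
        return normalize_dn(user_dn) in {normalize_dn(m) for m in members}
    wanted = entry.get(cfg["UserAttr"], [""])[0].lower()
    return wanted in {m.lower() for m in members}


def authenticate(cfg, login, password):
    """The four steps of the agent login. Returns (ok, reason, user_dn)."""
    if not bind(cfg["SearchUserDN"], cfg["SearchUserPw"]):
        return False, "search-user bind failed", None
    _, user_dn = search_user(cfg, login)
    if user_dn is None:
        return False, "no such user under BaseDN", None
    if not bind(user_dn, password):
        return False, "wrong password", user_dn
    if not in_group(cfg, user_dn, DIRECTORY[user_dn]):
        return False, "not a member of GroupDN", user_dn
    return True, "ok", user_dn


def sync_record(user_dn):
    """What UserSyncLDAPMap copies into the OTRS agent record at first login."""
    entry = DIRECTORY[user_dn]
    return {db: entry.get(ad, [""])[0] for db, ad in USER_SYNC_LDAP_MAP.items()}


if __name__ == "__main__":
    for login, pw in (("agent1", "agent1-pw"), ("cust1", "cust1-pw"), ("agent1", "nope")):
        print(login, authenticate(AGENT_AUTH, login, pw))
```

Running it shows "agent1" accepted, "cust1" rejected at the GroupDN step even though the password was right, and a wrong password rejected before the group is ever consulted. The same order applies to the Customer::AuthModule::LDAP::* settings with the customers group. Note that the search account's password sits in Config.pm in clear text, so file permissions on Config.pm are part of this setup.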

I have the Astaro Secure Gateway, which also allows AD authentication. (This is however not completely relevant to my question, but is related.) This system requires a global security group, which is only supported in non-mixed mode. Does OTRS also require global security groups?

--Shawn