Customer authentication and synchronization through Active Directory (LDAP) in OTRS 3.0.3.

Hi all,

I have some problems with my AD authentication (LDAP) and OTRS (installed on OpenSuse 11.2). I have copied multiple lines from the internet in order to make it work, and it appears to be working, but the list of customers I have now is enormously long. Customers who are members of our AD are able to log on now, but when I have a look in our Customers overview in OTRS I see about all the users we have in our AD (>100), and that's a thing I don't want. I want only a couple of customers, members of a group called "OTRS Users", to be able to log onto the OTRS system as customers, but at the moment it seems like every member of our AD can log in.

Can anyone help us with this? Where lies the error in our config.pm? And is it possible to remove customers from the list?

Our config.pm:

# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2009 OTRS AG, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.21 2009/02/16 12:01:43 tr Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# -->> OTRS does have a lot of config settings. For more settings
# (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
# LDAP, PostMaster, Session, Preferences, ...) see
# Kernel/Config/Defaults.pm and copy your wanted lines into "this"
# config file. This file will not be changed on update!
#
# --

package Kernel::Config;

sub Load {
    my $Self = shift;

    $Self->{SecureMode} = 0;

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #         Start of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # DatabaseHost
    # (The database host.)
    $Self->{'DatabaseHost'} = 'localhost';

    # Database
    # (The database name.)
    $Self->{'Database'} = 'otrs';

    # DatabaseUser
    # (The database user.)
    $Self->{'DatabaseUser'} = 'ErikA';

    # DatabasePw
    # (The password of database user. You also can use bin/CryptPassword.pl
    # for crypted passwords.)
    $Self->{'DatabasePw'} = 'xxxxxx';

    # DatabaseDSN
    # (The database DSN for MySQL ==> more: "man DBD::mysql")
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

    # (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
    # if you want to use a local socket connection
    # $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a tcpip connection
    # $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # ---------------------------------------------------- #
    # fs root directory                                    #
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{'CheckMXRecord'} = 1;

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$
    $Self->{'SystemID'} = 50;
    $Self->{'SecureMode'} = 1;
    $Self->{'Organization'} = 'Test';
    $Self->{'LogModule::LogFile'} = '/tmp/otrs.log';
    $Self->{'LogModule'} = 'Kernel::System::Log::SysLog';
    $Self->{'FQDN'} = 'OpenSuseOTRS.suzo.int';
    $Self->{'DefaultLanguage'} = 'en';
    $Self->{'AdminEmail'} = 'test@test.nl';
    $Self->{'DefaultCharset'} = 'utf-8';

    # Stray Map entry left over from copy/paste: it sits outside any Map array,
    # so it has no effect (Perl only warns about a useless anonymous array).
    # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly, http-link-target
    # [ 'UserCustomerIDs', 'CustomerIDs', 'customer_ids', 1, 0, 'var', '', 0 ],

    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'}   = '192.168.1.2';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=Suzo, dc=int';
    $Self->{'AuthModule::LDAP::UID1'}    = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=Helpdesk (Ticket Systeem),OU=IT Department,OU=Suzo NL,DC=Suzo,DC=int';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'xxxxxxxxx';

    # In case you need to use OTRS in iso-charset, you can define this
    # by using this option (converts utf-8 data from LDAP to iso).
    # $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # --------------------------------------------------- #
    # authentication sync settings                        #
    # (enable agent data sync. after successful           #
    # authentication)                                     #
    # --------------------------------------------------- #
    # This is an example configuration for an LDAP auth sync. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'}   = '192.168.1.2';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=Suzo, dc=int';
    $Self->{'AuthSyncModule::LDAP::UID1'}    = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=Helpdesk (Ticket Systeem),OU=IT Department,OU=Suzo NL,DC=Suzo,DC=int';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'xxxxxxxxxx';

    # AuthSyncModule::LDAP::UserSyncMap
    # (map if agent should be created/synced from LDAP to DB after successful login)
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # In case you need to use OTRS in iso-charset, you can define this
    # by using this option (converts utf-8 data from LDAP to iso).
    # $Self->{'AuthSyncModule::LDAP::Charset'} = 'iso-8859-1';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    # $Self->{'AuthSyncModule::LDAP::Params'} = {
    #     port    => 389,
    #     timeout => 120,
    #     async   => 0,
    #     version => 3,
    # };

    # Enable LDAP authentication for Customers / Users
    $Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host2'}   = '192.168.1.2';
    $Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'dc=Suzo, dc=int';
    $Self->{'Customer::AuthModule::LDAP::UID2'}    = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'CN=Helpdesk (Ticket Systeem),OU=IT Department,OU=Suzo NL,DC=Suzo,DC=int';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = 'xxxxxxxxx';

    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => '192.168.1.2',
            BaseDN => 'dc=Suzo, dc=int',
            SSCOPE => 'sub',
            UserDN => 'CN=Helpdesk (Ticket Systeem),OU=IT Department,OU=Suzo NL,DC=Suzo,DC=int',
            UserPw => 'xxxxxxxxxx',
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields             => [ 'sAMAccountName', 'cn', 'mail' ],
        CustomerUserSearchFields           => [ 'sAMAccountName', 'cn', 'mail' ],
        CustomerUserSearchPrefix           => '',
        CustomerUserSearchSuffix           => '*',
        CustomerUserSearchListLimit        => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => [ 'givenname', 'sn' ],
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            #[ 'UserSalutation', 'Title',     'title',          1, 0, 'var' ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
            [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var' ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var' ],
            #[ 'UserAddress',   'Address',    'postaladdress',   1, 0, 'var' ],
            #[ 'UserComment',   'Comment',    'description',     1, 0, 'var' ],
        ],
    };

    # Add the following lines when users are only allowed to log in if they reside in the specified security group
    # Remove these lines if you want to provide login to all users specified in the User Base DN
    # example: $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=BaseOU, dc=example, dc=com';
    $Self->{'Customer::AuthModule::LDAP::GroupDN'}    = 'CN=OTRS Users,OU=Suzo NL,DC=Suzo,DC=int';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'}   = 'UID';

    # Die if backend can't work, e. g. can't connect to server.
    # $Self->{'AuthSyncModule::LDAP::Die'} = 1;

    # Die if backend can't work, e. g. can't connect to server.
    # $Self->{'AuthModule::LDAP::Die'} = 1;

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #          End of your own config options!!!           #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

$VERSION = qw($Revision: 1.21 $)[1];
# -----------------------------------------------------#

1;

Met vriendelijke groet / Kind regards / Mit freundlichem Gruß,

Erik

On 12/02/2010 02:38 PM, Erik van Ast wrote:
> I have copied multiple lines from the internet in order to make it work, and it appears to be working, but the list of customers I have now is enormously long. Customers who are members of our AD are able to log on now, but when I have a look in our Customers overview in OTRS I see about all the users we have in our AD (>100), and that's a thing I don't want. I want only a couple of customers, members of a group called "OTRS Users", to be able to log onto the OTRS system as customers, but at the moment it seems like every member of our AD can log in.
>
> Can anyone help us with this? Where lies the error in our config.pm?
You may be interested in this:

$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = <ldap filter>

Just put your desired group there and the customer list will be populated only with results that match the filter.

--
Daniel Maher <dma PLUS otrs AT witbe DOT net>
"The Internet is completely over." -- Prince
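As an added example (not from Daniel's reply or the OTRS distribution), the group filter placed in both places that matter for Erik's config: the customer auth backend decides who may log in, while the CustomerUser backend decides who appears in the customer overview. It assumes the directory is Active Directory (so users carry a memberOf attribute) and reuses the group DN, host and bind DN from the posted config; the numeric suffix follows OTRS's convention that every key of Customer::AuthModule2 ends in "2".

```perl
# Added example (not from the thread): restrict both customer login and the
# customer list to members of the AD group named in Erik's config.
# OTRS reads every LDAP key with the backend's numeric suffix, so settings for
# Customer::AuthModule2 must end in "2"; the posted GroupDN/AccessAttr/UserAttr
# keys have no suffix and are therefore never seen by backend 2.

# Direct members of the group: AD maintains memberOf on each user object.
# (DN values containing ( ) * or \ must be RFC 4515-escaped inside a filter.)
my $GroupDN     = 'CN=OTRS Users,OU=Suzo NL,DC=Suzo,DC=int';
my $GroupFilter = "(memberOf=$GroupDN)";
# Nested membership, AD-only extensible match (LDAP_MATCHING_RULE_IN_CHAIN);
# costlier for the domain controller, so prefer the plain form if it suffices:
# my $GroupFilter = "(memberOf:1.2.840.113556.1.4.1941:=$GroupDN)";

# 1) Who may log in. The auth backend searches (&(sAMAccountName=<login>)<filter>);
#    a user outside the group is simply not found and the login fails.
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter2'} = $GroupFilter;

# 2) Who is listed. The customer overview and searches come from the
#    CustomerUser backend, not from the auth module, so the same filter must
#    be applied here or every AD account stays visible to agents.
$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host         => '192.168.1.2',
        BaseDN       => 'dc=Suzo, dc=int',
        SSCOPE       => 'sub',
        UserDN       => 'CN=Helpdesk (Ticket Systeem),OU=IT Department,OU=Suzo NL,DC=Suzo,DC=int',
        UserPw       => 'xxxxxxxxxx',    # masked, as in the posted config
        AlwaysFilter => $GroupFilter,
    },
    CustomerKey                        => 'sAMAccountName',
    CustomerID                         => 'mail',
    CustomerUserListFields             => [ 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserSearchFields           => [ 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserSearchPrefix           => '',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => [ 'givenname', 'sn' ],
    Map => [
        # var, frontend, storage, shown, required, storage-type
        [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var' ],
    ],
};
```

Customers already cached in the OTRS database from earlier logins are not removed by the filter; only directory entries matching it are listed or searchable from then on.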