
Hello, I have some problems with the OTRS system and Active Directory. 1. I am trying to sync agent roles (admin in AD -> admin in OTRS). With the config below, agents can log in with Active Directory credentials, but no roles are synced. # This is an example configuration for an LDAP auth. backend. # (take care that Net::LDAP is installed!) $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP'; $Self->{'AuthModule::LDAP::Host'} = 'pdc.test.local'; $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=test,dc=local'; $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName'; # Check if the user is allowed to auth in a posixGroup # (e. g. user needs to be in a group xyz to use otrs) # $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com'; # $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid'; # for ldap posixGroups objectclass (just uid) # $Self->{'AuthModule::LDAP::UserAttr'} = 'UID'; # for non ldap posixGroups objectclass (with full user dn) # $Self->{'AuthModule::LDAP::UserAttr'} = 'DN'; # The following is valid but would only be necessary if the # anonymous user do NOT have permission to read from the LDAP tree $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_ldap,CN=Users,DC=test,DC=local'; $Self->{'AuthModule::LDAP::SearchUserPw'} = 'vali1982!'; # in case you want to add always one filter to each ldap query, use # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)' # $Self->{'AuthModule::LDAP::AlwaysFilter'} = ''; # in case you want to add a suffix to each login name, then # you can use this option. e. g. user just want to use user but # in your ldap directory exists user@domain. # $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com'; # In case you want to convert all given usernames to lower letters you # should activate this option. It might be helpfull if databases are # in use that do not distinguish selects for upper and lower case letters # (Oracle, postgresql). 
# User might be synched twice, if this option is not in use.
# $Self->{'AuthModule::LDAP::UserLowerCase'} = 0;

# Convert the UTF-8 data delivered by LDAP to an ISO charset; only needed
# when OTRS itself runs in an ISO charset.
# $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';

# Extra arguments handed to Net::LDAP->new (see perldoc Net::LDAP).
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Die if the backend cannot work, e.g. no connection to the server.
$Self->{'AuthModule::LDAP::Die'} = 1;

# --------------------------------------------------- #
# authentication sync settings                        #
# (enable agent data sync. after successful           #
# authentication)                                     #
# --------------------------------------------------- #

# LDAP auth sync backend (requires Net::LDAP).
$Self->{'AuthSyncModule'}               = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}   = 'pdc.test.local';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=test,dc=local';
$Self->{'AuthSyncModule::LDAP::UID'}    = 'sAMAccountName';

# Bind account used for the lookups; only required when an anonymous bind
# may not read the LDAP tree.
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=otrs_ldap,CN=Users,DC=test,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'vali1982!';

# Optional filter appended to every LDAP query,
# e.g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'.
# $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';

# AuthSyncModule::LDAP::UserSyncMap
# Agent fields (DB side) that are created/updated from LDAP attributes
# after a successful login.
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# Convert the UTF-8 data delivered by LDAP to an ISO charset; only needed
# when OTRS itself runs in an ISO charset.
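# $Self->{'AuthSyncModule::LDAP::Charset'} = 'iso-8859-1';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthSyncModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Die if backend can't work, e. g. can't connect to server.
$Self->{'AuthSyncModule::LDAP::Die'} = 1;

# Attributes needed for group syncs
# (attribute name for group value key)
# $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
# (attribute for type of group content UID/DN for full ldap name)
# $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'UID';
# $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
# NOTE(review): both settings above are still commented out, so the group
# and role definitions below have nothing to match against; for groups that
# list full member DNs the 'DN' variant is the relevant one -- confirm
# against the directory schema.

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

# AuthSyncModule::LDAP::UserSyncGroupsDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# groups to otrs groups, define the following.)
# Each LDAP group DN may appear only once as a key: Perl keeps the last
# value for a duplicated hash key, so a second entry for the same DN silently
# replaces the first one. The two 'CN=Domain Admins,...' entries of the
# original are therefore merged into a single one here.
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    # ldap group
    'CN=Domain Admins,CN=Users,DC=test,DC=local' => {
        # otrs group => permission
        'admin' => {
            rw => 1,
            ro => 1,
        },
        'faq' => {
            rw => 0,
            ro => 1,
        },
        'users' => {
            rw => 1,
            ro => 1,
        },
    },
};

# AuthSyncModule::LDAP::UserSyncRolesDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# groups to otrs roles, define the following.)
# Same duplicate-key problem as above: the two entries for the same DN are
# merged, otherwise only the 'role3' mapping would survive.
# NOTE(review): 'role1'..'role3' look like the stock example names; the keys
# must be roles that actually exist in OTRS -- verify.
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    # ldap group
    'CN=Domain Admins,CN=Users,DC=test,DC=local' => {
        # otrs role => enabled
        'role1' => 1,
        'role2' => 0,
        'role3' => 1,
    },
};

# AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# attributes to otrs groups, define the following.)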
$Self->{'AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition'} = {
    # ldap attribute => { ldap attribute value => { otrs group => permission } }
    'LDAPAttribute' => {
        'LDAPAttributeValue1' => {
            'admin' => { rw => 1, ro => 1, },
            'faq'   => { rw => 0, ro => 1, },
        },
    },
    'LDAPAttribute2' => {
        'LDAPAttributeValue' => {
            'users' => { rw => 1, ro => 1, },
        },
    },
};
# NOTE(review): 'LDAPAttribute*' / 'LDAPAttributeValue*' look like the stock
# example placeholders rather than real directory attributes -- confirm.

# AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition
# (sync LDAP attribute values to otrs roles when "LDAP" is the AuthModule)
$Self->{'AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition'} = {
    # ldap attribute => { ldap attribute value => { otrs role => enabled } }
    'LDAPAttribute' => {
        'LDAPAttributeValue1' => {
            'role1' => 1,
            'role2' => 1,
        },
    },
    'LDAPAttribute2' => {
        'LDAPAttributeValue1' => {
            'role3' => 1,
        },
    },
};

# Agent table layout in the OTRS database.
$Self->{DatabaseUserTable}       = 'users';
$Self->{DatabaseUserTableUserID} = 'id';
$Self->{DatabaseUserTableUserPW} = 'pw';
$Self->{DatabaseUserTableUser}   = 'login';

# Customer authentication against LDAP (requires Net::LDAP).
$Self->{'Customer::AuthModule'}               = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'}   = 'pdc.test.local';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=test,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID'}    = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g.
user needs to be in a group xyz to use otrs) # $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com'; # $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid'; # for ldap posixGroups objectclass (just uid) # $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID'; # for non ldap posixGroups objectclass (full user dn) # $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN'; # The following is valid but would only be necessary if the # anonymous user do NOT have permission to read from the LDAP tree $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs_ldap,CN=Users,DC=test,DC=local'; $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'vali1982!'; # in case you want to add always one filter to each ldap query, use # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)' # $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = ''; # in case you want to add a suffix to each customer login name, then # you can use this option. e. g. user just want to use user but # in your ldap directory exists user@domain. # $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com'; # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP) $Self->{'Customer::AuthModule::LDAP::Params'} = { port => 389, timeout => 120, async => 0, version => 3, }; # Die if backend can't work, e. g. can't connect to server. $Self->{'Customer::AuthModule::LDAP::Die'} = 1; 2. I have problems with customer login using Active Directory credentials: I get "panic no user data". The OTRS log shows the following error: [Fri May 7 09:35:52 2010][Notice][Kernel::System::CustomerAuth::LDAP::Auth] CustomerUser: ion (CN=ion,CN=Users,DC=test,DC=local) authentication ok (REMOTE_ADDR: 192.168.0.1). 
[Fri May 7 09:35:52 2010][Error][Kernel::System::CustomerUser::LDAP::CustomerUserDataGet][580] 000020D6: SvcErr: DSID-03100754, problem 5012 (DIR_ERROR), data 0 The config.pm for the customer sections is : # CustomerUser # (customer user ldap backend and settings) $Self->{CustomerUser} = { Name => 'LDAP Backend', Module => 'Kernel::System::CustomerUser::LDAP', Params => { # ldap host Host => 'pdc.test.local', # ldap base dn BaseDN => 'ou=test,o=local', # search scope (one|sub) SSCOPE => 'sub', # The following is valid but would only be necessary if the # anonymous user does NOT have permission to read from the LDAP tree UserDN => 'CN=otrs_ldap,CN=Users,DC=test,DC=local', UserPw => 'vali1982!', # in case you want to add always one filter to each ldap query, use # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)' # AlwaysFilter => '', # if your frontend is e. g. iso-8859-1 and the charset of your # ldap server is utf-8, use this options (if not, ignore it) # SourceCharset => 'utf-8', # DestCharset => 'iso-8859-1', # die if backend can't work, e. g. can't connect to server Die => 1, # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP) Params => { port => 389, timeout => 120, async => 0, version => 3, }, }, # customer uniq id CustomerKey => 'uid', # customer # CustomerID => 'mail', CustomerUserListFields => ['cn', 'mail'], CustomerUserSearchFields => ['uid', 'cn', 'mail'], CustomerUserSearchPrefix => '', CustomerUserSearchSuffix => '*', CustomerUserSearchListLimit => 250, CustomerUserPostMasterSearchFields => ['mail'], CustomerUserNameFields => ['givenname', 'sn'], # show not own tickets in customer panel, CompanyTickets CustomerUserExcludePrimaryCustomerID => 0, # add a ldap filter for valid users (expert setting) # CustomerUserValidFilter => '(!(description=gesperrt))', # admin can't change customer preferences AdminSetPreferences => 0, # cache time to life in sec. 
- cache any ldap queris CacheTTL => 0, Map => [ # note: Login, Email and CustomerID needed! # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ], # [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ], # [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ], # [ 'UserLogin', 'Username', 'uid', 1, 1, 'var', '', 0 ], # [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ], # [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ], # # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ], # [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ], # [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ], # [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ], ], };

Hi, Try to uncomment this: # $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN'; Le 07/05/2010 09:34, Valentin a écrit :
# $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
-- Guillaume REHM Centre de Ressources Informatiques Responsable Sécurité du Système d'Information (RSSI) Bibliothèque Nationale et Universitaire de Strasbourg 5 rue du Maréchal Joffre BP 51029 67070 Strasbourg tél: 03 88 25 28 23 fax: 03 88 25 28 03 mail: guillaume.rehm@bnu.fr web: http://www.bnu.fr