LDAP connection for agents

Help with OTRS problems of all kinds
Vinc
Znuny newbie
Posts: 36
Joined: 24 Nov 2016, 14:44
Znuny Version: 5.0.14
Company: XAX

LDAP connection for agents

Post by Vinc »

Hello,

The LDAP, or rather AD, connection for customers works without any problems. Only the agents cannot log in yet. Can someone help me and tell me where the error is?

    # Agent LDAP authentication
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'dc1.x.de';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Users,ou=MyBusiness,dc=x,dc=de';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check whether the user is allowed to authenticate via membership in a posixGroup
    # (e. g. the user needs to be in group xyz to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS-User,ou=Security Groups,ou=MyBusiness,dc=x,dc=de';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'sAMAccountName';

    # for non-posixGroup objectclasses (group members stored as full user DNs)
    # $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
    # The following is valid but only necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Service User otrs,ou=xServiceUser,ou=users,ou=MyBusiness,dc=x,dc=de';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'xx123';

    # If you always want to add one filter to each LDAP query, use this option,
    # e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
    # If you want to add a suffix to each login name, use this option,
    # e. g. users just want to type "user" but your LDAP directory holds "user@domain".
    # $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';
    # Net::LDAP new params (if needed; for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # defines the AuthSyncBackend (AuthSyncModule) for the AuthModule;
    # if this key exists and is empty, there is no sync.
    # example values: AuthSyncBackend, AuthSyncBackend2
    $Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
    # agent data sync against LDAP
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://xdc1.x.de/';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=x, dc=de';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=Service User otrs,ou=xServiceUser,ou=users,ou=MyBusiness,dc=x,dc=de';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xx123';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync the following groups with rw permission after the initial creation of the
    # agent on first login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'xdc1.x.de';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Users,ou=MyBusiness,dc=x,dc=de';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

    # The following is valid but only necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'Service User otrs';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xx123';

    # CustomerUser
    # (customer user LDAP backend and settings)
    $Self->{CustomerUser} = {
        Name   => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'xdc1.x.de',
            # ldap base dn
            BaseDN => 'ou=Users,ou=MyBusiness,dc=x,dc=de',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but only necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'Service User otrs',
            UserPw => 'xx123',
            # If you always want to add one filter to each LDAP query, use this option,
            # e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            AlwaysFilter => '',
            # if the charset of your ldap server is iso-8859-1, use this:
            # SourceCharset => 'iso-8859-1',
            # die if the backend can't work, e. g. can't connect to the server
            Die => 0,
            # Net::LDAP new params (if needed; for more info see perldoc Net::LDAP)
            Params => {
                port    => 389,
                timeout => 120,
                async   => 0,
                version => 3,
            },
        },
        # customer unique id
        CustomerKey => 'sAMAccountname',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountname', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        # show now own tickets in customer panel, CompanyTickets
        CustomerUserExcludePrimaryCustomerID => 0,
        # add an ldap filter for valid users (expert setting)
        # CustomerUserValidFilter => '(!(description=gesperrt))',
        # admin can't change customer preferences
        AdminSetPreferences => 0,
        # cache time to live in sec. - cache any ldap queries
        CacheTTL => 0,
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
            [ 'UserTitle',       'Title',       'title',               1, 0, 'var', '', 0 ],
            [ 'UserFirstname',   'Firstname',   'givenname',           1, 1, 'var', '', 0 ],
            [ 'UserLastname',    'Lastname',    'sn',                  1, 1, 'var', '', 0 ],
            [ 'UserLogin',       'Username',    'sAMAccountname',      1, 1, 'var', '', 0 ],
            [ 'UserEmail',       'Email',       'mail',                1, 1, 'var', '', 0 ],
            [ 'UserCustomerID',  'CustomerID',  'mail',                0, 1, 'var', '', 0 ],
            [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
            [ 'UserPhone',       'Phone',       'telephonenumber',     1, 0, 'var', '', 0 ],
            [ 'UserAddress',     'Address',     'postaladdress',       1, 0, 'var', '', 0 ],
            [ 'UserComment',     'Comment',     'description',         1, 0, 'var', '', 0 ],
        ],
    };


Re: LDAP connection for agents

Post by Vinc »

I was able to solve it myself.

$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

and

$Self->{'AuthSyncModule::LDAP::Host'} = 'xdc1.x.de';

are what I changed.
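The two changes above in context, as an added example for Kernel/Config.pm (it is neither the poster's configuration nor the defaults shipped with Znuny/OTRS): the group gate compares the user's DN, because Active Directory stores group members as full DNs, so a search for (member=<sAMAccountName>) can never match; the sync module is given the same host form as the auth module; and the connection is moved from plain LDAP on 389, where the service-account and user passwords cross the wire in clear during the simple bind, to LDAPS with certificate verification. Everything not taken from the thread is an assumption: that dc1.x.de offers LDAPS on 636, the CA bundle path, and the AlwaysFilter, which makes users without a mail attribute fail the user lookup with a plain "no LDAP entry found" log line instead of being created half-way.

```perl
    # Agent authentication against AD (added example; host names, CA path and
    # service account are placeholders taken from the thread or assumed)
    $Self->{'AuthModule'}               = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'}   = 'ldaps://dc1.x.de';    # assumption: LDAPS enabled on the DC
    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Users,ou=MyBusiness,dc=x,dc=de';
    $Self->{'AuthModule::LDAP::UID'}    = 'sAMAccountName';

    # Group gate: the module searches GroupDN with (AccessAttr=<value>); with
    # UserAttr 'DN' the value is the user's DN, which is what AD's member
    # attribute holds. With UserAttr 'sAMAccountName' it would search
    # (member=jdoe) and find nothing.
    $Self->{'AuthModule::LDAP::GroupDN'}    = 'cn=OTRS-User,ou=Security Groups,ou=MyBusiness,dc=x,dc=de';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'}   = 'DN';

    # Bind account for the lookups (AD refuses anonymous searches of user objects by default)
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Service User otrs,ou=xServiceUser,ou=users,ou=MyBusiness,dc=x,dc=de';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'xx123';    # placeholder from the thread; keep the real one out of version control

    # Only accept user objects that carry a mail address: the agent record cannot be
    # created without one, and rejecting the login here gives a clear log line.
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(&(objectClass=user)(mail=*))';

    # Net::LDAP options; verify/cafile make the TLS client actually check the
    # DC certificate (assumed CA bundle path)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 636,
        timeout => 120,
        async   => 0,
        version => 3,
        verify  => 'require',
        cafile  => '/etc/ssl/certs/x-root-ca.pem',
    };

    # Sync agent data from the same directory with the same connection settings
    $Self->{'AuthModule::UseSyncBackend'}         = 'AuthSyncBackend';
    $Self->{'AuthSyncModule'}                     = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'}         = 'ldaps://dc1.x.de';
    $Self->{'AuthSyncModule::LDAP::BaseDN'}       = 'ou=Users,ou=MyBusiness,dc=x,dc=de';
    $Self->{'AuthSyncModule::LDAP::UID'}          = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = $Self->{'AuthModule::LDAP::SearchUserDN'};
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = $Self->{'AuthModule::LDAP::SearchUserPw'};
    $Self->{'AuthSyncModule::LDAP::Params'}       = $Self->{'AuthModule::LDAP::Params'};
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'}  = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = ['users'];
```

The sync keys reuse the auth module's values so the two cannot drift apart again, which is exactly what happened in the original configuration (one module used a URI with a trailing slash, the other a bare host name). If the DC does not offer LDAPS, drop the ldaps:// scheme, the port and the verify/cafile entries, but then treat the service account as a low-privilege, read-only account whose password is exposed to anyone on the network path.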

Re: LDAP connection for agents

Post by Vinc »

And the user needs an e-mail address entry in AD, otherwise it does not work.

Panic, user authenticated but no user data can be found in OTRS DB!! Perhaps the user is invalid.
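The three situations in this thread (group gate with the wrong UserAttr, group gate with UserAttr 'DN', and a user without a mail attribute) replayed offline, as an added Perl script that is not Znuny/OTRS code: it rebuilds the two searches the agent auth module issues (user lookup, then the group search with the filter chosen by UserAttr) and the UserSyncMap step of the sync module, and evaluates them against constructed directory entries instead of a live domain controller. All DNs, logins and attribute values are made up, the filter evaluator only understands the single equality filters those two searches produce, and the list of fields treated as mandatory for the agent record (first name, last name, login, e-mail) is an assumption consistent with the panic message quoted above. Net::LDAP::Util comes with perl-ldap, which OTRS needs anyway.

```perl
#!/usr/bin/perl
# Offline replay of the agent login path (added example, not Znuny/OTRS code):
# user lookup and group gate as in Kernel::System::Auth::LDAP, then the
# UserSyncMap step as in Kernel::System::Auth::Sync::LDAP, run against
# constructed entries instead of a live DC. All data below is made up.
use strict;
use warnings;
use Net::LDAP::Util qw(escape_filter_value);    # same escaping the auth module applies

# Constructed directory: two users (one without a mail attribute) and the group.
my %Directory = (
    'CN=Jane Doe,OU=Users,OU=MyBusiness,DC=x,DC=de' => {
        sAMAccountName => ['jdoe'], givenName => ['Jane'], sn => ['Doe'], mail => ['jane.doe@x.de'],
    },
    'CN=Max Muster,OU=Users,OU=MyBusiness,DC=x,DC=de' => {
        sAMAccountName => ['mmuster'], givenName => ['Max'], sn => ['Muster'],    # no mail
    },
    'CN=OTRS-User,OU=Security Groups,OU=MyBusiness,DC=x,DC=de' => {
        member => [
            'CN=Jane Doe,OU=Users,OU=MyBusiness,DC=x,DC=de',
            'CN=Max Muster,OU=Users,OU=MyBusiness,DC=x,DC=de',
        ],
    },
);

# Case-insensitive compare that also ignores blanks after commas: a rough
# stand-in for AD's distinguishedName matching (assumption, fine for these DNs).
sub _norm { my $S = lc shift; $S =~ s/,\s+/,/g; return $S }

# Evaluate the single "(attr=value)" equality filters the auth module generates.
sub entry_matches {
    my ( $Entry, $Filter ) = @_;
    my ( $Attr, $Value ) = $Filter =~ /^\((\w+)=(.*)\)\z/ or die "unsupported filter $Filter";
    $Value =~ s/\\([0-9a-fA-F]{2})/chr hex $1/ge;    # undo escape_filter_value
    return scalar grep { _norm($_) eq _norm($Value) } @{ $Entry->{$Attr} || [] };
}

# Subtree search: DNs at or below Base whose entry matches Filter.
sub ldap_search {
    my (%Arg) = @_;
    my $Base = _norm( $Arg{Base} );
    return grep { _norm($_) =~ /\Q$Base\E\z/ && entry_matches( $Directory{$_}, $Arg{Filter} ) }
        sort keys %Directory;
}

# Group-gate filter exactly as the auth module picks it: the user's DN when
# UserAttr is 'DN', otherwise the bare login name.
sub group_filter {
    my (%Arg) = @_;
    my $Value = $Arg{UserAttr} eq 'DN' ? $Arg{UserDN} : $Arg{User};
    return "($Arg{AccessAttr}=" . escape_filter_value($Value) . ')';
}

# User lookup plus group gate (the final bind with the user's password is not
# simulated). Returns "ok: <user DN>" or the reason the module would log.
sub check_login {
    my (%Cfg) = @_;
    my @Users = ldap_search( Base => $Cfg{BaseDN}, Filter => "($Cfg{UID}=" . escape_filter_value( $Cfg{User} ) . ')' );
    return 'no LDAP entry found' if !@Users;
    my $UserDN = $Users[-1];
    my $Filter = group_filter( %Cfg, UserDN => $UserDN );
    return "no LDAP group entry found, Filter='$Filter'" if !ldap_search( Base => $Cfg{GroupDN}, Filter => $Filter );
    return "ok: $UserDN";
}

# UserSyncMap step, then the fields the agent record cannot be created without
# (assumption matching the panic message in this thread: e-mail is one of them).
sub sync_user_data {
    my ( $UserDN, $Login, $Map ) = @_;
    my %Data = ( UserLogin => $Login );
    for my $Field ( sort keys %$Map ) {
        my $Values = $Directory{$UserDN}{ $Map->{$Field} } or next;
        $Data{$Field} = $Values->[0];
    }
    my @Missing = grep { !defined $Data{$_} || $Data{$_} eq '' } qw(UserFirstname UserLastname UserLogin UserEmail);
    return ( \%Data, \@Missing );
}

my %Base = (
    BaseDN     => 'ou=Users,ou=MyBusiness,dc=x,dc=de',
    UID        => 'sAMAccountName',
    GroupDN    => 'cn=OTRS-User,ou=Security Groups,ou=MyBusiness,dc=x,dc=de',
    AccessAttr => 'member',
);
my %SyncMap = ( UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail' );

# The thread's three cases: wrong UserAttr, corrected UserAttr, user without mail.
for my $Case ( [ 'jdoe', 'sAMAccountName' ], [ 'jdoe', 'DN' ], [ 'mmuster', 'DN' ] ) {
    my ( $Login, $UserAttr ) = @$Case;
    my $Status = check_login( %Base, User => $Login, UserAttr => $UserAttr );
    printf "%-8s UserAttr=%-15s -> %s\n", $Login, $UserAttr, $Status;
    next if $Status !~ /^ok: (.+)\z/;
    my ( $Data, $Missing ) = sync_user_data( $1, $Login, \%SyncMap );
    print @$Missing ? "         sync fails, missing: @$Missing\n" : "         sync ok: $Data->{UserEmail}\n";
}
```

The first case reproduces the original symptom: with UserAttr 'sAMAccountName' the group search carries (member=jdoe), which no AD group entry ever matches, so the module logs "no LDAP group entry found" and the agent never reaches the bind. The third case reproduces the last post: the user passes both searches, but the sync step has no value for UserEmail, which is why the login ends in the panic message instead of a created agent. Against a real server the same filter strings go into Net::LDAP->search with the configured BaseDN and GroupDN, so comparing them with the Filter= value in the OTRS log is the quickest way to see which of the three cases you are in.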