[SOLVED] LDAP brings the whole tree of AD objects (Users, PCs, etc.)

facundocaballe
Znuny newbie
Posts: 12
Joined: 27 Mar 2017, 22:07
Znuny Version: OTRS5
Real Name: Facundo Caballe
Company: Yagmour


Post by facundocaballe »

Hi.
My name is Facundo, and I am a noob at OTRS and on the forum.

Many of the OTRS setups made me sweat, but the LDAP config was one of the worst for me.

Now I have the LDAP sync, client list and LDAP auth working. But in my client list every item in AD appears (servers, PCs, users, groups, etc.). I cannot filter this information so that I only get users. This is my Config.pm:


# --
# Copyright (C) 2001-2017 xxx, http://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
#  Note:
#
#  -->> Most OTRS configuration should be done via the OTRS web interface
#       and the SysConfig. Only for some configuration, such as database
#       credentials and customer data source changes, you should edit this
#       file. For changes do customer data sources you can copy the definitions
#       from Kernel/Config/Defaults.pm and paste them in this file.
#       Config.pm will not be overwritten when updating OTRS.
# --

package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #

    # The database host
    $Self->{'DatabaseHost'} = '127.0.0.1';

    # The database name
    $Self->{'Database'} = "*********";

    # The database user
    $Self->{'DatabaseUser'} = "IT";

    # The password of database user. You also can use bin/otrs.Console.pl Maint::Database::PasswordCrypt
    # for crypted passwords
    $Self->{'DatabasePw'} = '*********';

    # The database DSN for MySQL ==> more: "perldoc DBD::mysql"
    $Self->{'DatabaseDSN'} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost}";

    # The database DSN for PostgreSQL ==> more: "perldoc DBD::Pg"
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a TCP/IP connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # The database DSN for Microsoft SQL Server - only supported if OTRS is
    # installed on Windows as well
#    $Self->{DatabaseDSN} = "DBI:ODBC:driver={SQL Server};Database=$Self->{Database};Server=$Self->{DatabaseHost},1433";

    # The database DSN for Oracle ==> more: "perldoc DBD::oracle"
#    $Self->{DatabaseDSN} = "DBI:Oracle://$Self->{DatabaseHost}:1521/$Self->{Database}";
#
#    $ENV{ORACLE_HOME}     = '/path/to/your/oracle';
#    $ENV{NLS_DATE_FORMAT} = 'YYYY-MM-DD HH24:MI:SS';
#    $ENV{NLS_LANG}        = 'AMERICAN_AMERICA.AL32UTF8';

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = '/opt/otrs';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    # end of your own config options!!!                    #

# This is an example configuration for using an MS AD backend
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'xxx.xxx.x.xxx';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=********,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
 
    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    #$Self->{'AuthModule::LDAP::GroupDN'} = 'OU=Users,OU=SITE,OU=XXX,DC=*******,DC=com';
    #$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    #$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
 
    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'otrs_ldap@domain.com';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = '*********';
 
    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
 
    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '';
 
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
        sscope => 'sub',
    };
 
    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'xxx.xxx.x.xxx';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=******, dc=com';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'otrs_ldap@domain.com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '********';
 
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
 
    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'customer_user',
    ];

    # Enable LDAP authentication for Customers / Users
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'xxx.xxx.x.xxx';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain, dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';


    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs_ldap@domain.com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '********';

    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
       Module => 'Kernel::System::CustomerUser::LDAP',
       Params => {
          Host => 'server.domain.com',
          BaseDN => 'OU=XXX,DC=********,DC=com',
          SSCOPE => 'sub',
          UserDN =>'otrs_ldap@domain.com',
          UserPw => '********',
       },

       # customer unique id
       CustomerKey => 'sAMAccountName',
       # customer #
       CustomerID => 'mail',
       CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
       CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
       CustomerUserSearchPrefix => '',
       CustomerUserSearchSuffix => '*',
       CustomerUserSearchListLimit => 250,
       CustomerUserPostMasterSearchFields => ['mail'],
       CustomerUserNameFields => ['givenname', 'sn'],
       Map => [
          # note: Login, Email and CustomerID needed!
          # var, frontend, storage, shown, required, storage-type
          #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
          [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
          [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
          [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
          [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
          [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
          [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
          #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
          #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
       ],
    };


    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #

use Kernel::Config::Defaults; # import Translatable()
use base qw(Kernel::Config::Defaults);

# -----------------------------------------------------#

1;
The info it brings back is this:
LDAP Info.PNG
I can't see my error. Can you help me?

Thanks in advance.

Best regards.
Facundo
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: LDAP brings the whole tree of AD objects (Users, PCs, etc.)

Post by root »

I recommend adding AlwaysFilter in the CustomerUser part. Something like (mail=*)
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes?
facundocaballe
Znuny newbie
Posts: 12
Joined: 27 Mar 2017, 22:07
Znuny Version: OTRS5
Real Name: Facundo Caballe
Company: Yagmour

Re: LDAP brings the whole tree of AD objects (Users, PCs, etc.)

Post by facundocaballe »

Root.
First of all, thanks for the quick response.

I did this:

# CustomerUser
# (customer user database backend and settings)
$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host => 'server.domain.com',
        BaseDN => 'OU=XXX,DC=********,DC=com',
        SSCOPE => 'sub',
        UserDN => 'otrs_ldap@domain.com',
        UserPw => '********',
        AlwaysFilter => '(objectclass=user)',
    },
    # ... CustomerKey, CustomerID, Map, etc. unchanged from the first post
};

But it did not work. It still brings me servers. Can I use this filter with some security group?
For example, group "OTRS_Users" in this AD path: "CN=OTRS_Users,OU=OTRS_GROUPS,OU=GROUPS,OU=xxx,DC=domain,DC=com".

Thanks in advance!
Best Regards.
Facundo
wurzel
Znuny guru
Posts: 3224
Joined: 08 Jul 2010, 22:25
Znuny Version: x.x.x
Real Name: Florian

Re: LDAP brings the whole tree of AD objects (Users, PCs, etc.)

Post by wurzel »

Hi,

try an additional filter
mail=*
or sn=*

or similar
OTRS 8 SILVER (Prod)
OTRS 8 on Debian 11 (Test)
Znuny 7.x latest version testing on Debian 11

-- I do not answer forum questions by PM - No PM please

I won't answer unfriendly users any more. A greeting and regards are just polite.
facundocaballe
Znuny newbie
Posts: 12
Joined: 27 Mar 2017, 22:07
Znuny Version: OTRS5
Real Name: Facundo Caballe
Company: Yagmour

Re: LDAP brings the whole tree of AD objects (Users, PCs, etc.)

Post by facundocaballe »

Wurzel.

Thanks for the response.

Would the correct sentence be AlwaysFilter => '(objectclass=user)(mail=*)(sn=*)',?

Otherwise, what is the correct form?

Thanks in advance.
Best Regards.
Facundo
facundocaballe
Znuny newbie
Posts: 12
Joined: 27 Mar 2017, 22:07
Znuny Version: OTRS5
Real Name: Facundo Caballe
Company: Yagmour

Re: LDAP brings the whole tree of AD objects (Users, PCs, etc.)

Post by facundocaballe »

Guys.

I tried the way Wurzel says, and it works.

AlwaysFilter => '(objectclass=user)(mail=*)' <--- Only users, with assigned mails.

Now, can I do the same with users in a specific group? What would be the correct sentence to do it?

Thanks for everything.

Greetings.
Facundo
facundocaballe
Znuny newbie
Posts: 12
Joined: 27 Mar 2017, 22:07
Znuny Version: OTRS5
Real Name: Facundo Caballe
Company: Yagmour

Re: LDAP brings the whole tree of AD objects (Users, PCs, etc.)

Post by facundocaballe »

Hi all!

Well, you can mark this post as solved. Even though I don't know yet how to filter by a group, the info that Wurzel and root gave me works fine.

Thank you all, guys!
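Two things in this thread are worth seeing in working code: why `(objectclass=user)` on its own still returned servers (in Active Directory a computer object carries objectClass `user` as well as `computer`), and how the AlwaysFilter terms combine, including the group filter the last post asked about. The script below is an added example, not code from the thread or from OTRS/Znuny. It builds the filter the way the customer backend does (search term ANDed with AlwaysFilter, which is why the concatenated `(objectclass=user)(mail=*)` works) and evaluates it against a small constructed directory; the entries, DNs and logins are invented, the group DN is the one quoted in the thread, and the `memberOf` attribute is AD's back-link for direct group membership.

```python
"""Evaluate AD-style LDAP filters against a constructed sample directory.

Added example (not from the thread or from OTRS/Znuny). Supports the RFC 4515
subset used here: (&..), (|..), (!..), attr=value and presence attr=*.
"""

# Group DN quoted in the thread; all other entries below are constructed.
OTRS_GROUP_DN = "CN=OTRS_Users,OU=OTRS_GROUPS,OU=GROUPS,OU=xxx,DC=domain,DC=com"

SAMPLE_DIRECTORY = {  # DN -> {attribute: [values]}
    "CN=Facundo Caballe,OU=XXX,DC=domain,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["fcaballe"],
        "sn": ["Caballe"],
        "mail": ["fcaballe@domain.com"],
        "memberOf": [OTRS_GROUP_DN],
    },
    "CN=Jane Doe,OU=XXX,DC=domain,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jdoe"],
        "sn": ["Doe"],
        "mail": ["jdoe@domain.com"],
    },
    # Service account: a user object that has no mail attribute.
    "CN=otrs_ldap,OU=XXX,DC=domain,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["otrs_ldap"],
        "sn": ["ldap"],
    },
    # AD computer objects carry objectClass 'user' as well as 'computer',
    # which is why '(objectclass=user)' alone still lists servers.
    "CN=SRV01,OU=XXX,DC=domain,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "sAMAccountName": ["SRV01$"],
    },
    OTRS_GROUP_DN: {
        "objectClass": ["top", "group"],
        "sAMAccountName": ["OTRS_Users"],
        "member": ["CN=Facundo Caballe,OU=XXX,DC=domain,DC=com"],
    },
}


def parse_filter(text: str):
    """Parse a filter string into a tree of ('&'|'|'|'!', children) or ('=', attr, value)."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at position {pos}")
    return node


def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at position {i}")
        return (op, children), i + 1
    j = s.index(")", i)
    attr, sep, value = s[i:j].partition("=")  # first '=' only, so DN values survive
    if not attr or not sep:
        raise ValueError(f"bad simple filter: {s[i:j]!r}")
    return ("=", attr.lower(), value), j + 1


def matches(node, entry: dict) -> bool:
    """True if the entry satisfies the filter tree (attribute names case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if value == "*":  # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def otrs_search_filter(search_term: str, key_attr: str, always_filter: str) -> str:
    """Mirror the backend: the search term ANDed with AlwaysFilter, so every
    concatenated AlwaysFilter term must hold."""
    return f"(&({key_attr}={search_term}){always_filter})"


def customer_list(always_filter: str, directory: dict = SAMPLE_DIRECTORY) -> list:
    """Logins returned for a wildcard search (prefix '', suffix '*') with this AlwaysFilter."""
    tree = parse_filter(otrs_search_filter("*", "sAMAccountName", always_filter))
    return sorted(e["sAMAccountName"][0] for e in directory.values() if matches(tree, e))


if __name__ == "__main__":
    for f in ["", "(objectclass=user)", "(objectclass=user)(mail=*)",
              f"(objectclass=user)(mail=*)(memberOf={OTRS_GROUP_DN})"]:
        print(f"AlwaysFilter => '{f}'\n    -> {customer_list(f)}")
```

The group filter works through `memberOf`, which only reflects direct membership; users who reach OTRS_Users via a nested group would not match it, and this toy evaluator does not implement AD's chained-membership matching rule. Whichever AlwaysFilter you settle on, it is worth running the same wildcard search with `ldapsearch` against the real directory and checking that the computer and group objects are gone before trusting the customer list.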