I am using OTRS 5 and I am using LDAP authentification for the agents.
I am using 2 AD Groups and I would like to set them separate roles.
I have read info on the internet but it seems it`s not working.
I will atach my code to be more clear.
Code: Select all
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'xxx';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=xxx,DC=xxx,DC=xxx';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=Groups1,OU=Securitygroups,OU=xxx,DC=xxx,DC=xxx,DC=xxx';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'xxx';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxx';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
sscope => 'sub'
};
# This is an example configuration for using an MS AD backend
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'xxx';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=xxx,DC=xxx,DC=xxx';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=Group2,OU=Securitygroups,OU=xxx,DC=xxx,DC=xxx,DC=xxx';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'xxx';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'xxx';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter1'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
sscope => 'sub'
};
# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'xxx';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=xxx,DC=xxx,DC=xxx';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'xxx';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users',
];
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
'CN=Group1,OU=Securitygroups,OU=xxx,DC=xxx,DC=xxx,DC=xxx' => {
# OTRS role
'Test' => 1,
'Test2'=> 0,
},
'CN=Group2,OU=Securitygroups,OU=xxx,DC=xxx,DC=xxx,DC=xxx' => {
# OTRS role
'Test' => 0,
'Test2'=> 1,
}
};
Thank you.