I would like to introduce OTRS at my company and am currently evaluating the current release for Windows (v3.0.10). So you can guess me being completely clueless atm
I searched this forum quite while but couldn't find a solution for my problem...which is using user accounts from my AD to specify agents and customers for OTRS. After trying to setup my goal using the frontend (which wouldn't succeed), I tried to edit the "C:\Program Files\OTRS\OTRS\Kernel\Config.pm" manually which didn't lead to any changes at all: auth with AD-Users doesn't work.
I'd like to show you my config, please do a short check if I miss something crucial:
Code: Select all
#LDAP-Access for Agents
#==============================================================
#Enable LDAP authentication for Customers / Users
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'DC02.tech.emea.XYZ.biz';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=tech,DC=emea,DC=XYZ,DC=biz';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
#Add the following lines when only users are allowed to login if they reside in the spicified security group
#Remove these lines if you want to provide login to all users specified in the User Base DN
$Self->{'AuthModule::LDAP::GroupDN'} ='CN=ADMINS,OU=Global_Universell Groups,OU=Groups,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUID';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
#The following is valid but would only be necessary if the
#anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS-SEARCH,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
# port => 389,
port => 3268,
timeout => 120,
async => 0,
version => 3,
};
# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'DC02.tech.emea.XYZ.biz';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=tech,DC=emea,DC=XYZ,DC=biz';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=OTRS-SEARCH,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'ADMINS',
];
#LDAP-Access for Customers
#==============================================================
# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'DC02.tech.emea.XYZ.biz';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=tech,DC=emea,DC=XYZ,DC=biz';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=DOMAINUSERS,OU=Global_Universell Groups,OU=Groups,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUID';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS-SEARCH,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
# port => 389,
port => 3268,
timeout => 120,
async => 0,
version => 3,
};
# CustomerUser
# (customer user ldap backend and settings)
$Self->{CustomerUser} = {
Name => 'LDAP Data Source',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
# ldap host
Host => 'DC02.tech.emea.XYZ.biz',
# ldap base dn
BaseDN => 'DC=tech,DC=emea,DC=XYZ,DC=biz',
# search scope (one|sub)
SSCOPE => 'sub',
# # The following is valid but would only be necessary if the
# # anonymous user does NOT have permission to read from the LDAP tree
UserDN => 'CN=OTRS-SEARCH,OU=Users,OU=123,DC=tech,DC=emea,DC=XYZ,DC=biz',
UserPw => 'password',
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
AlwaysFilter => '(objectclass=user)',
# if your frontend is e. g. iso-8859-1 and the charset of your
# ldap server is utf-8, use these options.
# SourceCharset => 'utf-8',
# DestCharset => 'iso-8859-1',
# if both your frontend and your LDAP are unicode, use this:
SourceCharset => 'utf-8',
DestCharset => 'utf-8',
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
Params => {
# port => 389,
port => 3268,
timeout => 120,
async => 0,
version => 3,
},
},
ReadOnly => 1,
# customer unique id
CustomerKey => 'sAMAccountName',
# customer #
CustomerID => 'mail',
CustomerUserListFields => ['cn', 'mail'],
CustomerUserSearchFields => ['cn', 'givenname', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
# show not own tickets in customer panel, CompanyTickets
CustomerUserExcludePrimaryCustomerID => 0,
# add an ldap filter for valid users (expert setting)
# CustomerUserValidFilter => '(!(description=locked))',
# administrator can't change customer preferences
AdminSetPreferences => 0,
# # cache time to live in sec. - cache any database queries
CacheTTL => 120,
Map => [
# note: Login, Email and CustomerID are mandatory!
# if you need additional attributes from AD, just map them here.
# var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
# [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
# [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephoneNumber', 1, 0, 'var', '', 0 ],
# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
# [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
[ 'UserMobile', 'Mobile', 'mobile', 1, 0, 'var', '', 0 ],
[ 'UserRoom', 'Room', 'physicalDeliveryOfficeName', 1, 0, 'var', '', 0 ],
],
};
$Self->{'AuthSyncModule::LDAP::Params'} = {
port => 3268,
timeout => 120,
async => 0,
version => 3,
};
Best Regards,
Chris