How to configure Ldap Authentication for Azure AD

Dont create your support topics here! No new topics with questions allowed!

Moderator: crythias

Post Reply
OTRS newbie
Posts: 14
Joined: 12 Nov 2018, 16:54
OTRS Version?: 6.0.12
Real Name: Tommy Ballo

How to configure Ldap Authentication for Azure AD

Post by Ballzer0 » 03 Dec 2018, 16:27

STEP ONE: ... ecure-ldap
set up an LDAPS service by following these steps.

Skip this step if you already know the layout of your AD and what the distinguishedName of your relevant OrganisationalUnits and Security Groups are
Use a tool like Apache Directory Studio to figure out the name of your BaseDN and GroupDN(groupDN is only relevant if you want to use a securityGroup)

get certificate from the ldaps server by using this OpenSSL command. if your worried about a trusted connection (spoiler alert. You should!)

Code: Select all

openssl s_client -connect | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem

Below is an Example Configuration for Azure AD.
In theory you should only have to change the first 7 lines to get it to work.
  • host: notice the ldaps:// prefix, and the port suffix.
  • BaseDN: This should be the distinguishedName of your lowest OrganisationalUnit (OU) that contains all your users.
  • GroupDN: This should be the distinguishedName of a Security Group that contains the spesific users that are allowed to sign into OTRS. If you dont want all the users in your OU to be allowed to sign in, comment out the 3 lines in the GroupDN field.
  • BindUser: This should be the username of a user that belongs to the "AAD DC Administrators" in Azure
  • BindPassword: This should be the password to that user.
  • VerifyCertificate: it is set to 'none' to avoid issues during setup. I highly recommend changing it to "require" once your done testing.
  • CertFile: use the .pem file you downloaded in step 3.
If you notice anything thats not working optimal with this settup, please tell me about it.

Code: Select all

    my $Host = 'ldaps://';
    my $BaseDN = 'OU=AADDC Users,DC=domain,DC=com';
    my $GroupDN = 'CN=OTRS-agents,OU=AADDC Users,DC=domain,DC=no';
    my $BindUser = '';
    my $BindPassword = 'Password';
    my $VerifyCertificate = 'none'; # use 'require' if you want otrs to require a spesific certificate.
    my $CertFile = '/path/to/sertificate.pem'; # You can use the commandline tool openssl to convert or download relevant certificate.

    # --------------------------------------------------- #
    # Agent authentication settings                       #
    # (enable agent autentification and where to find     #
    # those agents)                                       #
    # --------------------------------------------------- 
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = $Host;
    $Self->{'AuthModule::LDAP::BaseDN'} = $BaseDN;
    $Self->{'AuthModule::LDAP::UID'} = 'userPrincipalName';

        $Self->{'AuthModule::LDAP::GroupDN'} = $GroupDN;              
        $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';           
        $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';                 

    $Self->{'AuthModule::LDAP::SearchUserDN'} = $BindUser;
    $Self->{'AuthModule::LDAP::SearchUserPw'} = $BindPassword;

    $Self->{'AuthModule::LDAP::Params'} = {
        timeout => 120,
        async   => 0,
        version => 3,
        verify => $VerifyCertificate,
        cafile => $CertFile,
    $Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';

    # --------------------------------------------------- #
    # authentication sync settings                        #
    # (enable agent data sync. after succsessful          #
    # authentication)                                     #
    # --------------------------------------------------- #
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = $Host;
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = $BaseDN;
    $Self->{'AuthSyncModule::LDAP::UID'} = 'userPrincipalName';

    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = $BindUser;
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = $BindPassword;

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'userPrincipalName',

    $Self->{'AuthSyncModule::LDAP::Params'} = {
        timeout => 120,
        async   => 0,
        version => 3,
        verify => $VerifyCertificate,
        cafile => $CertFile,


Post Reply