Hi Bernd, if you ONLY want to connect LDAP, you have to comment out the first part, see the example. I have marked the changes you need to make in bold.

Nothing is "compared"; the value is taken over according to the field. The user's mail address is used as the customer number, which makes sense insofar as it lets you differentiate between the users here. You can see which fields are taken from where in the last block.

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'IPADRESSE';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=DOMAIN,DC=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=USER,CN=Users,DC=DOMAIN,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'PASSWORD';

# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'IPADRESSE';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=DOMAIN,DC=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=USER,CN=Users,DC=DOMAIN,DC=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'PASSWORD';

# CustomerUser
# (customer user database backend and settings)
# $Self->{CustomerUser} = {
#     Name => 'Datenbank',
#     Module => 'Kernel::System::CustomerUser::DB',
#     Params => {
#         Table => 'customer_user',
#         # to use an external database
#         # DSN => 'DBI:odbc:yourdsn',
#         # DSN => 'DBI:mysql:database=customerdb;host=customerdbhost',
#         # User => '', Password => '',
#     },
#     # customer uniq id
#     CustomerKey => 'login',
#     CustomerID => 'customer_id',
#     CustomerValid => 'valid_id',
#     CustomerUserListFields => ['first_name', 'last_name', 'email'],
#     # CustomerUserListFields => ['login', 'first_name', 'last_name', 'customer_id', 'email'],
#     CustomerUserSearchFields => ['login', 'last_name', 'customer_id'],
#     CustomerUserSearchPrefix => '',
#     CustomerUserSearchSuffix => '*',
#     CustomerUserSearchListLimit => 250,
#     CustomerUserPostMasterSearchFields => ['email'],
#     CustomerUserNameFields => ['salutation', 'first_name', 'last_name'],
#     ReadOnly => 1,
#     Map => [
#         # note: Login, Email and CustomerID needed!
#         # var, frontend, storage, shown, required, storage-type, http-link
#         [ 'UserSalutation', 'Salutation', 'salutation', 1, 0, 'var' ],
#         [ 'UserFirstname', 'Firstname', 'first_name', 1, 1, 'var' ],
#         [ 'UserLastname', 'Lastname', 'last_name', 1, 1, 'var' ],
#         [ 'UserLogin', 'Login', 'login', 1, 1, 'var' ],
#         [ 'UserPassword', 'Password', 'pw', 0, 1, 'var' ],
#         [ 'UserEmail', 'Email', 'email', 0, 1, 'var' ],
#         [ 'UserCustomerID', 'CustomerID', 'customer_id', 0, 1, 'var' ],
#         [ 'UserComment', 'Comment', 'comments', 1, 0, 'var' ],
#         [ 'ValidID', 'Valid', 'valid_id', 0, 1, 'int' ],
#     ],
# };

# CustomerUser1
# (customer user ldap backend and settings)
$Self->{CustomerUser1} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'IPADRESSE',
        # ldap base dn
        BaseDN => 'DC=DOMAIN,DC=local',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'CN=USER,CN=Users,DC=DOMAIN,DC=local',
        UserPw => 'password',
        AlwaysFilter => '',
        SourceCharset => 'utf-8',
        DestCharset => 'utf-8',
    },
    # customer uniq id
    CustomerKey => 'sAMAccountName',
    # customer
    # CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
};

From: Bernd Nachtigall <bna...@web.de>
To: otrs-de@otrs.org
Date: 27.04.2010 07:24
Subject: Re: [otrs-de] AGENT - LDAP

Hi,
does nobody have an idea? Did I write it in too complicated a way, is information missing, or what did I do wrong that there is no reaction at all?

Bye
Bernd

============================================================
Hello everyone,
I am trying to configure agent authentication via LDAP. Apparently for lack of sufficient Perl knowledge I am running into some problems with it and would ask for some tutoring. Unfortunately the admin documentation is not sufficient for me, and I cannot find anything corresponding in the developer documentation.

* How does authentication via LDAP work? Apparently the DB is needed as well.
* Which attributes of which objects are compared with what?
* messages says:
OTRS-CGI-10[29564]: [Error][Kernel::System::Auth::LDAP::Auth][Line:276]: Search failed! base='cn=otrsagent,ou=Abt,o=company', filter='(member=testuser)', Success
- Failed and Success in one message!?!?
- member=testuser? But the member attribute of the group contains: 'cn=testuser,ou=Abt,o=company'; 'testuser' would be the uid.

==========================
System:
- The LDAP host is eDir (NOT MAD!)
- The DB (MySQL) is on a remote host but seems to work (it works without LDAP)

Many thanks for your support
Bye
Bernd

From here on follow excerpts from config.pm, messages and the results of the ldap queries.
==========================
Config.pm:
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.tld';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Abt,o=company';
$Self->{'AuthModule::LDAP::UID'} = 'uid';   <= What should go here? What is this entry for?
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsagent,ou=Abt,o=company';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';   <= What should go here? What is this entry for?
# for ldap posixGroups objectclass (just uid)
$Self->{'AuthModule::LDAP::UserAttr'} = 'entryDN';   <= What should go here? What is this entry for?
# for non ldap posixGroups objectclass (with full user dn)
#$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';   <= What should go here? What is this entry for?
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=ldapproxy,o=company';
#$Self->{'AuthModule::LDAP::SearchUserPw'} = '';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists u...@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
#
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldap.domain.tld/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'ou=Abt,o=company';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=ldapproxy,o=company';
#$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'some_pass';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
    Phone => 'telephoneNumber',
    Username => 'uid',
    comment => 'description',
};

==========================
Output of messages:
OTRS-CGI-10[29564]: [Error][Kernel::System::Auth::LDAP::Auth][Line:276]: Search failed! base='cn=otrsagent,ou=Abt,o=company', filter='(member=testuser)', Success
OTRS-CGI-10[29564]: [Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for 'testuser'!

==========================
Result of a query via ldapsearch:

For the user:
dn: cn=testuser,ou=Abt,o=company
homeDirectory: /home/testuser
mail: testu...@domain.tld
uid: testuser
eMailAddress: testu...@domain.tld

For the group:
dn: cn=otrsagent,ou=Abt,o=company
objectClass: groupOfNames
objectClass: top
member: cn=testuser,ou=Abt,o=company
description:

---------------------------------------------------------------------
OTRS mailing list: otrs-de - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs-de
To unsubscribe: http://lists.otrs.org/mailman/listinfo/otrs-de
NEW! ENTERPRISE SUBSCRIPTION - Find out more and book NOW!
http://www.otrs.com/de/support/enterprise-subscription/
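To see why the logged filter '(member=testuser)' finds nothing in a groupOfNames group whose member values are full DNs, here is an added Python model of the group check; it is not code from OTRS or from this thread. It assumes, as the Config.pm comments above suggest, that OTRS searches GroupDN for AccessAttr equal to the bare login unless UserAttr is 'DN', in which case it uses the user's DN; the directory entries are constructed from the ldapsearch output quoted above.

```python
import re

# Directory content, constructed from the two ldapsearch results quoted in the thread
# (the truncated mail addresses are left out).
DIRECTORY = {
    "cn=testuser,ou=Abt,o=company": {"uid": ["testuser"]},
    "cn=otrsagent,ou=Abt,o=company": {
        "objectClass": ["groupOfNames", "top"],
        "member": ["cn=testuser,ou=Abt,o=company"],
    },
}

def escape_filter_value(value):
    """RFC 4515 escaping: a login or DN must not be able to alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_group_filter(access_attr, user_attr, login, user_dn):
    """Assumed OTRS rule: UserAttr 'DN' searches for the user's full DN (groupOfNames);
    any other value (UID, or Bernd's 'entryDN') searches for the bare login (posixGroup)."""
    value = user_dn if user_attr == "DN" else login
    return "(%s=%s)" % (access_attr, escape_filter_value(value))

def search_equality(directory, base_dn, ldap_filter):
    """Minimal evaluator for one (attr=value) filter below base_dn; attribute names and
    DN values are compared case-insensitively, as a directory server would."""
    attr, _, raw = ldap_filter.strip("()").partition("=")
    wanted = unescape_filter_value(raw).lower()
    hits = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        for name, values in attrs.items():
            if name.lower() == attr.lower() and wanted in [v.lower() for v in values]:
                hits.append(dn)
    return hits

def group_check(user_attr):
    """Run Bernd's GroupDN/AccessAttr settings with a given UserAttr; returns (filter, hits)."""
    flt = build_group_filter("member", user_attr, "testuser", "cn=testuser,ou=Abt,o=company")
    return flt, search_equality(DIRECTORY, "cn=otrsagent,ou=Abt,o=company", flt)

if __name__ == "__main__":
    for setting in ("entryDN", "DN"):
        print(setting, "->", group_check(setting))
```

With 'entryDN' the model reproduces the filter from the log and returns no group; with 'DN' the same group entry matches.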