Great program!

OTRS 1.3.2
CentOS 3.3
Perl 5.8.0-88.7
Apache 2.0.46-40.ent.centos.1
Kernel 2.4.21-20.EL.c0
Windows 2000 Active Directory
Nutshell: Active Directory authentication is working but I cannot exclude users from logging into the Agent area.

Details: I followed this documentation:
http://otrs.mirror.netmonic.com/misc/doc/cvs/en/html/ldap-integration.html

I added these lines to Config.pm:

=================================
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '<domain controller>';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example, dc=com';
### I changed the name of the domain to example.com ###
### to protect the innocent ###
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=<OTRS username>,OU=<its OU>,DC=example,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '<password>';

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '<domain controller>';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=example, dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=<OTRS username>,OU=<its OU>,DC=example,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '<password>';

$Self->{CustomerUser} = {
    Name => 'Active Directory',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host => '<domain controller>',
        BaseDN => 'dc=example, dc=com',
        SSCOPE => 'sub',
        UserDN => 'CN=<OTRS username>,OU=<its OU>,DC=example,DC=com',
        UserPw => '<password>',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
        # [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        # [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        # [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
};
==========================================================

Any user can log into the Agent area. As far as I can tell, they don't have rights to do anything, but even so I don't want them going there. So I added these lines:

$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=<group>, ou=<its OU>, dc=example, dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
#$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

No good. I cannot log in even though my account is in that group. I tried commenting the UID line and commenting the DN line, no good. Ideas?

The documentation says to create a posixGroup but there's no such beast in Active Directory. I used a standard Global group.

CD

_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Support or consulting for your OTRS system? => http://www.otrs.de/
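As an added example (not from the post above and not OTRS code), the following Python models the membership check that the GroupDN, AccessAttr and UserAttr settings drive, assuming the auth module searches under GroupDN for a filter of the form (AccessAttr=value), where value is the user's DN when UserAttr is 'DN' and the login name when it is 'UID'. An Active Directory group stores its members as DNs in the 'member' attribute, while 'memberUid' holds login names and exists only on a posixGroup, so each AccessAttr/UserAttr pairing is run against a constructed entry of both kinds; the group entries and the user are made up for the example.

```python
# Added example, not from the original post or from OTRS: an offline emulation of
# the group-membership lookup assumed to be "search under GroupDN for
# (AccessAttr=<value>)", with <value> the user's DN (UserAttr 'DN') or login
# name (UserAttr 'UID').

def normalize_dn(dn):
    """Canonicalise a DN: components compare case-insensitively and
    whitespace around the separating commas is not significant."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def build_filter(access_attr, value):
    """The search filter the module would send, with RFC 4515 escaping of
    the characters that are special inside a filter assertion value."""
    escaped = (value.replace("\\", r"\5c").replace("*", r"\2a")
                    .replace("(", r"\28").replace(")", r"\29"))
    return "(%s=%s)" % (access_attr, escaped)

def group_allows(group, access_attr, user_attr, user):
    """True if the group entry (dict of attribute -> list of values) lists,
    under access_attr, the user's DN (user_attr 'DN') or login (user_attr 'UID')."""
    if user_attr == "DN":
        wanted = normalize_dn(user["dn"])
        hits = [v for v in group.get(access_attr, []) if normalize_dn(v) == wanted]
    else:
        wanted = user["uid"].lower()
        hits = [v for v in group.get(access_attr, []) if v.lower() == wanted]
    return bool(hits)

# Constructed sample entries: an AD global group keeps member DNs in 'member';
# a posixGroup keeps login names in 'memberUid'.
AD_GROUP = {
    "objectClass": ["top", "group"],
    "cn": ["OTRS Agents"],
    "member": ["CN=Carol Dee,OU=Staff,DC=example,DC=com"],
}
POSIX_GROUP = {
    "objectClass": ["top", "posixGroup"],
    "cn": ["otrs-agents"],
    "memberUid": ["cdee"],
}
# Constructed user; the DN uses the spaced, lower-case style seen in the post's config.
USER = {"dn": "cn=carol dee, ou=staff, dc=example, dc=com", "uid": "cdee"}

if __name__ == "__main__":
    for label, group in (("AD group", AD_GROUP), ("posixGroup", POSIX_GROUP)):
        for access_attr, user_attr in (("memberUid", "DN"), ("memberUid", "UID"), ("member", "DN")):
            allowed = group_allows(group, access_attr, user_attr, USER)
            print("%-10s %-40s -> %s" % (label, build_filter(access_attr,
                  USER["dn"] if user_attr == "DN" else USER["uid"]), allowed))
```

Running it shows the post's pairing (memberUid with DN) matching neither kind of group, while member with DN matches the AD group and memberUid with UID matches only the posixGroup.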