Here is my configuration file for an Active Directory environment; this is 
working for me... please add this data to your Kernel.pm file and modify 
the data marked with RED and BOLD in this mail with your Active Directory 
configuration data...

Actually I have two security groups, one for AGENTS (OTRS_AGENT_ALLOW) and the 
other for CUSTOMERS (OTRS_CUSTOMERS_ALLOW); please create these groups and add 
the users to them...

My OTRS User is a user with administrative privileges; this is used to access 
Active Directory data...

I hope this information is useful for you...

#Enable LDAP authentication for Customers / Users
  $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
  $Self->{'AuthModule::LDAP::Host'} = 'pdc.domain.com';
  $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Users,dc=domain,dc=com';
  $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

#The following is valid but would only be necessary if the
#anonymous user does NOT have permission to read from the LDAP tree
  $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS User,ou=Users,dc=domain,dc=com';
  $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

#CustomerUser
#(customer user database backend and settings)
  $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
  $Self->{'Customer::AuthModule::LDAP::Host'} = 'svrmaster.bmartgroup.com';
  $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Usuarios,dc=bmartgroup,dc=com';
  $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
  $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS User,ou=Users,dc=domain,dc=com';
  $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'Password';

  $Self->{CustomerUser} = {
    Name => 'LDAP Customers',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
      Host => 'pdc.domain.com',
      BaseDN => 'ou=Users,dc=domain,dc=com',
      SSCOPE => 'sub',
      UserDN => 'cn=OTRS User,ou=Users,dc=domain,dc=com',
      UserPw => 'password',
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
      #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
      [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
      #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
      #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
  };

# UserSyncLDAPMap
# (map if agent should create/synced from LDAP to DB after login)
  $Self->{UserSyncLDAPMap} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
  };

# UserSyncLDAPGroups
# (If "LDAP" was selected for AuthModule, you can specify
# initial user groups for first login.)
  $Self->{UserSyncLDAPGroups} = [
    'OTRS_CUSTOMERS_ALLOW',
  ];

# UserTable
  $Self->{DatabaseUserTable} = 'users';
  $Self->{DatabaseUserTableUserID} = 'id';
  $Self->{DatabaseUserTableUserPW} = 'pw';
  $Self->{DatabaseUserTableUser} = 'login';

# Restrict customer logins to members of the OTRS_CUSTOMERS_ALLOW group
  $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS_CUSTOMERS_ALLOW,ou=Users,dc=domain,dc=com';
  $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
  $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# Restrict agent logins to members of the OTRS_AGENT_ALLOW group
  $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_AGENT_ALLOW,ou=Users,dc=domain,dc=com';
  $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
  $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';


Luis Rodriguez
IT Manager
BMART S.A.
Guatemala C.A.
Email: lrodrig...@bmartgroup.com
Msn: luisgrodrig...@hotmail.com

Please consider the environment before printing this email.

 

 

From: otrs-boun...@otrs.org [mailto:otrs-boun...@otrs.org] On behalf of Davin 
Taddeo
Sent: Wednesday, 06 May 2009 07:43 a.m.
To: User questions and discussions about OTRS.
Subject: Re: [otrs] Newbie : OTRS on CentOS authenticating on Win2K3 LDAP

 

That's honestly one that I don't know the answer to.  Here's a php script I use 
to make sure that I can connect and query the AD domain controller (you will 
need to be sure that php-ldap is installed):

<?php
    // Base DN to search under, attributes to return, and the filter to apply
    $dn = "basedn";
    $attributes = array("displayname");
    $filter = "(cn=*)";

    $ad = ldap_connect("ldap://domaincontroller")
          or die("Couldn't connect to AD!");

    // Bind with the search user (UPN form user@domain works against AD)
    $bd = ldap_bind($ad, "searchu...@searchdomain", "searchuserpassword")
          or die("Couldn't bind to AD!");

    $result = ldap_search($ad, $dn, $filter, $attributes);
    $entries = ldap_get_entries($ad, $result);

    // $entries["count"] holds the number of entries returned
    for ($i = 0; $i < $entries["count"]; $i++) {
        echo "<p>Name: " . $entries[$i]["displayname"][0] . "<br />";
        echo '&nbsp;<br />';
        echo '&nbsp;<br />';
    }

    ldap_unbind($ad);
?>

If that works, you should be able to see a listing of the display name of all 
of your AD Users.  If that doesn't work, then you may need to look at your 
search user's privileges and the Base DN you're connecting to.  The Global 
Catalog may be important, but as I'm not the AD admin at my shop, I just don't 
know how it's set up.

Also, have you run the CheckModules script that comes with OTRS to make sure 
you have the LDAP module for Perl installed?

Sorry I can't be more helpful than that.

~Davin
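As an added example (not code from either poster), here is a Perl Net::LDAP script that walks the same steps OTRS's Kernel::System::Auth::LDAP takes with the GroupDN/AccessAttr/UserAttr settings in Luis's config above, so the search user's permissions and the group restriction can be checked from the command line the way Davin's PHP script checks connectivity. It uses the same Net::LDAP module OTRS itself uses. Hostnames, DNs, passwords and the group name are placeholders copied from the config above; replace them with your own values.

```perl
#!/usr/bin/perl
# Added example: mimic OTRS's Auth::LDAP agent login check outside the web
# interface. All values below are placeholders from the config above.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my %Cfg = (
    Host         => 'pdc.domain.com',                 # AuthModule::LDAP::Host
    BaseDN       => 'ou=Users,dc=domain,dc=com',      # AuthModule::LDAP::BaseDN
    UID          => 'sAMAccountName',                 # AuthModule::LDAP::UID
    SearchUserDN => 'cn=OTRS User,ou=Users,dc=domain,dc=com',
    SearchUserPw => 'password',
    GroupDN      => 'cn=OTRS_AGENT_ALLOW,ou=Users,dc=domain,dc=com',
    AccessAttr   => 'member',                         # checked with UserAttr => 'DN' semantics
);

# Returns 1 if $login/$password is valid AND the user's DN is listed in the
# group's member attribute; 0 otherwise, with the failing step on STDERR.
sub check_agent_login {
    my ($login, $password) = @_;
    # An empty password turns the final bind into an anonymous bind, which AD
    # reports as success, so it must be rejected before it reaches the server.
    return 0 if !defined $password || $password eq '';

    my $ldap = Net::LDAP->new($Cfg{Host}) or do { warn "connect failed: $@\n"; return 0 };
    my $mesg = $ldap->bind($Cfg{SearchUserDN}, password => $Cfg{SearchUserPw});
    if ($mesg->code) { warn "search-user bind failed: ", $mesg->error, "\n"; return 0 }

    # Escape the login before interpolating it into the filter (filter injection).
    my $filter = sprintf '(%s=%s)', $Cfg{UID}, escape_filter_value($login);
    $mesg = $ldap->search(base => $Cfg{BaseDN}, scope => 'sub', filter => $filter, attrs => ['1.1']);
    if ($mesg->code || $mesg->count != 1) { warn "no unique entry for '$login'\n"; return 0 }
    my $user_dn = ($mesg->entries)[0]->dn;

    # UserAttr => 'DN': the group entry must carry the user's full DN in AccessAttr.
    $mesg = $ldap->search(base => $Cfg{GroupDN}, scope => 'base', attrs => ['1.1'],
        filter => sprintf('(%s=%s)', $Cfg{AccessAttr}, escape_filter_value($user_dn)));
    if ($mesg->code || $mesg->count != 1) { warn "$user_dn not in $Cfg{GroupDN}\n"; return 0 }

    # Only now verify the password, with a bind as the user.
    $mesg = $ldap->bind($user_dn, password => $password);
    $ldap->unbind;
    if ($mesg->code) { warn "password bind failed: ", $mesg->error, "\n"; return 0 }
    return 1;
}

print check_agent_login(@ARGV) ? "access granted\n" : "access denied\n";
```

Run it as `perl check_agent_login.pl <sAMAccountName> <password>`; a failure message names the step (connect, search-user bind, lookup, group membership or password) where the OTRS login would also be failing.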

Jan Vorster wrote: 

Thanks Davin,

 

I've tried it again and it's still not working...

 

I read somewhere that the server hosting the AD must also be a Global 
Catalog... do you know if this is a requirement? Was it the case on your 
configuration?

 

Thanks

Jan

 

>> 

You do not need to have the CentOS box attached to the domain and you will not 
need the Windows Services for Unix/Linux.  Depending on how your AD is set up 
you may need to have a user with administration privileges that can be put into 
the config file to allow OTRS to search the domain for the users.

Here's how I set it up in my config.  It may not be perfect, but it got the job 
done for me, if anybody has a better config to reference that they can post, 
I'm sure I could use some learning too:


  $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
  $Self->{'AuthModule::LDAP::Host'} = 'DomainController';
  $Self->{'AuthModule::LDAP::BaseDN'} = 'Base DN';
  $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

  $Self->{'AuthModule::LDAP::SearchUserDN'} = 'Admin User';
  $Self->{'AuthModule::LDAP::SearchUserPw'} = 'Admin User Password';

  $Self->{UserSyncLDAPGroups} = [
      'users'
  ];

  $Self->{UserSyncLDAPMap} = {
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
  };

# CustomerUser1
# (customer user ldap backend and settings)
  $Self->{CustomerUser1} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
      # ldap host
      Host => 'curley',
      # ldap base dn
      BaseDN => 'Base DN',
      # search scope (one|sub)
      SSCOPE => 'sub',
      # The following is valid but would only be necessary if the
      # anonymous user does NOT have permission to read from the LDAP tree
      UserDN => 'Admin User',
      UserPw => 'Admin User Password',
      AlwaysFilter => '',
      SourceCharset => 'utf-8',
      DestCharset => 'iso-8859-1',
    },
    # customer uniq id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 900,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
      #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
      [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
      [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
      [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
  };



Hope it helps:

~Davin

Jan Vorster wrote: 

Hi all,

 

I've just set up OTRS on my CentOS 5 box and I want it to authenticate the users 
against an Active Directory running on Windows 2003 Server.

 

I've read somewhere that you need to load Windows Services for Linux in order 
to have additional UNIX options on an Active Directory user.

 

I did not read anything about this in the OTRS manual... so I was wondering if 
this is a necessary step.

 

Needless to say that my attempts to log on to the AD from the OTRS web 
interface are failing.

 

 

PS : A second question also... does the CentOS box need to be "on" the domain? 
Is this even possible?

 

Thanks
Jan

 

<< 




---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
