Hi,
I have been trying to get group authentication working against Active Directory and have read all the posts I could find in the archives but to no avail. I ended up digging in the Perl scripts to try and find out how it was done. The suggested lines that need to go into the Config.pm file are:

    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow_A, ou=posixGroups, dc=example, dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

However, I always got a group not found error. The LDAP auth script looks for user members in the definition of the group. Once I found that out, I went and did a dump of the Active Directory and looked in the definition of my group; then it was obvious. Microsoft AD groups don't have "memberUid", only "member". By changing the above to:

    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow_A, ou=posixGroups, dc=example, dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

it now all works and I can block users by dropping their membership in the "otrsallow" group.

Someone suggested commenting out

    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';

as a solution, but as far as I can tell (and please keep in mind I'm very green in Perl and LDAP), that essentially bypasses any comparisons to members in the "otrsallow" group, thus authenticating everyone regardless of membership.

As I said, I'm no Perl expert, but this definitely works (Win 2003 SBS); maybe someone in the OTRS team can explain this better.

Cheers,
Remek.
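
Added example, not part of the original post and not OTRS source code: a simplified Perl model of the group check the post describes, run against the three configurations it mentions. The directory entry, the user DNs and the group_check helper are constructed for illustration, and the 'skipped' result for a missing AccessAttr is an assumption that follows the poster's reading of the auth script.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $GROUP_DN = 'cn=otrsallow_A, ou=posixGroups, dc=example, dc=com';

# Constructed AD-style group entry: membership is held in "member" as full DNs.
my %directory = (
    $GROUP_DN => { member => ['cn=alice, ou=Users, dc=example, dc=com'] },
);

# Simplified model of the group check (an assumption, not OTRS source).
# Returns 'allow', 'deny', or 'skipped' when no comparison is configured.
sub group_check {
    my ($config, $user_dn) = @_;
    my $group_dn = $config->{'AuthModule::LDAP::GroupDN'};
    my $attr     = $config->{'AuthModule::LDAP::AccessAttr'};

    # Nothing to compare against: the group restriction is not applied at all.
    return 'skipped' unless defined $group_dn && defined $attr;

    my $group  = $directory{$group_dn} or return 'deny';
    my $values = $group->{$attr} || [];    # the AD entry has no memberUid values
    return ( grep { lc($_) eq lc($user_dn) } @$values ) ? 'allow' : 'deny';
}

my @cases = (
    [ 'AccessAttr = memberUid',   { 'AuthModule::LDAP::GroupDN'    => $GROUP_DN,
                                    'AuthModule::LDAP::AccessAttr' => 'memberUid' } ],
    [ 'AccessAttr = member',      { 'AuthModule::LDAP::GroupDN'    => $GROUP_DN,
                                    'AuthModule::LDAP::AccessAttr' => 'member' } ],
    [ 'AccessAttr commented out', { 'AuthModule::LDAP::GroupDN'    => $GROUP_DN } ],
);

# Hypothetical users: alice is in the group, bob is not.
my @users = ( 'cn=alice, ou=Users, dc=example, dc=com',
              'cn=bob, ou=Users, dc=example, dc=com' );

for my $case (@cases) {
    my ($label, $config) = @$case;
    for my $user_dn (@users) {
        printf "%-26s %-40s %s\n", $label, $user_dn, group_check($config, $user_dn);
    }
}
```

A 'skipped' result means the login depends on the password alone, so after any change to these settings it is worth testing with an account that is deliberately outside the group.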