Agent login via Active Directory

Help with OTRS problems of all kinds
supertuxi
Znuny newbie
Posts: 4
Joined: 18 Jun 2020, 08:10
Znuny Version: 6.0.23
Real Name: Sascha

Agent login via Active Directory

Post by supertuxi »

Hello everyone,

I have installed the OTRS Community Edition and so far it runs without problems.

Now I would like to let the agents log in with their Active Directory data.

I have the AD connection working so far. When I now try to log in the agent, I get the following error:

Code:

"Authentifizierung erfolgreich, aber in der Datenbank wurde kein Eintrag für den Benutzer gefunden. Bitte kontaktieren Sie Ihren Administrator."

I have the following lines in my Config:

Code:

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'LEVDC.xxxxx.xxx';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=xxxxx,DC=xxx';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'OTRS-LDAP@xxxxx.xxx';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxx';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

and then I get the error

Code:

Global symbol "$Self" requires explicit package name (did you forget to declare "my $Self"?) at /opt/otrs/Kernel/Config.pm

Can anyone help me?

Best regards
Markus2020
Znuny newbie
Posts: 39
Joined: 19 Feb 2020, 18:38
Znuny Version: 6.0.24
Real Name: Markus Hofelich
Company: OTEC Präzisionsfinish GmbH

Re: Agent login via Active Directory

Post by Markus2020 »

Hi Sascha,

you have to set up both the authentication and the synchronisation.

Code:

    # ---------------------------------------------------- #
    #                                                      #
    # Agent authentication                                 #
    #                                                      #
    # ---------------------------------------------------- #

    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'XX.DOMAIN.XX';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'OU=XX,OU=XX,DC=XX,DC=XX';
    $Self->{'AuthModule::LDAP::UID'} = 'samaccountname';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
    # $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
    # $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
    # for ldap posixGroups objectclass (just uid)
    # $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
    # for non ldap posixGroups objectclass (with full user dn)
    # $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'USER';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'PW';

    # in case you want to always add one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    # or if you want to filter with a logical OR-expression, like AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(mail=*)';

    # in case you want to add a suffix to each login name, then
    # you can use this option. e. g. the user just wants to type "user" but
    # in your ldap directory "user@domain" exists.
    # $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

    # In case you want to convert all given usernames to lower case you
    # should activate this option. It might be helpful if databases are
    # in use that do not distinguish selects for upper and lower case letters
    # (Oracle, postgresql). Users might be synced twice if this option
    # is not in use.
    # $Self->{'AuthModule::LDAP::UserLowerCase'} = 0;

    # In case you need to use OTRS in an iso charset, you can define this
    # by using this option (converts utf-8 data from LDAP to iso).
    # $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # Die if backend can't work, e. g. can't connect to server.
    $Self->{'AuthModule::LDAP::Die'} = 0;

    # This is the auth. module against the otrs db
    $Self->{AuthModule1} = 'Kernel::System::Auth::DB';

    # ---------------------------------------------------- #
    #                                                      #
    # Agent synchronisation                                #
    #                                                      #
    # ---------------------------------------------------- #

    # This is an example configuration for an LDAP auth sync. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'XX.DOMAIN.XX';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'OU=XX,OU=XX,DC=XX,DC=XX';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'samaccountname';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'USER';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'PW';

    # in case you want to always add one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    # or if you want to filter with a logical OR-expression, like AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
    # $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';

    # AuthSyncModule::LDAP::UserSyncMap
    # (map if agent should be created/synced from LDAP to DB after successful login)
    # you may specify LDAP fields as either
    #  * list, which will check each field. first existing will be picked ( ["givenName","cn","_empty"] )
    #  * name of an LDAP field (may return empty strings) ("givenName")
    #  * fixed strings, prefixed with an underscore: "_test", which will always return this fixed string
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # In case you need to use OTRS in an iso charset, you can define this
    # by using this option (converts utf-8 data from LDAP to iso).
    # $Self->{'AuthSyncModule::LDAP::Charset'} = 'iso-8859-1';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthSyncModule::LDAP::Params'} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # Die if backend can't work, e. g. can't connect to server.
    $Self->{'AuthSyncModule::LDAP::Die'} = 0;

    # Attributes needed for group syncs
    # (attribute name for group value key)
    # $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
    # (attribute for type of group content UID/DN for full ldap name)
    # $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'UID';
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';

    # AuthSyncModule::LDAP::UserSyncRolesDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs roles, define the following.)
    # Each LDAP group needs its own, distinct key: a duplicate key in a
    # Perl hash silently overwrites the earlier one.
    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
        # ldap group
        'CN=ROLLENNAME1,OU=XX,OU=XX,DC=XX,DC=XX' => {
            # otrs role
            'XX' => 1,
        },
        # ldap group
        'CN=ROLLENNAME2,OU=XX,OU=XX,DC=XX,DC=XX' => {
            # otrs role
            'XX' => 1,
        },
    };

You should of course change the fields filled with XX. I have also left the mapping of the security groups in for you at the bottom.
To find the correct BaseDN, I recommend an LDAP browser. Of course, you should also read up on the topic a bit.

Regards
Markus
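
The following script is an added example and is not from this thread or from the OTRS/Znuny project. It reproduces, outside of OTRS, the steps that the LDAP auth backend performs at login, in the same order: bind with the search account, look the login up under BaseDN with UID combined with AlwaysFilter, check GroupDN membership (AccessAttr = member, UserAttr = DN), then bind as the user's own DN. At the end it prints the values that UserSyncMap would write into the agent record, which is exactly what is missing when OTRS reports "authentication successful, but no entry in the database" because only AuthModule and not AuthSyncModule was configured. Host, BaseDN, SearchUserDN and GroupDN are the placeholders from the configuration above, the passwords are read from the environment variables LDAP_SEARCH_PW and LDAP_USER_PW (an assumption of this script, chosen so they do not end up in the shell history), and GroupDN is left empty so the group check is skipped. One side note on the error in the question: in Kernel/Config.pm, `$Self` only exists inside `sub Load`, so lines placed after its closing brace produce exactly that "Global symbol "$Self"" message.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from OTRS/Znuny): check the LDAP
# settings from Kernel/Config.pm with the same steps the OTRS LDAP auth
# backend runs at login. Run on the OTRS host, where Net::LDAP is installed:
#   LDAP_SEARCH_PW=... LDAP_USER_PW=... perl check_ldap_login.pl <login>
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# settings copied from the same keys in Kernel/Config.pm (placeholders kept)
my %Cfg = (
    Host         => 'XX.DOMAIN.XX',                     # AuthModule::LDAP::Host
    BaseDN       => 'OU=XX,OU=XX,DC=XX,DC=XX',           # AuthModule::LDAP::BaseDN
    UID          => 'sAMAccountName',                   # AuthModule::LDAP::UID
    SearchUserDN => 'USER',                             # AuthModule::LDAP::SearchUserDN
    SearchUserPw => $ENV{LDAP_SEARCH_PW} // '',         # assumed env var, not on the command line
    AlwaysFilter => '(mail=*)',                         # AuthModule::LDAP::AlwaysFilter
    GroupDN      => '',                                 # AuthModule::LDAP::GroupDN, empty = no group check
    AccessAttr   => 'member',                           # AuthModule::LDAP::AccessAttr (UserAttr = DN)
    Params       => { port => 389, timeout => 120, version => 3 },   # AuthModule::LDAP::Params
    SyncMap      => { UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail' },
);

my $Login  = shift @ARGV or die "usage: LDAP_SEARCH_PW=... LDAP_USER_PW=... $0 <login>\n";
my $UserPw = $ENV{LDAP_USER_PW} // die "set LDAP_USER_PW to the agent's password\n";

# connect with the same Net::LDAP parameters OTRS passes in ::Params
my $LDAP = Net::LDAP->new( $Cfg{Host}, %{ $Cfg{Params} } )
    or die "connect to $Cfg{Host} failed: $@\n";

# step 1: bind with the search account (anonymous bind if SearchUserDN is empty)
my $Result = $Cfg{SearchUserDN}
    ? $LDAP->bind( $Cfg{SearchUserDN}, password => $Cfg{SearchUserPw} )
    : $LDAP->bind();
die "search-user bind failed: " . $Result->error . "\n" if $Result->code;

# step 2: look the login up under BaseDN. The login is escaped per RFC 4515 so
# a value such as 'a)(objectClass=*' cannot change the filter; the OTRS backend
# escapes the login the same way.
my $Filter = sprintf '(%s=%s)', $Cfg{UID}, escape_filter_value($Login);
$Filter = "(&$Filter$Cfg{AlwaysFilter})" if $Cfg{AlwaysFilter};
$Result = $LDAP->search(
    base   => $Cfg{BaseDN},
    filter => $Filter,
    attrs  => [ values %{ $Cfg{SyncMap} } ],
);
die "search failed: " . $Result->error . "\n" if $Result->code;
my @Entries = $Result->entries;
die "no entry for $Login under $Cfg{BaseDN} with filter $Filter "
  . "(check BaseDN, UID and AlwaysFilter)\n" if !@Entries;
die "filter matches " . scalar(@Entries) . " entries; the login must be unique\n" if @Entries > 1;
my $UserDN = $Entries[0]->dn;
print "found: $UserDN\n";

# step 3: optional group check, AccessAttr=member holding the full user DN (UserAttr=DN)
if ( $Cfg{GroupDN} ) {
    $Result = $LDAP->search(
        base   => $Cfg{GroupDN},
        scope  => 'base',
        filter => sprintf( '(%s=%s)', $Cfg{AccessAttr}, escape_filter_value($UserDN) ),
        attrs  => ['cn'],
    );
    die "group check failed: " . $Result->error . "\n" if $Result->code;
    die "$UserDN is not a $Cfg{AccessAttr} of $Cfg{GroupDN}; the login would be refused\n"
        if !$Result->entries;
    print "group check ok: $Cfg{GroupDN}\n";
}

# step 4: the actual authentication, a simple bind as the user's own DN
$Result = $LDAP->bind( $UserDN, password => $UserPw );
die "user bind failed (wrong password, or account locked/expired/disabled): "
  . $Result->error . "\n" if $Result->code;
print "authentication ok\n";

# what AuthSyncModule::LDAP::UserSyncMap would write into the agent record;
# without AuthSyncModule this never happens and OTRS reports that the user
# authenticated but has no database entry
for my $DBField ( sort keys %{ $Cfg{SyncMap} } ) {
    my $Value = $Entries[0]->get_value( $Cfg{SyncMap}{$DBField} ) // '';
    printf "%-14s <- %-10s = %s\n", $DBField, $Cfg{SyncMap}{$DBField}, $Value;
}
$LDAP->unbind;
```

Each `die` names the configuration key to look at, so the script stops at the first step that would also make the OTRS login fail. If step 2 returns nothing while the account clearly exists, BaseDN is usually wrong or AlwaysFilter excludes the account (for example `(mail=*)` on an account without a mail attribute); if step 4 fails while step 2 succeeded, the directory accepted the search account but not the agent's own credentials.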