wir nutzen aktuell Znuny 6.3.4 unter Debian Linux mit einer OpenLDAP-Anbindung für Agenten und Customer (Config.pm unten). Wir wollen von OpenLDAP zu Microsoft Azure SAML wechseln (Agenten und Customer), hat das schon mal jemand gemacht? Ist das überhaupt möglich? Natürlich sollten die Berechtigungen und Zuordnungen der LDAP-Agenten/Customer erhalten bleiben. Login mit Microsoft SAML wäre dann auch mit einer E-Mail-Adresse, mit der man im Browser bereits eingeloggt ist.
###########################################################
# LDAP Agent
###########################################################
# Agent (staff) authentication against OpenLDAP via Net::LDAP.
# Every key below lands in $Self, the Znuny config hash; the
# assignments are independent of each other, so order does not matter.
my %agent_ldap = (
    'AuthModule'               => 'Kernel::System::Auth::LDAP',
    'AuthModule::LDAP::Host'   => 'ldaps://example.org',
    'AuthModule::LDAP::BaseDN' => 'dc=example,dc=de',
    'AuthModule::LDAP::UID'    => 'employeeNumber',

    # Group check: search GroupDN for an entry whose AccessAttr equals the
    # user's UserAttr value. NOTE(review): with GroupDN pointing at the
    # people OU and both attributes set to employeeNumber this appears to
    # only re-find the user's own entry rather than test a group, so the
    # memberOf AlwaysFilter further down is what actually restricts agent
    # logins -- confirm before mapping this onto SAML group claims.
    'AuthModule::LDAP::GroupDN'    => 'ou=people,dc=example,dc=de',
    'AuthModule::LDAP::AccessAttr' => 'employeeNumber',
    # posixGroup style (member attribute holds the uid); for group objects
    # that store the full user DN use 'DN' instead.
    'AuthModule::LDAP::UserAttr'   => 'employeeNumber',

    # Bind used for the user search. Empty DN and password means an
    # anonymous bind, which only works while the directory lets anonymous
    # clients read the tree.
    'AuthModule::LDAP::SearchUserDN' => '',
    'AuthModule::LDAP::SearchUserPw' => '',

    # AND-ed into every query; here it is the effective agent gate.
    'AuthModule::LDAP::AlwaysFilter' => '(memberOf=cn=otrs-example-agenten,ou=programme,ou=groups,dc=example,dc=de)',

    # Passed through to Net::LDAP->new (see perldoc Net::LDAP).
    'AuthModule::LDAP::Params' => {
        port    => 636,
        timeout => 120,
        async   => 0,
        version => 3,
        # NOTE(review): SourceCharset is not a Net::LDAP->new option; check
        # Kernel::System::Auth::LDAP for the config key it actually reads.
        SourceCharset => 'utf8',
        # DestCharset => 'iso-8859-1',
        # NOTE(review): no 'verify'/'cafile' is given, so whether the ldaps
        # server certificate is checked depends on the installed Net::LDAP
        # default -- confirm, and consider pinning it with verify => 'require'.
    },
);
@{$Self}{ keys %agent_ldap } = values %agent_ldap;
###########################################################
## LDAP Customer
###########################################################
# Customer (end-user) authentication against the same directory.
my %customer_ldap_auth = (
    'Customer::AuthModule'               => 'Kernel::System::CustomerAuth::LDAP',
    'Customer::AuthModule::LDAP::Host'   => 'ldaps://example.org',
    'Customer::AuthModule::LDAP::BaseDN' => 'ou=people,dc=example,dc=de',
    'Customer::AuthModule::LDAP::UID'    => 'employeeNumber',

    # Bind used for the user search. NOTE(review): 'anonymous' is not a DN;
    # the stock Znuny example uses '' for an anonymous bind. A non-empty DN
    # with an empty password is an "unauthenticated bind", which many
    # directories reject -- confirm what this server does with it.
    'Customer::AuthModule::LDAP::SearchUserDN' => 'anonymous',
    'Customer::AuthModule::LDAP::SearchUserPw' => '',

    # NOTE(review): unlike the agent backend there is no AlwaysFilter here,
    # so any entry under ou=people can pass customer authentication; the
    # customer-group memberOf filter only exists on the CustomerUser data
    # source. Check how Znuny treats a successful auth with no matching
    # customer record before carrying this split over to SAML.
);
@{$Self}{ keys %customer_ldap_auth } = values %customer_ldap_auth;
# CustomerUser: the customer data source (directory-backed lookup of
# customer records, separate from customer authentication above).
my %customer_source_params = (
    Host   => 'ldaps://example.org',
    BaseDN => 'ou=people,dc=example,dc=de',
    SSCOPE => 'sub',
    # NOTE(review): 'anonymous' is not a DN; the stock example uses '' for
    # an anonymous bind -- confirm the server accepts this as configured.
    UserDN => 'anonymous',
    UserPw => '',
    SourceCharset => 'utf-8',
    # DestCharset => 'iso-8859-1',
    # Only members of the customer group are visible as customer users.
    AlwaysFilter => '(memberOf=cn=otrs-example-customer,ou=programme,ou=groups,dc=example,dc=de)',
);

# Field map, one row per attribute:
# [ var, frontend label, LDAP attribute, shown, required, storage-type ]
# The Login, Email and CustomerID rows are mandatory.
my @customer_field_map = (
    [ 'UserSalutation',  'Title',      'title',            1, 0, 'var' ],
    [ 'UserFirstname',   'Firstname',  'givenname',        1, 1, 'var' ],
    [ 'UserLastname',    'Lastname',   'sn',               1, 1, 'var' ],
    [ 'UserLogin',       'Login',      'employeeNumber',   1, 1, 'var' ],
    [ 'UserEmail',       'Email',      'mail',             0, 1, 'var' ],
    [ 'UserCustomerID',  'CustomerID', 'businessCategory', 0, 1, 'var' ],
    [ 'UserPhone',       'Phone',      'telephoneNumber',  1, 0, 'var' ],
    # [ 'UserAddress',   'Address',    'postaladdress',    1, 0, 'var' ],
    # [ 'UserComment',   'Comment',    'description',      1, 0, 'var' ],
);

$Self->{CustomerUser} = {
    Name   => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => \%customer_source_params,

    # Attribute holding the unique customer-user key.
    CustomerKey => 'employeeNumber',
    # Attribute holding the customer (company) id.
    CustomerID => 'businessCategory',

    # CustomerUserListFields   => ['uid', 'cn', 'mail'],
    CustomerUserListFields => [ 'cn', 'mail' ],
    # CustomerUserSearchFields => ['employeeNumber', 'cn', 'mail'],
    CustomerUserSearchFields    => [ 'sn', 'givenName', 'mail' ],
    CustomerUserSearchPrefix    => '',
    CustomerUserSearchSuffix    => '*',
    CustomerUserSearchListLimit => 250,
    # Used by the postmaster filter to match inbound senders to customers.
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => [ 'givenname', 'sn' ],

    Map => \@customer_field_map,
};