Je souhaiterais pouvoir authentifier les agents OTRS suivant un groupe spécifique de mon active directory.
L'authentification "active directory" semble fonctionner, mais j'ai du mal quand au fait de "limite" les agents a un groupe. En gros, un utilisateur, qui est dans le group AD "OTRS-ALLOW-A" entre son login/pass, otrs me dit que l'authentification a fonctionner, mais qu'il ne trouve pas d'info concernant ce user: il s'agirait de la "syncronisation" du user AD dans la DB local d'OTRS.
Voiçi quelques infos:
- Version d'OTRS: Fonction assurée par OTRS 3.2.8
- Serveur Debian 7.1 (x86)
- Utilisateur Active directory pour l'authentification: OTRS (with password: otrs1$) --> 'CN=OTRS,OU=Prestataires-Services,OU=Special,OU=Sites,DC=domain,DC=priv'
- Groupe Active Directory qui dont le user devrait être membre pour pouvoir être agent: OTRS-ALLOW-A --> 'CN=OTRS-ALLOW-A,OU=groups,OU=Sites,DC=domain,DC=priv'
La partie de code que j'ai ajouter dans mon "Config.pm"
Si quelqu'un a une idée, je suis preneur.
Bonne journée à vous, et d'avance merci pour toutes aide
Code: Select all
#--------------------------------------------------------#
# #
# #
# Here Starts Config For ADUC Agent and Customer #
# #
# #
#--------------------------------------------------------#
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'server.domain.priv';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=domain,dc=priv';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=OTRS-ALLOW-A,OU=groups,OU=Sites,DC=domain,DC=priv';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
# for ldap posixGroups objectclass (just uid)
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS,OU=Prestataires-Services,OU=Special,OU=Sites,DC=domain,DC=priv';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'otrs1$';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# --------------------------------------------------- #
# authentication sync settings #
# (enable agent data sync. after succsessful #
# authentication) #
# --------------------------------------------------- #
# This is an example configuration for an LDAP auth sync. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'server.domain.priv';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=domain,dc=priv';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=OTRS,OU=Prestataires-Services,OU=Special,OU=Sites,DC=domain,DC=priv';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'otrs1$';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=OTRS-ALLOW-A,OU=groups,OU=Sites,DC=domain,DC=priv';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
# for ldap posixGroups objectclass (just uid)
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
# AuthSyncModule::LDAP::UserSyncMap
# (map if agent should create/synced from LDAP to DB after successful login)
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
'users',
];
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
# $Self->{'AuthSyncModule::LDAP::Params'} = {
# port => 389,
# timeout => 120,
# async => 0,
# version => 3,
# };
# Die if backend can't work, e. g. can't connect to server.
# $Self->{'AuthSyncModule::LDAP::Die'} = 1;
# Die if backend can't work, e. g. can't connect to server.
# $Self->{'AuthModule::LDAP::Die'} = 1;
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'server.domain.priv';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=domain,dc=priv';
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS,OU=Prestataires-Services,OU=Special,OU=Sites,DC=domain,DC=priv';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'otrs1$';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# Die if backend can't work, e. g. can't connect to server.
# $Self->{'Customer::AuthModule::LDAP::Die'} = 1;
#CustomerUser
#(customer user database backend and settings)
$Self->{CustomerUser} = {
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'server.domain.priv',
BaseDN => 'dc=domain,dc=priv',
SSCOPE => 'sub',
UserDN =>'CN=OTRS,OU=Prestataires-Services,OU=Special,OU=Sites,DC=domain,DC=priv',
UserPw => 'otrs1$',
},
# customer unique id
CustomerKey => 'sAMAccountName',
# customer #
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};
#--------------------------------------------------------#
# #
# #
# Here Ends Config For ADUC Agent and Customer #
# #
# #
#--------------------------------------------------------#