How to add LDAP groups in OTRS Config

manik
Znuny newbie
Posts: 2
Joined: 14 Feb 2020, 18:29
Znuny Version: 6.0.6
Real Name: Manivannan Kanagasooriyam
Company: Nocland

How to add LDAP groups in OTRS Config

Post by manik »

Dear Folks,

I am new to OTRS and to this forum. This is my first post here. I am trying to integrate OTRS with my OpenLDAP backend. Below is my LDAP directory structure:

example.com
|___Groups
|   |__OTRS-Users
|   |__NMS-Users
|
|___People
    |_otrs-user1
    |_otrs-user2
    |_nms-user1

I have 2 main OUs under my root: Groups and People. I have all my users under the People OU, and all the OTRS users are assigned to the OTRS-Users group. I want to allow only the users in this group to log in to the OTRS customer portal.

Below is my config file:

#------------------------------------------#
#Customer user data source LDAP
#------------------------------------------#
#customer user ldap backend and settings
#For 1st LDAP Server
$Self->{CustomerUser1} = {
    Name   => 'LDAP Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'openldap1.example.com',
        # ldap base dn
        # BaseDN => 'cn=OTRS-Users,ou=Groups,dc=example,dc=com',
        BaseDN => 'dc=example,dc=com',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => '',
        UserPw => '',
        # uid=jdoe,ou=Users,dc=example,dc=com
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        #AlwaysFilter => '',
        # if the charset of your ldap server is iso-8859-1, use this:
        # SourceCharset => 'iso-8859-1',
        # die if backend can't work, e. g. can't connect to server
        Die => 0,
        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            port    => 389,
            timeout => 120,
            async   => 0,
            version => 3,
        },
    },
    # customer unique id
    CustomerKey => 'uid',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields             => ['cn', 'mail'],
    CustomerUserSearchFields           => ['uid', 'cn', 'mail'],
    CustomerUserSearchPrefix           => '',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    # show customer user and customer tickets in customer interface
    CustomerUserExcludePrimaryCustomerID => 0,
    # add a ldap filter for valid users (expert setting)
    # CustomerUserValidFilter => '(!(description=gesperrt))',
    # admin can't change customer preferences
    AdminSetPreferences => 0,
    # cache time to live in sec. - cache any ldap queries
    CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly, http-link-target, link class(es)
        [ 'UserTitle',      Translatable('Title or salutation'), 'title',           1, 0, 'var', '', 1, undef, undef ],
        [ 'UserFirstname',  Translatable('Firstname'),           'givenname',       1, 1, 'var', '', 1, undef, undef ],
        [ 'UserLastname',   Translatable('Lastname'),            'sn',              1, 1, 'var', '', 1, undef, undef ],
        [ 'UserLogin',      Translatable('Username'),            'uid',             1, 1, 'var', '', 1, undef, undef ],
        [ 'UserEmail',      Translatable('Email'),               'mail',            1, 1, 'var', '', 1, undef, undef ],
        [ 'UserCustomerID', Translatable('CustomerID'),          'mail',            0, 1, 'var', '', 1, undef, undef ],
        # [ 'UserCustomerIDs', Translatable('CustomerIDs'), 'second_customer_ids', 1, 0, 'var', '', 1, undef, undef ],
        [ 'UserPhone',      Translatable('Phone'),               'telephonenumber', 1, 0, 'var', '', 1, undef, undef ],
        [ 'UserAddress',    Translatable('Address'),             'postaladdress',   1, 0, 'var', '', 1, undef, undef ],
        [ 'UserComment',    Translatable('Comment'),             'description',     1, 0, 'var', '', 1, undef, undef ],
        # this is needed, if "SMIME::FetchFromCustomer" is active
        # [ 'UserSMIMECertificate', 'SMIMECertificate', 'userSMIMECertificate', 0, 1, 'var', '', 1, undef, undef ],
        # Dynamic field example
        # [ 'DynamicField_Name_X', undef, 'Name_X', 0, 0, 'dynamic_field', undef, 0, undef, undef ],
    ],
};
# LDAP Customer Auth
$Self->{'Customer::AuthModule1'}               = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'}   = 'openldap1.example.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID1'}    = 'uid';
$Self->{'Customer::AuthModule::LDAP::GroupDN'}    = 'cn=OTRS-Users,ou=Groups,dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'uid';


This config doesn't help me to achieve my goal; instead, all the users under the People OU are able to log in to the OTRS customer portal.

Can anyone help me to solve this issue?
root
Administrator
Posts: 4251
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: How to add LDAP groups in OTRS Config

Post by root »

Hi,

What's the name of the attribute in the group that holds the members? Is it member, or did you change the schema? What is the value, the uid or the DN?

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
manik
Znuny newbie
Posts: 2
Joined: 14 Feb 2020, 18:29
Znuny Version: 6.0.6
Real Name: Manivannan Kanagasooriyam
Company: Nocland

Re: How to add LDAP groups in OTRS Config

Post by manik »

Hi Roy, below is my ldapsearch -x output for more clarification.

# nocland.com
dn: dc=nocland,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: nocland.com
dc: nocland

# admin, nocland.com
dn: cn=admin,dc=nocland,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# Groups, nocland.com
dn: ou=Groups,dc=nocland,dc=com
objectClass: organizationalUnit
ou: Groups
description: generic groups branch

# People, nocland.com
dn: ou=People,dc=nocland,dc=com
objectClass: organizationalUnit
ou: People
description: generic people branch

# OTRS-Users, Groups, nocland.com
dn: cn=OTRS-Users,ou=Groups,dc=nocland,dc=com
objectClass: groupOfNames
cn: OTRS-Users
description: Group for all OTRS user
member: cn=otrsuser1,ou=People,dc=nocland,dc=com
member: cn=otrsuser2,ou=People,dc=nocland,dc=com
member: cn=otrsuser3,ou=People,dc=nocland,dc=com

# OTRS-Admins, Groups, nocland.com
dn: cn=OTRS-Admins,ou=Groups,dc=nocland,dc=com
objectClass: groupOfNames
cn: OTRS-Admins
description: Group for all OTRS administrator
member: cn=otrsadmin1,ou=People,dc=nocland,dc=com
member: cn=otrsadmin2,ou=People,dc=nocland,dc=com

# OpenNMS-Users, Groups, nocland.com
dn: cn=OpenNMS-Users,ou=Groups,dc=nocland,dc=com
objectClass: groupOfNames
cn: OpenNMS-Users
description: Group for all OpenNMS user
member: cn=nmsuser1,ou=People,dc=nocland,dc=com
member: cn=nmsuser2,ou=People,dc=nocland,dc=com

# OpenNMS-Admins, Groups, nocland.com
dn: cn=OpenNMS-Admins,ou=Groups,dc=nocland,dc=com
objectClass: groupOfNames
cn: OpenNMS-Admins
description: Group for all OpenNMS administrator
member: cn=nmsadmin1,ou=People,dc=nocland,dc=com
member: cn=nmsadmin2,ou=People,dc=nocland,dc=com

# nmsuser1, People, nocland.com
dn: cn=nmsuser1,ou=People,dc=nocland,dc=com
objectClass: inetOrgPerson
cn: nmsuser1
sn: nmsuser1
uid: nmsuser1
ou: People
mail: nmsuser1@nocland.com
employeeNumber: 111111

# nmsuser2, People, nocland.com
dn: cn=nmsuser2,ou=People,dc=nocland,dc=com
objectClass: inetOrgPerson
cn: nmsuser2
sn: nmsuser2
uid: nmsuser2
ou: People

# otrsuser1, People, nocland.com
dn: cn=otrsuser1,ou=People,dc=nocland,dc=com
objectClass: inetOrgPerson
cn: otrsuser1
sn: otrsuser1
uid: otrsuser1
ou: People
employeeNumber: 1001
mail: otrsuser1@nocland.com

# otrsuser2, People, nocland.com
dn: cn=otrsuser2,ou=People,dc=nocland,dc=com
objectClass: inetOrgPerson
cn: otrsuser2
sn: otrsuser2
uid: otrsuser2
ou: People
mail: otrsuser2@nocland.com
employeeNumber: 1002

# otrsuser3, People, nocland.com
dn: cn=otrsuser3,ou=People,dc=nocland,dc=com
cn: otrsuser3
mail: otrsuser3@nocland.com
employeeNumber: 1003
objectClass: inetOrgPerson
objectClass: top
ou: People
sn: otrsuser3
uid: otrsuser3

# search result
search: 2
result: 0 Success

-----------------------------------------------------
I modified my config file as below and tried, but no luck. Could you edit it as per my LDAP schema and post it?

# LDAP Customer Auth
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'} = 'openldap1.nocland.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=nocland,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID1'} = 'uid';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Users,ou=Groups,dc=nocland,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = '';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = '';
root
Administrator
Posts: 4251
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: How to add LDAP groups in OTRS Config

Post by root »

manik wrote: 21 Feb 2020, 19:36
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Users,ou=Groups,dc=nocland,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
Hi,

I think they should look like this:

$Self->{'Customer::AuthModule::LDAP::GroupDN1'} = 'cn=OTRS-Users,ou=Groups,dc=nocland,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'member';

- Roy
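To make the reason for Roy's fix visible, here is an added example (not code from the thread, from OTRS or from Znuny) that models in Python the two searches Kernel::System::CustomerAuth::LDAP performs for a customer login: first a lookup of (UID=login) below BaseDN to get the user's DN, then, only if GroupDN and AccessAttr are configured, a search below GroupDN for (AccessAttr=<DN of the user>) when UserAttr is 'DN', or (AccessAttr=<login>) otherwise. The script also mirrors how the module reads its settings: every key name gets the backend's count suffix appended, which is why the unsuffixed GroupDN and AccessAttr keys from the earlier post are simply never read and every user under People can log in. The same applies to the UserAttr key: for customers it is Customer::AuthModule::LDAP::UserAttr1, not the agent key AuthModule::LDAP::UserAttr1 used in the post. The LDIF is constructed from the ldapsearch output posted above, the function names and the config dicts are mine, no bind or network connection is made, and the module's fallback for an absent UserAttr key is not modelled (the configs below always set it). Note that the CustomerUser1 data source, with BaseDN dc=nocland,dc=com and no AlwaysFilter, will still list every entry under People as a customer user; only the auth module gates who can actually log in.

```python
"""Model of the customer LDAP auth group check in OTRS/Znuny (added example,
not the project's code).  Shows why 'GroupDN1'/'AccessAttr1' (with the count
suffix) and UserAttr 'DN' are needed for a groupOfNames with member: <DN>."""

# Constructed from the ldapsearch -x output in the thread; trimmed to the
# entries the check touches.  Not a live query.
LDIF = """\
dn: cn=OTRS-Users,ou=Groups,dc=nocland,dc=com
objectClass: groupOfNames
cn: OTRS-Users
member: cn=otrsuser1,ou=People,dc=nocland,dc=com
member: cn=otrsuser2,ou=People,dc=nocland,dc=com
member: cn=otrsuser3,ou=People,dc=nocland,dc=com

dn: cn=nmsuser1,ou=People,dc=nocland,dc=com
objectClass: inetOrgPerson
cn: nmsuser1
uid: nmsuser1

dn: cn=otrsuser1,ou=People,dc=nocland,dc=com
objectClass: inetOrgPerson
cn: otrsuser1
uid: otrsuser1
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for minimal LDIF (no folding, no base64)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        attr = attr.lower()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def in_subtree(dn, base):
    """Scope 'sub': the entry is the base itself or lies somewhere below it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def find_user_dn(entries, base_dn, uid_attr, login):
    """Step 1: search (uid_attr=login) below BaseDN and return the entry's DN."""
    for dn, attrs in entries.items():
        if in_subtree(dn, base_dn) and login in attrs.get(uid_attr.lower(), []):
            return dn
    return None


def group_allows(entries, group_dn, access_attr, user_attr, login, user_dn):
    """Step 2: search GroupDN for (AccessAttr=value).  The value compared is
    the user's DN when UserAttr is 'DN', otherwise the bare login name."""
    wanted = user_dn if user_attr == "DN" else login
    group = entries.get(group_dn)
    if group is None:
        return False
    return wanted.lower() in (v.lower() for v in group.get(access_attr.lower(), []))


def customer_auth(config, count, login):
    """True if `login` would pass the auth module's search steps.  Every key is
    read with the backend's count suffix, e.g. 'GroupDN' + '1' -> 'GroupDN1',
    so a key written without the suffix is never seen by backend 1."""
    def get(key):
        return config.get("Customer::AuthModule::LDAP::" + key + count)

    entries = parse_ldif(LDIF)
    user_dn = find_user_dn(entries, get("BaseDN"), get("UID"), login)
    if user_dn is None:
        return False
    # The password bind against user_dn happens here in the real module;
    # omitted because this example runs without a directory server.
    if get("GroupDN") and get("AccessAttr"):
        return group_allows(entries, get("GroupDN"), get("AccessAttr"),
                            get("UserAttr"), login, user_dn)
    return True  # no group restriction configured: anyone found below BaseDN


# Keys as in the second post: GroupDN/AccessAttr lack the '1', UserAttr uses
# the agent key.  Backend 1 therefore performs no group check at all.
BROKEN = {
    "Customer::AuthModule::LDAP::BaseDN1": "dc=nocland,dc=com",
    "Customer::AuthModule::LDAP::UID1": "uid",
    "Customer::AuthModule::LDAP::GroupDN": "cn=OTRS-Users,ou=Groups,dc=nocland,dc=com",
    "Customer::AuthModule::LDAP::AccessAttr": "member",
    "AuthModule::LDAP::UserAttr1": "DN",
}

# Suffixed keys; member: holds DNs, so UserAttr must be 'DN'.
FIXED = dict(BROKEN)
FIXED.update({
    "Customer::AuthModule::LDAP::GroupDN1": "cn=OTRS-Users,ou=Groups,dc=nocland,dc=com",
    "Customer::AuthModule::LDAP::AccessAttr1": "member",
    "Customer::AuthModule::LDAP::UserAttr1": "DN",
})

# Same as FIXED but comparing the login name against member: values, which
# never matches a groupOfNames and locks everyone out.
FIXED_UID = dict(FIXED, **{"Customer::AuthModule::LDAP::UserAttr1": "UID"})
```

Run it interactively and compare customer_auth(BROKEN, "1", "nmsuser1") with customer_auth(FIXED, "1", "nmsuser1"): the first is allowed because no group check is configured for backend 1, the second is refused. FIXED_UID shows the other common mistake: with UserAttr 'UID' the filter becomes (member=otrsuser1), which matches nothing because member: stores full DNs, so even otrsuser1 is refused. After changing the keys on a real system, an ldapsearch -x with base cn=OTRS-Users,ou=Groups,dc=nocland,dc=com and filter "(member=cn=otrsuser1,ou=People,dc=nocland,dc=com)" should return exactly one entry; that is the query the module issues.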