AD group based access

Moderator: crythias

atetz
Znuny newbie
Posts: 11
Joined: 22 Aug 2011, 14:33
Znuny Version: otrs-3.0.10
Real Name: Adam Tetz
Company: Gemeente Maasgouw

AD group based access

Post by atetz »

Hi there,

Currently I have a group in my AD called APP_Slickticket (tried slickticket too in my test environment) which is allowed to access OTRS, and these users will be synced to users and stats.
Is it possible to have multiple AD groups and sync them to different groups in OTRS? Say, a user that's a member of APP_OTRS_ADMIN will see all admin functionality in OTRS, and a second group called OTRS_AGENTS will only see the agent queues, etc.

This is my setup now:

# This is an example configuration for using an MS AD backend
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '192.168.150.128';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=servicedesk,dc=test';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=APP_Slickticket,ou=Applications,ou=Servicedesk,DC=servicedesk,DC=test';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Services,cn=users,dc=servicedesk,dc=test';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxx';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '192.168.150.128';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=servicedesk,dc=test';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=Services,cn=users,dc=servicedesk,dc=test';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxx';

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users', 'stats',
];
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: AD group based access

Post by crythias »

You might use multiple backends to handle this.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
atetz

Re: AD group based access

Post by atetz »

Multiple LDAP backends?
crythias

Re: AD group based access

Post by crythias »

Yes. Each one would assign its filtered logins to the appropriate groups.
atetz

Re: AD group based access

Post by atetz »

Is there any documentation/template of this? I tried searching but got no satisfactory hits.
crythias

Re: AD group based access

Post by crythias »

It's similar to the multiple Customer backends. http://doc.otrs.org/3.0/en/html/custome ... nd-example

Basically, you'll duplicate the configurations and append a number from 1-10 for additional entries regarding the agent configuration.

# This is an example configuration for using an MS AD backend
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = '192.168.150.128';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=servicedesk,dc=test';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN1'} = 'cn=APP_Slickticket,ou=Applications,ou=Servicedesk,DC=servicedesk,DC=test';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'cn=Services,cn=users,dc=servicedesk,dc=test';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'xxxxx';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# $Self->{'AuthModule::LDAP::AlwaysFilter1'} = '';

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix1'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params1'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Now sync data with OTRS DB
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = '192.168.150.128';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=servicedesk,dc=test';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'cn=Services,cn=users,dc=servicedesk,dc=test';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'xxxxx';

$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
    'users', 'group2',
];
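Putting the numbered-backend approach together for the two groups asked about at the top of the thread, the following is an added, complete Kernel/Config.pm fragment written for this page; it is not crythias's posted config and not code from the OTRS project. The host, base DN, bind account and ou=Applications layout are taken from the posted config. Assumptions: the two group DNs (modelled on the APP_Slickticket DN), the OTRS group names admin/users/stats (OTRS defaults), and the AlwaysFilter setting. Backend order matters: OTRS tries AuthModule first, then AuthModule1, and stops at the first backend that accepts the password, so the admin group is listed first.

```perl
# Added example: two LDAP auth backends against the same AD, each admitting
# one AD group and syncing its members into a different set of OTRS groups.
# Goes into the Load() sub of Kernel/Config.pm.

# connection settings shared by every backend (values from the thread)
my %LDAP = (
    Host         => '192.168.150.128',
    BaseDN       => 'dc=servicedesk,dc=test',
    UID          => 'sAMAccountName',
    SearchUserDN => 'cn=Services,cn=users,dc=servicedesk,dc=test',
    SearchUserPw => 'xxxxx',    # placeholder, as in the thread
);

# Most privileged group first: an account that is in both AD groups is then
# created by the admin backend instead of being created with agent rights only.
# Group DNs below are assumed, modelled on the APP_Slickticket DN.
my @Backends = (
    {   Suffix  => '',     # keys without a number: AuthModule, AuthModule::LDAP::Host, ...
        GroupDN => 'cn=APP_OTRS_ADMIN,ou=Applications,ou=Servicedesk,dc=servicedesk,dc=test',
        Groups  => [ 'admin', 'users', 'stats' ],
    },
    {   Suffix  => '1',    # keys with suffix 1: AuthModule1, AuthModule::LDAP::Host1, ...
        GroupDN => 'cn=OTRS_AGENTS,ou=Applications,ou=Servicedesk,dc=servicedesk,dc=test',
        Groups  => [ 'users', 'stats' ],
    },
);

for my $Backend (@Backends) {
    my $N = $Backend->{Suffix};

    # authentication: only members of this backend's AD group may log in
    $Self->{"AuthModule$N"}                     = 'Kernel::System::Auth::LDAP';
    $Self->{"AuthModule::LDAP::Host$N"}         = $LDAP{Host};
    $Self->{"AuthModule::LDAP::BaseDN$N"}       = $LDAP{BaseDN};
    $Self->{"AuthModule::LDAP::UID$N"}          = $LDAP{UID};
    $Self->{"AuthModule::LDAP::SearchUserDN$N"} = $LDAP{SearchUserDN};
    $Self->{"AuthModule::LDAP::SearchUserPw$N"} = $LDAP{SearchUserPw};
    $Self->{"AuthModule::LDAP::GroupDN$N"}      = $Backend->{GroupDN};
    $Self->{"AuthModule::LDAP::AccessAttr$N"}   = 'member';
    $Self->{"AuthModule::LDAP::UserAttr$N"}     = 'DN';
    # only match real user objects when resolving the login name (assumed setting)
    $Self->{"AuthModule::LDAP::AlwaysFilter$N"} = '(objectclass=user)';
    $Self->{"AuthModule::LDAP::Params$N"} = {
        port    => 389,
        timeout => 120,
        async   => 0,
        version => 3,
    };

    # sync: the agent record is created from AD and put into this backend's groups
    $Self->{"AuthSyncModule$N"}                     = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{"AuthSyncModule::LDAP::Host$N"}         = $LDAP{Host};
    $Self->{"AuthSyncModule::LDAP::BaseDN$N"}       = $LDAP{BaseDN};
    $Self->{"AuthSyncModule::LDAP::UID$N"}          = $LDAP{UID};
    $Self->{"AuthSyncModule::LDAP::SearchUserDN$N"} = $LDAP{SearchUserDN};
    $Self->{"AuthSyncModule::LDAP::SearchUserPw$N"} = $LDAP{SearchUserPw};
    $Self->{"AuthSyncModule::LDAP::UserSyncMap$N"}  = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    # rw membership granted when the agent record is first created
    $Self->{"AuthSyncModule::LDAP::UserSyncInitialGroups$N"} = $Backend->{Groups};
}
```

One thing to keep in mind when relying on this: as the comment in the posted config says, UserSyncInitialGroups is applied only when the agent record is first created. Someone removed from APP_OTRS_ADMIN in AD later will still be let in through the agent backend and will keep the admin group they were given on day one, so revoke it in OTRS's group administration as well. OTRS 3.0 also ships an AuthSyncModule::LDAP::UserSyncGroupsDefinition option (documented in Kernel/Config/Defaults.pm) that maps LDAP group DNs to OTRS groups and permissions and re-applies that mapping at each login, which avoids this gap with a single backend.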
atetz

Re: AD group based access

Post by atetz »

Thanks! Works like a charm :)