[SOLVED] LDAP issues

Moderator: crythias

Marwain
Znuny newbie
Posts: 16
Joined: 13 Nov 2011, 21:08
Znuny Version: 3.0

[SOLVED] LDAP issues

Post by Marwain »

Hello,

I am implementing OTRS based on LDAP (Active Directory) and 2 smaller issues appeared.

First one: The LDAP authorization should be limited to only some organizational units (OU) of the AD. Of course I have figured out the way to limit it to only one OU, but not more (using some "or" operator). The config is done using the BaseDN setting:

Code:

$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=unit,DC=example,DC=com';

The result should be something like this:

Code:

$Self->{'AuthModule::LDAP::BaseDN'} = '(|(OU=unit1)(OU=unit2)),DC=example,DC=com';

Of course this doesn't work as it's completely different notation, but I think my aim is clearer with this interpretation.

Second one: Despite using the LDAP auth for customers, when displaying the customer detail, there are still editable fields. When this auth method is used, the fields should of course be read-only.

Any help appreciated with these. The OTRS is version 3.0 (the newest one).
Thanks in advance
Last edited by Marwain on 25 Nov 2011, 11:47, edited 1 time in total.
OTRS 3.0.11, Centos 6.0 x64, MySQL/MSSQL
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: LDAP issues

Post by crythias »

Use a filter for the first part. LDAP is usually read-only even if the fields are "editable". Hard-code that in Config.pm if it is not already.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Marwain
Znuny newbie
Posts: 16
Joined: 13 Nov 2011, 21:08
Znuny Version: 3.0

Re: LDAP issues

Post by Marwain »

Thanks for your reply.

I tried using the "AlwaysFilter" directive, but the problem is that the AD LDAP apparently doesn't work with the "memberOf" parameter, which is necessary for filtering customers by organizational unit (OU). I am not aware of any other way to do this.

I was afraid of hardcoding the form fields' read-only property. Maybe this could be considered as a bug (or feature request) - when the data source is set to read-only, the customer detail should not be editable, right?

Thanks in advance.
root
Administrator
Posts: 4262
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: LDAP issues

Post by root »

Hi,

Set the 8th parameter of the mapping (CustomerUser[1-9]) to 1 and you disable the input boxes on the customer details.

If there is no filter possible to match your different OUs there are two possibilities:

1.) Set them up as a different CustomerUser source.
2.) I have already finished an AgentAuth and Sync with nested groups in AD. Give me a week and I'll give it a try to implement it as a CustomerUser module.
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
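
The two suggestions in the post above (one CustomerUser source per OU, and the 8th Map parameter set to 1) as an added example; it is not code from any poster in this thread. The host, DNs, bind account, password and AD attribute choices are placeholder assumptions, and the numbered Customer::AuthModule keys go slightly beyond the thread so that customer login is scoped to the same OUs as the customer data.

```perl
use strict;
use warnings;

# Constructed placeholder values; in Kernel/Config.pm, $Self is the config object in sub Load.
my $Self   = {};
my $Host   = 'dc.example.com';
my $BindDN = 'CN=otrs-bind,OU=service,DC=example,DC=com';    # low-privilege, read-only account
my $BindPw = 'CHANGE_ME';
my %OU     = ( 1 => 'OU=unit1,DC=example,DC=com', 2 => 'OU=unit2,DC=example,DC=com' );

for my $N ( sort keys %OU ) {

    # Customer login: one numbered auth backend per permitted OU.
    $Self->{"Customer::AuthModule$N"}                     = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{"Customer::AuthModule::LDAP::Host$N"}         = $Host;
    $Self->{"Customer::AuthModule::LDAP::BaseDN$N"}       = $OU{$N};
    $Self->{"Customer::AuthModule::LDAP::UID$N"}          = 'sAMAccountName';
    $Self->{"Customer::AuthModule::LDAP::SearchUserDN$N"} = $BindDN;
    $Self->{"Customer::AuthModule::LDAP::SearchUserPw$N"} = $BindPw;

    # Customer data: a separate CustomerUser source with the same BaseDN.
    $Self->{"CustomerUser$N"} = {
        Name   => "Active Directory unit$N",
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => $Host,   BaseDN => $OU{$N}, SSCOPE => 'sub',
            UserDN => $BindDN, UserPw => $BindPw,
        },
        CustomerKey                        => 'sAMAccountName',
        CustomerID                         => 'mail',
        CustomerUserListFields             => [ 'sAMAccountName', 'cn', 'mail' ],
        CustomerUserSearchFields           => [ 'sAMAccountName', 'cn', 'mail' ],
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => [ 'givenname', 'sn' ],
        Map => [
            # var, frontend, storage, shown, required, storage-type, http-link, readonly
            [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var', '', 1 ],
            [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var', '', 1 ],
            [ 'UserLogin',      'Username',   'sAMAccountName', 1, 1, 'var', '', 1 ],
            [ 'UserEmail',      'Email',      'mail',           1, 1, 'var', '', 1 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var', '', 1 ],
        ],
    };
}

# Stand-alone check: list the keys this fragment would set.
print join( "\n", sort keys %{$Self} ), "\n";
```

Accounts outside the listed OUs match neither BaseDN, so they can neither log in as customers nor appear in customer searches.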
Marwain
Znuny newbie
Posts: 16
Joined: 13 Nov 2011, 21:08
Znuny Version: 3.0

Re: LDAP issues

Post by Marwain »

Thanks,
the 8th param did the work.

As for the LDAP, I've split it into 2 customer sources. Works well.

Thanks again
root
Administrator
Posts: 4262
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: [SOLVED] LDAP issues

Post by root »

If you still need nested groups support with AD just try this out: https://github.com/rkaldung/ConnectAD