OTRS - LDAP integration

Justin
Znuny newbie
Posts: 7
Joined: 24 Apr 2012, 15:12
Znuny Version: 3.0.10
Real Name: Justin
Company: IBS

OTRS - LDAP integration

Post by Justin »

We are planning to use OTRS for handling issues in our internal systems. We need to integrate OTRS with Windows Active Directory and make all employees within the organization customers.
I have made the following update in Config.pm, replacing the parameters with the actual values. What else needs to be done?

I would appreciate it if someone could guide me on this.

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '[AD_server]';
$Self->{'AuthModule::LDAP::BaseDN'} = '[base_dn]';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: OTRS - LDAP integration

Post by Spuds »

I've got PART of this working. I've been really frustrated because I've been working on this for days now.

I can (maybe) pull in things from Active Directory-- I see users, but not all of them... and then I see groups that we haven't used in ages.

Every user I happen to authenticate goes directly into the "Agents" group, so all of my users can see all of the tickets, and delete them and respond to them.

I've seen dozens of iterations of how to implement AD LDAP lookups, but none of them work for me.

I have an OU called OTRS

Inside that I have 2 security groups:

OTRS_Agents
OTRS_Users

I have an LDAP Bind user that must be working because (again) it's pulling in all of these groups and users.

Here's my configuration:


  # Setting Up Auth Account to allow full access to AD
        $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
        $Self->{'AuthModule::LDAP::Host'} = 'yoda.domain.com';
        $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=domain, dc=COM';
        $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
        $Self->{'AuthModule::LDAP::SearchUserDN'} = 'ldapbind@domain.com';
        $Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxxx';

        $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
        $Self->{'Customer::AuthModule::LDAP::Host'} = 'yoda.domain.com';
        $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain, dc=com';
        $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
        $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldapbind@asi.com';
        $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxx';

# Client LDAP Backend Settings

  $Self->{CustomerUser1} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
      # ldap host
      Host => 'yoda.domain.com',
      # ldap base dn
      BaseDN => 'dc=domain, dc=com',
      # search scope (one|sub)
      SSCOPE => 'sub',
      # The following is valid but would only be necessary if the
      # anonymous user does NOT have permission to read from the LDAP tree
      UserDN => 'ldapbind@domain.com',
      UserPw => 'xxxxxxx',
      AlwaysFilter => '',
      SourceCharset => 'utf-8',
      DestCharset => 'iso-8859-1',
    },
    # customer uniq id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
      #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
      [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
      #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
      #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
  };

   # This is an example configuration for an LDAP auth sync. backend.
   # (take care that Net::LDAP is installed!)
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'yoda.domain.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';

   # The following is valid but would only be necessary if the
   # anonymous user do NOT have permission to read from the LDAP tree
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'ldapbind@domain.COM';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'x';

   # in case you want to add always one filter to each ldap query, use
   # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';

   # AuthSyncModule::LDAP::UserSyncMap
   # (map if agent should create/synced from LDAP to DB after successful login)
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
NOTE: Please assume that where I've put "domain.com", and where any usernames and passwords are blanked out, I've actually entered these correctly. I'm just concerned about any chunks I'm missing, or where my syntax is incorrect in a way that leads to the problem.

Can anyone tell me what I'm doing wrong? I really have done my best to search it out here and on google. I'm about 30 work hours into this. Setup was a snap... but this LDAP thing is just driving me crazy.

MANY, MANY thanks in advance to the person who solves my problem.

There's very likely a book, coffee, or free pizza in it as a bribe to the person that solves my problem.
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: OTRS - LDAP integration

Post by Spuds »

Here's a juicy tidbit I found in another thread-- this is pretty good stuff.

In my first reply, I was complaining that OTRS was pulling in groups and computers, etc... stuff I didn't want.

So -- in my Client LDAP backend settings:

# Client LDAP Backend Settings

$Self->{CustomerUser1} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'yoda.domain.com',
        # ldap base dn
        BaseDN => 'dc=domain, dc=com',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'ldapbind@domain.com',
        UserPw => 'xxxxx',
        # only real user objects, no computer accounts, no disabled accounts
        # (1.2.840.113556.1.4.803 is AD's bitwise-AND rule; 2 is ACCOUNTDISABLE)
        AlwaysFilter => '(&(objectClass=user) (!(objectClass=Computer)) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        SourceCharset => 'utf-8',
        DestCharset => 'iso-8859-1',
    },
    # CustomerKey, CustomerID, search fields and Map unchanged from my earlier post
};

I changed AlwaysFilter from '' to '(&(objectClass=user) (!(objectClass=Computer)) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))', as you can see in my code above. HUGE difference so far.

Still drilling down....
Spuds
Znuny newbie
Posts: 14
Joined: 25 Apr 2012, 18:55
Znuny Version: 3.1.4
Real Name: Robert
Company: Aerial Services, Inc

Re: OTRS - LDAP integration

Post by Spuds »

Okay-- I have a working Agent auth-- so I'm going to share it.

You need 2 things:

1) You need an LDAP account that can bind and search. (Easy)
2) You need a security group in the root of your domain. I called mine OTRSAgents

Here's the chunk of code:

    #----------------------------------------#
    # First, we need to make sure that       #
    # agents can log in from OTRSAgents      #
    # group in Active Directory, sync it to  #
    # the local database                     #
    #----------------------------------------#

    # Enable LDAP Authentication Sync for Agent
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'yoda.domain.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=DOMAIN,dc=COM';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'ldapbind@DOMAIN.COM';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxx';
    $Self->{'AuthSyncModule::LDAP::Charset'} = 'utf-8';

    # Enable Agent Mapping from LDAP to DB #
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    # OTRS group(s) a newly synced agent is put into ('users' is the OTRS group, not an AD group)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

    # Agent authentication: only members of the OTRSAgents AD group may log in
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'yoda.domain.com';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=DOMAIN, dc=COM';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRSAgents,DC=DOMAIN,DC=COM';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'ldapbind@DOMAIN.COM';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxx';
If you plop this in and change the hostname and the DC settings and of course your ldapbind account, then place a user in the OTRSAgents group-- you'll be golden.

Now if I can get user mapping working.... (shouldn't it be similar?)
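The two decisions that the posts above turn on, the AD AlwaysFilter that stops computer accounts, groups and disabled users from appearing as customers, and the GroupDN/AccessAttr/UserAttr check that stops every AD user from becoming an agent, can be modelled offline. The following is an added example, not OTRS code: it re-implements both decisions over a small constructed in-memory directory. The password bind is not modelled, the entries and DNs are invented, and the group check is approximated as a case-insensitive DN comparison (the real module asks the directory server, which matches DN-syntax attributes case-insensitively).

```python
"""Model of the two OTRS LDAP decisions discussed above (added example, not OTRS code)."""
from dataclasses import dataclass

# userAccountControl bit tested by the AD bitwise-AND rule 1.2.840.113556.1.4.803
ACCOUNTDISABLE = 0x0002

# Group DN from the post; DOMAIN/COM are placeholders
GROUP_DN = "CN=OTRSAgents,DC=DOMAIN,DC=COM"


@dataclass
class Entry:
    dn: str
    attrs: dict  # attribute name (lower-case) -> list of string values


def _vals(entry, name):
    return entry.attrs.get(name.lower(), [])


# Constructed directory standing in for what a search under dc=domain,dc=com returns.
DIRECTORY = [
    Entry("CN=Alice,OU=Staff,DC=DOMAIN,DC=COM",
          {"objectclass": ["top", "person", "user"], "samaccountname": ["alice"],
           "useraccountcontrol": ["512"]}),                     # enabled, in OTRSAgents
    Entry("CN=Bob,OU=Staff,DC=DOMAIN,DC=COM",
          {"objectclass": ["top", "person", "user"], "samaccountname": ["bob"],
           "useraccountcontrol": ["514"]}),                     # 512 | ACCOUNTDISABLE
    Entry("CN=Carol,OU=Staff,DC=DOMAIN,DC=COM",
          {"objectclass": ["top", "person", "user"], "samaccountname": ["carol"],
           "useraccountcontrol": ["512"]}),                     # enabled, not an agent
    Entry("CN=WS01,OU=Computers,DC=DOMAIN,DC=COM",
          {"objectclass": ["top", "person", "user", "computer"],   # computers are users too
           "samaccountname": ["WS01$"], "useraccountcontrol": ["4096"]}),
    Entry("CN=OldProject,OU=Groups,DC=DOMAIN,DC=COM",
          {"objectclass": ["top", "group"], "samaccountname": ["OldProject"]}),
    Entry(GROUP_DN,
          {"objectclass": ["top", "group"], "samaccountname": ["OTRSAgents"],
           "member": ["cn=alice,ou=staff,dc=domain,dc=com"]}),  # DN case differs on purpose
]


def matches_always_filter(entry):
    """(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    classes = {c.lower() for c in _vals(entry, "objectClass")}
    if "user" not in classes or "computer" in classes:
        return False
    uac = int((_vals(entry, "userAccountControl") or ["0"])[0])
    return not (uac & ACCOUNTDISABLE)


def search_by_uid(directory, uid, always_filter=True):
    """What the UID => 'sAMAccountName' lookup returns for a login name."""
    hits = [e for e in directory
            if uid.lower() in (v.lower() for v in _vals(e, "sAMAccountName"))
            and (not always_filter or matches_always_filter(e))]
    return hits[0] if hits else None


def list_customers(directory, always_filter):
    """The customer search '(sAMAccountName=*)' with or without the AlwaysFilter."""
    return sorted(_vals(e, "sAMAccountName")[0] for e in directory
                  if _vals(e, "sAMAccountName")
                  and (not always_filter or matches_always_filter(e)))


def in_group(directory, entry, group_dn, access_attr="member", user_attr="DN"):
    """GroupDN / AccessAttr / UserAttr check; DNs compare case-insensitively."""
    group = next((g for g in directory if g.dn.lower() == group_dn.lower()), None)
    if group is None:
        return False
    if user_attr.upper() == "DN":
        mine = entry.dn.lower()
    else:  # UserAttr => 'UID', e.g. with AccessAttr => 'memberUid' on an OpenLDAP posixGroup
        mine = _vals(entry, "sAMAccountName")[0].lower()
    return mine in (v.lower() for v in _vals(group, access_attr))


def agent_login_allowed(directory, uid, group_dn=GROUP_DN):
    """Auth::LDAP with GroupDN set: the user must exist and be a member of the group."""
    entry = search_by_uid(directory, uid, always_filter=False)
    return entry is not None and in_group(directory, entry, group_dn)


if __name__ == "__main__":
    print("customers, no filter:", list_customers(DIRECTORY, False))
    print("customers, AD filter:", list_customers(DIRECTORY, True))
    for name in ("alice", "bob", "carol"):
        print(f"agent login {name}: {agent_login_allowed(DIRECTORY, name)}")
```

Run it and the unfiltered customer list contains the computer account, the stale group and the disabled user, which is exactly the "groups we haven't used in ages" symptom; with the AD filter only alice and carol remain. For agents, carol is a perfectly valid AD user but is refused because she is not in OTRSAgents, whereas the first configuration in this thread (no GroupDN) would have let her in.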
Justin
Znuny newbie
Posts: 7
Joined: 24 Apr 2012, 15:12
Znuny Version: 3.0.10
Real Name: Justin
Company: IBS

Re: OTRS - LDAP integration

Post by Justin »

Thanks a ton for sharing your config.
Really helpful.. :o
Sayannara
Znuny advanced
Posts: 118
Joined: 22 May 2012, 12:37
Znuny Version: OTRS 7.06
Real Name: Yann
Company: FVE

Re: OTRS - LDAP integration

Post by Sayannara »

I see users, but not all of them...
I had the same problem.

After editing this line to AlwaysFilter => '(objectclass=user)', all the users appeared, even some which are not users -_-
Centos 7 / OTRS::ITSM 6 Business Solutions / MariaDB / Apache
dhanesh
Znuny newbie
Posts: 1
Joined: 18 Jan 2013, 20:07
Znuny Version: three
Real Name: dhanesh
Company: wipro

Re: OTRS - LDAP integration

Post by dhanesh »

Hi,

I am new to the OTRS tool. I have configured OTRS + Nagios on SUSE Linux.

I have all my users in AD.

I want to sync my AD users with otrs.

Can anyone guide me on this.

Thanks and Regards
Dhanesh