Limit customers to specific Active Directory group members

Moderator: crythias

Rubidze
Znuny newbie
Posts: 4
Joined: 25 Apr 2012, 09:02
Znuny Version: 3.1.4

Limit customers to specific Active Directory group members

Post by Rubidze »

Hi!
I’m having problems filtering Active Directory users. The problem I have is similar to the ones discussed here and here. I have read these posts and others, but still can’t get it to work.
I have the following Config.pm:


$Self->{CustomerUser} = {
    Name   => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host         => 'AD.mydomain.com',
        BaseDN       => 'DC=mydomain,DC=com',
        SSCOPE       => 'sub',
        UserDN       => 'CN=otrs,OU=Services,DC=mydomain,DC=com',
        UserPw       => 'password',
        AlwaysFilter => '(objectclass=user)',
        GroupDN      => 'CN=_OTRSUSER,OU=Groups,OU=myou,DC=mydomain,DC=com',
    },
    CustomerKey                        => 'sAMAccountName',
    CustomerID                         => 'mail',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix           => '',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        [ 'UserTitle',       'Title',       'title',               1, 0, 'var', '', 0 ],
        [ 'UserFirstname',   'Firstname',   'givenname',           1, 1, 'var', '', 0 ],
        [ 'UserLastname',    'Lastname',    'sn',                  1, 1, 'var', '', 0 ],
        [ 'UserLogin',       'Username',    'sAMAccountName',      1, 1, 'var', '', 0 ],
        [ 'UserEmail',       'Email',       'mail',                1, 1, 'var', '', 0 ],
        [ 'UserCustomerID',  'CustomerID',  'mail',                0, 1, 'var', '', 0 ],
        [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
        [ 'UserPhone',       'Phone',       'telephonenumber',     1, 0, 'var', '', 0 ],
        [ 'UserAddress',     'Address',     'postaladdress',       1, 0, 'var', '', 0 ],
        [ 'UserComment',     'Comment',     'description',         1, 0, 'var', '', 0 ],
    ],
};
It seems that AlwaysFilter => '(objectclass=user)' filters out groups and computer accounts, which is almost good, but I still have lots of test accounts and service accounts which are kind of annoying when adding phone tickets. I’m trying to get only users that belong to the Active Directory group _OTRSUSER by adding this: GroupDN => 'CN=_OTRSUSER,OU=Groups,OU=myou,DC=mydomain,DC=com', but unfortunately then I get nobody in my customer list.
I have these errors in my OTRS log:
[Mon May 14 10:53:41 2012][Error][Kernel::System::CustomerUser::LDAP::CustomerSearch][363] Sizelimit exceeded

Any help is appreciated!
Rubidze
Znuny newbie
Posts: 4
Joined: 25 Apr 2012, 09:02
Znuny Version: 3.1.4

Re: Limit customers to specific Active Directory group membe

Post by Rubidze »

Anybody?
NTSOLO
Znuny newbie
Posts: 11
Joined: 18 May 2012, 22:54
Znuny Version: 3.1.5

Re: Limit customers to specific Active Directory group membe

Post by NTSOLO »

Hi, like you I was stuck with similar problems. In my case I couldn't get the following to work at all:

$Self->{CustomerUser} = {
    Name   => 'the freaking domain woo woo',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host    => '1.1.1.1',
        port    => 389,
        # port  => 3268,
        timeout => 120,
        async   => 0,
        version => 3,
        BaseDN  => 'dc=domain, dc=local',
        SSCOPE  => 'sub',
        UserDN  => 'cn=OTRS,ou=OTRS,dc=domain,dc=local',
        UserPw  => '4k!)kdD,bEuY3i2o1p',
        AlwaysFilter => '(objectclass=user)',
        GroupDN      => 'CN=OTRS-Customers,OU=OTRS,DC=domain,DC=local',
        # AccessAttr => 'member',
        # UserAttr   => 'DN',
        # ReadOnly   => '1',
        # sizelimit  => '0',
    },

I would get search limit exceeded errors regardless of what I did, and no user results either. If I disabled the GroupDN then I'd get the entire domain due to my BaseDN. I don't even know if GroupDN is an acceptable parameter ....

The only thing I found that does work was using this as a filter:
(&(objectclass=user) (memberOf=CN=OTRS-Customers,OU=OTRS,DC=domain,DC=local) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Filter by users, members of the group X, and filter out disabled users.

..... That worked.
Rubidze
Znuny newbie
Posts: 4
Joined: 25 Apr 2012, 09:02
Znuny Version: 3.1.4

Re: Limit customers to specific Active Directory group membe

Post by Rubidze »

Hi NTSOLO!
Thanks a lot! Your solution worked for me too. Filter was something that I was looking for, but didn’t know how to filter by group membership in AD.
I noticed that this filter approach does not work with nested AD groups, but still a lot better than nothing.
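As an added example (not part of this thread and not OTRS code), the following Python builds the filter NTSOLO posted with RFC 4515 escaping of the group DN, adds the matching-rule-in-chain variant that covers the nested-group gap Rubidze noticed, and checks both against constructed sample entries; the Entry class, the DIRECTORY data and the DNs are assumptions made up for the example.

```python
# Added example, not from the thread: build the AD customer filter posted above
# (with RFC 4515 escaping of the group DN) and mirror its semantics against
# constructed sample entries, so the group and disabled-account checks are testable.
from dataclasses import dataclass

ACCOUNTDISABLE = 0x2  # userAccountControl bit that the 1.4.803 rule tests
BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN: follows nested groups

def escape_filter_value(value: str) -> str:
    """Escape characters that are special inside an LDAP filter assertion (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def customer_filter(group_dn: str, nested: bool = False) -> str:
    """(&(objectClass=user)(memberOf=<group>)(!(disabled))) as posted in the thread;
    nested=True uses the in-chain rule so members of sub-groups also match."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return ("(&(objectClass=user)"
            f"({attr}={escape_filter_value(group_dn)})"
            f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))")

@dataclass
class Entry:
    """Constructed stand-in for an AD object: classes, direct memberOf values, UAC."""
    object_class: frozenset
    member_of: frozenset
    uac: int = 0x200  # NORMAL_ACCOUNT, enabled

def matches(entry: Entry, group_dn: str, directory: dict, nested: bool = False) -> bool:
    """Local mirror of what the filter selects; directory maps DN -> Entry so the
    nested variant can walk group-of-group membership the plain memberOf test misses."""
    if "user" not in entry.object_class or entry.uac & ACCOUNTDISABLE:
        return False
    seen, todo = set(), list(entry.member_of)
    while todo:
        dn = todo.pop()
        if dn == group_dn:
            return True
        if nested and dn not in seen and dn in directory:
            seen.add(dn)
            todo.extend(directory[dn].member_of)
    return False

# Constructed sample data: one sub-group nested in the customer group, three accounts.
GROUP = "CN=OTRS-Customers,OU=OTRS,DC=domain,DC=local"
SUBGROUP = "CN=Sales (EMEA),OU=OTRS,DC=domain,DC=local"  # parentheses need escaping
DIRECTORY = {
    SUBGROUP: Entry(frozenset({"group"}), frozenset({GROUP})),
    "alice": Entry(frozenset({"user"}), frozenset({GROUP})),
    "bob":   Entry(frozenset({"user"}), frozenset({GROUP}), uac=0x202),  # disabled
    "carol": Entry(frozenset({"user"}), frozenset({SUBGROUP})),          # nested only
}
```

The in-chain rule is evaluated server-side by AD and is noticeably more expensive than a plain memberOf match, so it is worth keeping the BaseDN as narrow as the user population allows.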