I was able to successfully setup agent authentication via my LDAP backend; however, I also want to configure the same LDAP backend to generate customer accounts and authenticate customers, and furthermore, I don't want customers to be created as agents, which currently seems to be the case.
To clarify, I have had a number of IT staff login with their AD credentials, and they were able to login fine. OTRS HelpDesk created agent accounts for them. All is well so far, but what I don't want is our end-users to login and become agents, rather I want them to be customers. Here is what I have, so far, in my Config.pm file:
Code: Select all
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'primaryDC';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=ourdomain,dc=com';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS LDAP,OU=Operational Accounts,DC=ourdomain,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = '*************';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
# --------------------------------------------------- #
# authentication sync settings #
# (enable agent data sync. after succsessful #
# authentication) #
# --------------------------------------------------- #
# This is an example configuration for an LDAP auth sync. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'primaryDC';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=ourdomain,dc=com';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS LDAP,OU=Operational Accounts,DC=ourdomain,DC=com';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = '*************';
# AuthSyncModule::LDAP::UserSyncMap
# (map if agent should create/synced from LDAP to DB after successful login)
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthSyncModule::LDAP::Params1'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
Here is what I know I can add to the Configuration.pm file for Customer authentication against the LDAP backend:
Code: Select all
# This is an example configuration for an LDAP auth. backend.
# (make sure Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'primaryDC';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=ourdomain,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS LDAP,OU=Operational Accounts,DC=ourdomain,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '*************';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
Code: Select all
###AGENT###
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';
###CUSTOMER###
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
#$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each customer login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';
Further more our structure for Users looks like this in AD:
OurDomain_Users
|
|_> Utah Office
|
|_> South Carolina Office
and so on, with our users and our agents scatterd between these location-based OUs. I'm hoping I can filter on one or more distribution/security groups in AD, and I need assistance doing so (for example, all agents are members of Domain Admins while customers/users are members of a different DL, or simply not members of Domain Admins).
Any help you can provide would be greatly appreciated! Hopefully I've provided adequate information, but please let me know if I can provide more.