LDAP Configuration / Multiple trees ?

conz
Znuny newbie
Posts: 3
Joined: 11 Jul 2012, 13:49
Znuny Version: 3.1.7

LDAP Configuration / Multiple trees ?

Post by conz »

I'm trying to set up a fresh OTRS installation to handle support tickets for various things (not always IT related) but I need to get LDAP going.
I have a single Novell eDirectory which holds multiple top level organisations that hold users that need to authenticate to OTRS with their network credentials.
I found a few examples on what the ldap configuration needs to look like but all of them fail to mention where to put it :-)

Because of this I have a few questions:

- Most importantly, where do you put the ldap config?
- Can you have multiple search bases for 1 ldap connection ?
- Can you have multiple ldap connections ?
- Can you still have people with certain group membership automatically assigned to a certain group or role when you use ldap for normal user authentication ?

With Novell you are missing the DC= path that AD has, which makes specifying the root of the tree usually impossible, and thus I tend to have to make multiple O= connections for most things that use ldap around here.
Not really sure why ldap is not built in by default; anything over 10 users seems to make things a bit maintenance intensive, especially if you have a lot of people leaving and coming too.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: LDAP Configuration / Multiple trees ?

Post by crythias »

conz wrote: where do you put the ldap config
Config.pm
Read Defaults.pm but copy to Config.pm
conz wrote: Can you have multiple search bases for 1 ldap connection ?
Yes, either by multiple backends or "(&(" ldap search
conz wrote: Can you still have people with certain group membership automatically assigned to a certain group or role when you use ldap for normal user authentication ?
Agents, yes, but customers, not really. (At least, as far as I've been able to determine).
conz wrote: Not really sure why ldap is not build in by default, anything over 10 users seems to make things a bit maintenance intensive especially if you have a lot of people leaving and coming too.
You're basing your experience on an internal ticketing system for a campus or other large organization. Many OTRS implementations are basing requests on established clients that won't change en masse, with one or a few representative ticket submitters.
Still others are using it for individuals who need support on a product. No Active Directory needed there.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
conz
Znuny newbie
Posts: 3
Joined: 11 Jul 2012, 13:49
Znuny Version: 3.1.7

Re: LDAP Configuration / Multiple trees ?

Post by conz »

Thanks, I'll go see if I can figure this out.

I am indeed trying to set this up as an internal ticketing system where everyone can submit their own tickets that get routed depending on what they are having problems with.
I guess I am just spoiled by already having a lot of ldap integrated services :-)
conz
Znuny newbie
Posts: 3
Joined: 11 Jul 2012, 13:49
Znuny Version: 3.1.7

Re: LDAP Configuration / Multiple trees ?

Post by conz »

After a lot of tinkering I have the following which *almost* works:


$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '1.2.3.4';
$Self->{'AuthModule::LDAP::BaseDN'} = 'o=org1';
$Self->{'AuthModule::LDAP::UID'} = 'uid';

$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agent,o=groups';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';

$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=admin,o=servers';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxxxxx';

$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
    SSCOPE => 'sub',
};

### org2 ###
$Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host2'} = '1.2.3.4';
$Self->{'AuthModule::LDAP::BaseDN2'} = 'o=org2';
$Self->{'AuthModule::LDAP::UID2'} = 'uid';
$Self->{'AuthModule::LDAP::GroupDN2'} = 'cn=OTRS_Agent,o=groups';
$Self->{'AuthModule::LDAP::AccessAttr2'} = 'member';

$Self->{'AuthModule::LDAP::SearchUserDN2'} = 'cn=admin,o=servers';
$Self->{'AuthModule::LDAP::SearchUserPw2'} = 'xxxxxxxxxxx';

$Self->{'AuthModule::LDAP::Params2'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
    SSCOPE => 'sub',
};


# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://1.2.3.4/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'o=org1';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=admin,o=servers';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxxxxxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

$Self->{'AuthSyncModule2'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host2'} = 'ldap://1.2.3.4/';
$Self->{'AuthSyncModule::LDAP::BaseDN2'} = 'o=org2';
$Self->{'AuthSyncModule::LDAP::UID2'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN2'} = 'cn=admin,o=servers';
$Self->{'AuthSyncModule::LDAP::SearchUserPw2'} = 'xxxxxxxxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap2'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups2'} = [
    'users',
];

$Self->{'AuthModule3'} = 'Kernel::System::Auth::DB';

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = '1.2.3.4';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'o=org1';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=admin,o=servers';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'xxxxxxxxxxx';

$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
    SSCOPE => 'sub',
};
The agent login works now, when someone is a member of the group they are allowed to log in.
Is it possible to merge the 2 agent backends somehow?

The customer login is not working however, it is giving me the 'Panic, user authenticated but no user data can be found in OTRS DB!! Perhaps the user is invalid.' error which would mean there should be an authsyncmodule for customers as well but I can not find any reference for that.

After this works I can start securing things a little like not using our admin user for ldap authentication.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: LDAP Configuration / Multiple trees ?

Post by crythias »

(I may have missed the AuthSync for index 3 ...?)
conz wrote: The agent login works now, when someone is a member of the group they are allowed to log in.
Is it possible to merge the 2 agent backends somehow ?
Is it the same LDAP Server? Use a more inclusive baseDN and search filter on the organizations. It may be that you can get away with a "" as a baseDN if your orgs are not members of the same forest. (If not, no, but if it works currently, why bother changing it?)
http://technet.microsoft.com/en-us/libr ... G.65).aspx
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(&(objectclass=user)(|(o=org1)(o=org2)))';
conz wrote: The customer login is not working however, it is giving me the 'Panic, user authenticated but no user data can be found in OTRS DB!! Perhaps the user is invalid.' error which would mean there should be an authsyncmodule for customers as well but I can not find any reference for that.
No, you just need the CustomerUser entries that don't point to a DB.
http://wiki.otterhub.org/index.php?titl ... _customers
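The AlwaysFilter approach above (one backend, one inclusive baseDN, a filter that ORs the organisations together) is easy to get wrong by hand: the filter as originally typed in this thread was one closing parenthesis short, and an LDAP server will reject or mis-parse such a filter rather than silently do the right thing. The helper below is an added example, not code from the thread or from OTRS/Znuny; it builds the organisation filter from a list, escapes each value per RFC 4515 so a value containing parentheses or a wildcard cannot change the filter's structure, and checks that the result is balanced. The organisation names and the `objectclass=user` attribute are taken from the thread as sample values; `o` and `objectclass` as attribute names are assumptions for this illustration.

```python
"""Build and sanity-check an LDAP AlwaysFilter that spans several organisations.

Added example: not part of the original forum post or of OTRS/Znuny.
Assumes the organisation attribute is 'o' and the class attribute is
'objectclass', as in the thread; adjust for your directory schema.
"""

# Filter exactly as it appeared in the thread (constructed sample input):
# note the missing final ')' - this is the defect the checker catches.
FILTER_AS_POSTED = "(&(objectclass=user)(|(o=org1)(o=org2))"


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    '*', '(', ')', '\\' and NUL are replaced by '\\xx' hex escapes so that a
    value can never open, close or wildcard a filter component.
    """
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def build_org_filter(orgs, object_class="user", org_attr="o"):
    """Return '(&(objectclass=<class>)(|(o=org1)(o=org2)...))' for the given orgs.

    With a single organisation the '(|...)' wrapper is omitted, since an OR
    over one term is just that term.
    """
    if not orgs:
        raise ValueError("at least one organisation is required")
    clauses = "".join("(%s=%s)" % (org_attr, ldap_escape(o)) for o in orgs)
    union = clauses if len(orgs) == 1 else "(|%s)" % clauses
    return "(&(objectclass=%s)%s)" % (ldap_escape(object_class), union)


def filter_is_balanced(filter_str: str) -> bool:
    """True if every '(' has a matching ')' and the filter is a single group.

    Escape sequences ('\\xx') are skipped so escaped parentheses do not count.
    """
    if not filter_str.startswith("(") or not filter_str.endswith(")"):
        return False
    depth = 0
    i = 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":
            i += 3  # skip the two hex digits of an RFC 4515 escape
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False  # a ')' before its matching '('
            if depth == 0 and i != len(filter_str) - 1:
                return False  # outer group closed before the end
        i += 1
    return depth == 0


def safe_org_filter(orgs, **kwargs):
    """Build the filter and refuse to return one that is not well-formed."""
    result = build_org_filter(orgs, **kwargs)
    if not filter_is_balanced(result):
        raise ValueError("generated filter is not balanced: %r" % result)
    return result


if __name__ == "__main__":
    print("as posted :", FILTER_AS_POSTED, "->", filter_is_balanced(FILTER_AS_POSTED))
    print("generated :", safe_org_filter(["org1", "org2"]))
    # A hostile organisation name cannot widen the filter to every user:
    print("escaped   :", safe_org_filter(["org1)(o=*"]))
```

The value of the checker is the `FILTER_AS_POSTED` case: it reports the hand-typed filter as unbalanced, which is exactly the kind of error that shows up later as an unexplained login failure rather than a clear error in Config.pm. The escaping step matters whenever any part of a filter is assembled from data rather than typed as a literal, which is the case for the login name OTRS substitutes into its own search.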