LDAP/AD with Single Sign On

janikotto
Znuny newbie
Posts: 10
Joined: 03 Jul 2013, 14:26
Znuny Version: 3.2.8

LDAP/AD with Single Sign On

Post by janikotto »

Hello Community!

I've already posted in the German subforum, but maybe there are some more people in here who might be able to help with my problem. The original thread can be found here.

We want to integrate a ticket system for our internal support, and OTRS seemed to be the best option. So we downloaded version 3.2.8 with ITSM and installed it on a Windows 2012 Server. It runs smoothly and seems to work. Our "customers" are in an OU called "Benutzer" (in English "users", but not the standard "Users" AD group!). All users who are members of the group "OTRS-Customers" should be able to log in, but not the others.

That's how we sync the "customers":

$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
       Host => 'dc.firma.local',
       BaseDN => 'OU=Benutzer, DC=firma, DC=local',
       SSCOPE => 'sub',
       UserDN => 'CN=OTRS_Searcher,OU=Spezial,DC=firma,DC=local',
       UserPw => 'somepass',
       AlwaysFilter =>  '(objectClass=user)',
       SourceCharset => 'utf-8',
       DestCharset   => 'utf-8',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
       [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
       [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
       [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
       [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
       [ 'UserCustomerID', 'CustomerID', 'sAMAccountName', 0, 1, 'var' ],
       [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
    ],
};
Logging in via LDAP works fine, too, when using the following code (but without SSO):

    #$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    #$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc.firma.local';
    #$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'OU=Benutzer, DC=firma, DC=local';
    #$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    #$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRS-Customers,OU=OTRS,OU=Berechtigungen,DC=firma,DC=local';
    #$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
    #$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
    #$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS AD Searcher,OU=Spezial,OU=Benutzer,DC=firma,DC=local';
    #$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'somepass';
If I understood correctly, SSO can just be enabled using

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
But when I insert this line the LDAP part is being ignored and any synced user can log in. So I tried cutting down the synced users by changing the "AlwaysFilter" from

AlwaysFilter =>  '(objectClass=user)',
to

AlwaysFilter =>  '(&(objectClass=user)(memberof=CN=OTRS-Customers,OU=OTRS,OU=Berechtigungen,DC=firma,DC=local))',
At first it seemed to work: only users who are members of the group "OTRS-Customers" were synced. BUT if I add a group to the "OTRS-Customers" group (i.e. the group "Einkauf", whose users should be added as customers, too), its users are not recognized. (If I remove "(objectClass=user)", the group "Einkauf" is listed in the OTRS customers view.)
Keyword "nested groups", but I was still not able to find a solution.

I even found a package called "Connect AD", which seems to solve the problem, but it's not available for the 3.2.* versions of OTRS.

Now I'd like to know how to solve this problem, or if anybody has already solved it. Maybe there's some simple thing I forgot or something...
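The nested-group problem described above, as an added example that is not code from the thread or from OTRS: a small Python simulation of how the directory server evaluates the flat memberof filter versus Active Directory's transitive matching rule (OID 1.2.840.113556.1.4.1941, LDAP_MATCHING_RULE_IN_CHAIN, which the thread does not mention). The directory snapshot and the Einkauf DN are constructed, and it assumes OTRS hands AlwaysFilter to the server unchanged.

```python
# Added example, not from the thread: simulates how AD evaluates the two
# AlwaysFilter variants. Assumptions: the directory snapshot and the Einkauf DN
# are constructed; OTRS passes AlwaysFilter to the server unchanged; the OID
# 1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN (transitive match).
OTRS_CUSTOMERS = "CN=OTRS-Customers,OU=OTRS,OU=Berechtigungen,DC=firma,DC=local"
EINKAUF = "CN=Einkauf,OU=OTRS,OU=Berechtigungen,DC=firma,DC=local"  # constructed DN
IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed snapshot: dn -> (objectClass values, direct memberOf values).
# Einkauf is a group nested in OTRS-Customers; Bernd is only a member of Einkauf.
DIRECTORY = {
    "CN=Anna,OU=Benutzer,DC=firma,DC=local": ({"user"}, {OTRS_CUSTOMERS}),
    "CN=Bernd,OU=Benutzer,DC=firma,DC=local": ({"user"}, {EINKAUF}),
    "CN=Carla,OU=Benutzer,DC=firma,DC=local": ({"user"}, set()),
    EINKAUF: ({"group"}, {OTRS_CUSTOMERS}),
}

def always_filter(transitive):
    """The AlwaysFilter string OTRS would send; transitive uses the in-chain rule."""
    attr = f"memberOf:{IN_CHAIN}:" if transitive else "memberof"
    return f"(&(objectClass=user)({attr}={OTRS_CUSTOMERS}))"

def transitive_groups(dn, seen=None):
    """Follow memberOf upward through nested groups, as the in-chain rule does."""
    seen = set() if seen is None else seen
    for group in DIRECTORY.get(dn, (set(), set()))[1]:
        if group not in seen:
            seen.add(group)
            transitive_groups(group, seen)
    return seen

def matches(dn, transitive, require_user=True):
    """Evaluate one entry; require_user=False drops the (objectClass=user) term."""
    classes, direct = DIRECTORY[dn]
    if require_user and "user" not in classes:
        return False
    groups = transitive_groups(dn) if transitive else direct
    return OTRS_CUSTOMERS in groups

def synced_customers(transitive=False, require_user=True):
    """Entries the customer sync would list under the given filter variant."""
    return sorted(dn for dn in DIRECTORY if matches(dn, transitive, require_user))

if __name__ == "__main__":
    for transitive in (False, True):
        print(always_filter(transitive))
        for dn in synced_customers(transitive):
            print("  ", dn)
```

A flat memberof filter matches direct members only, so the customer-side filter can list nested members only if the server resolves the chain for it. The (objectClass=user) term is what keeps the Einkauf group object itself out of the customer list, which matches the behaviour observed when it was removed.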
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: LDAP/AD with Single Sign On

Post by crythias »

Groups of groups are not handled within the OTRS base.

While the code you mentioned isn't explicitly for 3.2, you should look at the code and determine that it probably isn't that hard to configure for 3.2.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.