[SOLVED] Active Directory Login with UPN user principal name

[aph]

Hello Everyone,

I would like to know, whether it is possible to login into OTRS using UPN (userPrincipalName)?

The OTRS HelpDesk Documentation mentions only a uid http://otrs.github.io/doc/manual/admin/ ... h-backends

Code: Select all

# This is an example configuration for an LDAP auth. backend.
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap.example.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'uid';

Code: Select all

# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldap.example.com/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=otrs, dc=org';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=sys, ou=user, dc=otrs, dc=org';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'some_pass';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

Can this 'uid' be userPrincipalName (not only sAMAccountName) . The reference in Wiki mentions only sAMAccountName http://wiki.otterhub.org/index.php?titl ... for_agents

Code: Select all

# This is an example configuration for using an MS AD backend
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'servername.companyname.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=companyname,dc=local';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

Code: Select all

# Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'servername.companyname.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=companyname, dc=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=OTRS Searcher,ou=OTRS LDAP Searcher,dc=companyname,dc=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'searcherpassword';
 
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

Thanks a lot for your answers

[jojo]

sure you can

[aph]

Are the relevant lines then:

Code: Select all

$Self->{'AuthModule::LDAP::UID'} = 'userPrincipalName';

and

Code: Select all

$Self->{'AuthSyncModule::LDAP::UID'} = 'userPrincipalName';

or do I need to make some other changes? How do I deal with multiple UPN suffixes in the AD?

Thanks a lot

[crythias]

;) Try it. the worst that can happen is it doesn't work, then you can ask another question. It won't destroy data if you ask for the wrong login.

[aph]

opened a new thread since not entirely related here. viewtopic.php?f=62&t=25651