login with email account using AD [SOLVED]

rvaldomir
Znuny expert
Posts: 155
Joined: 04 Aug 2014, 23:59
Znuny Version: 3.3.8
Real Name: Roberto A. Valdomir

login with email account using AD [SOLVED]

Post by rvaldomir »

Hi,

Actually, I have the following configuration to sync and authenticate users with our AD, but I want to use the "email" as the login. How do I do that?

I tried to replace
Login => 'uid',
by
Login => 'mail',
without luck.


#################################################################
#             Configuration for Active Directory                #
#################################################################

#Begin of Agent AD conf

# This is a configuration for using an MS AD backend
    $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = 'UYDC01.domain.com';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'OU=AMS,OU=Departments,DC=domain,DC=com';
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';

# User with permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'cn=otrs,OU=Service accounts,OU=AMS,DC=domain,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'somepass';

# This is a configuration for an LDAP auth sync. backend with AD
    $Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'UYDC01.domain.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'OU=AMS,OU=Departments,DC=domain,DC=com';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';

# User with permission to read from the LDAP tree
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'cn=otrs,OU=Service accounts,OU=AMS,DC=domain,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'somepass';

# Map if agent should create/synced from LDAP to DB after successful login
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
           # DB -> LDAP
           UserFirstname => 'givenName',
           UserLastname  => 'sn',
           UserEmail     => 'mail',
           Firstname => 'givenName',
           UserTitle => 'description',
           UserPhone => 'userAccountControl',
           Email => 'mail',
           Login => 'uid',
           #Login => 'mail',
    };

# This is to sync existing AD groups with OTRS Roles so permissions are assigned automatically
    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition1'} = {
           'CN=Technician,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'Technician' => 1,
           },
           'CN=TAM,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'TAM' => 1,
           },
           'CN=SD,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'SD' => 1,
           },
           'CN=SDO,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'SDO' => 1,
           },
           'CN=Customer Care,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'Customer Care' => 1,
           },
           'CN=Compliance Team,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'Compliance Team' => 1,
           },
           'CN=Team Leader,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'TL' => 1,
           },
    };

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthSyncModule::LDAP::Params1'} = {
           port    => 389,
           timeout => 120,
           async   => 0,
           version => 3,
    };

#End of Agent AD conf

#Begin of Customer AD conf

#Enable LDAP authentication for Customers / Users
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'UYDC01.domain.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'OU=Clients,OU=AMS,DC=domain,DC=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,OU=Service accounts,OU=AMS,DC=domain,DC=com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'somepassword';

    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
       Module => 'Kernel::System::CustomerUser::LDAP',
       Name => 'domain AD',
       Params => {
          Host => 'UYDC01.domain.com',
          BaseDN => 'OU=Clients,OU=AMS,DC=domain,DC=com',
          SSCOPE => 'sub',
          AlwaysFilter => '(objectclass=user)',
          UserDN =>'cn=otrs,OU=Service accounts,OU=AMS,DC=domain,DC=com',
          UserPw => 'somepass',
       },

       # customer unique id
       CustomerKey => 'sAMAccountName',
       # customer #
       CustomerID => 'company',
       CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
       CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
       CustomerUserSearchPrefix => '',
       CustomerUserSearchSuffix => '*',
       CustomerUserSearchListLimit => 250,
       CustomerUserPostMasterSearchFields => ['mail'],
       CustomerUserNameFields => ['givenname', 'sn'],
       Map => [
          # note: Login, Email and CustomerID needed!
          # var, frontend, storage, shown, required, storage-type
          #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
          [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
          [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
          [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
          [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
          [ 'UserCustomerID', 'CustomerID', 'company', 0, 1, 'var' ],
          [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#OBI AD password for customer users sync
          [ 'OBIPassword', 'OBIPassword', 'protocolSettings', 1, 0, 'var' ],
          #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
          #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
       ],
    };

#End of Customer AD conf

#################################################################
#             Configuration for Active Directory                #
#################################################################
Last edited by rvaldomir on 04 Jul 2015, 15:10, edited 1 time in total.
Roberto A. Valdomir
Mobile: (+598) 93 868 147 | Skype: roberto.a.valdomir
@roberto.valdomir | re.vu/robertovaldomir

----------------------------------------------------------------------------------------
OTRS 3.3.8 | RHEL 6 x64 | Oracle 11g | Custom Development by OTRS365
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: login with email account using AD

Post by crythias »

Who? Customers or Agents?
viewtopic.php?t=16543
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
rvaldomir
Znuny expert
Posts: 155
Joined: 04 Aug 2014, 23:59
Znuny Version: 3.3.8
Real Name: Roberto A. Valdomir

Re: login with email account using AD

Post by rvaldomir »

Both.
rvaldomir
Znuny expert
Posts: 155
Joined: 04 Aug 2014, 23:59
Znuny Version: 3.3.8
Real Name: Roberto A. Valdomir

Re: login with email account using AD

Post by rvaldomir »

I have already viewed the topic you quote. Everything is working, but with the user name, not the email.

Any help? The suffix didn't work.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: login with email account using AD

Post by crythias »

I don't know what errors you're experiencing.

I can only guess what will "not not work" based upon what you've provided, and I can't guarantee that the following will be free of errors, as I hand modified this in place.


#################################################################
#             Configuration for Active Directory                #
#################################################################

#Begin of Agent AD conf

# This is a configuration for using an MS AD backend
    $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = 'UYDC01.domain.com';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'OU=AMS,OU=Departments,DC=domain,DC=com';
    $Self->{'AuthModule::LDAP::UID1'} = 'mail';

#AccessAttr is only really used with GroupDN and UserAttr: Given a GroupDN, look for field called "AccessAttr's value" and see if "UserAttr's Keyvalue of the current user" matches within GroupDN. (Example: GroupDN="Sales", AccessAttr="member", UserAttr="DN". Is member=[DN of current user] part of "Sales"?)
    $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
# User with permission to read from the LDAP tree
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'cn=otrs,OU=Service accounts,OU=AMS,DC=domain,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'somepass';

# This is a configuration for an LDAP auth sync. backend with AD
    $Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'UYDC01.domain.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'OU=AMS,OU=Departments,DC=domain,DC=com';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'mail';

#AccessAttr see above
    $Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';

# User with permission to read from the LDAP tree
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'cn=otrs,OU=Service accounts,OU=AMS,DC=domain,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'somepass';

# Map if agent should create/synced from LDAP to DB after successful login
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
           # DB -> LDAP
           UserFirstname => 'givenName',
           UserLastname  => 'sn',
           UserEmail     => 'mail',
           Firstname => 'givenName',
           UserTitle => 'description',
           UserPhone => 'userAccountControl',
           Email => 'mail',
           #Login => 'uid',
           Login => 'mail',
    };

# This is to sync existing AD groups with OTRS Roles so permissions are assigned automatically
    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition1'} = {
           'CN=Technician,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'Technician' => 1,
           },
           'CN=TAM,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'TAM' => 1,
           },
           'CN=SD,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'SD' => 1,
           },
           'CN=SDO,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'SDO' => 1,
           },
           'CN=Customer Care,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'Customer Care' => 1,
           },
           'CN=Compliance Team,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'Compliance Team' => 1,
           },
           'CN=Team Leader,OU=AMS,DC=domain,DC=com' => {
                # OTRS role
                'TL' => 1,
           },
    };

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthSyncModule::LDAP::Params1'} = {
           port    => 389,
           timeout => 120,
           async   => 0,
           version => 3,
    };

#End of Agent AD conf

#Begin of Customer AD conf

#Enable LDAP authentication for Customers / Users
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'UYDC01.domain.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'OU=Clients,OU=AMS,DC=domain,DC=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'mail';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,OU=Service accounts,OU=AMS,DC=domain,DC=com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'somepassword';

    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
       Module => 'Kernel::System::CustomerUser::LDAP',
       Name => 'domain AD',
       Params => {
          Host => 'UYDC01.domain.com',
          BaseDN => 'OU=Clients,OU=AMS,DC=domain,DC=com',
          SSCOPE => 'sub',
          AlwaysFilter => '(objectclass=user)',
          UserDN =>'cn=otrs,OU=Service accounts,OU=AMS,DC=domain,DC=com',
          UserPw => 'somepass',
       },

       # customer unique id
       CustomerKey => 'mail',
       # customer #
       CustomerID => 'company',
       #Note that you can search for fields that you don't List. 
       CustomerUserListFields => ['givenname', 'sn', 'mail'],
       CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
       CustomerUserSearchPrefix => '',
       CustomerUserSearchSuffix => '*',
       CustomerUserSearchListLimit => 250,
       CustomerUserPostMasterSearchFields => ['mail'],
       CustomerUserNameFields => ['givenname', 'sn'],
       Map => [
          # note: Login, Email and CustomerID needed!
          # var, frontend, storage, shown, required, storage-type
          #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
          [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
          [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
          [ 'UserLogin', 'Login', 'mail', 1, 1, 'var' ],
          [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
          [ 'UserCustomerID', 'CustomerID', 'company', 0, 1, 'var' ],
          [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#OBI AD password for customer users sync
          [ 'OBIPassword', 'OBIPassword', 'protocolSettings', 1, 0, 'var' ],
          #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
          #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
       ],
    };

#End of Customer AD conf

#################################################################
#             Configuration for Active Directory                #
#################################################################
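The config above changes the login attribute in six places at once (agent auth UID, agent sync UID, the sync map's Login key, customer auth UID, CustomerKey, and the UserLogin row of the customer Map), and the original poster's attempt failed because only one of them had been changed. The following checker is an added example, not code from this thread or from OTRS: it reads a Config.pm fragment in the single-quoted style shown here (an assumption about the quoting, not a Perl parser) and reports which of those settings still disagree with the intended attribute. It also runs two sanity checks over a constructed directory export standing in for a live AD, because moving the login from sAMAccountName to mail relies on a property the directory does not enforce for you: the mail value must be present on every account that should log in, and unique across them, or the login search cannot identify a single entry. Entry values and the config fragment are constructed sample data.

```python
import re
from collections import Counter

# Constructed Config.pm fragment in the shape used in this thread (placeholder
# values, not a real site). It deliberately leaves two of the six login-related
# settings on sAMAccountName, which is the mixed state that makes login fail.
SAMPLE_CONFIG = r"""
    $Self->{'AuthModule::LDAP::UID1'} = 'mail';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'mail';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
           UserEmail     => 'mail',
           #Login => 'mail',
           Login => 'sAMAccountName',
    };
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'mail';
    $Self->{CustomerUser} = {
       CustomerKey => 'sAMAccountName',
       Map => [
          [ 'UserLogin', 'Login', 'mail', 1, 1, 'var' ],
          [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
       ],
    };
"""

# Constructed directory export (what an LDAP search over the BaseDN would give
# back), standing in for a live AD: two accounts share one mailbox, one has none.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com"},
    {"sAMAccountName": "jdoe2", "mail": "JDoe@example.com"},   # same mailbox, different case
    {"sAMAccountName": "asmith", "mail": "asmith@example.com"},
    {"sAMAccountName": "svc-otrs"},                             # no mail attribute at all
]


def _scalar(config, key):
    """Value of $Self->{'key'} = '...'; assumes single-quoted scalars as in the thread."""
    m = re.search(r"\$Self->\{'" + re.escape(key) + r"'\}\s*=\s*'([^']*)'", config)
    return m.group(1) if m else None


def _hash_value(config, key):
    """Value of `key => '...'` inside a hash literal, skipping commented-out lines."""
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=>\s*'([^']*)'", s)
        if m and m.group(1) == key:
            return m.group(2)
    return None


def _map_storage(config, var):
    """Storage (LDAP) attribute of a CustomerUser Map row: [ var, frontend, storage, ... ]."""
    pat = r"^\s*\[\s*'" + re.escape(var) + r"'\s*,\s*'[^']*'\s*,\s*'([^']*)'"
    m = re.search(pat, config, re.M)
    return m.group(1) if m else None


def login_attributes(config):
    """The six settings that must agree on which LDAP attribute is the login."""
    return {
        "AuthModule::LDAP::UID1": _scalar(config, "AuthModule::LDAP::UID1"),
        "AuthSyncModule::LDAP::UID1": _scalar(config, "AuthSyncModule::LDAP::UID1"),
        "UserSyncMap1.Login": _hash_value(config, "Login"),
        "Customer::AuthModule::LDAP::UID": _scalar(config, "Customer::AuthModule::LDAP::UID"),
        "CustomerUser.CustomerKey": _hash_value(config, "CustomerKey"),
        "CustomerUser.Map.UserLogin": _map_storage(config, "UserLogin"),
    }


def inconsistent_settings(config, expected="mail"):
    """Settings still pointing at an attribute other than `expected`."""
    return sorted(k for k, v in login_attributes(config).items() if v != expected)


def ambiguous_logins(entries, attr):
    """Values of `attr` shared by more than one entry, compared case-insensitively
    the way LDAP matches mail; a login search on such a value returns several accounts."""
    counts = Counter(e[attr].lower() for e in entries if e.get(attr))
    return sorted(v for v, n in counts.items() if n > 1)


def missing_login_attribute(entries, attr, key="sAMAccountName"):
    """Accounts with no value for the login attribute: they cannot log in at all."""
    return sorted(e[key] for e in entries if not e.get(attr))


if __name__ == "__main__":
    for name, value in login_attributes(SAMPLE_CONFIG).items():
        print(f"{name:32} {value}")
    print("not on 'mail':  ", inconsistent_settings(SAMPLE_CONFIG))
    print("duplicate mail: ", ambiguous_logins(SAMPLE_ENTRIES, "mail"))
    print("no mail set:    ", missing_login_attribute(SAMPLE_ENTRIES, "mail"))
```

Running it against the sample flags `UserSyncMap1.Login` and `CustomerUser.CustomerKey` as still on sAMAccountName, the duplicated jdoe mailbox, and the service account with no mail. Run the same checks against your own Config.pm and an export of the BaseDN before switching, since a duplicate or empty mail value only shows up as a failed login afterwards.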
rvaldomir
Znuny expert
Posts: 155
Joined: 04 Aug 2014, 23:59
Znuny Version: 3.3.8
Real Name: Roberto A. Valdomir

Re: login with email account using AD [SOLVED]

Post by rvaldomir »

Thanks crythias,

Solved now by replacing
sAMAccountName
with
mail