i'm trying to add a second Authentication Backend for customers, this is ok in first test but adding some specific needs is not working:
I have to sync 2 backends from same AD, In the AD I have grouped customer users in two sections:
externals are created under the followin OU and is working fine:
-OU=AMSCC-Customers,OU=AMS,DC=HCDC01,DC=com
internals are created in diferents OUs example but not all users created unders these OUs will be allowed to login as customer:
-OU=Techno AMS,OU=Departments,DC=HCDC01,DC=com
-OU=EPM Technology,OU=Departments,DC=HCDC01,DC=com
-OU=Information Technology,OU=Departments,DC=HCDC01,DC=com
Only those who are grouped in this group should be allowed:
-CN=AMSCC-IntCustomers,OU=AMS,DC=HCDC01,DC=com
how to achieve this?
this is my config and what I have tryied:
Code: Select all
#Enable LDAP authentication for External Customers / Users
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'HCDC01.HCDC01.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'OU=AMSCC-Customers,OU=AMS,DC=HCDC01,DC=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'mail';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,OU=Service accounts,OU=AMS,DC=HCDC01,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';
# CustomerUser
# (customer user database backend and settings)
$Self->{CustomerUser} = {
Module => 'Kernel::System::CustomerUser::LDAP',
Name => 'Answerthink AD Ext Customers',
Params => {
Host => 'HCDC01.com',
BaseDN => 'OU=AMSCC-Customers,OU=AMS,DC=HCDC01,DC=com',
SSCOPE => 'sub',
AlwaysFilter => '(objectclass=user)',
UserDN =>'cn=otrs,OU=Service accounts,OU=AMS,DC=HCDC01,DC=com',
UserPw => 'password',
},
# customer unique id
CustomerKey => 'mail',
# customer #
CustomerID => 'company',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'mail', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'company', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#OBI AD password for customer users sync
[ 'OBIPassword', 'OBIPassword', 'protocolSettings', 1, 0, 'var' ],
#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};
#Enable LDAP authentication for Internal Customers / Users
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'HCDC01.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'CN=AMSCC-IntCustomers,OU=AMS,DC=HCDC01,DC=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'mail';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,OU=Service accounts,OU=AMS,DC=HCDC01,DC=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';
# CustomerUser
# (customer user database backend and settings)
$Self->{CustomerUser1} = {
Module => 'Kernel::System::CustomerUser::LDAP',
Name => 'Answerthink AD Int Customers',
Params => {
Host => 'HCDC01.com',
BaseDN => 'CN=AMSCC-IntCustomers,OU=AMS,DC=HCDC01,DC=com',
SSCOPE => 'sub',
AlwaysFilter => '(objectclass=user)',
UserDN =>'cn=otrs,OU=Service accounts,OU=AMS,DC=HCDC01,DC=com',
UserPw => 'password',
},
# customer unique id
CustomerKey => 'mail',
# customer #
CustomerID => 'company',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
#[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'mail', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'company', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#OBI AD password for customer users sync
[ 'OBIPassword', 'OBIPassword', 'protocolSettings', 1, 0, 'var' ],
#[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};