AD OTRS agent group DN: "CN=OTRS,DC=mydomain,DC=com"
We allow all other users within AD to authenticate as customers, so no separate grouping is needed for this.
Note that I also tried setting cn=OTRS on this line: $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=mydomain,dc=com';
Config.pm:
# Site-local OTRS configuration.  Everything not assigned in Load() is
# inherited from Kernel::Config::Defaults (pushed onto @ISA at the bottom
# of this file).
package Kernel::Config;
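# Load - populate the configuration hash with the site-specific settings.
#
# Called with the config object ($Self, a hash ref) as its only argument;
# every setting is written straight into that hash.  Returns nothing
# useful.  Two defects of the original were fixed here: the same key
# (AuthModule, Customer::AuthModule) was assigned twice so the first
# backend was silently discarded, and the ReplaceRegExp values used an
# unescaped '.' although they are applied as regular expressions.
sub Load {
    my $Self = shift;

    # ---------------------------------------------------------------------
    # Database
    # ---------------------------------------------------------------------
    $Self->{DatabaseHost} = 'localhost';
    $Self->{Database}     = 'otrs';
    $Self->{DatabaseUser} = 'otrs';
    $Self->{DatabasePw}   = '**PASSWD**';

    # The DSN interpolates the two keys above, so it must stay after them.
    $Self->{DatabaseDSN}
        = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

    # ---------------------------------------------------------------------
    # System
    # ---------------------------------------------------------------------
    $Self->{Home}                 = '/opt/otrs';
    $Self->{DefaultCharset}       = 'utf-8';
    $Self->{LogModule}            = 'Kernel::System::Log::File';
    $Self->{'LogModule::LogFile'} = '/opt/otrs/var/log/otrs.log';
    $Self->{FQDN}                 = 'otrshost.mydomain.com';
    $Self->{AdminEmail}           = 'otrshost@mydomain.com';
    $Self->{ProductName}          = 'My Company Name';

    # ---------------------------------------------------------------------
    # Agent authentication
    # ---------------------------------------------------------------------
    # Each slot (AuthModule, AuthModule1, ...) holds exactly one backend.
    # The original assigned AuthModule twice -- Auth::DB here and
    # Auth::HTTPBasicAuth at the end of Load() -- so the DB backend was
    # overwritten and never consulted.  The effective value is now set
    # once; a DB fallback would need its own numbered slot.
    $Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';

    # Applied as a regular expression to the login Apache hands over
    # (presumably to strip the Kerberos realm suffix).  The dot must be
    # escaped: an unescaped '.' would also match e.g. 'user@MYDOMAINXCOM'.
    $Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@MYDOMAIN\.COM';

    # Second agent backend: LDAP against AD.  Membership in GroupDN1,
    # checked via its 'member' attribute against the user's DN, is the
    # agent gate; the SearchUser bind is used to look the user up.
    $Self->{AuthModule1}                         = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'}           = 'firstdc.mydomain.com';
    $Self->{'AuthModule::LDAP::BaseDN1'}         = 'dc=mydomain,dc=com';
    $Self->{'AuthModule::LDAP::UID1'}            = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::GroupDN1'}        = 'cn=OTRS,dc=mydomain,dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr1'}     = 'member';
    $Self->{'AuthModule::LDAP::UserAttr1'}       = 'DN';
    $Self->{'AuthModule::LDAP::SearchUserDN1'}   = 'CN=OTRS SEARCH,CN=Users,DC=mydomain,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw1'}   = '**THEPASSWORD**';

    # Agent record sync from AD (names and mail), new agents land in 'users'.
    $Self->{AuthSyncModule1}                         = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'}           = 'firstdc.mydomain.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'}         = 'dc=mydomain,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID1'}            = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'}   = 'CN=OTRS SEARCH,CN=Users,DC=mydomain,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'}   = '**THEPASSWORD**';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'}    = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = ['users'];

    # ---------------------------------------------------------------------
    # Customer authentication
    # ---------------------------------------------------------------------
    # Same duplicate-assignment problem as AuthModule: the original set
    # Customer::AuthModule to CustomerAuth::LDAP and then overwrote it with
    # CustomerAuth::HTTPBasicAuth at the end of Load().  HTTPBasicAuth is
    # the effective backend and is now assigned once.
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
    $Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@MYDOMAIN\.COM';

    # LDAP CustomerAuth parameters.  Only consulted if Customer::AuthModule
    # is switched back to CustomerAuth::LDAP; kept so that is a one-line
    # change.
    $Self->{'Customer::AuthModule::LDAP::Host'}         = 'firstdc.mydomain.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'}       = 'dc=mydomain,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'}          = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS SEARCH,CN=Users,DC=mydomain,DC=com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '**THEPASSWORD**';

    # ---------------------------------------------------------------------
    # Customer data source (independent of the auth backend above):
    # customer records are read from AD through the search-user bind.
    # ---------------------------------------------------------------------
    $Self->{CustomerUser} = {
        Name   => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => 'firstdc.mydomain.com',
            BaseDN => 'dc=mydomain,dc=com',
            SSCOPE => 'sub',
            UserDN => 'CN=OTRS SEARCH,CN=Users,DC=mydomain,DC=com',
            UserPw => '**THEPASSWORD**',

            # Only real user objects, minus the built-in ones and minus
            # accounts whose userAccountControl has bit 2 set (the AD
            # "account disabled" flag, tested with the bitwise-AND
            # matching rule 1.2.840.113556.1.4.803).
            AlwaysFilter =>
                '(&(objectcategory=person)(objectclass=user)(!(description=built-In))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        },
        CustomerKey                        => 'sAMAccountName',
        CustomerID                         => 'mail',
        CustomerUserListFields             => [ 'sAMAccountName', 'cn', 'mail' ],
        CustomerUserSearchFields           => [ 'sAMAccountName', 'cn', 'mail' ],
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields             => [ 'givenname', 'sn' ],

        # Columns appear to be: OTRS key, label, LDAP attribute, shown,
        # required, storage type -- confirm against the OTRS docs.
        Map => [
            [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var' ],
            [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var' ],
            [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var' ],
        ],
    };

    return;
}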
# Pragmas and package globals.  Note that these `use` lines follow
# sub Load above, so Load itself is compiled without strict/warnings
# (this is the layout OTRS ships in its Config.pm template).
use strict;
use warnings;

our ( @ISA, $VERSION );

# Picks the version number out of the CVS keyword expansion.
$VERSION = qw($Revision: 1.23 $)[1];

# All settings not assigned in Load() come from the shipped defaults.
use Kernel::Config::Defaults;
push @ISA, 'Kernel::Config::Defaults';

1;
/etc/krb5.conf:
# Kerberos client configuration for the OTRS host.  The realm name here
# (MYDOMAIN.COM) has to agree with AuthName/KrbAuthRealms in the Apache
# block and with the suffix stripped by ReplaceRegExp in Config.pm.
[logging]
default = FILE:/var/log/krb5-lib.log
kdc = FILE:/var/log/krb5-kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# A bare integer is seconds in MIT krb5 (24000 s is about 6.7 h).  The pam
# block below asks for 36000 s; presumably the two were meant to agree.
ticket_lifetime = 24000
default_realm = MYDOMAIN.COM
# Left commented, so the library defaults apply.  The explicit [realms] and
# [domain_realm] sections below make DNS discovery unnecessary for this
# realm in any case.
#dns_lookup_realm = false
#dns_lookup_kdc = false
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
# Forwardable tickets can be delegated to services the user logs in to.
# The Apache block keeps KrbSaveCredentials off, so mod_auth_kerb stores
# no delegated credentials on the web server.
forwardable = true
krb4_convert = false
}
[realms]
MYDOMAIN.COM = {
# Both domain controllers are listed; they are tried in listed order.
kdc = firstdc.mydomain.com
kdc = nextdc.mydomain.com
# NOTE(review): the only unqualified host name in this file -- it relies
# on the resolver search suffix; firstdc.mydomain.com would match the kdc
# lines above.
admin_server = firstdc
}
[domain_realm]
# Maps the DNS domain (and, via the leading dot, every sub-domain) to the
# realm.
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[login]
# NOTE(review): contradicts krb4_convert = false in the pam block above.
# Kerberos 4 is obsolete; unless something still needs v4 tickets, both
# should be false.
krb4_convert = true
krb4_get_tickets = false
# Kerberos (SPNEGO) front-end authentication for the OTRS CGI scripts.
# Apache verifies the ticket and hands the principal name to OTRS, where
# Kernel::System::Auth::HTTPBasicAuth (see Config.pm) maps it to a login.
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Directory "/opt/otrs/bin/cgi-bin/">
AllowOverride None
AuthType Kerberos
# Realm string the browser shows if it ever falls back to a password prompt.
AuthName "MYDOMAIN.COM"
# Long-term service key.  Keep it readable by the Apache user only, and
# make sure it holds the HTTP service principal for otrshost.mydomain.com.
Krb5Keytab /etc/krb5.keytab
KrbAuthRealms MYDOMAIN.COM
# Negotiate/SPNEGO gives ticket-based single sign-on.
KrbMethodNegotiate on
# NOTE(review): KrbMethodK5Passwd is not set and mod_auth_kerb defaults it
# to on, so a client without a ticket is offered Basic auth and sends its
# AD password to this server.  Either serve this vhost over TLS only or add
# `KrbMethodK5Passwd off` if pure SSO is intended.
# No delegated credential cache is written to disk.
KrbSaveCredentials off
# Any principal the module accepts reaches the OTRS scripts; agent versus
# customer rights are decided inside OTRS (GroupDN1 in Config.pm for
# agents, everybody else as customer).
Require valid-user
Options +ExecCGI -Includes
# Apache 2.2 access-control syntax; on 2.4 this needs mod_access_compat or
# `Require all granted` instead.
Order allow,deny
Allow from all
</Directory>