Hi Alberto,
For LDAP authentication you need to differentiate between who are agents and
who are customers. This can be accomplished by group membership. I've had a
look at your code which includes:
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# $Self->{'AuthModule::LDAP::GroupDN'} = '';
# $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'sAMAccountName';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
All your group based configuration is commented out. Below is the same
extract from my config (obvious information omitted).
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} =
'cn=OTRS_Agents,ou=OTRS_Groups,dc=companyname,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
# for ldap posixGroups objectclass (just uid)
#$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
In the example above, *only* members of the OTRS_Agents group can use the
agent interface.
I hope this answers your question.
Regards,
David
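As an added illustration (not OTRS's own code; the directory entries, user names and DNs are constructed), here is a stand-alone model of the gate described above: with GroupDN set, a user who authenticated against the directory only reaches the agent interface if the group object lists them under AccessAttr, matched by full DN or by login according to UserAttr, and with GroupDN commented out every user who can bind becomes an agent, which is the behaviour reported in the question.

```python
# Stand-alone model of the group gate OTRS applies when AuthModule::LDAP::GroupDN is set
# (added illustration, not OTRS's own code; all entries below are constructed).

def escape_filter_value(value):
    """RFC 4515 escaping so a login or DN cannot change the filter's structure."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)

def group_check_filter(config, login, user_dn):
    """Filter searched under GroupDN; UserAttr 'DN' matches a groupOfNames/AD member,
    anything else (e.g. 'UID') matches a posixGroup memberUid by login."""
    access_attr = config.get('AuthModule::LDAP::AccessAttr', 'member')
    use_dn = config.get('AuthModule::LDAP::UserAttr', 'DN') == 'DN'
    return '(%s=%s)' % (access_attr, escape_filter_value(user_dn if use_dn else login))

def is_agent(directory, config, login, user_dn):
    """True if the authenticated user may use the agent interface under this config."""
    group_dn = config.get('AuthModule::LDAP::GroupDN', '')
    if not group_dn:
        return True  # no group gate: every directory user who can bind becomes an agent
    attr, _, wanted = group_check_filter(config, login, user_dn)[1:-1].partition('=')
    group = directory.get(group_dn.lower(), {})
    return any(escape_filter_value(v).lower() == wanted.lower() for v in group.get(attr, []))

# Constructed directory snapshot standing in for the AD server (hypothetical entries).
DIRECTORY = {
    'cn=otrs_agents,ou=otrs_groups,dc=companyname,dc=local': {
        'member': ['CN=Alice Agent,OU=Staff,DC=companyname,DC=local'],
    },
    'cn=helpdesk,ou=unix_groups,dc=companyname,dc=local': {'memberUid': ['alice']},
}
ALICE_DN = 'CN=Alice Agent,OU=Staff,DC=companyname,DC=local'
BOB_DN = 'CN=Bob Customer,OU=Customers,DC=companyname,DC=local'

CONFIG_UNGATED = {}  # GroupDN commented out, as in the question: everyone is an agent
CONFIG_AD = {  # the answer's setting: only OTRS_Agents members, matched by full DN
    'AuthModule::LDAP::GroupDN': 'cn=OTRS_Agents,ou=OTRS_Groups,dc=companyname,dc=local',
    'AuthModule::LDAP::AccessAttr': 'member',
    'AuthModule::LDAP::UserAttr': 'DN',
}
CONFIG_POSIX = {  # the commented posixGroup alternative: match the login, not the DN
    'AuthModule::LDAP::GroupDN': 'cn=helpdesk,ou=unix_groups,dc=companyname,dc=local',
    'AuthModule::LDAP::AccessAttr': 'memberUid',
    'AuthModule::LDAP::UserAttr': 'UID',
}

if __name__ == '__main__':
    for name, cfg in [('ungated', CONFIG_UNGATED), ('AD', CONFIG_AD), ('posix', CONFIG_POSIX)]:
        print(name, 'alice:', is_agent(DIRECTORY, cfg, 'alice', ALICE_DN),
              'bob:', is_agent(DIRECTORY, cfg, 'bob', BOB_DN))
```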
On Mon, Feb 22, 2010 at 7:29 AM, Alberto Aldrigo <
[email protected]> wrote:
> Hi all,
>
> I’m trying to configure OTRS 2.4.7 for users in my company.
>
> I want them to authenticate using Active Directory as customer user, but
> each time they try to enter in http://mysite/otrs/Customer.pl they enter
> as agents.
>
> I can’t understand what’s wrong in my Config.pm, can you please help me?
>
> Thanks
>
> Alberto Aldrigo
>
> My config.pm:
>
> sub Load {
> my $Self = shift;
> # ---------------------------------------------------- #
> # ---------------------------------------------------- #
> # #
> # Start of your own config options!!! #
> # #
> # ---------------------------------------------------- #
> # ---------------------------------------------------- #
>
> # ---------------------------------------------------- #
> # database settings #
> # ---------------------------------------------------- #
> # DatabaseHost
> # (The database host.)
> $Self->{DatabaseHost} = $dbserver || 'localhost';
> # Database
> # (The database name.)
> $Self->{Database} = $dbname || 'otrs';
> # DatabaseUser
> # (The database user.)
> $Self->{DatabaseUser} = $dbuser || 'otrs';
> # DatabasePw
> # (The password of database user. You also can use bin/CryptPassword.pl
> # for crypted passwords.)
> $Self->{DatabasePw} = $dbpass;
> # DatabaseDSN
> # (The database DSN for MySQL ==> more: "man DBD::mysql")
> $Self->{DatabaseDSN} = "$dsn=$Self->{Database};host=$Self->{DatabaseHost};port=$dbport;";
>
> # (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
> # if you want to use a local socket connection
> # $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
> # if you want to use a tcpip connection
> # $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";
>
> # ---------------------------------------------------- #
> # fs root directory
> # ---------------------------------------------------- #
> $Self->{Home} = '/usr/share/otrs';
>
> # ---------------------------------------------------- #
> # insert your own config settings "here" #
> # config settings taken from Kernel/Config/Defaults.pm #
> # ---------------------------------------------------- #
> # $Self->{SessionUseCookie} = 0;
> # $Self->{CheckMXRecord} = 0;
>
> $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> $Self->{'AuthModule::LDAP::Host'} = 'server';
> $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=company, dc=local';
> $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
>
> # Check if the user is allowed to auth in a posixGroup
> # (e. g. user needs to be in a group xyz to use otrs)
> # $Self->{'AuthModule::LDAP::GroupDN'} = '';
> # $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
> # for ldap posixGroups objectclass (just uid)
> # $Self->{'AuthModule::LDAP::UserAttr'} = 'sAMAccountName';
> # for non ldap posixGroups objectclass (with full user dn)
> # $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
>
> # The following is valid but would only be necessary if the
> # anonymous user do NOT have permission to read from the LDAP tree
> $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=Device,OU=UO-CED,OU=UO-HQ-SITE,DC=company,DC=local';
> $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
>
> # in case you want to add always one filter to each ldap query, use
> # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
> # $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
>
> # in case you want to add a suffix to each login name, then
> # you can use this option. e. g. user just want to use user but
> # in your ldap directory exists u...@domain.
> #$Self->{'AuthModule::LDAP::UserSuffix'} = '';
>
> # Now sync data with OTRS DB
> $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
> $Self->{'AuthSyncModule::LDAP::Host'} = 'server';
> $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=company, dc=local';
> $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
> $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=Device,OU=UO-CED,OU=UO-HQ-SITE,DC=company,DC=local';
> $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';
> $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
> # DB -> LDAP
> UserFirstname => 'givenName',
> UserLastname => 'sn',
> UserEmail => 'mail',
> };
>
> # AuthSyncModule::LDAP::UserSyncInitialGroups
> # (sync following group with rw permission after initial create of first agent
> # login)
> $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
> 'users',
> ];
> # CustomerUser
> # (customer user ldap backend and settings)
> $Self->{CustomerUser} = {
> Name => 'Active Directory',
> Module => 'Kernel::System::CustomerUser::LDAP',
> Params => {
> Host => 'server',
> BaseDN => 'OU=UO-HQ-SITE,DC=company,DC=local',
> SSCOPE => 'sub',
> UserDN => '[email protected]',
> UserPw => 'password',
> },
> CustomerKey => 'sAMAccountName',
> CustomerID => 'sAMAccountName',
> CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
> CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
> CustomerUserPostMasterSearchFields => ['mail'],
> CustomerUserNameFields => ['givenname', 'sn'],
> Map => [
> # note: Login, Email and CustomerID are mandatory!
> # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
> # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var', '', 0 ],
> [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
> [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
> [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var', '', 0 ],
> [ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
> [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
> # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
> # [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
> # [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
> # [ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
> ],
> };
> # ---------------------------------------------------- #
> # switch off the web based installer for the Debian package
> $Self->{SecureMode} = 1;
>
> # ---------------------------------------------------- #
> # data inserted by installer #
> # ---------------------------------------------------- #
> # $DIBI$
>
> # ---------------------------------------------------- #
> # ---------------------------------------------------- #
> # #
> # End of your own config options!!! #
> # #
> # ---------------------------------------------------- #
> # ---------------------------------------------------- #
> }
>
> ---------------------------------------------------------------------
> OTRS mailing list: otrs - Webpage: http://otrs.org/
> Archive: http://lists.otrs.org/pipermail/otrs
> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
>
> NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW!
> http://www.otrs.com/en/support/enterprise-subscription/
>