A couple of ideas...
Password/user sync: I think you can have it sync the users automatically as
well:
 
    # Create the users in the OTRS DB on first login and populate user data.
    # "givenName", "sn" and "mail" fields MUST be populated in AD/LDAP
    # before login will work.
    $Self->{UserSyncLDAPMap} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname => 'sn',
        UserEmail => 'mail',
    };
 
Regarding child domains, I'm not sure how this would be done as I've never
tested this. But I would think that one way to do it is to create yet
another LDAP auth section.
Just found this page, sounds like a good explanation:
http://faq.otrs.org/otrs/public.pl?Action=PublicFAQ&ItemID=219
(the sync above is also mentioned there, also with multiple backends)
 
Your customer authentication issue...
I see you have "CustomerKey => 'uid'," in your config below.
In mine I have "CustomerKey => 'sAMAccountName',".
 
It's been a while since I was digging into this, but I'm pretty sure I've seen
issues with this in the past.
Also, if you're using UPNs (<username>@<domain>) you should be looking at
the userPrincipalName attribute instead, I think.
 
There may be a few more spots in that section that are sensitive with
regards to the attributes used, especially the "Map =>".
 
I also have a filter on so I don't get too much from the ldap query:
# We only need to see users. !Computers.  And no disabled users.
AlwaysFilter =>
'(&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
 
Hope it helps.
 
-- 
/Sune T.
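As an added illustration (not part of either message in this thread), the Perl script below emulates, offline, what the AD-specific AlwaysFilter quoted above selects, and why a CustomerKey of 'uid' finds nothing against AD user objects. The directory entries are constructed test data, not a dump of any real domain; OID 1.2.840.113556.1.4.803 is AD's LDAP_MATCHING_RULE_BIT_AND, and bit 2 of userAccountControl is ACCOUNTDISABLE, so the filter is a bitwise test, not an equality test.

```perl
#!/usr/bin/perl
# Added example, not from the thread: emulate the AD AlwaysFilter and the
# CustomerKey lookup against constructed entries shaped like Net::LDAP results.
use strict;
use warnings;

# userAccountControl flag bits (from the Windows SDK / MS-SAMR).
use constant ACCOUNTDISABLE            => 0x0002;
use constant WORKSTATION_TRUST_ACCOUNT => 0x1000;
use constant NORMAL_ACCOUNT            => 0x0200;
use constant DONT_EXPIRE_PASSWORD      => 0x10000;

# Constructed sample entries (test data, not real accounts).
my @entries = (
    { dn => 'CN=Alice,CN=Users,DC=testprod,DC=com',
      objectClass => [qw(top person organizationalPerson user)],
      sAMAccountName => 'alice',
      userAccountControl => NORMAL_ACCOUNT },                                   # 512
    { dn => 'CN=Bob,CN=Users,DC=testprod,DC=com',
      objectClass => [qw(top person organizationalPerson user)],
      sAMAccountName => 'bob',
      userAccountControl => NORMAL_ACCOUNT | ACCOUNTDISABLE },                  # 514
    { dn => 'CN=Carol,CN=Users,DC=testprod,DC=com',
      objectClass => [qw(top person organizationalPerson user)],
      sAMAccountName => 'carol',
      userAccountControl => NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE }, # 66050
    { dn => 'CN=WS01,CN=Computers,DC=testprod,DC=com',
      objectClass => [qw(top person organizationalPerson user computer)],
      sAMAccountName => 'WS01$',
      userAccountControl => WORKSTATION_TRUST_ACCOUNT },                        # 4096
);

# Equivalent of:
#   (&(!(objectClass=Computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# objectClass values are compared case-insensitively, as AD does.
sub passes_always_filter {
    my ($e) = @_;
    my $is_computer = grep { lc($_) eq 'computer' } @{ $e->{objectClass} };
    my $is_disabled = ( $e->{userAccountControl} & ACCOUNTDISABLE ) == ACCOUNTDISABLE;
    return !$is_computer && !$is_disabled;
}

# What the customer backend does at login: search for (<CustomerKey>=<login>),
# restricted by the AlwaysFilter. Returns the matching entries.
sub find_by_key {
    my ( $key, $login ) = @_;
    return grep {
        passes_always_filter($_)
            && defined $_->{$key}
            && $_->{$key} eq $login
    } @entries;
}

for my $e (@entries) {
    printf "%-6s uac=%-6d %s\n", $e->{sAMAccountName}, $e->{userAccountControl},
        passes_always_filter($e) ? 'returned' : 'filtered out';
}

# A plain equality test would miss Carol, whose value is 66050, not 514.
my @naive = grep { $_->{userAccountControl} == 514 } @entries;
print "equality test (userAccountControl=514) catches only: ",
    join( ',', map { $_->{sAMAccountName} } @naive ), "\n";

# CustomerKey => 'uid' versus 'sAMAccountName' for an AD login of "alice".
# AD user objects carry no populated uid attribute by default, so the first
# lookup returns nothing, which OTRS reports as a failed login.
printf "lookup uid=alice            -> %d hit(s)\n", scalar find_by_key( 'uid',            'alice' );
printf "lookup sAMAccountName=alice -> %d hit(s)\n", scalar find_by_key( 'sAMAccountName', 'alice' );
```

Run it with `perl` and compare the two lookup lines: the 'uid' lookup is empty, the 'sAMAccountName' lookup hits Alice, Bob and Carol are dropped only by the bitwise rule (Carol would survive an equality filter), and WS01 is dropped by the objectClass clause.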
 
From: [email protected] [mailto:[email protected]] On Behalf Of Dave
Glue
Sent: 3 March 2010 16:00
To: [email protected]
Subject: [otrs] LDAP integration with child domains, LDAP with customer
portal not working with any domain
 
I have LDAP agent authentication working fine from a single domain (well,
password sync - agents still need to be created in the database first which
as I understand is normal behavior and don't have a problem with it),
however not sure how to proceed for child domains.  Most of our agents and
users are in trusted child domains from the root forest.  Documentation
seems to be a little sparse in dealing with this situation.
 
Regarding customer authentication, even from testing from an account in the
root forest domain I have yet to get this working.  I receive "Login failed!
Your username or password was entered incorrectly." when trying to login to
a customer portal from a verified AD account.  I can select LDAP from the
drop-down in adding a customer from the web admin, but no current user in
the domain can log in.  From what I've read there shouldn't be a need to
have an internal account already created for the customer portal.
 
Here's the relevant portion of my config.pm.  My root domain is
testprod.com, GC controller is test-dc1.testprod.com.  OTRS access account
is a member of domain users and builtin\Windows Authorization Access Group
Properties. Anything jump out as improperly configured?
 
Domain is Server 2008 SP2.
 

#LDAP Authentication for Production Forest
#Agent Authentication
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'test-dc1.testprod.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=testprod,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Access,cn=Users,dc=testprod,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '*******!';
 
#LDAP Authentication - Customer
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'test-dc1.testprod.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=testprod,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Access,cn=Users,dc=testprod,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '********!';
 

#LDAP Getting Customer User Information
# CustomerUser
    # (customer user ldap backend and settings)
    $Self->{CustomerUser} = {
        Name => 'LDAP Data Source',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => 'test-dc1.testprod.com',
            # ldap base dn
            BaseDN => 'dc=testprod,dc=com',
            # search scope (one|sub)
            SSCOPE => 'sub',
#            # The following is valid but would only be necessary if the
#            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'cn=OTRS Access,cn=Users,dc=testprod,dc=com',
            UserPw => '********!',
            # in case you want to add always one filter to each ldap query, use
            # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
            AlwaysFilter => '',
            # if your frontend is e. g. iso-8859-1 and the charset of your
            # ldap server is utf-8, use these options.
#            SourceCharset => 'utf-8',
#            DestCharset => 'iso-8859-1',
            # if both your frontend and your LDAP are unicode, use this:
#            SourceCharset => 'utf-8',
#            DestCharset   => 'utf-8',
            # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
            Params => {
                port => 389,
                timeout => 120,
                async => 0,
                version => 3,
            },
        },
        # customer unique id
        CustomerKey => 'uid',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['cn', 'mail'],
        CustomerUserSearchFields => ['uid', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        # show not own tickets in customer panel, CompanyTickets
        CustomerUserExcludePrimaryCustomerID => 0,
        # add an ldap filter for valid users (expert setting)
#       CustomerUserValidFilter => '(!(description=locked))',
        # administrator can't change customer preferences
        AdminSetPreferences => 0,
#        # cache time to live in sec. - cache any database queries
#        CacheTTL => 0,
        Map => [
            # note: Login, Email and CustomerID are mandatory!
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
            [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
#            [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
        ],
    };
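Added example (not from either message, and not OTRS's shipped Defaults.pm): a second set of backends for one child domain, following the "yet another LDAP auth section" suggestion in the reply above, with the AD attribute name sAMAccountName substituted for uid. It relies on the numbered-backend convention from OTRS's Kernel/Config/Defaults.pm (AuthModule1, Customer::AuthModule1 and CustomerUser1, up to 9 of each); the child domain child.testprod.com, its DC test-dc2.child.testprod.com and the password are placeholders chosen for this example.

```perl
# Added example: backends numbered 1 for the child domain. The root-domain
# backends keep their unnumbered keys (AuthModule, Customer::AuthModule,
# CustomerUser) exactly as posted above. Host names, BaseDN and password
# below are assumed placeholders.

# Shared AD filter: user objects only, no computer accounts, and no accounts
# with the ACCOUNTDISABLE bit (2) set in userAccountControl (bitwise match).
my $ADUserFilter = '(&(objectClass=user)(!(objectClass=computer))'
                 . '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';

# --- Agent authentication, backend 1: child domain ---
$Self->{'AuthModule1'}                     = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule1::LDAP::Host'}         = 'test-dc2.child.testprod.com';
$Self->{'AuthModule1::LDAP::BaseDN'}       = 'dc=child,dc=testprod,dc=com';
$Self->{'AuthModule1::LDAP::UID'}          = 'sAMAccountName';
$Self->{'AuthModule1::LDAP::SearchUserDN'} = 'cn=OTRS Access,cn=Users,dc=testprod,dc=com';
$Self->{'AuthModule1::LDAP::SearchUserPw'} = '********';
$Self->{'AuthModule1::LDAP::AlwaysFilter'} = $ADUserFilter;

# --- Customer authentication, backend 1: child domain ---
$Self->{'Customer::AuthModule1'}                     = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule1::LDAP::Host'}         = 'test-dc2.child.testprod.com';
$Self->{'Customer::AuthModule1::LDAP::BaseDN'}       = 'dc=child,dc=testprod,dc=com';
$Self->{'Customer::AuthModule1::LDAP::UID'}          = 'sAMAccountName';
$Self->{'Customer::AuthModule1::LDAP::SearchUserDN'} = 'cn=OTRS Access,cn=Users,dc=testprod,dc=com';
$Self->{'Customer::AuthModule1::LDAP::SearchUserPw'} = '********';
$Self->{'Customer::AuthModule1::LDAP::AlwaysFilter'} = $ADUserFilter;

# --- Customer user data source 1: child domain ---
$Self->{CustomerUser1} = {
    Name   => 'LDAP child.testprod.com',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host         => 'test-dc2.child.testprod.com',
        BaseDN       => 'dc=child,dc=testprod,dc=com',
        SSCOPE       => 'sub',
        UserDN       => 'cn=OTRS Access,cn=Users,dc=testprod,dc=com',
        UserPw       => '********',
        AlwaysFilter => $ADUserFilter,
        Params => { port => 389, timeout => 120, async => 0, version => 3 },
    },
    # The key the login name is matched against: AD's logon name, not uid.
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'mail',
    CustomerUserListFields       => [ 'cn', 'mail' ],
    CustomerUserSearchFields     => [ 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserSearchPrefix     => '',
    CustomerUserSearchSuffix     => '*',
    CustomerUserSearchListLimit  => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields       => [ 'givenName', 'sn' ],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences => 0,
    Map => [
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserFirstname',  'Firstname',  'givenName',      1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName', 1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',           1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var', '', 0 ],
    ],
};
```

Repeat with 2, 3, and so on for further child domains; OTRS tries each numbered backend in turn. Since test-dc1 is a global catalog, the alternative is a single backend pointed at port 3268 with BaseDN dc=testprod,dc=com, which searches every domain in the forest in one query; that only covers attributes replicated to the GC partial attribute set (the standard ones used here are, by default), and the OTRS Access account must be permitted to bind and read there.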
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
