Also, perhaps take a quick look here:
http://doc.otrs.org/3.1/en/html/config.html#Framework:Frontend::Customer::Auth

Search for "suffix".
With "Customer::AuthModule::LDAP::UserSuffix" you can append the UPN part to 
the username, and have them login with just that.

That does not solve the duplicate usernames, though; I'm not sure how it will 
handle that, but it may be worth a shot.

--
/Sune T.

From: otrs-boun...@otrs.org [mailto:otrs-boun...@otrs.org] On Behalf Of Eddie
Sent: 5. april 2012 20:34
To: User questions and discussions about OTRS.
Subject: Re: [otrs] child domain auth (multiple baseDN)


On Tue, Apr 3, 2012 at 2:13 AM, Sune T. Tougaard 
<s...@lyngsoesystems.com> wrote:
How about "just" adding yet another customer authentication (and data) backend 
pointing at the child domain?

http://doc.otrs.org/3.1/en/html/auth-backends.html#customer-auth-backends
http://doc.otrs.org/3.1/en/html/customer-user-backend.html#multiple-customer-backends

--


Thanks for the links. After reading those docs I had a better idea of what I 
should be searching for and found this:

http://faq.otrs.org/otrs/public.pl?Action=PublicFAQZoom;ItemID=219


Now I have users and agents working for parent and child domain. The only issue is 
that if a username is in both domains it will give me problems. Using 
userPrincipalName instead of sAMAccount should help with this, but it seems it 
needs the username in the format username@domain, so it might confuse users a 
little. Our emails are different from user@domain and the closest thing they 
know besides their email is the occasional domain\username.

Going to try to set it to log in using the users' email address as it will be 
more "natural".


How does the sysconfig page work now that there are "duplicate" sections?


config section:


------------------------------------------------------------
#LDAP1 START

$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';

   $Self->{'AuthModule::LDAP::Host1'} = '192.168.0.1';
   $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=parentdomain, dc=com';
   $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

   $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'cn=bind user,ou=Users,dc=parentdomain,dc=com';
   $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'password';


  $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
  $Self->{'Customer::AuthModule::LDAP::Host1'} = '192.168.0.1';
  $Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'dc=parentdomain, dc=com';
  $Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
  $Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'cn=bind user,ou=Users,dc=parentdomain,dc=com';
  $Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'password';


  $Self->{CustomerUser1} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
                 Host => '192.168.0.1',
                 BaseDN => 'dc=parentdomain, dc=com',
                 SSCOPE => 'sub',
                 UserDN => 'cn=bind user,ou=Users,dc=parentdomain,dc=com',
                 UserPw => 'password',
               },
    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
#   CustomerID => 'o',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
#       [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
#       [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#       [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#       [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
  };




    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN1'} = 'cn=helpdesk_agents,ou=Security Groups,ou=Groups,dc=parentdomain,dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';




   # Now sync data with OTRS DB
    $Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = '192.168.0.1';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=parentdomain, dc=com';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'cn=bind user,ou=Users,dc=parentdomain,dc=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'password';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
        'users',
    ];


#LDAP1 END


#LDAP2 START

$Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';

   $Self->{'AuthModule::LDAP::Host2'} = '192.168.0.2';
   $Self->{'AuthModule::LDAP::BaseDN2'} = 'dc=childdomain,dc=parentdomain, dc=com';
   $Self->{'AuthModule::LDAP::UID2'} = 'sAMAccountName';

   $Self->{'AuthModule::LDAP::SearchUserDN2'} = 'cn=bind user,ou=Users,dc=childdomain,dc=parentdomain,dc=com';
   $Self->{'AuthModule::LDAP::SearchUserPw2'} = 'password';


  $Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
  $Self->{'Customer::AuthModule::LDAP::Host2'} = '192.168.0.2';
  $Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'dc=childdomain,dc=parentdomain, dc=com';
  $Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';
  $Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'cn=bind user,ou=Users,dc=childdomain,dc=parentdomain,dc=com';
  $Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = 'password';


  $Self->{CustomerUser2} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
                 Host => '192.168.0.2',
                 Port => '3268',
                 BaseDN => 'dc=childdomain,dc=parentdomain, dc=com',
                 SSCOPE => 'sub',
                 UserDN => 'cn=bind user,ou=Users,dc=childdomain,dc=parentdomain,dc=com',
                 UserPw => 'password',
               },
    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
#   CustomerID => 'o',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
#       [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
#       [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
#       [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
#       [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
  };




    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    #$Self->{'AuthModule::LDAP::GroupDN2'} = 'cn=helpdesk_agents,ou=Security Groups,ou=FP_Groups,dc=parentdomain,dc=com';
    $Self->{'AuthModule::LDAP::GroupDN2'} = 'cn=helpdesk_agents,ou=FP_Groups,dc=childdomain,dc=parentdomain,dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr2'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr2'} = 'DN';




   # Now sync data with OTRS DB
    $Self->{'AuthSyncModule2'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host2'} = '192.168.0.2';
    $Self->{'AuthSyncModule::LDAP::BaseDN2'} = 'dc=childdomain,dc=parentdomain, dc=com';
    $Self->{'AuthSyncModule::LDAP::UID2'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN2'} = 'cn=bind user,ou=Users,dc=childdomain,dc=parentdomain,dc=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw2'} = 'password';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap2'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups2'} = [
        'users',
    ];


#LDAP2 END


    # 3rd backend, internal OTRS DB
    $Self->{'AuthModule3'} = 'Kernel::System::Auth::DB';
    $Self->{'AuthModule::DB::CryptType3'} = 'crypt';

------------------------------------------------------------
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
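The duplicate-username problem Eddie describes (the same sAMAccountName in parent and child domain) and why a unique login attribute such as the userPrincipalName resolves it, modelled in Python as an added example. This is not OTRS code: the first-match behaviour of the AuthModule and CustomerUser chains and all directory records are assumptions constructed for the illustration.

```python
# Added example, not OTRS code: a simplified model of the backend chains in the
# quoted config (AuthModule1/2, CustomerUser1/2). It assumes OTRS-style
# first-match semantics: each chain is tried in order and the first backend
# that answers wins. Directory contents and passwords are constructed samples.

PARENT = [{"sAMAccountName": "jsmith", "password": "parent-pw",
           "userPrincipalName": "jsmith@parentdomain.com",
           "mail": "john.smith@parentdomain.com"}]
CHILD = [{"sAMAccountName": "jsmith", "password": "child-pw",
          "userPrincipalName": "jsmith@childdomain.parentdomain.com",
          "mail": "jane.smith@childdomain.parentdomain.com"}]
BACKENDS = [PARENT, CHILD]  # backend 1 = parent domain, backend 2 = child domain

def lookup(directory, attr, value):
    """Return the first record whose `attr` equals `value`, else None."""
    return next((r for r in directory if r[attr] == value), None)

def authenticate(login, password, uid_attr="sAMAccountName"):
    """Auth chain: 1-based index of the first backend that accepts the credentials."""
    for i, directory in enumerate(BACKENDS, start=1):
        rec = lookup(directory, uid_attr, login)
        if rec is not None and rec["password"] == password:
            return i
    return None

def customer_data(login, key_attr="sAMAccountName"):
    """CustomerUser chain: the first backend that knows the login supplies the record."""
    for i, directory in enumerate(BACKENDS, start=1):
        rec = lookup(directory, key_attr, login)
        if rec is not None:
            return i, rec["mail"]
    return None, None

def resolve_login(login, password, attr="sAMAccountName"):
    """Run both chains on one login; flags when they pick different backends."""
    auth_backend = authenticate(login, password, attr)
    if auth_backend is None:
        return None
    data_backend, mail = customer_data(login, attr)
    return {"auth_backend": auth_backend, "data_backend": data_backend,
            "mail": mail, "consistent": auth_backend == data_backend}

def collisions(attr="sAMAccountName"):
    """Values of `attr` present in more than one backend; empty means safe."""
    counts = {}
    for rec in (r for d in BACKENDS for r in d):
        counts[rec[attr]] = counts.get(rec[attr], 0) + 1
    return sorted(v for v, n in counts.items() if n > 1)
```

With the sample data, the child-domain jsmith authenticates against backend 2 but the customer record (and therefore mail and CustomerID) comes from backend 1, so tickets would be attached to the parent-domain identity; keying both chains on userPrincipalName keeps them consistent, and collisions() is the check to run on whatever attribute is used as UID/CustomerKey before enabling a second backend.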
