Solved

OTRS LDAP integration

Posted on 2011-04-20
2,983 Views
Last Modified: 2013-11-13
I have installed OTRS and it works quite nicely when using DB authentication.  However, I am unable to get it to work with AD (LDAP) authentication.  Any help is appreciated.





 
Question by:traoher
9 Comments
 
LVL 27

Expert Comment

by:lenamtl
ID: 35437566
 
LVL 6

Author Comment

by:traoher
ID: 35441759

Yes, I have followed the doc.  Still no luck.  The one thing I didn't do was to use the group they suggested.  Maybe I should replicate exactly what's in the example.
 
LVL 27

Expert Comment

by:lenamtl
ID: 35442552
Yes, try it, it should work...

Do you get any error message, or does it just not work?
 
LVL 6

Author Comment

by:traoher
ID: 35443811
No error.  However, when I capture the transmission session on the OTRS, I can see that it is unable to correctly use AD.  Here is the reply message from my AD server:


"comment: In order to perform this operation a successful bind must be completed on the connection."
 
LVL 27

Expert Comment

by:lenamtl
ID: 35448004
First, did you put a username and password for your LDAP connection?
You have to make a bind; I think this is why it's not working.
 
LVL 6

Author Comment

by:traoher
ID: 35448113
I got it to work.  The step I missed was to create an account in the DB first and then configure it in OTRS.  This, however, poses a problem: I really don't want to maintain 2 user databases.  In other words, I got it to where the password is verified against AD, but the account must exist in the OTRS local DB.  Is there a way I can pull the information from AD periodically within the config file?
 
LVL 27

Expert Comment

by:lenamtl
ID: 35448144
I don't know if this is possible I will check and get back to you.
 
LVL 6

Accepted Solution

by:
traoher earned 0 total points
ID: 35709129
OK, I got it to work. Finally!

Do not use the GUI to do the configuration.  Leave it alone (at least for the AD stuff).  Modify your Config.pm file as follows:


# --
# Kernel/Config.pm - Config file for OTRS kernel
# Copyright (C) 2001-2010 OTRS AG, http://otrs.org/
# --
# $Id: Config.pm.dist,v 1.23 2010/01/13 22:25:00 martin Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
#  Note:
#
#  -->> OTRS does have a lot of config settings. For more settings
#       (Notifications, Ticket::ViewAccelerator, Ticket::NumberGenerator,
#       LDAP, PostMaster, Session, Preferences, ...) see
#       Kernel/Config/Defaults.pm and copy your wanted lines into "this"
#       config file. This file will not be changed on update!
#
# --

package Kernel::Config;

sub Load {
    my $Self = shift;
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #         Start of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # database settings                                    #
    # ---------------------------------------------------- #
    # DatabaseHost
    # (The database host.)
    $Self->{'DatabaseHost'} = 'localhost';
    # Database
    # (The database name.)
    $Self->{'Database'} = 'otrs';
    # DatabaseUser
    # (The database user.)
    $Self->{'DatabaseUser'} = 'otrs';
    # DatabasePw
    # (The password of database user. You also can use bin/otrs.CryptPassword.pl
    # for crypted passwords.)
    $Self->{'DatabasePw'} = 'hot';
    # DatabaseDSN
    # (The database DSN for MySQL ==> more: "man DBD::mysql")
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";

    # (The database DSN for PostgreSQL ==> more: "man DBD::Pg")
    # if you want to use a local socket connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};";
    # if you want to use a tcpip connection
#    $Self->{DatabaseDSN} = "DBI:Pg:dbname=$Self->{Database};host=$Self->{DatabaseHost};";

    # ---------------------------------------------------- #
    # fs root directory
    # ---------------------------------------------------- #
    $Self->{Home} = 'C:/PROGRA~2/OTRS/OTRS';

    # ---------------------------------------------------- #
    # insert your own config settings "here"               #
    # config settings taken from Kernel/Config/Defaults.pm #
    # ---------------------------------------------------- #
    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;

    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #

    $Self->{LogModule}          = 'Kernel::System::Log::File';
    $Self->{LogModule::LogFile} = 'C:/PROGRA~2/OTRS/OTRS/var/log/otrs.log';
    # $DIBI$
    $Self->{'DefaultCharset'} = 'utf-8';

    # START of DOMAIN config for Agents

    # Agents authenticate against AD. The bind account below is required:
    # AD refuses the user lookup on an unauthenticated connection.
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'HOST.DOMAIN.COM';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=DOMAIN, dc=COM';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=DOMAIN-ACCOUNT,CN=Users,DC=DOMAIN,DC=COM';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'PASSWORD';

    # UserSyncLDAPMap
    # (map if agent should be created/synced from LDAP to DB after login)
    $Self->{UserSyncLDAPMap} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # UserSyncLDAPGroups
    # (If "LDAP" was selected for AuthModule, you can specify
    # initial user groups for first login.)
    $Self->{UserSyncLDAPGroups} = [
        'users',
    ];

    # UserTable
    $Self->{DatabaseUserTable}       = 'users';
    $Self->{DatabaseUserTableUserID} = 'id';
    $Self->{DatabaseUserTableUserPW} = 'pw';
    $Self->{DatabaseUserTableUser}   = 'login';

    # END of DOMAIN config for Agents

    # Start of DOMAIN config for Customers

    # Enable LDAP authentication for Customers / Users
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'HOST.DOMAIN.COM';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=DOMAIN,dc=COM';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

    # The following is valid but would only be necessary if the
    # anonymous user does NOT have permission to read from the LDAP tree
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'DOMAIN-ACCOUNT';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'PASSWORD';

    # CustomerUser
    # (customer user database backend and settings)
    $Self->{CustomerUser} = {
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host   => 'HOST.DOMAIN.COM',
            BaseDN => 'dc=DOMAIN,dc=COM',
            SSCOPE => 'sub',
            UserDN => 'DOMAIN-ACCOUNT',
            UserPw => 'PASSWORD',
        },
        # customer unique id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
            [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
            [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
            #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
            #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
        ],
    };

    # Add the following lines when users are only allowed to log in if they reside in the specified security group.
    # Remove these lines if you want to provide login to all users under the User Base DN.
    # example: $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=BaseOU, dc=DOMAIN, dc=COM';
    # $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=ldap_allow_C,OU=Groups,OU=BaseOU,dc=DOMAIN,dc=COM';
    # $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
    # $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

    # End of DOMAIN config for Customers
   

    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    #           End of your own config options!!!          #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
}

# ---------------------------------------------------- #
# needed system stuff (don't edit this)                #
# ---------------------------------------------------- #
use strict;
use warnings;

use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.23 $)[1];

use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

# -----------------------------------------------------#

1;


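The AD reply quoted earlier in the thread ("a successful bind must be completed on the connection") and the accepted Config.pm above describe the same login sequence: OTRS binds with the SearchUserDN account, looks the agent up by sAMAccountName, optionally checks the GroupDN membership, and only then binds as the user to verify the password. The script below is an added example, not part of this thread or of OTRS itself, that runs that sequence outside OTRS with Net::LDAP (the perl-ldap distribution from CPAN), so a failing step surfaces as an LDAP result code instead of a silent login failure. The host, DNs and password are the same placeholders as in the config; the script name `otrs_ldap_check.pl` and the `%cfg` hash are assumptions of this example.

```perl
#!/usr/bin/perl
# otrs_ldap_check.pl (example, not part of OTRS): replay the OTRS LDAP
# agent login sequence against AD and report which step fails.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Mirrors the AuthModule::LDAP::* keys in Config.pm; all values are placeholders.
my %cfg = (
    Host         => 'HOST.DOMAIN.COM',
    BaseDN       => 'dc=DOMAIN,dc=COM',
    UID          => 'sAMAccountName',
    SearchUserDN => 'CN=DOMAIN-ACCOUNT,CN=Users,DC=DOMAIN,DC=COM',
    SearchUserPw => 'PASSWORD',
    GroupDN      => '',        # set to the group DN to test the GroupDN restriction
    AccessAttr   => 'member',  # attribute of the group that lists member DNs
);

my ( $login, $password ) = @ARGV;
die "usage: $0 <sAMAccountName> <password>\n" unless defined $password;

my $ldap = Net::LDAP->new( $cfg{Host}, timeout => 10 ) or die "connect: $@\n";

# Step 1: bind with the service account. Without this step AD answers the
# search with "a successful bind must be completed on the connection".
my $mesg = $ldap->bind( $cfg{SearchUserDN}, password => $cfg{SearchUserPw} );
die "search-user bind failed: " . $mesg->error . "\n" if $mesg->code;

# Step 2: find the agent by the UID attribute; the value is filter-escaped
# so a login string cannot alter the filter.
$mesg = $ldap->search(
    base   => $cfg{BaseDN},
    scope  => 'sub',
    filter => sprintf( '(%s=%s)', $cfg{UID}, escape_filter_value($login) ),
    attrs  => [ 'givenName', 'sn', 'mail' ],
);
die "search failed: " . $mesg->error . "\n" if $mesg->code;
die "expected exactly one entry for $login, got " . $mesg->count . "\n"
    unless $mesg->count == 1;
my $entry   = $mesg->entry(0);
my $user_dn = $entry->dn;
print "found $user_dn\n";

# Step 3 (optional): the GroupDN/AccessAttr/UserAttr restriction, checked
# while still bound as the service account by reading the group entry and
# looking for the user's DN in its member attribute.
if ( $cfg{GroupDN} ) {
    my $grp = $ldap->search(
        base   => $cfg{GroupDN},
        scope  => 'base',
        filter => sprintf( '(%s=%s)', $cfg{AccessAttr}, escape_filter_value($user_dn) ),
        attrs  => ['1.1'],    # no attributes needed, only the match
    );
    die "group check failed: " . $grp->error . "\n" if $grp->code;
    die "$login is not a member of $cfg{GroupDN}\n" unless $grp->count;
    print "group check passed\n";
}

# Step 4: verify the password by binding as the user's own DN.
my $check = $ldap->bind( $user_dn, password => $password );
die "user bind failed: " . $check->error . "\n" if $check->code;
print "password accepted for $login\n";

# Step 5: show what UserSyncLDAPMap would copy into the OTRS users table.
for my $attr (qw(givenName sn mail)) {
    printf "%-10s %s\n", $attr, $entry->get_value($attr) // '(missing)';
}
$ldap->unbind;
```

Run it as `perl otrs_ldap_check.pl jdoe 'agent-password'` from the OTRS host so name resolution and firewall rules match what OTRS sees. Both the config above and this check bind over plain LDAP on port 389, which sends the service-account and agent passwords in clear text; for anything beyond a lab, point `Host` at an `ldaps://` URL or call `$ldap->start_tls` before the first bind, and give the SearchUserDN account read-only rights to the subtree it needs and nothing more.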
 
LVL 74

Expert Comment

by:Glen Knight
ID: 37485300
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
