How to authenticate ‘agents’ and ‘customers’ via LDAP/AD for OTRS (www.otrs.com).

Hi,

Sorry for the delay, but I've been really busy lately.
This week I had to set up LDAP authentication for agents and customers on our OTRS server (an Open Source helpdesk and IT Service Management software). This OTRS server runs on Linux. Before this work, OTRS authenticated against its local DB.
Well, after some hours, here is what you need to add to the file
/opt/otrs/Kernel/Config.pm
Before you begin, make a backup of Config.pm. The file /opt/otrs/Kernel/Config.pm is very important for OTRS; a mistake there will probably break the OTRS system, so be careful about where you change things inside this file. In our case you should add your code between these lines:
    # ---------------------------------------------------- #

    # ---------------------------------------------------- #
    # data inserted by installer                           #
    # ---------------------------------------------------- #
    # $DIBI$
#xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
PUT YOUR CODE HERE
#xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
    #                                                      #
    # end of your own config options!!!                    #
    #                                                      #
    # ---------------------------------------------------- #
    # ---------------------------------------------------- #
Now, insert this code into Config.pm to configure LDAP.
# LDAP authentication for agents. At the end there is a second backend using the local DB.
# For LDAP
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'dc0.domain.net';
$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=Users,OU=domain,DC=net';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
# (Active Directory normally does not allow anonymous reads, so give the
# full DN or the UPN of the bind account here, not just its short name)
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'bind_user_ldap';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'passwd';

# in case you want to always add one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
# (the agent backend reads AuthModule::LDAP::AlwaysFilter; a key with the
# Customer:: prefix belongs to the customer backend and is ignored here)
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};

# Second backend, internal OTRS DB
$Self->{'AuthModule2'} = 'Kernel::System::Auth::DB';
$Self->{'AuthModule::DB::CryptType2'} = 'crypt';

# LDAP authentication for customers.
# CustomerUser
# (customer ldap backend and settings)
$Self->{CustomerUser} = {
    Name => 'LDAP Lookup',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'dc0.domain.net',
        # ldap base dn
        BaseDN => 'OU=Users,OU=domain,DC=net',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'CN=User BIND LDAP,OU=Users,OU=domain,DC=net',
        UserPw => 'passwd',
        # in case you want to always add one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '(title=*)',
        # if both your frontend and your LDAP are unicode, use this:
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
        # if your frontend is unicode and the charset of your
        # ldap server is iso-8859-1, use these options.
        # SourceCharset => 'iso-8859-1',
        # DestCharset => 'utf-8',
        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            port => 389,
            timeout => 120,
            async => 0,
            version => 3,
        },
    },
    # customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'sn' ,'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 1000,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
#    CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
#    # cache time to live in sec. - cache any database queries
#    CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
#        [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};
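Before restarting OTRS with a new Config.pm it pays to sanity-check the agent LDAP block offline. The following is an added example (not code from the post or from OTRS): a small Python lint that reads the `$Self->{...}` lines of the agent section, flags a misplaced `Customer::` key, a bind account that is neither a DN nor a UPN, and plain LDAP on port 389 with no ldaps scheme. The sample input is the post's own agent block, embedded as a constructed string.

```python
import re

# Constructed sample: the agent block from this post, as originally written
SAMPLE_CONFIG = """
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'dc0.domain.net';
$Self->{'AuthModule::LDAP::BaseDN'} = 'OU=Users,OU=domain,DC=net';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'bind_user_ldap';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'passwd';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';
$Self->{'AuthModule::LDAP::Params'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
"""

# $Self->{'Key'} = 'value';  (scalar settings)
SCALAR_RE = re.compile(r"^\s*\$Self->\{'?([\w:]+)'?\}\s*=\s*'([^']*)'\s*;", re.M)
# the Net::LDAP Params hash passed straight to Net::LDAP->new
PARAMS_RE = re.compile(r"\$Self->\{'AuthModule::LDAP::Params'\}\s*=\s*\{(.*?)\};", re.S)
PAIR_RE = re.compile(r"(\w+)\s*=>\s*'?([\w.]*)'?")

def parse_agent_ldap(text):
    """Return (scalar settings dict, Net::LDAP params dict) from a Config.pm fragment."""
    settings = dict(SCALAR_RE.findall(text))
    m = PARAMS_RE.search(text)
    params = dict(PAIR_RE.findall(m.group(1))) if m else {}
    return settings, params

def lint_agent_ldap(text):
    """List findings for the agent LDAP auth block; empty list means nothing flagged."""
    s, p = parse_agent_ldap(text)
    if s.get('AuthModule') != 'Kernel::System::Auth::LDAP':
        return ['AuthModule is not Kernel::System::Auth::LDAP; nothing to check']
    findings = [f'missing AuthModule::LDAP::{k}' for k in ('Host', 'BaseDN', 'UID')
                if not s.get(f'AuthModule::LDAP::{k}')]
    # Kernel::System::Auth::LDAP reads AuthModule::LDAP::*; Customer:: keys are ignored here
    findings += [f'{k} is a customer key; the agent backend ignores it'
                 for k in s if k.startswith('Customer::AuthModule::LDAP::')]
    bind = s.get('AuthModule::LDAP::SearchUserDN', '')
    if bind and not any(c in bind for c in '=@\\'):
        findings.append('SearchUserDN is neither a DN nor a UPN; an AD simple bind will likely fail')
    if p.get('scheme') != 'ldaps' and p.get('port', '389') != '636':
        findings.append('plain LDAP on port 389: bind and agent passwords cross the wire unencrypted')
    return findings
```

Run it on the block you are about to paste into Config.pm; the fix for the last finding is to point Host at an ldaps-enabled DC and set `scheme => 'ldaps', port => 636` in Params (a Net::LDAP option, assumed to be accepted by your OTRS version).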
 
How to add a new LDAP agent to OTRS? See these images:
[screenshots: goagent, goagent2, goagent3, goagent4]
How to add LDAP customers to OTRS? See these images:
[screenshots: gocustomer, gocustomer2]
This has worked for me. Hope this helps.

Just thanks if the post was helpful :-)

About igalvarez

More than 20 years experiences on IT industry. 20+ years in Unix experience : IBM-AIX, HMC/SDMC/IVM, SVC, Protectier, PureFlex Systems, VIOservers, IBM Bladecenters, IBM System Power, RedHat Linux, SuSE Linux, Debian/Ubuntu Linux. Solaris, SCO Unix, Tru64 Unix, Linux Virtualization: XEN, KVM, databases sb2, oracle, postgreSQL, Find more information here: http://en.gravatar.com/igalvarez
This entry was posted in ldap, linux, otrs.
