Monday, December 12, 2011

Connecting OTRS into Active Directory.

I was testing out OTRS for work and got it to connect to and integrate with our Active Directory server. All the Customers and Agents are pulled in from AD, based on group membership, along with their contact information. This took quite a bit of trial and error, but here is the config file I ended up with. Note that this isn't the full file but rather goes into the load method where indicated.

Kernel/Config.pm


    # ---------------------------------------------------- #
    # LDAP Integration for MyDomain.local                   #
    # ---------------------------------------------------- #

    # Enable LDAP lookups for Agent logins. User must be a member of the OTRS Agents group.
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'dc01.mydomain.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=mydomain,dc=local';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    # Bind account used for the lookups; the password sits in clear text in this file,
    # so keep Config.pm readable only by the OTRS user.
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,cn=Users,dc=mydomain,dc=local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'otrs';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
    # Group check: the GroupDN entry is searched for AccessAttr equal to the user's UserAttr.
    # (memberUid/UID is the posixGroup convention; AD groups list members by DN in 'member'.)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS Agents,cn=Users,dc=mydomain,dc=local';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';

    # Enable LDAP lookups of Agent account information and default roles.
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'dc01.mydomain.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=mydomain,dc=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrs,cn=Users,dc=mydomain,dc=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'otrs';
    $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
    $Self->{'AuthSyncModule::LDAP::GroupDN'} = 'cn=OTRS Agents,cn=Users,dc=mydomain,dc=local';
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'UID';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
        'cn=OTRS Agents,cn=Users,dc=mydomain,dc=local' => {
            'Company Agents' => 1,
        },
        'cn=Domain Admins,cn=Users,dc=mydomain,dc=local' => {
            'Tech Support Agents' => 1,
        }
    };


    # Enable LDAP lookups for Customer logins.
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'dc01.mydomain.local';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=mydomain,dc=local';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,cn=Users,dc=mydomain,dc=local';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'otrs';
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'ou=Companies,dc=mydomain,dc=local';
#    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS Customers,cn=Users,dc=mydomain,dc=local';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';

    # Enable LDAP lookups for Customer account information.
    $Self->{CustomerUser} = {
      Module => 'Kernel::System::CustomerUser::LDAP',
      Params => {
        Host => 'dc01.mydomain.local',
        BaseDN => 'dc=mydomain,dc=local',
        SSCOPE => 'sub',
        UserDN => 'cn=otrs,cn=Users,dc=mydomain,dc=local',
        UserPw => 'otrs',
        AlwaysFilter => '(objectclass=user)',
        GroupDN => 'ou=Companies,dc=mydomain,dc=local',
#        GroupDN => 'cn=OTRS Customers,cn=Users,dc=mydomain,dc=local',
        AccessAttr => 'memberUid',
        UserAttr => 'UID',
      },
      CustomerKey => 'sAMAccountName',
      CustomerID => '[customer_id]',
      CustomerUserListFields => ['sAMAccountName', 'sn', 'givenname', 'company',  'mail'],
      CustomerUserSearchFields => ['sAMAccountName', 'sn', 'givenname', 'company', 'mail'],
      CustomerUserPostMasterSearchFields => ['mail'],
      CustomerUserNameFields => ['givenname', 'sn'],
      CustomerUserValidFilter => '(company=*)',
      Map => [
        [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'company', 0, 1, 'var' ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
      ],
    };

You will need to change every reference to MyDomain in this file to your actual domain, and every reference to dc01 to your domain controller.

Next add a user account named otrs to the root Users folder in AD. Set the password to otrs and make it a domain user. This account is used only for OTRS to bind to LDAP.

Now add a group named OTRS Agents to the root Users folder in AD. Make any agents members of this group, and also add the otrs account as a member.

The Customers in the example above will include any user accounts in the Companies OU that I created in my AD server. You can change ou=Companies,dc=mydomain,dc=local to reference a different OU, or even a group membership such as OTRS Customers.

In addition, the UserSyncRolesDefinition variable can be used to map agents to OTRS roles based on AD group membership. In the example above, all members of Domain Admins are granted the Tech Support Agents role and members of OTRS Agents are granted Company Agents. These are not default roles; they are created in the OTRS admin screen and can have different permissions and queues. Domain Admins, for example, can get to the admin areas of OTRS while OTRS Agents cannot.
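To confirm the AD side is set up the way the config above expects before wiring OTRS to it, here is a small check script (an added example, not part of the original post or of OTRS) using Perl's Net::LDAP. It reuses the same host, bind account, base DN, group and filters as the Config.pm fragment; it assumes Net::LDAP is installed and that the AD group lists its members by DN in the `member` attribute.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Values copied from the Config.pm fragment above; change them with your domain.
my %cfg = (
    Host         => 'dc01.mydomain.local',
    BaseDN       => 'dc=mydomain,dc=local',
    SearchUserDN => 'cn=otrs,cn=Users,dc=mydomain,dc=local',
    SearchUserPw => 'otrs',
    UID          => 'sAMAccountName',
    AlwaysFilter => '(objectclass=user)',
    AgentGroupDN => 'cn=OTRS Agents,cn=Users,dc=mydomain,dc=local',
    CustomerOU   => 'ou=Companies,dc=mydomain,dc=local',
);
my $login = shift @ARGV or die "usage: $0 <sAMAccountName>\n";
my $safe  = escape_filter_value($login);   # never splice raw input into a filter

# 1. Bind with the service account, as OTRS does before every lookup.
my $ldap = Net::LDAP->new( $cfg{Host} ) or die "connect $cfg{Host}: $@\n";
my $mesg = $ldap->bind( $cfg{SearchUserDN}, password => $cfg{SearchUserPw} );
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;

# 2. Resolve the login to a DN with the UID attribute plus AlwaysFilter.
$mesg = $ldap->search(
    base => $cfg{BaseDN}, scope => 'sub',
    filter => "(&$cfg{AlwaysFilter}($cfg{UID}=$safe))",
    attrs  => [qw(givenName sn mail company memberOf)],
);
my $user = $mesg->entry(0) or die "no user '$login' under $cfg{BaseDN}\n";
my $dn = $user->dn;
print "user DN:  $dn\n";
# Groups to compare against the keys of UserSyncRolesDefinition.
print "memberOf: $_\n" for $user->get_value('memberOf');

# 3. Agent check: is the user's DN listed in the OTRS Agents group's 'member'?
$mesg = $ldap->search(
    base => $cfg{AgentGroupDN}, scope => 'base',
    filter => '(member=' . escape_filter_value($dn) . ')', attrs => ['cn'],
);
printf "agent (in OTRS Agents):     %s\n", $mesg->count ? 'yes' : 'no';

# 4. Customer check: under ou=Companies and matching CustomerUserValidFilter.
$mesg = $ldap->search(
    base => $cfg{CustomerOU}, scope => 'sub',
    filter => "(&$cfg{AlwaysFilter}($cfg{UID}=$safe)(company=*))", attrs => ['company'],
);
printf "customer (in Companies OU): %s\n",
    $mesg->count ? 'yes, CustomerID=' . $mesg->entry(0)->get_value('company') : 'no';
$ldap->unbind;
```

Run it as `perl check_otrs_ldap.pl jsmith` from the OTRS host: a bind failure or an empty result at any step points to the same AD object (bind account, group, OU or company attribute) that OTRS will later fail on.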

Another thing you may want to consider is customizing the Customers screens to disable the add/edit/delete operations, as they won't do anything once the customer data comes from AD.
