Monday, December 12, 2011

Connecting OTRS into Active Directory.

I was testing out OTRS for work and got it to connect to and integrate with out Active Directory server.  All the Customers and Agents are pulled in from AD, bassed on group membership, along with their contact information.  This took quite a bit of trial and error but here is the config file I ended up with.  Note that this isn't the full file but rather goes into the load method where indicated.

 Kernel/Config.pm


    # ---------------------------------------------------- #
    # LDAP Integration for MyDomain.local                   #
    # ---------------------------------------------------- #

    # Enable LDAP lookups for Agent logins. User must be a member of OTRS Agents group.
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'dc01.mydomain.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=mydomain,dc=local';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,cn=Users,dc=mydomain,dc=local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'otrs';
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS Agents,cn=Users,dc=mydomain,dc=local';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';

    # Enable LDAP lookups of Agent account informations and default roles.
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'dc01.mydomain.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=mydomain,dc=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrs,cn=Users,dc=mydomain,dc=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'otrs';
    $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
    $Self->{'AuthSyncModule::LDAP::GroupDN'} = 'cn=OTRS Agents,cn=Users,dc=mydomain,dc=local';
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'UID';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
        'cn=OTRS Agents,cn=Users,dc=mydomain,dc=local' => {
            'Company Agents' => 1,
        },
        'cn=Domain Admins,cn=Users,dc=mydomain,dc=local' => {
            'Tech Support Agents' => 1,
        }
    };


    # Enable LDAP lookups for Customer logins.
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'dc01.mydomain.local';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=mydomain,dc=local';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,cn=Users,dc=mydomain,dc=local';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'otrs';
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'ou=Companies,dc=mydomain,dc=local';
#    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS Customers,cn=Users,dc=mydomain,dc=local';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';

    # Enable LDAP lookups for Customer account information.
    $Self->{CustomerUser} = {
      Module => 'Kernel::System::CustomerUser::LDAP',
      Params => {
        Host => 'dc01.mydomain.local',
        BaseDN => 'dc=mydomain,dc=local',
        SSCOPE => 'sub',
        UserDN => 'cn=otrs,cn=Users,dc=mydomain,dc=local',
        UserPw => 'otrs',
        AlwaysFilter => '(objectclass=user)',
        GroupDN => 'ou=Companies,dc=mydomain,dc=local',
#        GroupDN => 'cn=OTRS Customers,cn=Users,dc=mydomain,dc=local',
        AccessAttr => 'memberUid',
        UserAttr => 'UID',
      },
      CustomerKey => 'sAMAccountName',
      CustomerID => '[customer_id]',
      CustomerUserListFields => ['sAMAccountName', 'sn', 'givenname', 'company',  'mail'],
      CustomerUserSearchFields => ['sAMAccountName', 'sn', 'givenname', 'company', 'mail'],
      CustomerUserPostMasterSearchFields => ['mail'],
      CustomerUserNameFields => ['givenname', 'sn'],
      CustomerUserValidFilter => '(company=*)',
      Map => [
        [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'company', 0, 1, 'var' ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
      ],
    };
You will need to change all references here to MyDomain to your actual domain and the references to dc01 to your domain controller.

Next add a user account names otrs to the root Users folder in AD.  Set the password to otrs and make them a domain user.  This account is simply used for otrs to talk to LDAP.

Now add a group named OTRS Agents to the root Users folder in AD.  Make any agents members of this group and also add the otrs account as a member.

The Customers in the example above will include any user accounts in the Companies OU that I created in my AD server.  You can change the ou=Companies,dc=mydomain,dc=local to reference a different OU or even a group membership, OTRS Customers for example.

In addition the UserSyncRolesDefinitionvariable can be used to map agents to OTRS groups based on AD membership.  In the example above all members of Domain Admins are granted the Tech Support Agents role and members of the OTRS Agents are granted Company Agents.  These are not default groups but created in the OTRS admin screen and can have different permissions and ques.  Domain Admins for example can get to admin areas of OTRS while OTRS Agents can not.

Another think you make want to consider is customizing the Customers screens to disable add/edit/delete operations as they won't do anything.
Posted by at 0 comments Links to this post
Labels: , ,

How to retain a users default printer in Citrix when using Session Printers.

Update: 2/27/2011
Rewrote the scripts as they didnt work is some situations and caused some very strange errors.
Aslo to remove some potential errors with client session printers a network printer shuold now be set in the policies though this will get changed by the scripts.

I just covered how to push down Session Printers in Citrix based on Active Directory membership in my last post.  This method does however have one problem and that is that the users Default Printer preference will be discarded upon logout.  To get around that the with some scripts can be set up in the users login script to restore the previous default printer.  Also the free Defset utility will also need to be added as a published application for the users to use to change their default printer instead of the normal way.

You will need to download and save theDefSet utility onto each citrix server available form http://www.ctrl-alt-del.com.au/CAD_Utils.htm.  In my case I just saved it to %windir%.

Once downloaded you will need to add a plublished application for the user to run this tool and set their default printer.  It should use the following command line to execute.
%windir%\defset.exe /PA

Also save the following  VBScript onto your Citrix servers where you put DefSet. The Adobe PDF printer is a default that will be used if no preference is set of if there is some error in the proccess though it can be changed here.

SetDefault.vbs
On Error Resume Next
Err.Clear
Set WSHNetwork = CreateObject("WScript.Network")
Set ArgObj = WScript.Arguments
if ArgObj(0) = "Document" then
WSHNetwork.SetDefaultPrinter "Adobe PDF"
Else
WSHNetwork.SetDefaultPrinter ArgObj(0)
End if
if Err.Number <> 0 then
WSHNetwork.SetDefaultPrinter "Adobe PDF"
End if

After that you will need to create a Group Policy that will apply to all the Citrix users.  In this policy you will need to add the following login scripts.

SetPrinterDefault.bat
rem @echo off
echo Waiting for network printers to appear.
timeout 15
echo Setting user default printer.
FOR /F "eol=; tokens=3 delims=\" %%i in (%userprofile%\Windows\defset.ini) do (
cscript.exe %windir%\SetPrinterDefault.vbs "%%i"
)
 This will in essence work now but any client side printers published to the session will not save properly.  To fix this add the following Citrix Policy to the Group Policy we already created.
Policy: Client printer names
Value: Legacy printer names

We also need to set a default printer in the policy so that client side printers not cause errors durring startup.  Specificly what will happen is that if one of them gets assigned as a default durring the normal winodws logon proccess then the utilities will not work properly.  To get around this we will set a server side default printer and then the login script will change it.  This printer will need to be a session printer shared out to all the citrix users, though the default will just be changed so they won't really be printing to it.  We just use our support printer but you could jsut as easily use a fake printer. Add the following Citrix Policy to the Group Policy we already created.
Policy: Default Printer
Value: \\PrintServer\GlobalSharedPrinter

Please note that changing the default printer must be done with the DefSet tool and changing the printer in Windows will still be ignored on logoff.
Posted by at 0 comments Links to this post
Labels: , ,

Granting users Session Printers bassed on Active Directory Membership with Citrix.

I have been setting up the new Citrix environment where I work on one of the biggest problems we have run into is that of printing.  In the end I set the system up to use Citrix Group Policies to configure Session Printers at login time.  Furthermore I have it configured to discard the printers at log off.  The primary benefit to this approach is a one to one relationship between the printers a user has access to and the group membership in Active Directory.  There is one group for each printer in AD those groups are granted to user/department groups as needed. 

The Active Directory groups are named to match the printer names.
Printer - PNT001, Printer - PNT002-Color, Etc.

The Citrix Policies can be configured in the GPO or the Citrix Delivery Services Console as User Policies, one entry per printer. and look like so.
Name: Printer - PNT001
Setting: Session Printers   \\print01\PNT001
Filter:  Allow when user is in DOMIAN\Printer - PNT001 


When the user logs in the Citrix policy is applied.  It has one session printer line for each printer that is only applied if the user is a member of that printers security group.  As a result when adding or removing printers in AD any changes will be reflected when the users log in again.  This does not set or force down a default printer and any default set by the user will be lost on log out as the printers are discarded.  Please see the next post for dealing with allowing users to set and store their default printer preference.
Posted by at 0 comments Links to this post
Labels: , ,
Subscribe to: Posts (Atom)