Monday, December 12, 2011

Connecting OTRS into Active Directory.

I was testing out OTRS for work and got it to connect to and integrate with out Active Directory server.  All the Customers and Agents are pulled in from AD, bassed on group membership, along with their contact information.  This took quite a bit of trial and error but here is the config file I ended up with.  Note that this isn't the full file but rather goes into the load method where indicated.

Updated 3/23/2017: Fixes for LDAP connection.


# ---------------------------------------------------- #
# LDAP Integration for MyDomain.local                  #
# ---------------------------------------------------- #

# Enable LDAP lookups for Agent logins. User must be a member of OTRS Agents group.
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'dc01.mydomain.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=mydomain,DC=local';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=otrs,CN=Users,DC=mydomain,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'otrs';
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS Agents,CN=Users,DC=mydomain,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Enable LDAP lookups of Agent account informations and default roles.
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'dc01.mydomain.local';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=mydomain,DC=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=otrs,CN=Users,DC=mydomain,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'otrs';
$Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'AuthSyncModule::LDAP::GroupDN'} = 'CN=OTRS Agents,CN=Users,DC=mydomain,DC=local';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    'CN=OTRS Agents,CN=Users,DC=mydomain,DC=local' => {
        'Company Agents' => 1,
    'CN=Domain Admins,CN=Users,DC=mydomain,DC=local' => {
        'Tech Support Agents' => 1,

# Enable LDAP lookups for Customer logins.
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'dc01.mydomain.local';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=mydomain,DC=local';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs,CN=Users,DC=mydomain,DC=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'otrs';
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '(objectclass=user)';
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'OU=Companies,DC=mydomain,DC=local';
#$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=OTRS Customers,CN=Users,DC=mydomain,DC=local';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# Enable LDAP lookups for Customer account information.
$Self->{CustomerUser} = {
  Module => 'Kernel::System::CustomerUser::LDAP',
  Params => {
    Host => 'dc01.mydomain.local',
    BaseDN => 'DC=mydomain,DC=local',
    SSCOPE => 'sub',
    UserDN => 'cn=otrs,cn=Users,DC=mydomain,DC=local',
    UserPw => 'otrs',
    AlwaysFilter => '(objectclass=user)',
    GroupDN => 'OU=Companies,DC=mydomain,DC=local',
    #GroupDN => 'CN=OTRS Customers,CN=Users,DC=mydomain,DC=local',
    AccessAttr => 'member',
    UserAttr => 'DN',
  CustomerKey => 'sAMAccountName',
  CustomerID => '[customer_id]',
  CustomerUserListFields => ['sAMAccountName', 'sn', 'givenname', 'company',  'mail'],
  CustomerUserSearchFields => ['sAMAccountName', 'sn', 'givenname', 'company', 'mail'],
  CustomerUserPostMasterSearchFields => ['mail'],
  CustomerUserNameFields => ['givenname', 'sn'],
  CustomerUserValidFilter => '(company=*)',
  Map => [
    [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
    [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
    [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
    [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
    [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
    [ 'UserCustomerID', 'CustomerID', 'company', 0, 1, 'var' ],
    [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
    [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
    [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
You will need to change all references here to MyDomain.local to your actual domain and the references to dc01 to your domain controller. If you have different AD structures you can change the GroupDN and SearchUserDN as needed.  You can look up your values by doing the following:

  • Go into Active Directory Users and Groups.
  • Check the View -> Advanced Features option.
  • Locate your user or group in question and open its properties.
  • Go to the Attribute Editor tab.
  • Locate the distinguishedName attribute, double click and copy it.
  • Paste it where needed in the config.

Next add a user account names otrs to the root Users folder in AD.  Set the password to otrs and make them a domain user.  This account is simply used for otrs to talk to LDAP.

Now add a group named OTRS Agents to the root Users folder in AD.  Make any agents members of this group and also add the otrs account as a member.

The Customers in the example above will include any user accounts in the Companies OU that I created in my AD server.  You can change the OU=Companies,DC=mydomain,DC=local to reference a different OU or even a group membership, OTRS Customers for example.

In addition the UserSyncRolesDefinitionvariable can be used to map agents to OTRS groups based on AD membership.  In the example above all members of Domain Admins are granted the Tech Support Agents role and members of the OTRS Agents are granted Company Agents.  These are not default groups but created in the OTRS admin screen and can have different permissions and ques.  Domain Admins for example can get to admin areas of OTRS while OTRS Agents can not.

Another thing you make want to consider is customizing the Customers screens to disable add/edit/delete operations as they won't do anything.


Francesco Oliveri said...

im trying to sync my ldap using your guidelines, i change my domain cn and all the groups and user to suit my needs but i cant get this to work.

Roberto Carraro said...

I had to change 'memberUid' to 'member' and 'UID' to 'DN' to make it work in my AD scenario. Btw thanks a lot.

Lime Smart said...
This comment has been removed by the author.
Scott Shackleton said...

I just installed the latest 5.0.18 version of OTRS and have spent over two weeks tweaking settings to get everything working properly. Your post finally allowed me to get my Active Directory sync working while the official documentation rendered my OTRS install inoperable (apache still worked but OTRS sites wouldn't load). Thank you.

Micha said...

The Otrs site wouldn´t load after Save
My Browser say: Save or open File

You have a solution?

Jeremy Pyne said...

That error would generally indicate a configuration error in the apache side not properly identifying script handlers.