Using OTRS with Active Directory as a source for agents

From OtterHub - OTRS Community Wiki
Jump to: navigation, search

This is an example configuration for how to use Microsoft Active Directory as a source for OTRS "Agents" or users. In this case, you no longer have to create user accounts in OTRS but you can add them to the Active Directory and add them to the special OTRS_Agents permission group. If they log in to OTRS and are a member of the group, their account is automatically created.

    # This is an example configuration for using an MS AD backend
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'servername.companyname.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=companyname,dc=local';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
 
    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=OTRS_Groups,dc=companyname,dc=local';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
 
    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS Searcher,OU=OTRS LDAP Searcher,DC=companyname,DC=local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'searcherpassword';
 
    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
 
    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '';
 
    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };
 
   # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'servername.companyname.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=companyname, dc=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=OTRS Searcher,ou=OTRS LDAP Searcher,dc=companyname,dc=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'searcherpassword';
 
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
 
    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];


Tips and Hints for the above code which also works with Windows Server 2008 R2,

  • To search recursively below the BaseDN add sscope => 'sub' to the AuthModule::LDAP:Params section
  • The agent username for login is simply the "User logon name" on the Account tab in the users properties in Active Directory Users and Computers...
  • The SearchUserDN can also be specified as simply 'user@ad.domain.com' if you don't want to type out the entire LDAP notation.
  • If you are unsure of how to type out the entire LDAP notation for the distinguishedName (dN), you can also check it and cut and paste it from Active Directory Users and Computers in Windows 2008 R2 (may work on earlier version of Windows as well)
 1) Open Active Directory Users and Computers
 2) Select 'Advanced Features' from View
 3) Right click and select Properties on the User / Group you wish to get the dN from
 4) Select the Attribute Editor tab
 5) Scroll down to distinguishedName (alternatively start typing 'dis' within the tab)
 6) Double click on the entry and copy the entry
 7) Paste it into the required fields.
  • If you are using Microsoft's DNS in conjunction with Active Directory, you can also specify the host as simply <ad name>@<domain> to load balance between the AD servers,e.g. ad.domain.com.
  • A quick way to test authentication to your Windows Active Directory is to use ldapsearch,

ldapsearch -x -h ad.domain.com -b dc=ad,dc=domain,dc=com -D myldap@ad.domain.com -W

-h <hostname>
-b <baseDn>
-D use the user@domain notation

It will prompt you for the users (-D) password and if successful, LDAP will return entries from the AD. If you receive an error, continue troubleshooting until you can log in using the credentials to ensure that you are not chasing different errors in OTRS.