OTRS ACTIVE DIRECTORY AUTHENTICATION INTEGRATION






Otrs_admin_group : Members of this group have access to the OTRS system administration.

Otrs_agent_group : Members of this group are agents and have access to the queues.

Otrs_user_group : OTRS user group; these accounts are the customers in our case.

Otrs_allow : All admin and agent users must be members of this group.

Otrs_sync : Service account used for the Active Directory synchronization with OTRS.

 

STEP-1 : Pre-Requisites

1)      Find the hostname and IP address of the AD server.

2)      Add the hostname to the /etc/hosts file of the Linux server.

3)      Set the time zone (date and time must be the same on the AD and OTRS servers).

a.       timedatectl list-timezones

b.       timedatectl set-timezone Asia/Kolkata

STEP-2 : Copy Config Files from OTRS Server.

·         Open WinSCP and connect to the server via the “SCP” protocol with the root username and password (or any elevated user).

·         Navigate to the directory “/opt/otrs/Kernel/”.

·         Download the “Config.pm” file.

·         Navigate to the directory “/opt/otrs/Kernel/Config/”.

·         Download the “Default.pm” file.

 

STEP-3 : Edit Config.pm File.

·         Open Default.pm and Config.pm side by side in Notepad++.

·         Copy the code from Default.pm into Config.pm (line no 425 to 566).

·         Uncomment the lines and make the changes as follows.

#--------------     Config Start -----------
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
# Backend number 1: agent authentication against Active Directory.
$Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'}   = 'ad-srv.corp.local';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=corp,dc=local';
$Self->{'AuthModule::LDAP::UID1'}    = 'sAMAccountName';
# Only members of this group (otrs_allow) may log in to the agent interface.
$Self->{'AuthModule::LDAP::GroupDN1'}    = 'CN=otrs_allow,OU=OTRS,DC=corp,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'}   = 'DN';
# Bind account used to search the directory (the otrs_sync user).
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=otrs sync,OU=OTRS,DC=corp,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'abc@123';
$Self->{'AuthModule::LDAP::AlwaysFilter1'} = '';
# Connection parameters. The key carries the same backend number (1) as the
# settings above; without the suffix the backend ignores them and uses defaults.
$Self->{'AuthModule::LDAP::Params1'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# --------------------------------------------------- #
# authentication sync settings                        #
# (enable agent data sync. after successful           #
# authentication)                                     #
# --------------------------------------------------- #
# This is an example configuration for an LDAP auth sync. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'}   = 'ad-srv.corp.local';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=corp,dc=local';
$Self->{'AuthSyncModule::LDAP::UID1'}    = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=otrs sync,OU=OTRS,DC=corp,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'abc@123';
# Agent fields that are copied from the directory after each successful login.
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

#----------------------- Config End -------------------------------
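The GroupDN1 / AccessAttr1 / UserAttr1 settings are the part of this block that decides who gets into the agent interface at all: a valid AD password is not enough, the user must also be listed in otrs_allow. The following is an added example (not code from the post or from OTRS) that models that gate over a constructed in-memory directory; the login names, DNs and the AUTH_CONFIG dict are all made up for the illustration.

```python
# Added example: a model of the agent-login gate expressed by the
# AuthModule::LDAP::GroupDN1 / AccessAttr1 / UserAttr1 settings.
# Not OTRS code; the directory entries below are constructed sample data.

# Mirrors the config keys from the post (backend number 1).
AUTH_CONFIG = {
    "UID": "sAMAccountName",
    "GroupDN": "CN=otrs_allow,OU=OTRS,DC=corp,DC=local",
    "AccessAttr": "member",
    "UserAttr": "DN",   # 'DN' for AD groups, 'UID' for posixGroup-style memberUid
}

# Constructed directory: DN -> attributes (every value is a list, as in LDAP).
SAMPLE_DIRECTORY = {
    "CN=otrs_allow,OU=OTRS,DC=corp,DC=local": {
        "objectClass": ["group"],
        "member": [
            "CN=Alice Admin,OU=Staff,DC=corp,DC=local",
            "CN=Bob Agent,OU=Staff,DC=corp,DC=local",
        ],
    },
    "CN=Alice Admin,OU=Staff,DC=corp,DC=local": {"sAMAccountName": ["alice"]},
    "CN=Bob Agent,OU=Staff,DC=corp,DC=local": {"sAMAccountName": ["bob"]},
    # Valid AD account that was never added to otrs_allow.
    "CN=Carol Contractor,OU=External,DC=corp,DC=local": {"sAMAccountName": ["carol"]},
}


def find_user_dn(directory, uid_attr, login):
    """Resolve the typed login to a user DN (the search the bind account performs)."""
    for dn, attrs in directory.items():
        if login.lower() in (v.lower() for v in attrs.get(uid_attr, [])):
            return dn
    return None


def in_access_group(directory, config, user_dn, login):
    """The GroupDN check: is the user listed in the group's AccessAttr?
    With UserAttr 'DN' the full user DN is compared, with 'UID' the bare login.
    Matching is case-insensitive, as LDAP compares DNs and sAMAccountName."""
    group = directory.get(config["GroupDN"])
    if group is None:
        return False  # a missing group denies everyone rather than failing open
    needle = user_dn if config["UserAttr"].upper() == "DN" else login
    return needle.lower() in (v.lower() for v in group.get(config["AccessAttr"], []))


def authorize(directory, config, login):
    """Decide whether a login may reach the agent interface.
    Password verification (the bind with the user's own credentials) happens
    separately and is not modelled here; this covers only the group gate."""
    user_dn = find_user_dn(directory, config["UID"], login)
    if user_dn is None:
        return (False, "no such user")
    if not in_access_group(directory, config, user_dn, login):
        return (False, "not a member of " + config["GroupDN"])
    return (True, user_dn)


if __name__ == "__main__":
    for login in ("alice", "carol", "mallory"):
        print(login, "->", authorize(SAMPLE_DIRECTORY, AUTH_CONFIG, login))
```

Running it shows alice accepted, carol rejected although her account exists, and an unknown login rejected before any group lookup. Swapping AUTH_CONFIG to UID='uid', AccessAttr='memberUid', UserAttr='UID' gives the posixGroup variant that the commented line in the customer block refers to.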

# ---------------------- Active Directory Group Synchronization with OTRS config Start here ----------
# OTRS groups a new agent is placed in when the record is first created.
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
    'users',
];

# AuthSyncModule::LDAP::UserSyncGroupsDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# groups to otrs groups, define the following.)
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition1'} = {
    # ldap group
    'CN=otrs_admin_group,OU=OTRS,DC=corp,DC=local' => {
        # otrs group
        'admin' => {
            # permission
            rw => 1,
            ro => 1,
        },
        'Hardware Group Users' => {
            rw => 1,
            ro => 1,
        },
        'faq' => {
            rw => 0,
            ro => 1,
        },
    },
    'CN=otrs_agent_group,OU=OTRS,DC=corp,DC=local' => {
        'users' => {
            rw => 1,
            ro => 1,
        },
        'Hardware Group Users' => {
            rw => 1,
            ro => 1,
        },
    },
};
#----------------------- Config End -------------------------------
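To see what an agent actually ends up with from this mapping, here is an added example (my own model code, not the OTRS sync module) that takes the memberOf values AD returns for a user and computes the resulting OTRS group permissions. The sample agents and their group memberships are constructed; the points marked as assumptions (permissions recomputed from scratch on every sync, initial groups granted only at creation, mappings processed in sorted order with the last assignment winning) describe the model and should be checked against the OTRS version in use.

```python
# Added example: derive an agent's OTRS group permissions from the
# UserSyncGroupsDefinition1 mapping. Model code, not OTRS's sync module.

# The same mapping as in the Config.pm fragment above.
GROUP_SYNC_DEFINITION = {
    "CN=otrs_admin_group,OU=OTRS,DC=corp,DC=local": {
        "admin": {"rw": 1, "ro": 1},
        "Hardware Group Users": {"rw": 1, "ro": 1},
        "faq": {"rw": 0, "ro": 1},
    },
    "CN=otrs_agent_group,OU=OTRS,DC=corp,DC=local": {
        "users": {"rw": 1, "ro": 1},
        "Hardware Group Users": {"rw": 1, "ro": 1},
    },
}
INITIAL_GROUPS = ["users"]   # UserSyncInitialGroups1

# Constructed agents: login -> memberOf values as AD would return them.
SAMPLE_AGENTS = {
    "alice": ["CN=otrs_allow,OU=OTRS,DC=corp,DC=local",
              "CN=otrs_admin_group,OU=OTRS,DC=corp,DC=local"],
    "bob":   ["CN=otrs_allow,OU=OTRS,DC=corp,DC=local",
              "CN=otrs_agent_group,OU=OTRS,DC=corp,DC=local"],
    "carol": ["CN=otrs_allow,OU=OTRS,DC=corp,DC=local"],  # may log in, mapped to nothing
}


def sync_permissions(member_of, definition, initial_groups=(), first_login=False):
    """Return {otrs_group: {"ro": 0|1, "rw": 0|1}} for one agent.

    Modelling assumptions (confirm against your OTRS version):
    * every sync starts from an empty permission set, so leaving an AD group
      revokes the corresponding OTRS permissions at the next login;
    * initial groups are granted only when the agent record is first created;
    * mapped AD groups are processed in sorted DN order and each mapping assigns
      the flags it lists, so for an agent in several mapped groups the last
      processed mapping for a given OTRS group wins.
    """
    member_set = {dn.lower() for dn in member_of}
    perms = {}
    if first_login:
        for group in initial_groups:
            perms[group] = {"ro": 1, "rw": 1}
    for ldap_group in sorted(definition):
        if ldap_group.lower() not in member_set:
            continue
        for otrs_group, flags in definition[ldap_group].items():
            current = perms.setdefault(otrs_group, {"ro": 0, "rw": 0})
            for flag, value in flags.items():
                current[flag] = int(value)
    return perms


def removed_permissions(before, after):
    """OTRS groups where an agent lost rw or ro between two syncs (audit aid)."""
    lost = []
    for group, old in before.items():
        new = after.get(group, {"ro": 0, "rw": 0})
        if old["rw"] > new["rw"] or old["ro"] > new["ro"]:
            lost.append(group)
    return sorted(lost)


if __name__ == "__main__":
    for login, groups in SAMPLE_AGENTS.items():
        print(login, sync_permissions(groups, GROUP_SYNC_DEFINITION))
    # Alice is moved from the admin group to the agent group in AD:
    before = sync_permissions(SAMPLE_AGENTS["alice"], GROUP_SYNC_DEFINITION)
    after = sync_permissions(SAMPLE_AGENTS["bob"], GROUP_SYNC_DEFINITION)
    print("alice loses:", removed_permissions(before, after))
```

The removed_permissions helper is there because the mapping is the only place where admin rights are assigned: with this setup, revoking an agent's admin access is done by removing the AD group membership, and the change takes effect at that agent's next login, not immediately.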

#--------------- Customer user config Start here ---------------
# --------------------------------------------------- #
# customer authentication settings                    #
# (enable what you need, auth against otrs db,        #
# against a LDAP directory, against HTTP basic        #
# authentication and against Radius server)           #
# --------------------------------------------------- #
# Backend number 2: customer authentication against Active Directory
# (backend 1 stays the OTRS database, which can also be a remote database).
$Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host2'}   = 'ad-srv.CORP.LOCAL';
$Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'dc=CORP,dc=LOCAL';
$Self->{'Customer::AuthModule::LDAP::UID2'}    = 'sAMAccountName';
# Only members of this group may log in to the customer interface.
$Self->{'Customer::AuthModule::LDAP::GroupDN2'}    = 'CN=OTRS_Users,OU=OTRS,DC=CORP,DC=LOCAL';
$Self->{'Customer::AuthModule::LDAP::AccessAttr2'} = 'member';
# for ldap posixGroups objectclass (just uid)
#$Self->{'Customer::AuthModule::LDAP::UserAttr2'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
$Self->{'Customer::AuthModule::LDAP::UserAttr2'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'CN=otrs sync,OU=OTRS,DC=CORP,DC=LOCAL';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = 'abc@123';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter2'} = '';

# Customer user data source number 2: read customer records from Active Directory.
$Self->{'CustomerUser2'} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'ad-srv.CORP.LOCAL',
        BaseDN => 'DC=CORP,DC=LOCAL',
        SSCOPE => 'sub',
        UserDN => 'CN=otrs sync,OU=OTRS,DC=CORP,DC=LOCAL',
        UserPw => 'abc@123',
        # Only normal user objects whose ACCOUNTDISABLE bit (2) is not set.
        AlwaysFilter  => '(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID  => 'company',
    CustomerUserListFields   => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 10000,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName',  1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'company',         1, 1, 'var' ],
        [ 'UserPhone',      'Phone',      'telephoneNumber', 1, 0, 'var' ],
    ],
};
# ---------------------------- Customer config End here --------------------------
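The AlwaysFilter in the CustomerUser2 block is what keeps disabled accounts and computer objects out of the customer list: 805306368 (0x30000000) is the samAccountType of a normal user object, and the 1.2.840.113556.1.4.803 matching rule does a bitwise AND of userAccountControl with 2, the ACCOUNTDISABLE bit. The example below is added here (model code, not the OTRS CustomerUser::LDAP module) and evaluates that filter together with the wildcard search defined by CustomerUserSearchFields and CustomerUserSearchSuffix over constructed directory entries.

```python
# Added example: evaluate the customer AlwaysFilter and the wildcard search
# from the CustomerUser2 block against constructed AD entries. Not OTRS code.
import re

SAM_NORMAL_USER_ACCOUNT = 805306368   # 0x30000000: ordinary user objects
SAM_MACHINE_ACCOUNT     = 805306369   # 0x30000001: computer accounts
UAC_NORMAL_ACCOUNT      = 0x0200
UAC_ACCOUNTDISABLE      = 0x0002      # bit tested by the :1.2.840.113556.1.4.803: rule
UAC_DONT_EXPIRE_PASSWD  = 0x10000

# Constructed entries carrying the attributes the Map reads.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "cn": "Alice Admin", "mail": "alice@corp.local",
     "samAccountType": SAM_NORMAL_USER_ACCOUNT,
     "userAccountControl": UAC_NORMAL_ACCOUNT},
    {"sAMAccountName": "dave", "cn": "Dave Disabled", "mail": "dave@corp.local",
     "samAccountType": SAM_NORMAL_USER_ACCOUNT,
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE},   # disabled
    {"sAMAccountName": "FILESRV$", "cn": "FILESRV", "mail": None,
     "samAccountType": SAM_MACHINE_ACCOUNT,
     "userAccountControl": 0x1000},                                    # computer object
    {"sAMAccountName": "frank", "cn": "Frank Agent", "mail": "frank@corp.local",
     "samAccountType": SAM_NORMAL_USER_ACCOUNT,
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWD},  # enabled
]

# Search settings from the CustomerUser2 block.
SEARCH_FIELDS = ["sAMAccountName", "cn", "mail"]
SEARCH_PREFIX = ""
SEARCH_SUFFIX = "*"


def matches_always_filter(entry):
    """(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return (entry.get("samAccountType") == SAM_NORMAL_USER_ACCOUNT
            and not (entry.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE))


def visible_customers(entries):
    """Logins the customer backend would list at all (AlwaysFilter only)."""
    return sorted(e["sAMAccountName"] for e in entries if matches_always_filter(e))


def _ldap_wildcard(pattern):
    # Only '*' is a wildcard in an LDAP substring filter; everything else is literal.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def search_customers(entries, term):
    """Mimic the customer search: the typed term is wrapped as prefix + term + suffix,
    OR-ed over the search fields, and AND-ed with the AlwaysFilter."""
    rx = _ldap_wildcard(SEARCH_PREFIX + term + SEARCH_SUFFIX)
    hits = []
    for entry in entries:
        if not matches_always_filter(entry):
            continue
        if any(entry.get(f) and rx.match(str(entry[f])) for f in SEARCH_FIELDS):
            hits.append(entry["sAMAccountName"])
    return sorted(hits)


if __name__ == "__main__":
    print("listed:", visible_customers(SAMPLE_ENTRIES))
    for term in ("ali", "dave", "*@corp.local", "admin"):
        print(repr(term), "->", search_customers(SAMPLE_ENTRIES, term))
```

With suffix '*' and an empty prefix the search is a prefix match on each field, so "admin" finds nothing although a cn contains it, while a term typed with its own leading '*' matches anywhere. The disabled account dave is never returned, whatever the term, because the AlwaysFilter is applied to every query.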

STEP-4 : Save the Config File and Upload It to the OTRS Server

·         Open WinSCP.

·         Right-click the local “Config.pm” file and select “Upload” to the “/opt/otrs/Kernel/” path.

·         It will show an overwrite warning; select “Yes”.

 

STEP-5 : Log in with the AD username and password in the agent portal and troubleshoot

·         Open http://<otrs ip>/otrs/index.pl

·         Log in with the AD credentials.

·         If you face any error, log in as root and check the logs:

o   Disable MX checking.

o   Check the date and time.

o   Check that the DN names are given correctly.

o   Check the AD sync username and password.

o   AD must be reachable via its hostname.



Comments

  1. Do you know if I can use Azure AD certificates to authenticate to OTRS 7 or 8?
