Share |

Configuring OTRS to make Agents authenticate via LDAP (MS Windows Active Directory)

The goal is to let our already existing (Agent) users in active directory login via LDAP authentication, based on group membership.

#Enable LDAP authentication for Customers / Users
  $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
  $Self->{'AuthModule::LDAP::Host'} = 'host.example.com';
  $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=BaseOU,dc=example,dc=com';
  $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
 
#The following is valid but would only be necessary if the
#anonymous user do NOT have permission to read from the LDAP tree
  $Self->{'AuthModule::LDAP::SearchUserDN'} = 'otrs_ldap';
  $Self->{'AuthModule::LDAP::SearchUserPw'} = 'PASSWORD';

# UserSyncLDAPMap
# (map if agent should create/synced from LDAP to DB after login)
    $Self->{UserSyncLDAPMap} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname => 'sn',
        UserEmail => 'mail',
    };

# UserSyncLDAPGroups
# (If "LDAP" was selected for AuthModule, you can specify
# initial user groups for first login.)
    $Self->{UserSyncLDAPGroups} = [
        'users',
    ];

# UserTable
    $Self->{DatabaseUserTable} = 'users';
    $Self->{DatabaseUserTableUserID} = 'id';
    $Self->{DatabaseUserTableUserPW} = 'pw';
    $Self->{DatabaseUserTableUser} = 'login';

#Add the following lines when only users are allowed to login if they reside in the spicified security group
#Remove these lines if you want to provide login to all users specified in the User Base DN
  $Self->{'AuthModule::LDAP::GroupDN'} =''CN=otrs_ldap_allow_A,OU=Groups,OU=BaseOU,DC=example,DC=com';
  $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
  $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

 

Maybe more following soon!

 

 

 

 

Updated: February 2, 2015