Share |

Configuring OTRS to make Customers / Users authenticate via LDAP (MS Windows Active Directory)

The goal is to let our already existing users in active directory login via LDAP authentication, based on group membership.

A problem I came across is that from Windows 2003 you cannot query the LDAP directory anonymous, so we have to create a user that has the permission to query the LDAP directory.

Open your Active Directory Users And Computers console and create a user for example "otrs_ldap" with default settings, assign a password and make it never expire.

Go to the "Builtin" OU and open the "Windows Authorisation Access Group" and add the user you just created, in this case "otrs_ldap"

Add user to group

Next we need to create two groups, one for the Customers / users and one for the agents.
The agents group is only applicable when you want to use also LDAP authentication for agent users instead of the internal database.

Create a group "otrs_allow_A" and "otrs_allow_C", agents and customers group respectively.

In these groups resides the users or groups you want to give access to the OTRS system.

Following we need to edit the file "/opt/otrs/Kernel/"

At the bottom of the file above the "End of your own config options!!!" paste the following code which is explained where necesary:

#Enable LDAP authentication for Customers / Users
  $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
  $Self->{'Customer::AuthModule::LDAP::Host'} = '';
  $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=BaseOU,dc=example,dc=com';
  $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

#The following is valid but would only be necessary if the
#anonymous user do NOT have permission to read from the LDAP tree
  $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'otrs_ldap';
  $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'PASSWORD';

#(customer user database backend and settings)
    $Self->{CustomerUser} = {
      Module => 'Kernel::System::CustomerUser::LDAP',
      Params => {
      Host => '',
      BaseDN => 'OU=BaseOU,DC=example,DC=com',
      SSCOPE => 'sub',
      UserDN =>'otrs_ldap',
      UserPw => 'PASSWORD',
# customer unique id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
      #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
      [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
      #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
      #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
#Add the following lines when only users are allowed to login if they reside in the spicified security group
#Remove these lines if you want to provide login to all users specified in the User Base DN
#example: $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=BaseOU, dc=example, dc=com';
  $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'CN=otrs_ldap_allow_C,OU=Groups,OU=BaseOU,DC=example,DC=com';
  $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
  $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN'


Next: Configuring OTRS to make Agents authenticate via LDAP (MS Windows Active Directory)

Updated: February 2, 2015