OpenLDAP with … OTRS

In the last few months, I worked a lot on connecting different services to OpenLDAP. My general impression is that, in many cases, the documentation about it could be more detailed. So here is a little collection – no long articles, just the configuration part. This is part 1: how to integrate the free ticket system OTRS with OpenLDAP.

  • There are no configuration options related to OpenLDAP in the web interface. You do the configuration in the file Kernel/Config.pm.
  • It’s really worth reading the file Kernel/Config/Defaults.pm! It contains more than defaults; it is rather the missing manual. 😉

Here is a working example with two agent groups and one customer group in LDAP. I worked with groupOfNames and the memberOf overlay. Two things to keep in mind: the memberOf attribute used in the filters below only exists if that overlay is loaded for the database, and the bind user's password is stored in clear text in Kernel/Config.pm, so restrict the file's permissions accordingly. The example talks to 127.0.0.1 over plain LDAP; for a remote directory use ldaps or StartTLS, otherwise the bind user's and every agent's password cross the network in clear.

    # OpenLDAP
    # part 1: authenticate agents against ldap
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = '127.0.0.1';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=users,dc=example,dc=org';
    $Self->{'AuthModule::LDAP::UID'} = 'uid';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=binduser,dc=example,dc=org';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'secret';
    # only members of group1 or group2 may log in as agents, whatever their password
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(|(memberOf=cn=group1,ou=otrs,dc=example,dc=org)(memberOf=cn=group2,ou=otrs,dc=example,dc=org))';
    $Self->{'AuthModule::LDAP::UserSuffix'} = '';
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

    # sync agents from ldap to mysql
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = '127.0.0.1';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'ou=users,dc=example,dc=org';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=binduser,dc=example,dc=org';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'secret';
    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # Use these lines from the example file to sync everyone to the group "users" in the database, without differentiation.
    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

    # Use this to sync ldap groups to otrs groups
    # what to look for: the group entry's "member" attribute must contain the agent's DN
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
    # where to put them
    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
        'cn=group1,ou=otrs,dc=example,dc=org' => {
            'admin' => {
                rw => 1,
                ro => 1,
            },
            'faq' => {
                rw => 1,
                ro => 0,
            },
            'users' => {
                rw => 1,
                ro => 1,
            },
        },
        'cn=group2,ou=otrs,dc=example,dc=org' => {
            'it' => {
                rw => 1,
                ro => 1,
            },
            'faq' => {
                rw => 1,
                ro => 0,
            },
            'users' => {
                rw => 1,
                ro => 1,
            },
        },
    };

    # part 2: authenticate customers against ldap
    # the "2" at the end of every key adds ldap as a second authentication backend and
    # keeps allowing authentication against the database (the unnumbered backend)
    $Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host2'} = '127.0.0.1';
    $Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'ou=users,dc=example,dc=org';
    $Self->{'Customer::AuthModule::LDAP::UID2'} = 'uid';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'cn=binduser,dc=example,dc=org';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = 'secret';
    $Self->{'Customer::AuthModule::LDAP::AlwaysFilter2'} = '(memberOf=cn=group3,ou=otrs,dc=example,dc=org)';
    # the Params key needs the "2" as well; without it the hash belongs to the first backend and is ignored here
    $Self->{'Customer::AuthModule::LDAP::Params2'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };


    # map customer attributes
    $Self->{CustomerUser2} = {
        Name => 'LDAP-Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host => '127.0.0.1',
            BaseDN => 'ou=users,dc=example,dc=org',
            SSCOPE => 'sub',
            UserDN => 'cn=binduser,dc=example,dc=org',
            UserPw => 'secret',
            AlwaysFilter => '(memberOf=cn=group3,ou=otrs,dc=example,dc=org)',
        },
        CustomerKey => 'uid',
        # attribute that carries the customer ID; keep this in line with the
        # UserCustomerID entry of the Map below (here one says mail, the other uid)
        CustomerID => 'mail',
        # show these fields when searching in admin interface
        CustomerUserListFields => ['uid', 'cn', 'mail'],
        # search for these fields in ldap
        CustomerUserSearchFields => ['uid', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
            [ 'UserLogin', 'Login', 'uid', 1, 1, 'var' ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'uid', 0, 1, 'var' ],
        ],
    };
    # customers are not synced to mysql; CustomerUser2 reads them directly from ldap
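To see what the configuration above actually makes OTRS ask the directory, here is an added example (written for this page in Python, not OTRS code, which is Perl) that models the two lookups offline: the login for agents and customers (search as the bind user with the login name AND-ed with the AlwaysFilter, then a simple bind as the DN that was found) and the agent group sync (a `(member=<user DN>)` lookup on each groupOfNames in UserSyncGroupsDefinition). The directory, the users alice, bob and carol and their passwords are constructed to match the DNs used in the config; the OR-merge of permissions in `otrs_permissions` is this model's own assumption.

```python
"""Offline model of the LDAP lookups behind the OTRS config above: agent and customer
login (search with AlwaysFilter, then bind as the found DN) and the agent group sync
(groupOfNames 'member' lookup). Added example, not OTRS code; the directory and the
passwords are constructed to match the DNs used on this page."""
import re

def escape_filter_value(value):
    """RFC 4515 escaping of a value placed into a filter (what Net::LDAP::Util does)."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group(0)), value)

def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def _parse(s, i):
    """Tiny parser for the filter subset used here: (&...), (|...) and (attr=value)."""
    if s[i] != '(':
        raise ValueError('expected "(" at offset %d of %r' % (i, s))
    i += 1
    if s[i] in ('&', '|'):
        op, kids, i = s[i], [], i + 1
        while s[i] == '(':
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1                 # skip the closing ')'
    end = s.index(')', i)                        # escaped values hold no literal ')'
    attr, _, val = s[i:end].partition('=')
    return ('=', attr.lower(), _unescape(val).lower()), end + 1

def _matches(node, entry):
    if node[0] == '&':
        return all(_matches(k, entry) for k in node[1])
    if node[0] == '|':
        return any(_matches(k, entry) for k in node[1])
    _, attr, val = node
    return any(v.lower() == val for v in entry.get(attr, []))

def search(base_dn, filter_str, directory):
    """DNs below base_dn (scope sub, approximated by a DN suffix test) matching the filter."""
    node, _ = _parse(filter_str, 0)
    return [dn for dn, e in directory.items()
            if dn.lower().endswith(base_dn.lower()) and _matches(node, e)]

# Constructed directory: attribute names lowercased, values as lists. memberOf is what
# the memberOf overlay would derive from the groups' member attributes.
USERS_BASE, OTRS_BASE = 'ou=users,dc=example,dc=org', 'ou=otrs,dc=example,dc=org'
G1, G2, G3 = ('cn=%s,%s' % (g, OTRS_BASE) for g in ('group1', 'group2', 'group3'))
ALICE, BOB, CAROL = ('uid=%s,%s' % (u, USERS_BASE) for u in ('alice', 'bob', 'carol'))
DIRECTORY = {
    ALICE: {'uid': ['alice'], 'userpassword': ['alice-pw'], 'memberof': [G1]},
    BOB:   {'uid': ['bob'],   'userpassword': ['bob-pw'],   'memberof': [G1, G2]},
    CAROL: {'uid': ['carol'], 'userpassword': ['carol-pw'], 'memberof': [G3]},
    G1: {'objectclass': ['groupOfNames'], 'member': [ALICE, BOB]},
    G2: {'objectclass': ['groupOfNames'], 'member': [BOB]},
    G3: {'objectclass': ['groupOfNames'], 'member': [CAROL]},
}
AGENT_FILTER = '(|(memberOf=%s)(memberOf=%s))' % (G1, G2)   # AuthModule::LDAP::AlwaysFilter
CUSTOMER_FILTER = '(memberOf=%s)' % G3                       # Customer::...::AlwaysFilter2
SYNC_GROUPS = {                                              # UserSyncGroupsDefinition
    G1: {'admin': {'rw': 1, 'ro': 1}, 'faq': {'rw': 1, 'ro': 0}, 'users': {'rw': 1, 'ro': 1}},
    G2: {'it': {'rw': 1, 'ro': 1}, 'faq': {'rw': 1, 'ro': 0}, 'users': {'rw': 1, 'ro': 1}},
}

def login_filter(login, always_filter):
    """(&(uid=<escaped login>)<AlwaysFilter>): the login name is escaped, so filter
    metacharacters in it cannot widen the search past the AlwaysFilter."""
    return '(&(uid=%s)%s)' % (escape_filter_value(login), always_filter)

def authenticate(login, password, always_filter, directory=DIRECTORY):
    """Step 1: search as binduser for the login; step 2: simple bind as the found DN.
    Returns the DN on success, None otherwise."""
    hits = search(USERS_BASE, login_filter(login, always_filter), directory)
    if not hits:
        return None                              # unknown, or outside the allowed groups
    dn = hits[0]
    # A DN with an empty password is an *unauthenticated* bind; OpenLDAP refuses it
    # unless 'allow bind_anon_cred' is set, but a client must never rely on that.
    if not password or password not in directory[dn].get('userpassword', []):
        return None
    return dn

def otrs_permissions(dn, directory=DIRECTORY):
    """Group sync with AccessAttr 'member' and UserAttr 'DN': every LDAP group in the
    definition is checked with (member=<escaped user DN>). Permissions of all matching
    groups are OR-merged here (this model's assumption; the definition above has no
    conflicting values, so the outcome is the same either way)."""
    perms = {}
    for group_dn, otrs_groups in SYNC_GROUPS.items():
        if search(group_dn, '(member=%s)' % escape_filter_value(dn), directory):
            for name, p in otrs_groups.items():
                cur = perms.setdefault(name, {'rw': 0, 'ro': 0})
                cur['rw'], cur['ro'] = cur['rw'] | p['rw'], cur['ro'] | p['ro']
    return perms
```

With the model, carol (group3 only) authenticates against CUSTOMER_FILTER but not AGENT_FILTER, alice the other way round, and a login name such as `*)(uid=*` is escaped to `\2a\29\28uid=\2a` and matches nobody. Against the real server the same two steps can be reproduced with the OpenLDAP tools: `ldapsearch -x -H ldap://127.0.0.1 -D cn=binduser,dc=example,dc=org -W -b ou=users,dc=example,dc=org '(&(uid=alice)(|(memberOf=cn=group1,ou=otrs,dc=example,dc=org)(memberOf=cn=group2,ou=otrs,dc=example,dc=org)))' dn memberOf` should return exactly the agent's DN (memberOf is an operational attribute and must be requested by name), and `ldapwhoami -x -H ldap://127.0.0.1 -D uid=alice,ou=users,dc=example,dc=org -W` checks that the bind with the agent's own password succeeds.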