    • #11317
      Michael Rombach
      Participant

        Hello everyone,

        By now I am at a loss with integrating the Config.pm for the LDAP connection.

        What do I need to set there so that all my users from one OU are synced into Otobo as agents?

        Whenever I insert the change into Config.pm and restart Apache, I can no longer get into Otobo, because the web page is not displayed, or if it is displayed, it has not imported anything.

        Is there a log where I could see what it imports?

        Attached is my current Config.pm.

        I would be very grateful for help, since we would like to connect Otobo to AD for over 350 users.


        # This is an example configuration for an LDAP auth. backend.
        # (take care that Net::LDAP is installed!)
        my $Self = shift;
        ### Backend 1

        $Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
        $Self->{'AuthModule::LDAP::Host'} = 'srv-dc3.xxxx.xxxx';
        $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=mitarbeiter,ou=xxxx xxxx xxxx,dc=xxxx,dc=local';
        $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

        ### Backend 2
        $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
        $Self->{'AuthModule::LDAP::Host1'} = 'srv-dc2.xxxx.xxxx';
        $Self->{'AuthModule::LDAP::BaseDN1'} = 'ou=mitarbeiter,ou=xxxx xxxx xxxx,dc=xxxx,dc=local';
        $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

        # Check if the user is allowed to auth in a posixGroup
        # (e. g. user needs to be in a group xyz to use otobo)
        # $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otoboallow,ou=posixGroups,dc=example,dc=com';
        # $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
        # for ldap posixGroups objectclass (just uid)
        # $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
        # for non ldap posixGroups objectclass (with full user dn)
        # $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=ldap,ou=mitarbeiter,ou=xxxx xxxx xxxx,dc=xxxx,dc=local';
        $Self->{'AuthModule::LDAP::SearchUserPw'} = '??????????';

        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        # or if you want to filter with a logical OR-Expression, like AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
        # $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

        # in case you want to add a suffix to each login name, then
        # you can use this option. e. g. user just want to use user but
        # in your ldap directory exists user@domain.
        # $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

        # In case you want to convert all given usernames to lower letters you
        # should activate this option. It might be helpful if databases are
        # in use that do not distinguish selects for upper and lower case letters
        # (Oracle, postgresql). User might be synched twice, if this option
        # is not in use.
        # $Self->{'AuthModule::LDAP::UserLowerCase'} = 0;

        # In case you need to use OTOBO in iso-charset, you can define this
        # by using this option (converts utf-8 data from LDAP to iso).
        # $Self->{'AuthModule::LDAP::Charset'} = 'iso-8859-1';

        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        $Self->{'AuthModule::LDAP::Params'} = {
            port    => 389,
            timeout => 120,
            async   => 0,
            version => 3,
        };

        # Die if backend can't work, e. g. can't connect to server.
        # $Self->{'AuthModule::LDAP::Die'} = 1;

        $Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';

        $Self->{'AuthModule::UseSyncBackend1'} = 'AuthSyncBackend1';

        # This is an example configuration for an LDAP auth sync. backend.
        # (take care that Net::LDAP is installed!)
        $Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
        $Self->{'AuthSyncModule::LDAP::Host'} = 'srv-dc3.xxxx.xxxx';
        $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'ou=mitarbeiter,ou=xxxx xxxx xxxx,dc=xxxx,dc=local';
        $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';

        $Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
        $Self->{'AuthSyncModule::LDAP::Host1'} = 'srv-dc2.xxxx.xxxx';
        $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'ou=mitarbeiter,ou=xxxx xxxx xxxx,dc=xxxx,dc=local';
        $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';

        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=ldap,ou=mitarbeiter,ou=xxxx xxxx xxxx,dc=xxxx,dc=local';
        $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '?????????';

        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        # or if you want to filter with a logical OR-Expression, like AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
        # $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';

        # AuthSyncModule::LDAP::UserSyncMap
        # (map if agent should create/synced from LDAP to DB after successful login)
        # you may specify LDAP-Fields as either
        # * list, which will check each field. first existing will be picked ( ["givenName","cn","_empty"] )
        # * name of an LDAP-Field (may return empty strings) ("givenName")
        # * fixed strings, prefixed with an underscore: "_test", which will always return this fixed string
        $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
            # DB -> LDAP
            UserFirstname => 'givenName',
            UserLastname  => 'sn',
            UserEmail     => 'mail',    # stray character after the comma removed; it was a syntax error
        };


      • #11758
        Sebastian Nickel
        Participant

          Hi Michael,

          has the problem been resolved already?

          If not:

          In the section "# Check if the user is allowed to auth in a posixGroup" you have to enable

          $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otoboallow,ou=posixGroups,dc=example,dc=com';

          and

          $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';

          and adapt them accordingly. In the first one you define which group in AD should be checked, and in the second one you define that members are taken. Important: do not use memberUID, only Member.
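          The following is an added example, not part of the reply above or of the OTOBO project's own defaults. It shows backend 1 from the posted Config.pm with the group check from the reply switched on. The `UserAttr = 'DN'` line is taken from the commented-out lines of the posted config (the "non ldap posixGroups objectclass (with full user dn)" case), because an AD `member` attribute stores each member's full DN rather than a bare UID. Hostnames, DNs, the group name and the password are placeholders; the group DN in particular is assumed and must be replaced with the real one.

```perl
# Added example (not from the thread or from OTOBO): backend 1 of the posted
# Config.pm with the AD group check enabled. All hostnames, DNs and the group
# name are placeholders taken from the thread or assumed for illustration.
$Self->{AuthModule}                       = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}         = 'srv-dc3.xxxx.xxxx';
$Self->{'AuthModule::LDAP::BaseDN'}       = 'ou=mitarbeiter,ou=xxxx xxxx xxxx,dc=xxxx,dc=local';
$Self->{'AuthModule::LDAP::UID'}          = 'sAMAccountName';

# Only members of this AD group may log in (assumed placeholder DN).
$Self->{'AuthModule::LDAP::GroupDN'}      = 'cn=otoboallow,ou=groups,dc=xxxx,dc=local';

# AD keeps group membership in the multi-valued 'member' attribute,
# not in 'memberUid' (that attribute belongs to posixGroup entries).
$Self->{'AuthModule::LDAP::AccessAttr'}   = 'member';

# 'member' holds full user DNs, so the user's DN is compared, not the bare UID.
$Self->{'AuthModule::LDAP::UserAttr'}     = 'DN';

# Read-only bind account used for the search; the secret sits in plain text
# here, so Config.pm should be readable only by the web server user.
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=ldap,ou=mitarbeiter,ou=xxxx xxxx xxxx,dc=xxxx,dc=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '<search-user-password>';

$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
```

          The group check only gates login; which agents get created and which fields they receive is still decided by the `AuthSyncModule` block and its `UserSyncMap`. Backend 2 (the `Host1`/`BaseDN1`/`UID1` keys) is assumed to need the same three keys with the `1` suffix, following the naming pattern already used in the posted config. Running `perl -c` on the file (with the OTOBO lib directory on `@INC`) before restarting Apache catches stray characters like the one in the posted `UserSyncMap`, which would otherwise take the whole web interface down.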
