Have a Question?

<All Topics
Print

Integração com Active Directory (ou LDAP) local

Note: This article does not apply to LigeroSmart SaaS, only to installations with access to the container in this time.

The integration that allows AD users to authenticate with LigeroSmart or even that allows LigeroSmart to see customer information in AD must be parameterized in the file /opt/otrs/Kernel/Config.pm

In this document, we provide code snippets that must be pasted into this file, according to the need for integration and, adapted to the reality of your organization.

To carry out such integration, it is necessary that LigeroSmart have a service account created in Active Directory or LDAP.

An interesting way to check if the linux server is accessing the AD directory server, is using the command below:

ldapsearch -h 192.168.1.10 -b "DC = DOMAIN, DC = LOCAL" -D "CN = dialer, CN = Users, DC = DOMAIN, DC = LOCAL" -w password "(objectClass = person)"

This command lists your user directory. It is necessary to install ldapsearch on your server. In CentOS it can be installed with the command:

yum install openldap-clients

Attendant Authentication

########################################################################## # Attendants Authentication # #- Here we define the integration that allows the LigeroSmart authenticate users # # from Active Directory in your organization. # #- Important: the user must have the field "email" filled # # in AD to be able to authenticate # ########################################################################## $Self -> {} = AuthModule1 Kernel :: System :: Auth :: LDAP '; # Below, we put the IP or hostname of the $Self server -> {'AuthModule :: LDAP :: Host1'} = '192.168.30.50'; # Next, the DistinguishedName (DN) where we will search for users $Self -> {'AuthModule :: LDAP :: BaseDN1'} = 'DC = complement, DC = net, DC = br'; # Next, the AD property where we will find the username $Self -> {'AuthModule :: LDAP :: UID1'} = 'sAMAccountName'; # Here we define which group the user must be in to be able to log in to LigeroSmart, # This parameter is optional and can be commented with # $Self -> {'AuthModule :: LDAP :: GroupDN1'} = 'CN = Attendants, OU = LigeroSmart Groups, DC = complement, DC = net, DC = br '; # The parameter below must not be modified $Self -> {'AuthModule :: LDAP :: AccessAttr1'} = 'member'; # Here we define the username and password for an account that is allowed to search for information in the tree of our AD. # It is advisable to create an exclusive user for LigeroSmart $Self -> {'AuthModule :: LDAP :: SearchUserDN1'} = 'CN = LigeroSmart, CN = Users, DC = add-on, DC = net, DC = br'; $Self -> {'AuthModule :: LDAP :: SearchUserPw1'} = 'Brasil123!'; # Note that there is the number “1” at the end of the settings made between “{}” # LigeroSmart allows you to connect with up to 9 different authentication modules, or 9 different ADs for example.

Synchronization of Attendants with AD

    # Here we can map the attendants and their attributes, such as first and last name, e-mail etc. # The values below are for a standard installation. Adapt to your system. $Self -> {AuthSyncModule} = 'Kernel :: System :: Auth :: Sync :: LDAP'; $Self -> {'AuthSyncModule :: LDAP :: UserAttr'} = 'DN'; $Self -> {'AuthModule :: LDAP :: UserAttr'} = 'DN'; $Self -> {'AuthSyncModule :: LDAP :: Host'} = '192.168.30.50'; $Self -> {'AuthSyncModule :: LDAP :: BaseDN'} = 'DC = complement, DC = net, DC = br'; $Self -> {'AuthSyncModule :: LDAP :: UID'} = 'sAMAccountName'; $Self -> {'AuthSyncModule :: LDAP :: SearchUserDN'} = 'CN = LigeroSmart, CN = Users, DC = add-on, DC = net, DC = br'; $Self -> {'AuthSyncModule :: LDAP :: SearchUserPw'} = 'Brasil123!'; $Self -> {'AuthSyncModule :: LDAP :: UserSyncMap'} = {# DB -> LDAP UserFirstname => 'givenName', UserLastname => 'sn', UserEmail => 'mail', UserCargo => 'description', UserPhoneNumber => 'telephoneNumber',}; $Self -> {'AuthSyncModule :: LDAP :: AccessAttr'} = 'member'; # You can choose default groups for your users. Just uncomment the 3 lines below and define the groups # $Self -> {'AuthSyncModule :: LDAP :: UserSyncInitialGroups'} = [# 'users', #];

Relating AD groups to LigeroSmart roles

########################################################################## #- system roles Management # #- You should make associations between # # Active Directory groups and roles in LigeroSmart. # #- You must add lines here whenever you create a new role # # in LigeroSmart or group in Active Directory # ########################################################################## $Self -> { 'AuthSyncModule :: LDAP :: UserSyncRolesDefinition'} = {# First mapped group # Group in Active Directory - LigeroSmart Administrators in AD 'CN = LigeroSmart Administrators, OU = LigeroSmart Groups, DC = add-on, DC = net, DC = br' => {# Role in LigeroSmart - Administrator 'Administrator' => 1,}, # Second Mapping 'CN = Service Desk, OU = LigeroSmart Groups, DC = complete nto, DC = net, DC = br '=> {# Role in LigeroSmart' First Level Attendant '=> 1,}, # Third Mapping' CN = Developers, OU = LigeroSmart Groups, DC = complement, DC = net, DC = br '=> {' Developer '=> 1, # You can define more than one role for the same group as AD #' Role 2 '=> 1,},};

AD users as LigeroSmart Customers

################################################################### # Displays AD employees as # # internal customers Remember that users in AD must have the field mail # # filled out correctly # ################################################################### $Self -> {CustomerUser1} = {Name => 'Active Directory complement', Module = > 'Kernel :: System :: CustomerUser :: LDAP', Params => {Host => '192.168.30.50', BaseDN => 'DC = complement, DC = net, DC = br', SSCOPE => 'sub', UserDN => 'CN = LigeroSmart, CN = Users, DC = complement, DC = net, DC = br ', UserPw =>' Brasil123! ', # The line below is for not bringing disabled users: # Source: http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm AlwaysFilter => '(& (objectclass = user) (! (objectclass = computer)) (! (userAccountControl: 1.2.840.113556.1.4.803: = 2)))', 'SourceCharset =>' utf-8 ', DestCharset => 'utf-8', Params => {port => 389, timeout => 120, async => 0, version => 3,},}, CustomerKey => 'sAMAccountName', CustomerID => 'mail', CustomerUserListFields = > ['cn', 'mail'], CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail', 'givenname', 'sn'], CustomerUserSearchPrefix => '*', CustomerUserSearchSuf fix => '*', CustomerUserSearchListLimit => 500, CustomerUserPostMasterSearchFields => ['mail'], CustomerUserNameFields => ['givenname', 'sn'], CustomerUserEmailUniqCheck => 0, CustomerUserExcludePrimaryCustomerID => 0, AdminSetPreferences = => 1, CacheTTL => 180, Map => [# note: Login, Email and CustomerID are mandatory! # var, frontend, storage, shown (1 = always, 2 = lite), required, storage-type, http-link, readonly ['UserTitle', 'Title', 'title', 1, 0, 'var', '', 0], ['UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0], ['UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0], ['UserLogin', 'Username', 'sAMAccountName', 1, 1, 'var', '', 0], ['UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0], ['UserCustomerID', 'CustomerID', 'sAMAccountName', 0, 1, 'var', '', 0], ['UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0], ['UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0], ['UserComment', 'Comment', 'dn', 1, 0, 'var', '', 0], ['DN', 'DN', 'dn', 1, 0, 'var', '', 0],] ,};

Client Authentication in Active Directory

$Self -> {'Customer :: AuthModule1'} = 'Kernel :: System :: CustomerAuth :: LDAP'; $Self -> {'Customer :: AuthModule :: LDAP :: Host1'} = '192.168.30.50'; $Self -> {'Customer :: AuthModule :: LDAP :: BaseDN1'} = 'DC = complement, DC = net, DC = br'; $Self -> {'Customer :: AuthModule :: LDAP :: UID1'} = 'sAMAccountName'; $Self -> {'Customer :: AuthModule :: LDAP :: AccessAttr1'} = 'member'; $Self -> {'Customer :: AuthModule :: LDAP :: SearchUserDN1'} = 'CN = LigeroSmart, CN = Users, DC = add-on, DC = net, DC = br'; $Self -> {'Customer :: AuthModule :: LDAP :: SearchUserPw1'} = 'Brasil123!'; # The line below is for not bringing disabled users: (! (UserAccountControl: 1.2.840.113556.1.4.803: = 2)) # Source: http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm $Self -> { 'Customer :: AuthModule :: LDAP :: AlwaysFilter1'} = '(& (objectclass = user) (! (Objectclass = computer)) (! (UserAccountControl: 1.2.840.113556.1.4.803: = 2)))'; # $Self -> {'Customer :: AuthModule :: LDAP :: Die1'} = 0; # The line below is to allow only users of a certain group to access the system as clients # $Self -> {'Customer :: AuthModule :: LDAP :: GroupDN1'} = 'CN = LigeroSmart Customers, OU = LigeroSmart Groups, DC = complement, DC = net, DC = br ';

Leave a Reply

Your email address will not be published. Required fields are marked *

summary