具体操作步骤可以参考OTRS官方指导手册:
https://doc.otrs.com/doc/manual/admin/6.0/zh_CN/html/external-backends.html#ldap-customer-backend
LDAP配置内容可以从/opt/otrs/Kernel/Config/Defaults.pm文件中找到,然后将对应的内容拷贝到/opt/otrs/Kernel/Config.pm,修改后,重启httpd服务后生效
关于otrs工单系统授权登录和客户或服务人员信息展示与同步是需要分别配置的。
简单来举例。首先我们需要有LDAP的连接信息,我们可以使用LDAP ADMIN工具先测试LDAP是否成功,获取数据是否成功。如果都可以成功,继续下面的步骤:
1、实现LDAP授权服务人员认证登录,同时也启用数据库方式登录,
在/opt/otrs/Kernel/Config.pm文件内增加以下内容:
#启用数据库登录方式,系统默认是数据库登录,由于ldap已经启用了,所以AuthModule1需要在AuthModule后面加1,如果还有其他方式授权登录,需要在后面AuthModule2 AuthModule3等等
$Self->{‘AuthModule1’} = ‘Kernel::System::Auth::DB’;
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10..xxx.xxx..xxx';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=xxx,o=xxx';
$Self->{'AuthModule::LDAP::UID'} = 'cn';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=6sdfee,ou=xxx,o=xxx';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxx';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};主要是要理解以上参数的含义,其中 $Self->{‘AuthModule1’} = ‘Kernel::System::Auth::DB’;代表允许使用数据库方式校验登录, $Self->{AuthModule} = ‘Kernel::System::Auth::LDAP’;代表允许使用LDAP方式授权认证登录,这个地方我们设置了同时允许这两种认证登录方式。
其他参数如果可以使用LDAP ADMIN连接到LDAP后,就很容易理解了。
第一步只是实现了使用LDAP进行认证登录,但是登录用户没有权限,如果要维护该用户权限,需要在OTRS系统中查询到该用户信息,也就是需要在user表中存在用户名
2、实现LDAP到OTRS的服务人员信息同步,每次登录都会同步一次,如果otrs数据库中与LDAP不一致,LDAP会将数据覆盖otrs数据库中的数据
agent data sync against ldap
$Self->{‘AuthSyncModule’} = ‘Kernel::System::Auth::Sync::LDAP’;
$Self->{‘AuthSyncModule::LDAP::Host’} = ‘ldap://10.xxx.xxx.xx2/’;
$Self->{‘AuthSyncModule::LDAP::BaseDN’} = ‘ou=xxx,o=xxx’;
$Self->{‘AuthSyncModule::LDAP::UID’} = ‘cn’;
$Self->{‘AuthSyncModule::LDAP::SearchUserDN’} = ‘cn=cxxxx,ou=xxx,o=xxxs’;
$Self->{‘AuthSyncModule::LDAP::SearchUserPw’} = ‘cxxxxxxxx’;
$Self->{‘AuthSyncModule::LDAP::UserSyncMap’} = {
# DB -> LDAP
UserFirstname => ‘cn’,
UserLastname => ‘sn’,
UserEmail => ‘mail’,
UserMobile => ‘mobile’,
};
3、实现LDAP授权客户用户认证登录
This is an example configuration for an LDAP auth. backend.
(make sure Net::LDAP is installed!)
$Self->{‘Customer::AuthModule’} = ‘Kernel::System::CustomerAuth::LDAP’;
$Self->{‘Customer::AuthModule::LDAP::Host’} = ‘10.xxx.xx.52’;
$Self->{‘Customer::AuthModule::LDAP::BaseDN’} = ‘ou=xxx,o=xxx’;
$Self->{‘Customer::AuthModule::LDAP::UID’} = ‘cn’;
The following is valid but would only be necessary if the
anonymous user does NOT have permission to read from the LDAP tree
$Self->{‘Customer::AuthModule::LDAP::SearchUserDN’} = ‘cn=xxx,ou=xxx,o=xxx’;
$Self->{‘Customer::AuthModule::LDAP::SearchUserPw’} = ‘cxxxxxxxx’;
Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{‘Customer::AuthModule::LDAP::Params’} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
4、实现客户用户的数据库认证登录方式,这也是默认的登录认证方式,由于已经启用ldap同步,因此,数据库登录时需要Customer::AuthModule1后面都加上1,如果还要之前第三种或第四种授权登录方式,需要在后面加上3 或4
This is the auth. module against the otrs db
$Self->{‘Customer::AuthModule1’} = ‘Kernel::System::CustomerAuth::DB’;
$Self->{‘Customer::AuthModule::DB::Table1’} = ‘customer_user’;
$Self->{‘Customer::AuthModule::DB::CustomerKey1’} = ‘login’;
$Self->{‘Customer::AuthModule::DB::CustomerPassword1’} = ‘pw’;
5、实现客户用户只读方式从LDAP同步,如果做了第5步,则客户用户界面可看到LDAP中的客户用户信息,但是是只读的,不能进行编辑。有编辑的需求主要是想更改客户用户所属的客户,如果LDAP中有二者对应关系,在做映射时可以直接引入也就没有编辑客户用户的需求了,但是由于有些LDAP不维护二者的关系或者根本没有客户的概念,因此,我们只能舍弃第5步。采用一种折中的方案实现:使用LDAP进行客户用户的认证登录,也就是启用第3步的内容。不启用客户用户的数据库登录方式,将第4步的内容使用#号注释掉,然后手工在客户用户界面先增加上要登录的用户信息,然后使用LDAP的用户口令登录就可以成功了。
CustomerUser
(customer ldap backend and settings)
$Self->{CustomerUser} = {
Name => ‘LDAP Data Source’,
Module => ‘Kernel::System::CustomerUser::LDAP’,
Params => {
# ldap host
Host => ‘10.xxx.xxx.xx2’,
# ldap base dn
BaseDN => ‘ou=xxx,o=xxx’,
# search scope (one|sub)
SSCOPE => ‘sub’,
# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
UserDN => ‘cn=6xxxxxe,ou=xxx,o=xxx’,
UserPw => ‘coxxxxxxx’,
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => ‘(mail=)’ or AlwaysFilter => ‘(objectclass=user)’
AlwaysFilter => ‘’,
# if the charset of your ldap server is iso-8859-1, use this:
SourceCharset => ‘utf-8’,
DestCharset => ‘utf-8’,
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
Params => {
port => 389,
timeout => 120,
async => 0,
version => 3,
},
},
# customer unique id
CustomerKey => ‘cn’,
# customer #
CustomerID => ‘cn’,
CustomerUserListFields => [‘cn’, ‘mail’],
CustomerUserSearchFields => [‘cn’, ‘cn’, ‘mail’],
CustomerUserSearchPrefix => ‘’,
CustomerUserSearchSuffix => '’,
CustomerUserSearchListLimit => 100,
CustomerUserPostMasterSearchFields => [‘mail’],
CustomerUserNameFields => [ ‘sn’],
# show not own tickets in customer panel, CompanyTickets
CustomerUserExcludePrimaryCustomerID => 0,
# add an ldap filter for valid users (expert setting)
CustomerUserValidFilter => ‘(!(description=locked))’,
# administrator can't change customer preferences
AdminSetPreferences => 0,# cache time to live in sec. - cache any database queries
CacheTTL => 0,
Map => [
# note: Login, Email and CustomerID are mandatory!
# var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly, http-link-target, link class(es)
[ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'fullname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'cn', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'cn', 0, 1, 'var', '', 0 ],[ ‘UserCustomerIDs’, ‘CustomerIDs’, ‘second_customer_ids’, 1, 0, ‘var’, ‘’, 0 ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],};
