Happy Blogging


OTRS double Authentication in MS Active Directory and local DB

OTRS is a very powerful free / open source ticket system for helpdesk and in general for IT service management. By implementing OTRS this year, we've faced some problems with Active Directory authentication. Below the steps we've followed to get it running in double authentication mode.

1. First create an Active Directory group named like "mydomain OTRS agents", where all AD users that should have access to the ticket system, should be members of the group

2. Second create an Active Directory user named like "otrs_ldap", in order to authenticate OTRS through this user to your Active Directory Controller(s).

3. Edit your configuration file - ubuntu@my-otrs:/opt/otrs/Kernel$  sudo nano Config.pm - in OTRS like in the example below (both authentication methods are supported in this way, local and AD). Just modify the script to meet your AD naming structure.

********************************sample script begin**************************************

   # This is the first Authenication MS AD backend
    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'mydc.mydomain.local';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=mydomain,dc=local';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=mydomain OTRS Agents,ou=mydomain Groups,ou=mydomain Users and Groups,ou=mydomain Staff,dc$
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN'} ='otrs_ldap@mydomain.local';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = '***********************';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    #$Self->{'AuthModule::LDAP::UserSuffix'} = '';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
       timeout => 120,
        async => 0,
        version => 3,
   # Now sync data with OTRS DB
    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'mydc.mydomain.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=mydomain, dc=local';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'otrs_ldap@mydomain.local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '*************************';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    # Second backend, internal OTRS DB
    $Self->{'AuthModule2'} = 'Kernel::System::Auth::DB';

    $Self->{'AuthModule::DB::CryptType2'} = 'crypt';

******************************sample script end*********************************************

This should do it!

Total: 0 Comment(s)