OTRS offers the possibility to authenticate agents and customers against different backends.
The backend that OTRS uses by default to authenticate agents is the OTRS database. With this backend, agents can be added and edited via the user management interface in the admin area.
Example 11.6. Authenticate agents against a DB backend
$Self->{'AuthModule'} = 'Kernel::System::Auth::DB';
If an LDAP directory already holds all your agent data, you can use the LDAP module to authenticate your agents against it. This module has only read access to the LDAP tree, so you cannot edit your users via the user management interface; the accounts have to be managed in the directory itself.
Example 11.7. Authenticate agents against an LDAP backend
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap.example.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = '';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '';

# in case you always want to add one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each login name, you can use
# this option. e. g. the user just wants to type "user" but the
# entry in your ldap directory is "user@domain".
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
The following configuration parameters can be used to synchronize user data from your LDAP directory into the local OTRS database. This reduces the number of requests to your LDAP server and speeds up authentication in OTRS. The account is created in the OTRS database the first time the agent logs in, and only the attributes listed in the map are copied; the password is never stored locally. Although the data can be synchronized into the local OTRS database, the LDAP directory remains the final authority for authentication: an agent that has been disabled or removed in the LDAP tree can no longer authenticate to OTRS, even though the account data are already present in the OTRS database. The agent data in the LDAP directory cannot be edited via the OTRS web interface, because only read access is given, so the data have to be managed directly in the LDAP tree.
# UserSyncLDAPMap
# (map if agent should be created/synced from LDAP to DB after login)
$Self->{UserSyncLDAPMap} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# UserSyncLDAPGroups
# (If "LDAP" was selected for AuthModule, you can specify
# initial user groups for first login.)
$Self->{UserSyncLDAPGroups} = [
    'users',
];

# UserTable
$Self->{DatabaseUserTable}       = 'system_user';
$Self->{DatabaseUserTableUserID} = 'id';
$Self->{DatabaseUserTableUserPW} = 'pw';
$Self->{DatabaseUserTableUser}   = 'login';
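As an added illustration (not part of the OTRS manual or of the OTRS code) of the lookup sequence that the AuthModule::LDAP::* settings in Example 11.7 and the UserSyncLDAPMap in the block above describe, the following Python script runs the same steps against a small in-memory directory: build the user filter from UID, UserSuffix and AlwaysFilter with the login escaped per RFC 4515, find the entry below BaseDN, check GroupDN/AccessAttr with UserAttr set to UID (posixGroup) or DN (groupOfNames), verify the password, and finally produce the row that the sync map would write. The directory contents, the AlwaysFilter value, the group names and the userPassword comparison that stands in for the LDAP bind are assumptions for the demo. The Customer::AuthModule::LDAP keys in Example 11.11 drive the same lookup.

```python
# Added illustration (not OTRS code) of the lookup sequence that the
# AuthModule::LDAP::* settings describe, run against a constructed
# in-memory directory instead of a real LDAP server.
import re

# Mirrors the keys from Example 11.7; the values are assumptions for the demo.
CONFIG = {
    "BaseDN": "dc=example,dc=com",
    "UID": "uid",
    "GroupDN": "cn=otrsallow,ou=posixGroups,dc=example,dc=com",
    "AccessAttr": "memberUid",
    "UserAttr": "UID",        # "UID" for posixGroup, "DN" for groupOfNames
    "AlwaysFilter": "(objectClass=inetOrgPerson)",
    "UserSuffix": "",
}

# Constructed directory: dn -> attributes. userPassword stands in for the bind.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"], "givenName": ["Alice"],
        "sn": ["Adams"], "mail": ["alice@example.com"], "userPassword": ["s3cret"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"], "givenName": ["Bob"],
        "sn": ["Brown"], "mail": ["bob@example.com"], "userPassword": ["hunter2"],
    },
    "cn=otrsallow,ou=posixGroups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "memberUid": ["alice"],
    },
    "cn=otrsallow,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
}

def escape_filter_value(value):
    """RFC 4515 escaping so a login cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(flt):
    """Tiny evaluator for the subset used here: (attr=value) and (&(...)(...))."""
    body = flt[1:-1]
    if body.startswith("&"):
        terms, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    terms.append(body[start:i + 1])
        preds = [parse_filter(t) for t in terms]
        return lambda entry: all(p(entry) for p in preds)
    attr, _, val = body.partition("=")
    val = _unescape(val)
    return lambda entry: val in entry.get(attr, [])

def search(base, flt):
    match = parse_filter(flt)
    return [dn for dn, attrs in DIRECTORY.items() if dn.endswith(base) and match(attrs)]

def authenticate(login, password, cfg=CONFIG):
    """Return the agent's DN on success, otherwise None."""
    login = login + cfg["UserSuffix"]
    flt = "(%s=%s)" % (cfg["UID"], escape_filter_value(login))
    if cfg["AlwaysFilter"]:
        flt = "(&%s%s)" % (flt, cfg["AlwaysFilter"])
    hits = search(cfg["BaseDN"], flt)
    if len(hits) != 1:                       # unknown login, or ambiguous result
        return None
    user_dn = hits[0]
    # GroupDN check: compare the login (UserAttr=UID) or the full DN (UserAttr=DN)
    # against the values of the group's AccessAttr.
    if cfg["GroupDN"]:
        wanted = login if cfg["UserAttr"] == "UID" else user_dn
        group = DIRECTORY.get(cfg["GroupDN"], {})
        if wanted not in group.get(cfg["AccessAttr"], []):
            return None
    # The real module finishes with an LDAP bind as user_dn using the password.
    if password not in DIRECTORY[user_dn].get("userPassword", []):
        return None
    return user_dn

# UserSyncLDAPMap / UserSyncLDAPGroups from the page, applied after a successful login.
SYNC_MAP = {"UserFirstname": "givenName", "UserLastname": "sn", "UserEmail": "mail"}
SYNC_GROUPS = ["users"]

def sync_record(user_dn, login, sync_map=SYNC_MAP, initial_groups=SYNC_GROUPS):
    """Build the row that would be written to the local OTRS user table."""
    entry = DIRECTORY[user_dn]
    row = {"UserLogin": login}
    for db_field, ldap_attr in sync_map.items():
        row[db_field] = entry.get(ldap_attr, [""])[0]
    row["Groups"] = list(initial_groups)
    return row

if __name__ == "__main__":
    dn = authenticate("alice", "s3cret")
    print(dn, sync_record(dn, "alice"))
    print(authenticate("bob", "hunter2"))          # None: not listed in GroupDN
    print(authenticate("alice)(uid=bob", "x"))     # None: escaped, stays a literal value
```

Two checks worth running against a real directory before switching the AuthModule: that a user present in the directory but absent from GroupDN is rejected (bob above), and that the value in the group's AccessAttr matches what UserAttr selects, since a posixGroup lists bare logins in memberUid while a groupOfNames lists full DNs in member.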
If you want to implement a "single sign on" solution for all your agents, you can use HTTP basic authentication (for all your systems) together with the HTTPBasicAuth module for OTRS; the OTRS login form is then no longer needed. OTRS trusts the user name that the web server passes in $ENV{REMOTE_USER} as the agent login, so the web server must require authentication for every OTRS URL.
Example 11.8. Authenticate agents via HTTPBasic
# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a single login through
# apache http-basic-auth
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';

# Note:
#
# If you use this module, you should use the following config
# settings as fallback, in case the user is not logged in through
# apache ($ENV{REMOTE_USER})
$Self->{LoginURL}  = 'http://host.example.com/not-authorised-for-otrs.html';
$Self->{LogoutURL} = 'http://host.example.com/thanks-for-using-otrs.html';
The following configuration parameters can be used to authenticate agents against a RADIUS server. The Password setting is the RADIUS shared secret between OTRS and the server, not an agent password.
Example 11.9. Authenticate agents against a RADIUS backend
# This is an example configuration to auth. agents against a radius server
$Self->{'AuthModule'} = 'Kernel::System::Auth::Radius';
$Self->{'AuthModule::Radius::Host'} = 'radiushost';
$Self->{'AuthModule::Radius::Password'} = 'radiussecret';
The authentication backend that OTRS uses by default for customer users is the OTRS database. With this backend all customer data can be edited via the OTRS web interface.
Example 11.10. Customer user authentication against a DB backend
# This is the auth. module against the otrs db
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::DB';
$Self->{'Customer::AuthModule::DB::Table'} = 'customer_user';
$Self->{'Customer::AuthModule::DB::CustomerKey'} = 'login';
$Self->{'Customer::AuthModule::DB::CustomerPassword'} = 'pw';
# Uncomment these to keep the customer table in a separate database:
# $Self->{'Customer::AuthModule::DB::DSN'} = "DBI:mysql:database=customerdb;host=customerdbhost";
# $Self->{'Customer::AuthModule::DB::User'} = "some_user";
# $Self->{'Customer::AuthModule::DB::Password'} = "some_password";
If you have an LDAP directory with all your customer data, you can use the LDAP module to authenticate your customer users against it. Because this module has only read access to the LDAP backend, it is not possible to edit the customer data via the OTRS web interface. The settings mirror those of the agent LDAP backend in Example 11.7, with the Customer::AuthModule prefix.
Example 11.11. Customer user authentication against an LDAP backend
# This is an example configuration for an LDAP auth. backend.
# (take care that Net::LDAP is installed!)
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'} = 'ldap.example.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (full user dn)
# $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '';

# in case you always want to add one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'Customer::AuthModule::LDAP::AlwaysFilter'} = '';

# in case you want to add a suffix to each customer login name, you can
# use this option. e. g. the user just wants to type "user" but the
# entry in your ldap directory is "user@domain".
# $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'Customer::AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};
If you want to implement a "single sign on" solution for all your customer users, you can use HTTP basic authentication (for all your systems) together with the HTTPBasicAuth module for OTRS; no separate OTRS login is needed any more. As with the agent variant, OTRS takes the customer login from $ENV{REMOTE_USER}, so the web server has to enforce authentication on every customer panel URL.
Example 11.12. Customer user authentication with HTTPBasic
# This is an example configuration for an apache ($ENV{REMOTE_USER})
# auth. backend. Use it if you want to have a single login through
# apache http-basic-auth
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';

# Note:
# If you use this module, you should use the following config
# settings as fallback, in case the user is not logged in through
# apache ($ENV{REMOTE_USER})
$Self->{CustomerPanelLoginURL}  = 'http://host.example.com/not-authorised-for-otrs.html';
$Self->{CustomerPanelLogoutURL} = 'http://host.example.com/thanks-for-using-otrs.html';
The following settings can be used to authenticate your customer users against a RADIUS server. Note that the customer variant uses the module under Kernel::System::CustomerAuth, not the agent module.
Example 11.13. Customer user authentication against a RADIUS backend
# This is an example configuration to auth. customers against a radius server
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::Radius';
$Self->{'Customer::AuthModule::Radius::Host'} = 'radiushost';
$Self->{'Customer::AuthModule::Radius::Password'} = 'radiussecret';
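As an added illustration (not part of the OTRS manual or of the OTRS code) of what the Radius::Password shared secret from Examples 11.9 and 11.13 does on the wire, the following Python script builds the RADIUS exchange by hand per RFC 2865: the client hides the user's password in the Access-Request with an MD5 keystream derived from the secret and the Request Authenticator, the server reveals it and answers Access-Accept or Access-Reject, and the client checks the Response Authenticator so that a reply not produced with the same secret is rejected. The user database, the identifier and the fixed authenticator used in the tests are assumptions for the demo; a real client draws the authenticator randomly for every request.

```python
# Added illustration (not OTRS code) of the RFC 2865 exchange behind the
# AuthModule::Radius::Password shared secret: PAP password hiding in the
# Access-Request and the Response Authenticator on the server's reply.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2   # attribute type codes

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, then
    c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = the Request Authenticator."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; this is what the RADIUS server does."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")

def attribute(type_code, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", type_code, len(value) + 2) + value

def build_access_request(identifier, username, password, secret, authenticator=None):
    """Client side: Access-Request carrying User-Name and the hidden User-Password."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = attribute(USER_NAME, username.encode()) + \
            attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def parse_attributes(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + l]
        i += l
    return attrs

def server_answer(request, secret, users):
    """Server side: reveal the password, choose Accept/Reject, sign with the secret."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attributes(request[20:length])
    name = attrs[USER_NAME].decode()
    pw = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    resp_code = ACCESS_ACCEPT if users.get(name) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", resp_code, identifier, 20)   # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth

def verify_response(response, request_authenticator, secret):
    """Client side: drop replies that were not produced with the shared secret."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

if __name__ == "__main__":
    secret = b"radiussecret"                          # AuthModule::Radius::Password
    req, ra = build_access_request(7, "alice", "s3cret", secret)
    reply = server_answer(req, secret, {"alice": b"s3cret"})
    print(reply[0] == ACCESS_ACCEPT, verify_response(reply, ra, secret))
    forged = server_answer(req, b"guessed", {"alice": b"s3cret"})   # wrong secret
    print(verify_response(forged, ra, secret))                       # False
```

The hiding step is an MD5 keystream, not an authenticated cipher, and the Access-Request itself carries no integrity check, so the secret's strength and the network path between OTRS and the RADIUS server are what protect the agent's password in transit; treat the Password setting like any other shared secret and keep the RADIUS traffic on a trusted network.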