ConfiguringLDAP/345
Note: This documentation describes the LDAP implementation in 3.45; 3.50 has a reworked implementation.
Configuring LDAP Support
LDAP support currently covers the following areas:
- Admin, Manager, User and Contact authentication based on group membership
- Auto creation of Contacts from incident requests
Prerequisites
- OpenLDAP (nothing else has been tested yet)
Configuration
To use LDAP you must set the following config variables:
- $CONFIG['use_ldap']
- Set this to TRUE if you want LDAP support
- $CONFIG['ldap_host']
- This should be your LDAP host, e.g. "ldap.example.com"
- $CONFIG['ldap_dn_base']
- This should be set to the part of the LDAP tree where your user accounts reside. Example: If a test user account was at "uid=johndoe,ou=Users,dc=example,dc=com" then this variable would be set to "ou=Users,dc=example,dc=com"
- $CONFIG['ldap_user_attr']
- This is used in conjunction with the ldap_dn_base variable. SiT! will look for accounts at "$ldap_user_attr=<username>,$ldap_dn_base". In the above example, this would be set to "uid".
- $CONFIG['ldap_attr_map']
- This variable is used to map LDAP attributes to SiT! attributes. Valid key values here are: realname, forenames, surname, jobtitle, email, phone, mobile and fax
- $CONFIG['ldap_default_user_status']
- This variable determines the status that is given to a user when their account is imported. Default is 1 (In Office)
- $CONFIG["ldap_user_group"]
- This variable defines the dn where standard SiT! user (agents) accounts reside in LDAP. Example: In our tree we have a dn of "cn=situsers,ou=Groups,dc=example,dc=com" and in this entry we have multiple entries of the form "memberUid: <username>". For this example we would set this variable to "cn=situsers,ou=Groups,dc=example,dc=com"
- $CONFIG["ldap_user_group_attr"]
- This is used in conjunction with ldap_user_group. This defines which attribute the agents' usernames are stored under. In our example this is "memberUid"
- $CONFIG["ldap_admin_group"] / $CONFIG["ldap_admin_group_attr"]
- As per the ldap_user_group/ldap_user_group_attr variables above, but this defines the group for admins.
- $CONFIG["ldap_manager_group"] / $CONFIG["ldap_manager_group_attr"]
- As per the ldap_user_group/ldap_user_group_attr variables above, but this defines the group for managers.
- $CONFIG["ldap_customer_group"] / $CONFIG["ldap_customer_group_attr"]
- As per the ldap_user_group/ldap_user_group_attr variables above, but this defines the group for customers/contacts.
- $CONFIG["ldap_default_customer_siteid"]
- When a customer account is created for the first time, a default siteid must be given to them. This variable defines that siteid.
- $CONFIG["ldap_autocreate_customer"]
- When this is set to TRUE, SiT! is able to create customer accounts in SiT! directly from an email in the holding queue once it is turned into an incident.
Design
The LDAP functionality of SiT! has been designed to sit transparently in front of the existing database.
LDAP User/Agent Authentication
- Is username/password in local SiT! database?
  - YES: Are we using LDAP?
    - YES: Resync user details from LDAP to local database
  - NO: Are we using LDAP?
    - YES: Is the Username/Password in LDAP?
      - YES: Create & Import user account
Import/Creating a user/agent account from LDAP
- Get the usertype of the user from LDAP (determined by group membership)
- Extract details of user from LDAP based on $CONFIG["ldap_attr_map"]
- Create the account for the user in the database
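The import steps above, modelled in Python as an added example (this is not SiT!'s PHP code). It builds the DN that SiT! looks up, escaping the username per RFC 4514, derives the usertype from group membership, and copies only the attributes named in the map. The directory contents, the attribute map and every group DN except cn=situsers are constructed, and checking the most privileged group first is an assumption.

```python
# Values from the page's examples; the admin/manager/customer group DNs, the
# attribute map and the directory contents are constructed for this example.
CONFIG = {
    "ldap_dn_base": "ou=Users,dc=example,dc=com",
    "ldap_user_attr": "uid",
    "ldap_attr_map": {"realname": "cn", "surname": "sn", "email": "mail"},
    # (usertype, group DN, membership attribute); this precedence is assumed.
    "groups": [
        ("admin", "cn=sitadmins,ou=Groups,dc=example,dc=com", "memberUid"),
        ("manager", "cn=sitmanagers,ou=Groups,dc=example,dc=com", "memberUid"),
        ("user", "cn=situsers,ou=Groups,dc=example,dc=com", "memberUid"),
        ("customer", "cn=sitcustomers,ou=Groups,dc=example,dc=com", "memberUid"),
    ],
}
# Constructed directory: DN -> attributes (multi-valued, as LDAP returns them).
DIRECTORY = {
    "uid=johndoe,ou=Users,dc=example,dc=com": {
        "cn": ["John Doe"], "sn": ["Doe"], "mail": ["johndoe@example.com"],
        "userPassword": ["{SSHA}constructed"],
    },
    "cn=situsers,ou=Groups,dc=example,dc=com": {"memberUid": ["johndoe", "alice"]},
    "cn=sitadmins,ou=Groups,dc=example,dc=com": {"memberUid": ["alice"]},
}

def user_dn(username):
    """Build "$ldap_user_attr=<username>,$ldap_dn_base" with RFC 4514 escaping."""
    last = len(username) - 1
    def esc(i, c):
        if c == "\0":
            return "\\00"
        edge = (i == 0 and c in "# ") or (i == last and c == " ")
        return "\\" + c if edge or c in '"+,;<>\\' else c
    value = "".join(esc(i, c) for i, c in enumerate(username))
    return f'{CONFIG["ldap_user_attr"]}={value},{CONFIG["ldap_dn_base"]}'

def usertype(username):
    """First configured group whose membership attribute lists the username."""
    for kind, group_dn, attr in CONFIG["groups"]:
        if username in DIRECTORY.get(group_dn, {}).get(attr, []):
            return kind
    return None

def import_account(username):
    """Return the record to create, or None if no entry or no group matches."""
    entry, kind = DIRECTORY.get(user_dn(username)), usertype(username)
    if entry is None or kind is None:
        return None
    mapped = {sit: (entry.get(ldap) or [""])[0] for sit, ldap in CONFIG["ldap_attr_map"].items()}
    return {"username": username, "usertype": kind, **mapped}
```

A username containing DN metacharacters stays inside a single RDN value, so it cannot point the lookup at another branch of the tree, and unmapped attributes such as userPassword never reach the local record.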
Update/Resync a user account from LDAP
This is identical to Import/Create, except that it updates the database record rather than creating it.
Customer authentication
When a customer logs on for the first time, exactly the same process occurs as outlined for a user.
Auto creation of customer from incident
If a customer/contact emails the helpdesk, but they have never logged on, they will not as yet have an account created in the database. This means that incidents cannot be created. However, if $CONFIG["ldap_autocreate_customer"] is set, then SiT! will do a lookup for people in the customer LDAP group that match the incoming email address. If a match is found, the customer's details are imported into a new contact account.