
OTRS LDAP Group Mapping


I'm using OTRS 4.0.1 for my helpdesk.

The Customers authenticate by LDAP on Active Directory.

I want to Map the Active Directory Groups to the OTRS Groups.

Is this possible? I would be thankful for any hint.


Solution

  • Yes, it is possible, and fairly straightforward.

    First, decide if you want groups or roles. The common recommendation I'm finding (I am new to OTRS) is that roles are preferred to manage user permissions rather than (directly) by groups.

    A simple approach then is to add AD authentication AND authorization via LDAP. You need both.

    Look in the Defaults.pm, and you will find the structure for doing this commented out. Copy this to your Config.pm and modify there (not in Defaults.pm).

    The AuthModule section is for authentication (i.e. checking login/password). Set that up, then the AuthSyncModule section is for authorizations (and most importantly on first login to just get an Agent entry built). You cannot log in the first time with ONLY the AuthModule (this is a good time to note that you might lose web access as you experiment, so make sure you have a working copy of the Defaults.pm to restore if you need to start over).

    In the AuthModule there are some confusing parts from its history: set UID to SAMAccountName, AccessAttr to member (not memberUID) and UserAttr to DN. Some older documentation shows otherwise.

    In the AuthSyncModule you will use the UserSyncMap to map in the basics (name and email). You MUST have an email filled in inside of AD or it won't work. The defaults show all this.

    Then use the UserSyncRolesDefinition to map an AD group (NOT an OU, a group - use the full DN of the group) to specific roles. There's another one for groups. Generally you will not use the attributes version of this you will also see in defaults (which is for a specific attribute, like city, as opposed to group membership).

    Note that the UserSyncRolesDefinition (and I presume groups but have not tried it) will match the first one it encounters, so a user who is in multiple groups will only do the updates triggered in the first match. Also, it does not UNSET anything previously set, so if you want to un-set things, set a role to zero explicitly.

    Look in the log (syslog frequently, but could be different depending on your flavor) for errors from the authentication, and in (assuming Linux) apache2's error.log for errors that result in a server error (usually syntax errors in your Config.pm). Note that Windows of later flavors does not generally allow anonymous LDAP access, so you must define the SearchUserDN and SearchUserPw in both modules to be an account with at least read access to AD via LDAP.
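The steps in the answer assembled into one Config.pm fragment, as an added example that is not part of the original answer or of OTRS's own Defaults.pm. The host, BaseDN, service account, AD group DNs and the OTRS role names (Administrators, Helpdesk) are placeholders assumed for illustration; the config keys themselves are the ones from Defaults.pm.

```perl
# Added example (not from the original post). Host, BaseDN, the service
# account, group DNs and role names are placeholders for your own values.

# Authentication: check login/password against Active Directory.
$Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}   = 'dc01.example.local';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example,dc=local';
$Self->{'AuthModule::LDAP::UID'}    = 'sAMAccountName';   # AD login name, not 'uid'
# Optional gate: only members of this AD group may log in at all.
$Self->{'AuthModule::LDAP::GroupDN'}    = 'cn=OTRS-Agents,ou=Groups,dc=example,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';   # AD group membership attribute, not 'memberUid'
$Self->{'AuthModule::LDAP::UserAttr'}   = 'DN';       # AD lists members by full DN
# AD normally refuses anonymous binds: bind with a read-only service account.
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrs-ldap,ou=Service,dc=example,dc=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD';
$Self->{'AuthModule::LDAP::Params'} = { port => 389, timeout => 120, async => 0, version => 3 };

# Authorization/sync: build the Agent entry on first login and map roles.
$Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}   = 'dc01.example.local';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=example,dc=local';
$Self->{'AuthSyncModule::LDAP::UID'}    = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrs-ldap,ou=Service,dc=example,dc=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD';
# OTRS agent field => AD attribute. 'mail' must be populated in AD or the sync fails.
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# Full DN of an AD group (not an OU) => OTRS roles. Only the first matching
# entry is applied, and nothing is unset implicitly, so a role that a group
# must NOT have is set to 0 explicitly.
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    'cn=OTRS-Admins,ou=Groups,dc=example,dc=local' => {
        'Administrators' => 1,
        'Helpdesk'       => 1,
    },
    'cn=OTRS-Agents,ou=Groups,dc=example,dc=local' => {
        'Administrators' => 0,   # explicit unset
        'Helpdesk'       => 1,
    },
};
```

Because a syntax error here takes the web interface down, check the file with `perl -c Kernel/Config.pm` before reloading Apache, and keep the service account read-only since its password sits in clear text in this file.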