Nuts, hit send too early.
So I've added the following to the config;
# Sync LDAP group to role in OTRS
# AuthSyncModule::LDAP::UserSyncRolesDefinition
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    # ldap group
    'CN=IT,OU=Groups,OU=IT,OU=Departments' => {
        # otrs role
        'r_IT' => 1,
    },
};
I prefix all my roles in otrs with r_ to try to keep things clear
(group with g_ too)
Does the ldap group use the baseDN specified in the Agent LDAP Auth config?
Do I need to use the attributes specified for group syncs when syncing roles?
i.e.
# Attributes needed for group syncs
# (attribute name for group value key)
# $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
# (attribute for type of group content UID/DN for full ldap name)
# $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'UID';
# $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
Rory
Support my 365 Challenge in aid of the Irish Cancer Society
www.365challenge.ie
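
Added example (not part of the original post and not OTRS code): an offline Perl model of how a role definition shaped like the one above resolves to roles under the AccessAttr/UserAttr settings quoted in the question. The directory contents, the DC=example,DC=com suffix, the member attribute, the r_Audit role and the RolesFor helper are constructed for illustration; treating each key as a full group DN and a 0 as "never grants" are assumptions of this model, not confirmed OTRS behaviour.

```perl
# Added example: offline model of an LDAP-group-to-role sync. Not OTRS code.
use strict;
use warnings;

my $Base = 'OU=Groups,OU=IT,OU=Departments,DC=example,DC=com';    # constructed

# Same shape as AuthSyncModule::LDAP::UserSyncRolesDefinition.
# Assumption: each key is a full group DN. r_Audit is a hypothetical role.
my %RolesDefinition = (
    "CN=IT,$Base"       => { 'r_IT' => 1, 'r_Audit' => 0 },
    "CN=Helpdesk,$Base" => { 'r_Audit' => 1 },
);

# Constructed directory snapshot: group DN => attribute => values.
my %Directory = (
    "CN=IT,$Base" => {
        memberUid => [ 'rory', 'mauricio' ],
        member    => ['CN=Rory,OU=Staff,DC=example,DC=com'],
    },
    "CN=Helpdesk,$Base" => { memberUid => ['mauricio'] },
);

# Roles a login would receive. UserAttr 'UID' compares the login name,
# 'DN' compares the user's full DN, against the group's AccessAttr values.
sub RolesFor {
    my (%Param) = @_;
    my $Needle = $Param{UserAttr} eq 'DN' ? $Param{UserDN} : $Param{User};
    my %Granted;
    for my $GroupDN ( sort keys %RolesDefinition ) {
        my $Group  = $Directory{$GroupDN} || {};
        my $Values = $Group->{ $Param{AccessAttr} } || [];
        next if !grep { lc($_) eq lc($Needle) } @{$Values};
        my $Roles = $RolesDefinition{$GroupDN};
        for my $Role ( keys %{$Roles} ) {
            # Model assumption: 1 grants, 0 neither grants nor revokes.
            $Granted{$Role} = 1 if $Roles->{$Role};
        }
    }
    return sort keys %Granted;
}

my %Rory = ( User => 'rory', UserDN => 'CN=Rory,OU=Staff,DC=example,DC=com' );
for my $Case (
    [ 'memberUid', 'UID' ],    # attribute and value type agree
    [ 'member',    'DN' ],     # attribute and value type agree
    [ 'member',    'UID' ],    # mismatch: a login name never equals a DN
) {
    my @Roles = RolesFor( %Rory, AccessAttr => $Case->[0], UserAttr => $Case->[1] );
    printf "%-9s / %-3s => %s\n", @{$Case}, @Roles ? "@Roles" : '(no roles)';
}
```
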
2009/8/7 Rory <[email protected]>:
> Hi Michiel,
>
> Thanks for the info. I'm trying to use the SyncRolesDefinition and
> I've added the following to the config;
>
> # Sync LDAP group to role in OTRS
> # AuthSyncModule::LDAP::UserSyncRolesDefinition
> $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
>
>     # ldap group
>     'CN=IT,OU=Groups,OU=IT,OU=Departments' => {
>         # otrs role
>         'r_IT' => 1,
>     },
>
> };
>
> I prefix all my roles in otrs with r_ to try to keep things clear
> (group with g_ too)
>
>
> Support my 365 Challenge in aid of the Irish Cancer Society
>
> www.365challenge.ie
>
>
>
> 2009/8/7 Michiel Beijen <[email protected]>:
>> Hi Rory and Mauricio,
>>
>> Let me first state that if you have configured the AuthSyncModule the
>> OTRS will sync agent data every time a user logs in to OTRS. If you'd
>> change the user properties in Active Directory, they would be updated
>> in OTRS as soon as the agent logs in.
>> And of course, if the account is disabled in the AD, the user will not
>> be able to log in to OTRS.
>>
>> The UserSyncInitialGroups can be used to define a standard group for
>> every user from a certain source. For instance, you could define it so
>> that every LDAP user is automatically put in the groups Users and FAQ.
>>
>> If you would like to manage your OTRS groups from your LDAP source,
>> that is also possible. Please look into the Defaults.pm file, under
>> UserSyncGroupsDefinition: modify, unquote and put into your Custom.pm
>>
>> Regards,
>>
>> Michiel
>>
>> # AuthSyncModule::LDAP::UserSyncGroupsDefinition
>> # (If "LDAP" was selected for AuthModule and you want to sync LDAP
>> # groups to otrs groups, define the following.)
>> # $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
>> #     # ldap group
>> #     'cn=agent,o=otrs' => {
>> #         # otrs group
>> #         'admin' => {
>> #             # permission
>> #             rw => 1,
>> #             ro => 1,
>> #         },
>> #         'faq' => {
>> #             rw => 0,
>> #             ro => 1,
>> #         },
>> #     },
>> #     'cn=agent2,o=otrs' => {
>> #         'users' => {
>> #             rw => 1,
>> #             ro => 1,
>> #         },
>> #     }
>> # };
>>
>> # AuthSyncModule::LDAP::UserSyncRolesDefinition
>> # (If "LDAP" was selected for AuthModule and you want to sync LDAP
>> # groups to otrs roles, define the following.)
>> # $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
>> #     # ldap group
>> #     'cn=agent,o=otrs' => {
>> #         # otrs role
>> #         'role1' => 1,
>> #         'role2' => 0,
>> #     },
>> #     'cn=agent2,o=otrs' => {
>> #         'role3' => 1,
>> #     }
>> # };
>>
>>
>>
>> --
>> Michiel Beijen
>> Software Consultant
>> +31 6 - 457 42 418
>> Bee Free IT + http://beefreeit.nl
>>
>>
>>
>> On Thu, Aug 6, 2009 at 16:08, Rory<[email protected]> wrote:
>>> 2009/8/6 Mauricio Tavares <[email protected]>:
>>>
>>>> I have no problems if otrs cannot edit ldap. What I would like is to
>>>> be able to define which group someone belongs to in ldap and then otrs will
>>>> see the groups memberships and then grant the said user rights according to
>>>> the memberships.
>>>
>>> I'm kinda guessing here but you may be able to find more with a quick
>>> google;
>>> I think the following piece of config will add any user, who logs in
>>> for the first time, to the specified group in OTRS
>>>
>>> # AuthSyncModule::LDAP::UserSyncInitialGroups
>>> # (sync following group with rw permission after initial create of
>>> # first agent login)
>>> $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
>>>     'users',
>>> ];
>>>
>>> But that could be syncing groups from ldap to the DB. I know I've seen
>>> more about this in the docs or on this list but I haven't found it yet.
>>>
>>>
>>>> Well, what I have found so far (I might be wrong) is that the user
>>>> has to be in the local db; the password can be kept in ldap but you have to
>>>> create a user in otrs. What I did was after setting ldap up, I tried to
>>>> login as one of the users from the ldap group (cn=users) I gave otrs as the
>>>> GroupDN. It cheerfully ignored that user. Then I created a user with the
>>>> same username inside otrs but did not give a password. I was able to login
>>>> as the said user.
>>>
>>> That fits with how I understand this to work. If you don't have the
>>> sync config added it doesn't know to pull the user from ldap so it
>>> can't find them in the DB and fails. Once you create them in the DB
>>> you're golden.
>>> The sync has the benefit that you can pull across some extra info into
>>> the DB e.g.;
>>>
>>> $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
>>>     # DB -> LDAP
>>>     UserFirstname => 'givenName',
>>>     UserLastname  => 'sn',
>>>     UserEmail     => 'mail',
>>> };
>>>
>>> I wonder if that can be used to pull across the group info too?
>>>
>>>>> My ideas on this are all open to questioning tho as I don't know this for
>>>>> fact.
>>>>>
>>>> Do you think I do? =) I am still figuring this program out.
>>>
>>> I was kinda hoping somebody was gonna come along and tell me that I was right
>>> :)
>>>
>>> Rory
>>> ---------------------------------------------------------------------
>>> OTRS mailing list: otrs - Webpage: http://otrs.org/
>>> Archive: http://lists.otrs.org/pipermail/otrs
>>> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
>>>
>>> NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW!
>>> http://www.otrs.com/en/support/enterprise-subscription/
>>>