Another question about the group sync.
What is the AccessAttr and what are the possible parameters?

 $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';

Is the parameter for this setting an ldap attribute?

Rory

Support my 365 Challenge in aid of the Irish Cancer Society

www.365challenge.ie



2009/8/7 Rory <[email protected]>:
> Nuts, hit send too early.
>
> So I've added the following to the config;
>
>   # Sync LDAP group to role in OTRS
>   # AuthSyncModule::LDAP::UserSyncRolesDefinition
>   $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
>
>       # ldap group
>       'CN=IT,OU=Groups,OU=IT,OU=Departments' => {
>               # otrs role
>               'r_IT' => 1,
>       },
>
>   };
>
> I prefix all my roles in otrs with r_ to try to keep things clear
> (group with g_ too)
> Does the ldap group use the baseDN specified in the Agent LDAP Auth config?
>
> Do I need to use the attributes specified for group syncs when syncing roles?
>
> i.e.
>    # Attributes needed for group syncs
>    # (attribute name for group value key)
> #    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
>    # (attribute for type of group content UID/DN for full ldap name)
> #    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'UID';
> #    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
>
>
> Rory
>
>
> 2009/8/7 Rory <[email protected]>:
>> Hi Michiel,
>>
>> Thanks for the info. I'm trying to use the SyncRolesDefinition and
>> I've added the following to the config;
>>
>>    # Sync LDAP group to role in OTRS
>>    # AuthSyncModule::LDAP::UserSyncRolesDefinition
>>    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
>>
>>        # ldap group
>>        'CN=IT,OU=Groups,OU=IT,OU=Departments' => {
>>                # otrs role
>>                'r_IT' => 1,
>>        },
>>
>>    };
>>
>> I prefix all my roles in otrs with r_ to try to keep things clear
>> (group with g_ too)
>>
>>
>>
>> 2009/8/7 Michiel Beijen <[email protected]>:
>>> Hi Rory and Mauricio,
>>>
>>> Let me first state that if you have configured the AuthSyncModule,
>>> OTRS will sync agent data every time a user logs in to OTRS. If you
>>> change the user properties in Active Directory, they would be updated
>>> in OTRS as soon as the agent logs in.
>>> And of course, if the account is disabled in the AD, the user will not
>>> be able to log in to OTRS.
>>>
>>> The UserSyncInitialGroups can be used to define a standard group for
>>> every user from a certain source. For instance, you could define it so
>>> that every LDAP user is automatically put in the groups Users and FAQ.
>>>
>>> If you would like to manage your OTRS groups from your LDAP source,
>>> that is also possible. Please look into the Defaults.pm file, under
>>> UserSyncGroupsDefinition: modify, unquote and put into your Custom.pm.
>>>
>>> Regards,
>>>
>>> Michiel
>>>
>>>    # AuthSyncModule::LDAP::UserSyncGroupsDefinition
>>>    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
>>>    # groups to otrs groups, define the following.)
>>> #    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
>>> #        # ldap group
>>> #        'cn=agent,o=otrs' => {
>>> #            # otrs group
>>> #            'admin' => {
>>> #                # permission
>>> #                rw => 1,
>>> #                ro => 1,
>>> #            },
>>> #            'faq' => {
>>> #                rw => 0,
>>> #                ro => 1,
>>> #            },
>>> #        },
>>> #        'cn=agent2,o=otrs' => {
>>> #            'users' => {
>>> #                rw => 1,
>>> #                ro => 1,
>>> #            },
>>> #        }
>>> #    };
>>>
>>>    # AuthSyncModule::LDAP::UserSyncRolesDefinition
>>>    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
>>>    # groups to otrs roles, define the following.)
>>> #    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
>>> #        # ldap group
>>> #        'cn=agent,o=otrs' => {
>>> #            # otrs role
>>> #            'role1' => 1,
>>> #            'role2' => 0,
>>> #        },
>>> #        'cn=agent2,o=otrs' => {
>>> #            'role3' => 1,
>>> #        }
>>> #    };
>>>
>>>
>>>
>>> --
>>> Michiel Beijen
>>> Software Consultant
>>> +31 6 - 457 42 418
>>> Bee Free IT + http://beefreeit.nl
>>>
>>>
>>>
>>> On Thu, Aug 6, 2009 at 16:08, Rory<[email protected]> wrote:
>>>> 2009/8/6 Mauricio Tavares <[email protected]>:
>>>>
>>>>>        I have no problems if otrs cannot edit ldap. What I would like is to
>>>>> be able to define which group someone belongs to in ldap and then otrs will
>>>>> see the groups memberships and then grant the said user rights according to
>>>>> the memberships.
>>>>
>>>> I'm kinda guessing here but you may be able to find more with a quick google;
>>>> I think the following piece of config will add any user, who logs in
>>>> for the first time, to the specified group in OTRS
>>>>
>>>>    # AuthSyncModule::LDAP::UserSyncInitialGroups
>>>>    # (sync following group with rw permission after initial create of
>>>>    # first agent login)
>>>>    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
>>>>        'users',
>>>>    ];
>>>>
>>>> But that could be syncing groups from ldap to the DB. I know I've seen
>>>> more about this in the docs or on this list but I haven't found it yet.
>>>>
>>>>
>>>>>        Well, what I have found so far (I might be wrong) is that the user
>>>>> has to be in the local db; the password can be kept in ldap but you have to
>>>>> create a user in otrs. What I did was after setting ldap up, I tried to
>>>>> login as one of the users from the ldap group (cn=users) I gave otrs as the
>>>>> GroupDN. It cheerfully ignored that user. Then I created a user with the
>>>>> same username inside otrs but did not give a password. I was able to login
>>>>> as the said user.
>>>>
>>>> That fits with how I understand this to work. If you don't have the
>>>> sync config added it doesn't know to pull the user from ldap so it
>>>> can't find them in the DB and fails. Once you create them in the DB
>>>> you're golden.
>>>> The sync has the benefit that you can pull across some extra info into
>>>> the DB e.g.;
>>>>
>>>>    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
>>>>        # DB -> LDAP
>>>>        UserFirstname => 'givenName',
>>>>        UserLastname  => 'sn',
>>>>        UserEmail     => 'mail',
>>>>    };
>>>>
>>>> I wonder if that can be used to pull across the group info too?
>>>>
>>>>>> My ideas on this are all open to questioning tho as I don't know this for
>>>>>> fact.
>>>>>>
>>>>>        Do you think I do? =) I am still figuring this program out.
>>>>
>>>> I was kinda hoping somebody was gonna come along and tell me that I was right :)
>>>>
>>>> Rory
>>>> ---------------------------------------------------------------------
>>>> OTRS mailing list: otrs - Webpage: http://otrs.org/
>>>> Archive: http://lists.otrs.org/pipermail/otrs
>>>> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
>>>>
>>>> NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW!
>>>> http://www.otrs.com/en/support/enterprise-subscription/
>>>>
>>
>
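
An added illustration, not part of the thread and not OTRS's own code: a stand-alone Perl model of how the AccessAttr and UserAttr settings quoted above pair with a role map in the UserSyncRolesDefinition shape. It assumes, from the comments in the quoted config, that AccessAttr names the group attribute listing members and UserAttr selects login name (UID) versus full DN; the directory contents, DNs, the r_Helpdesk and r_Admin roles and the RolesFor helper are constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration, not OTRS code: models how a group-to-role map in the
# UserSyncRolesDefinition shape could be evaluated against directory groups.
use strict;
use warnings;

# Constructed sample directory: group DN => attribute => values.
my %Directory = (
    'cn=it,ou=groups,dc=example,dc=org' => {          # posixGroup style
        memberUid => [ 'rory', 'mauricio' ],
    },
    'cn=helpdesk,ou=groups,dc=example,dc=org' => {    # groupOfNames style
        member => ['uid=rory,ou=people,dc=example,dc=org'],
    },
);

# Same shape as the role definition quoted in the thread (names constructed).
my %RolesDefinition = (
    'cn=it,ou=groups,dc=example,dc=org'       => { 'r_IT'       => 1 },
    'cn=helpdesk,ou=groups,dc=example,dc=org' => { 'r_Helpdesk' => 1, 'r_Admin' => 0 },
);

# Hypothetical helper: AccessAttr names the group attribute that lists members,
# UserAttr says whether those values are login names (UID) or full DNs (DN).
sub RolesFor {
    my (%Param) = @_;
    my $Needle = $Param{UserAttr} eq 'DN' ? lc( $Param{UserDN} ) : lc( $Param{Login} );
    my %Roles;
    for my $GroupDN ( sort keys %RolesDefinition ) {
        my $Members = $Directory{$GroupDN}{ $Param{AccessAttr} } || [];
        next if !grep { lc($_) eq $Needle } @{$Members};
        for my $Role ( sort keys %{ $RolesDefinition{$GroupDN} } ) {
            $Roles{$Role} = 1 if $RolesDefinition{$GroupDN}{$Role};    # 0 = not granted
        }
    }
    return sort keys %Roles;
}

my %User = ( Login => 'rory', UserDN => 'uid=rory,ou=people,dc=example,dc=org' );

# Matching pairs grant roles; a mismatched pair (memberUid + DN) grants none.
for my $Case ( [ 'memberUid', 'UID' ], [ 'member', 'DN' ], [ 'memberUid', 'DN' ] ) {
    my ( $AccessAttr, $UserAttr ) = @{$Case};
    my @Roles = RolesFor( %User, AccessAttr => $AccessAttr, UserAttr => $UserAttr );
    printf "%-9s / %-3s => %s\n", $AccessAttr, $UserAttr, @Roles ? "@Roles" : '(no roles)';
}
```

Because the map decides which roles an agent holds, it is worth running each directory group through a check like this before enabling the sync, so a mismatched attribute pair shows up as missing roles in a test rather than at login.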