Agents on different groups

Moderator: crythias

germesnsk
Znuny newbie
Posts: 6
Joined: 13 Jan 2014, 10:52
Znuny Version: 3.3.3

Agents on different groups

Post by germesnsk »

Hello all. I want to map agents to OTRS groups based on security groups in AD.

Code:

 # ADMIN AGENTS
    $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Replace1'} = 'domain\\';
    $Self->{'AuthModule::LDAP::Host1'} = 'dc.domain.local';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=domain,dc=local';
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=OTRS Agents,CN=Builtin,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=helpdesk,CN=Builtin,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'PW';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter1'} = '';

    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    $Self->{'AuthModule:LDAP::UserSuffix1'} = '';

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'dc.domain.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=domain, dc=local';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=helpdesk,CN=Builtin,DC=domain,DC=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'PW';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
     
    # Heads AGENTS
    $Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Replace2'} = 'domain\\';
    $Self->{'AuthModule::LDAP::Host2'} = 'dc.domain.local';
    $Self->{'AuthModule::LDAP::BaseDN2'} = 'dc=domain,dc=local';
    $Self->{'AuthModule::LDAP::UID2'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN2'} = 'CN=Test,CN=Builtin,DC=cloud,DC=local';
    $Self->{'AuthModule::LDAP::AccessAttr2'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr2'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN2'} = 'CN=helpdesk,CN=Builtin,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::SearchUserPw2'} = 'Pw';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter2'} = '';

    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    $Self->{'AuthModule:LDAP::UserSuffix2'} = '';

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule2'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host2'} = 'dc.domain.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN2'} = 'dc=domain, dc=local';
    $Self->{'AuthSyncModule::LDAP::UID2'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN2'} = 'CN=helpdesk,CN=Builtin,DC=domain,DC=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw2'} = 'PW';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap2'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups2'} = [
        'Heads'
    ];

    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
       'stats'
    ];

But users are always mapped only to the group "stats". Sorry for my English)
diginin
Znuny expert
Posts: 213
Joined: 11 Feb 2008, 12:04
Znuny Version: CVS

Re: Agents on different groups

Post by diginin »

I am missing your OTRS Version.

I do not see the use of:

# defines AuthSyncBackend (AuthSyncModule) for AuthModule
# if this key exists and is empty, there won't be a sync.
# example values: AuthSyncBackend, AuthSyncBackend2
# $Self->{'AuthModule::UseSyncBackend'} = '';

Look at your Defaults.pm again for more help.
Shawn Beasley
Contact me per XING
Contact me per LinkedIN

OTRS CVS on Ubuntu Stable.


Computers are like air conditioners, when you open windows they are useless.



P.S. (for readers of my German texts) Please replace spelling mistakes with s/.*/$KORREKTUR/.
reneeb
Znuny guru
Posts: 5018
Joined: 13 Mar 2011, 09:54
Znuny Version: 6.0.x
Real Name: Renée Bäcker
Company: Perl-Services.de
Contact:

Re: Agents on different groups

Post by reneeb »

All users that belong to "'CN=OTRS Agents,CN=Builtin,DC=domain,DC=local'" get the group stats; all users that do *not* belong to "'CN=OTRS Agents,CN=Builtin,DC=domain,DC=local'" but to "'CN=Test,CN=Builtin,DC=domain,DC=local'" get the group Heads.

So you have to check where the users belong to...
Perl / Znuny development: http://perl-services.de
Free Znuny add ons from the community: http://opar.perl-services.de
Commercial add ons: http://feature-addons.de
germesnsk
Znuny newbie
Posts: 6
Joined: 13 Jan 2014, 10:52
Znuny Version: 3.3.3

Re: Agents on different groups

Post by germesnsk »

diginin wrote:
> I am missing your OTRS Version.
>
> I do not see the use of:
>
> # defines AuthSyncBackend (AuthSyncModule) for AuthModule
> # if this key exists and is empty, there won't be a sync.
> # example values: AuthSyncBackend, AuthSyncBackend2
> # $Self->{'AuthModule::UseSyncBackend'} = '';
>
> Look at your Defaults.pm again for more help.

In Defaults.pm, $Self->{'AuthModule::UseSyncBackend'} = ''; is commented out.
I added $Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncModule1(2)'; in both AuthModules, but it doesn't work... They map the user to "stats".

OTRS v3.3.3

reneeb wrote:
> All users that belong to "'CN=OTRS Agents,CN=Builtin,DC=domain,DC=local'" get the group stats; all users that do *not* belong to "'CN=OTRS Agents,CN=Builtin,DC=domain,DC=local'" but to "'CN=Test,CN=Builtin,DC=domain,DC=local'" get the group Heads.
>
> So you have to check where the users belong to...

Test users have two groups -- "domain users" and (Test or OTRS Agents)
germesnsk
Znuny newbie
Posts: 6
Joined: 13 Jan 2014, 10:52
Znuny Version: 3.3.3

Re: Agents on different groups

Post by germesnsk »

Code:

 $Self->{'AuthModule::UseSyncBackend2'} = 'AuthSyncBackend';

Doesn't work either... Web server error 500 and the user is not created.
germesnsk
Znuny newbie
Posts: 6
Joined: 13 Jan 2014, 10:52
Znuny Version: 3.3.3

Re: Agents on different groups

Post by germesnsk »

Assigning to roles doesn't work either :(((

Code:

    # ADMIN AGENTS
    $Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Replace1'} = 'domain\\';
    $Self->{'AuthModule::LDAP::Host1'} = 'dc.domain.local';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=domain,dc=local';
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=OTRS Agents,CN=Builtin,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=helpdesk,CN=Builtin,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'PW';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter1'} = '';

    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    $Self->{'AuthModule:LDAP::UserSuffix1'} = '';

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'dc.domain.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=domain, dc=local';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=helpdesk,CN=Builtin,DC=domain,DC=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'PW';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
     
    # Heads AGENTS
    $Self->{'AuthModule2'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Replace2'} = 'domain\\';
    $Self->{'AuthModule::LDAP::Host2'} = 'dc.domain.local';
    $Self->{'AuthModule::LDAP::BaseDN2'} = 'dc=domain,dc=local';
    $Self->{'AuthModule::LDAP::UID2'} = 'sAMAccountName';

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN2'} = 'CN=Test,CN=Builtin,DC=cloud,DC=local';
    $Self->{'AuthModule::LDAP::AccessAttr2'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr2'} = 'DN';

    # Bind credentials to log into AD
    $Self->{'AuthModule::LDAP::SearchUserDN2'} = 'CN=helpdesk,CN=Builtin,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::SearchUserPw2'} = 'Pw';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
    $Self->{'AuthModule::LDAP::AlwaysFilter2'} = '';

    # in case you want to add a suffix to each login name,  then
    # you can use this option. e. g. user just want to use user but
    # in your ldap directory exists user@domain.
    $Self->{'AuthModule:LDAP::UserSuffix2'} = '';

    # Now sync data with OTRS DB
    $Self->{'AuthSyncModule2'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host2'} = 'dc.domain.local';
    $Self->{'AuthSyncModule::LDAP::BaseDN2'} = 'dc=domain, dc=local';
    $Self->{'AuthSyncModule::LDAP::UID2'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN2'} = 'CN=helpdesk,CN=Builtin,DC=domain,DC=local';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw2'} = 'PW';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap2'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
 $Self->{'AuthSyncModule::LDAP:::LDAP::UserSyncRolesDefinition2'} = {
	'CN=Test,CN=Builtin,DC=domain,DC=local'=>{
	    'Heads'=>1,
	}
    };

    $Self->{'AuthSyncModule::LDAP:::LDAP::UserSyncRolesDefinition'} = {
	'CN=Test,CN=Builtin,DC=domain,DC=local'=>{
	    'Heads'=>1,
	}
    };
    $Self->{'AuthSyncModule::LDAP:::LDAP::UserSyncRolesDefinition1'} = {
	'CN=Test,CN=Builtin,DC=domain,DC=local'=>{
	    'Heads'=>1,
	}
    };
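
An added example, not part of the original posts and not taken from the OTRS distribution: a sync backend that derives OTRS group permissions from AD group membership through `UserSyncGroupsDefinition`, rather than through `UserSyncInitialGroups`, which the config comment in the thread describes as applied after the initial creation of the agent. The DNs and the `stats` / `Heads` names come from the thread; the `rw` / `ro` values and the existence of a role named `Heads` are assumptions.

```perl
# Added example (assumed placement: Kernel/Config.pm, next to the
# AuthModule1 / AuthModule2 settings shown in the thread).

# Sync backend 1. Every key of one backend carries the same numeric suffix.
$Self->{'AuthSyncModule1'}                     = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'}         = 'dc.domain.local';
$Self->{'AuthSyncModule::LDAP::BaseDN1'}       = 'dc=domain,dc=local';
$Self->{'AuthSyncModule::LDAP::UID1'}          = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=helpdesk,CN=Builtin,DC=domain,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'PW';    # placeholder, as in the thread

# Group lookups in the sync backend use their own attribute settings.
# The AuthModule::LDAP::AccessAttr / UserAttr keys only gate the login.
$Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr1'}   = 'DN';

# AD group DN => OTRS group => permissions.
# Grant only what each AD group needs (rw/ro values here are assumed).
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition1'} = {
    'CN=OTRS Agents,CN=Builtin,DC=domain,DC=local' => {
        'stats' => { rw => 1, ro => 1 },
    },
    'CN=Test,CN=Builtin,DC=domain,DC=local' => {
        'Heads' => { rw => 1, ro => 1 },
    },
};

# Role variant: AD group DN => OTRS role => 1/0.
# The key contains a single "::LDAP::" segment; 'Heads' must exist as a role.
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition1'} = {
    'CN=Test,CN=Builtin,DC=domain,DC=local' => {
        'Heads' => 1,
    },
};
```

If a second auth backend stays in place, the same keys are repeated with suffix 2. The DN strings must match the directory exactly: in the posted config `GroupDN2` reads `DC=cloud,DC=local` while every other DN uses `DC=domain,DC=local`.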