Maybe I'm wrong and have an incorrect guess at how 'AuthSyncModule::LDAP::UserSyncRolesDefinition' is working, or the following situation is misconfigured, or it's a bug. Maybe someone here can help me.
I'm running OTRS 3.3.6 on CentOS 6.5 with Kerberos SSO and LDAP sync. I also want to sync role definitions via LDAP groups.
Here is my config.
Relevant parts of the Apache config:
```apache
<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    AuthType Kerberos
    AuthName "OTRS"
    Krb5Keytab /etc/httpd/conf/itsm.keytab
    KrbAuthRealm EXAMPLE.COM
    KrbMethodNegotiate on
    KrbAuthoritative off
    KrbSaveCredentials off
    KrbMethodK5Passwd on
    KrbLocalUserMapping On
    KrbDelegateBasic off
    AuthzLdapAuthoritative on
    AuthBasicProvider ldap
    AuthLDAPURL ldap://dc1.example.com:389/OU=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)
    AuthLDAPBindDN CN=q_ldap,OU=ServiceUser,DC=example,DC=com
    AuthLDAPBindPassword passwordforuser
    Require ldap-group CN=OTRS_Agents,OU=OTRS,DC=example,DC=com
    Require ldap-group CN=OTRS_Admins,OU=OTRS,DC=example,DC=com
    Options +ExecCGI -Includes
</Directory>
```
Kernel/Config.pm:
```perl
package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    $Self->{'DatabaseHost'} = 'mysql.example.com';
    $Self->{'Database'}     = "otrs";
    $Self->{'DatabaseUser'} = "otrs";
    $Self->{'DatabasePw'}   = '{secret}';
    $Self->{'DatabaseDSN'}  = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost}";
    $Self->{Home} = '/opt/otrs';

    $Self->{'LostPassword'}               = '0';
    $Self->{'CustomerHeadline'}           = 'Example Support';
    $Self->{'CustomerPanelLostPassword'}  = '0';
    $Self->{'CustomerPanelCreateAccount'} = '0';
    $Self->{'HttpType'}                   = 'https';
    $Self->{'Package::Proxy'}             = 'http://proxy.example.com:8080/';
    $Self->{'WebUserAgent::Proxy'}        = 'http://proxy.example.com:8080/';

    $Self->{DefaultUsedLanguages} = {
        'de'    => 'Deutsch',
        'en'    => 'English (United States)',
        'en_GB' => 'English (United Kingdom)',
    };

    # LDAPS AD Auth
    my @ldaphosts = ( 'dc1.example.com', 'dc2.example.com' );

    $Self->{'AuthModule'}                 = 'Kernel::System::Auth::HTTPBasicAuth';
    $Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';

    $Self->{'AuthSyncModule'}                     = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'}         = \@ldaphosts;
    $Self->{'AuthSyncModule::LDAP::BaseDN'}       = 'dc=example,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID'}          = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=q_ldap,OU=ServiceUser,DC=example,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'passwordforuser';
    $Self->{'AuthSyncModule::LDAP::AccessAttr'}   = 'member';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    # LDAP group DN => OTRS roles to apply
    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
        'CN=OTRS_Admins,OU=OTRS,DC=example,DC=com' => {
            'Admins' => 1,
        },
    };

    $Self->{'AuthSyncModule::LDAP::Params'} = {
        port    => 636,
        scheme  => 'ldaps',
        timeout => 120,
        async   => 0,
        version => 3,
    };
}

use base qw(Kernel::Config::Defaults);

1;
```
When I add user xxx to the group 'CN=OTRS_Admins,OU=OTRS,DC=example,DC=com' and the user logs in as an agent, everything works as expected: the user gets the role Admins applied.
But now, when I remove the role in AD, at the next logon the user xxx still has this role applied.
Logfile entry:
```
Apr 29 15:10:26 itsm-t OTRS-CGI-23[1260]: [Notice][Kernel::System::Auth::HTTPBasicAuth::Auth] User: xxx authentication ok (REMOTE_ADDR: x.x.x.x).
Apr 29 15:10:26 itsm-t OTRS-CGI-23[1260]: [Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: xxx not in GroupDN='CN=OTRS_Admins,OU=OTRS,DC=example,DC=com', Filter='(member=CN=xxx,OU=USERS,DC=example,DC=com)'! (REMOTE_ADDR: x.x.x.x).
```
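As an added example (not code from OTRS and not from the poster), the following Python sketch shows the reconciliation a defender expects from a group-to-role sync at each logon: the role set is recomputed from the groups the user is in now, and roles tied to groups the user has left are revoked rather than left in place. The group DN, user DN and notice text mirror the post; the OTRS_Agents mapping, the directory snapshots and the extra "Reports" role are constructed, and the script does not reproduce how Kernel::System::Auth::Sync::LDAP itself behaves internally.

```python
"""Group-to-role reconciliation in the shape of UserSyncRolesDefinition.

Constructed example: no LDAP connection, no OTRS API. It models what a
sync should do on every logon so that stale roles do not survive a group
removal in AD.
"""

USER_DN = "CN=xxx,OU=USERS,DC=example,DC=com"

# Same shape as the UserSyncRolesDefinition hash in the post: group DN -> {role: 1}.
# The OTRS_Agents entry is constructed so the user keeps one role after leaving
# the other group.
ROLE_DEFINITION = {
    "CN=OTRS_Admins,OU=OTRS,DC=example,DC=com": {"Admins": 1},
    "CN=OTRS_Agents,OU=OTRS,DC=example,DC=com": {"Agents": 1},
}

# Constructed directory snapshots: group DN -> set of member DNs, i.e. what the
# '(member=<user DN>)' filter from the log line is matched against.
DIRECTORY_BEFORE = {
    "CN=OTRS_Admins,OU=OTRS,DC=example,DC=com": {USER_DN},
    "CN=OTRS_Agents,OU=OTRS,DC=example,DC=com": {USER_DN},
}
DIRECTORY_AFTER = {  # user has been removed from OTRS_Admins in AD
    "CN=OTRS_Admins,OU=OTRS,DC=example,DC=com": set(),
    "CN=OTRS_Agents,OU=OTRS,DC=example,DC=com": {USER_DN},
}


def is_member(directory, group_dn, user_dn):
    """Stands in for the per-group LDAP search with filter (member=<user DN>)."""
    return user_dn in directory.get(group_dn, set())


def roles_from_groups(directory, user_dn, definition, notices):
    """Collect the roles granted by every group the user is currently in.

    For each group the user is not in, record a notice in the same wording
    as the log line from the post.
    """
    wanted = set()
    for group_dn, role_map in definition.items():
        if is_member(directory, group_dn, user_dn):
            wanted.update(role for role, enabled in role_map.items() if enabled)
        else:
            notices.append(
                f"User: {user_dn} not in GroupDN='{group_dn}', "
                f"Filter='(member={user_dn})'!"
            )
    return wanted


def reconcile(current, wanted, managed):
    """Split the change into additions and revocations.

    Only roles that appear in the definition ('managed') are ever revoked, so a
    role an administrator granted by hand inside the application is not touched.
    """
    to_add = wanted - current
    to_revoke = (current & managed) - wanted
    return to_add, to_revoke


def sync_user_roles(current, directory, user_dn, definition=ROLE_DEFINITION):
    """One logon: return (new role set, added, revoked, notices)."""
    managed = {role for role_map in definition.values() for role in role_map}
    notices = []
    wanted = roles_from_groups(directory, user_dn, definition, notices)
    to_add, to_revoke = reconcile(current, wanted, managed)
    return (current | to_add) - to_revoke, to_add, to_revoke, notices


if __name__ == "__main__":
    roles, added, revoked, _ = sync_user_roles(set(), DIRECTORY_BEFORE, USER_DN)
    print("first logon  :", sorted(roles), "added:", sorted(added))
    roles, added, revoked, notes = sync_user_roles(roles, DIRECTORY_AFTER, USER_DN)
    print("after removal:", sorted(roles), "revoked:", sorted(revoked))
    for line in notes:
        print("notice:", line)
```

Run with the two snapshots, the script grants Admins on the first logon and revokes it on the second while emitting the same "not in GroupDN" notice the log shows. Whether a given sync module revokes or only adds is exactly what comparing the agent's role list before and after a logon, as done in the post, establishes.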