Problem with sync LDAP groups to OTRS

rpacek · Post by **rpacek** » 16 Apr 2015, 15:34

Hi everyone,
I had problem with sync my LDAP groups to OTRS and give access to RO/RW rigts for them..

Customers are synced and i see them in Customer-s .. When I try sync groups , atributs, roles with OTRS group noting happend.. Custem can login to Customer.pl portal but when trying create new ticket they see nothing in "To:" (Queue).

After I add manualy rights RW to "user" in Customer<>Groups then customer see Queue. I've try so many version to get this right but now I give up .. :/

Can anyone help me? plsssss

My Config.pm

Code: Select all

#--------------------Agents Authentication-------------#
	$Self->{'AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
  $Self->{'AuthModule::LDAP::Host1'} = 'xxx.yyy.lan';
  $Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=xxx,DC=lan';
  $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
  $Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=OTRS_Access_A,OU=Poland,OU=Fileshares  access,OU=Groups,OU=xxx,DC=yyy,DC=lan';
  $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS AD Reader,OU=Service,DC=xxx,DC=lan';
  $Self->{'AuthModule::LDAP::SearchUserPW1'} = 'xxxxxxxxx';
  $Self->{'Customer::AuthModule::LDAP::AlwaysFilter1'} = '(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=lan)(userAccountControl=512)(sn=*)';
  # $Self->{'AuthModule::LDAP::UserSuffix1'} = '';
  
 # # $Self->{'AuthModule::LDAP::UserAttr1'} = 'UID';
     # $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
     # $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
  
  $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        #DB -> LDAP,
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
#	  $Self->{'AuthModule::UseSyncBackend'} = 'LDAP';
	  $Self->{'AuthSyncModule::LDAP::Params1'} = {
       port    => 389,
       timeout => 120,
       async   => 0,
       version => 3,
     #  inet4 => 1,
    };
  
    # $Self->{'AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition1'} = {
        # # ldap group
        # 'CN=OTRS_Access_C,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=yyy,DC=lan' => {
            # # otrs group
            # 'admin' => {
                # # permission
                # rw => 1,
                # ro => 1,
				# movet_into => 1,
				# create => 1,
				# note => 1,
				# owner => 1,
				# priority => 1,				
            # },
           # 'faq' => {
               # rw => 0,
               # ro => 1,
			   # create => 1,
			   # note => 1,
			   # owner => 1,
			   # priority => 1,
           # },
       # },
      # 'CN=OTRS_Access_C,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=yyy,DC=lan'=> {
           # 'users' => {
              # rw => 1,
              # ro => 1,
            # },
     # },
  # };
  
  
 # Attributes needed for group syncs
 #   (attribute name for group value key)
   $Self->{'AuthSyncModule::LDAP::AccessAttr1'} = 'member';
#    (attribute for type of group content UID/DN for full ldap name)
   $Self->{'AuthSyncModule::LDAP::UserAttr1'} = 'UID';
   $Self->{'AuthSyncModule::LDAP::UserAttr1'} = 'DN';

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
   $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
       'users',
   ];

    # AuthSyncModule::LDAP::UserSyncGroupsDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs groups, define the following.)
   $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition1'} = {
       # ldap group
       'CN=OTRS_Access_A,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=yyy,DC=lan' => {
           # otrs group
           'admin' => {
               # permission
               rw => 1,
               ro => 1,
           },
           'faq' => {
               rw => 0,
               ro => 1,
           },
       },
      'CN=OTRS_Access_C,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=yyy,DC=lan' => {
           'users' => {
               rw => 1,
               ro => 1,
           },
       }
   };

    # AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # attributes to otrs groups, define the following.)
   $Self->{'AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition1'} = {
       # ldap attribute
       'distinguishedName' => {
           # ldap attribute value
           'CN=OTRS_Access_A,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=yyy,DC=lan' => {
               # otrs group
               'admin' => {
                   # permission
                   rw => 1,
                   ro => 1,
               },
               'faq' => {
                   rw => 0,
                   ro => 1,
               },
           },
       },
       'distinguishedName' => {
           'CN=OTRS_Access_C,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=yyy,DC=lan' => {
               'users' => {
                   rw => 1,
                   ro => 1,
               },
           },
        }
   };
   
       # # AuthSyncModule::LDAP::UserSyncRolesDefinition
    # # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # # groups to otrs roles, define the following.)
    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition1'} = {
       # # ldap group
       'CN=OTRS_Access_C,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=yyy,DC=lan' => {
           # # otrs role
            'admin1' => 1,
           # 'role2' => 0,
        },
       # 'cn=agent2,o=otrs' => {
           # 'role3' => 1,
       # }
    };
    # # AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition
    # # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # # attributes to otrs roles, define the following.)
   $Self->{'AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition1'} = {
       # ldap attribute
       'distinguishedName' => {
           # ldap attribute value
           'CN=OTRS_Access_A,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=yyy,DC=lan' => {
               # otrs role
               'admin1' => 1,
               
           },
       },
       'distinguishedName' => {
           'CN=OTRS_Access_A,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=yyy,DC=lan' => {
               'admin1' => 1,
           },
       },
   };
  
  	 
	# #-------------------------------------------------------------------------------------------#
# #                                  Customer Authentication                                  #
# #-------------------------------------------------------------------------------------------#
  $Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
  $Self->{'Customer::AuthModule::LDAP::Host1'} = 'xxx.yyy.lan';
  $Self->{'Customer::AuthModule::LDAP::BaseDN1'} = 'DC=xxx,DC=lan';
  $Self->{'Customer::AuthModule::LDAP::UID1'} = 'sAMAccountName';
 $Self->{'Customer::AuthModule::LDAP::GroupDN1'} = 'CN=OTRS_Access_A,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=xxx,DC=lan';
  $Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS AD Reader,OU=Service,DC=xxx,DC=lan';
  $Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'Dj4}#V[%hD#1wghB';
 # $Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'CN';
  #$Self->{'AuthModule::LDAP::UserSuffix'} = '';
  $Self->{'Customer::AuthModule::LDAP::AlwaysFilter1'} = '(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=lan)(userAccountControl=512)';
 # $Self->{'Customer::AuthModule::LDAP::UserSuffix'} = '';
#-------------------------------------------------------------------------------------------# 
#                                     Customerdata                                          #
#-------------------------------------------------------------------------------------------#
   $Self->{CustomerUser1} = {
    Name => 'LDAP1',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
      Host => 'xxx.xxx.lan',
      BaseDN => 'DC=xxx,DC=lan',
      SSCOPE => 'sub',
      UserDN => 'CN=OTRS AD Reader,OU=Service,DC=xxx,DC=lan',
      UserPw => 'xxxxxxx',
	  AlwaysFilter => '(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=lan)(userAccountControl=512)',
    },
	GroupDN => 'CN=OTRS_Access_A,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=yyy,DC=lan',
    CustomerKey => 'sAMAccountName',
        CustomerID => 'sAMAccountName',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
       # CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 20500,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
		SourceCharset => 'utf-8',
		DestCharset => 'utf-8',
		AdminSetPreferences => 0,
		CacheTTL => 0,
		CustomerUserExcludePrimaryCustomerID => 0,
		#UserSuffix => '',
		#CustomerUserValidFilter => '(distinguishedName=CN=OTRS_Access_A,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=yyy,DC=lan)',
    Map => [		
		#['UserSalutation', 'Title', 'title', '1', '0', 'var'], 
['UserFirstname', 'Firstname', 'givenname', '1', '1', 'var'], 
['UserLastname', 'Lastname', 'sn', '1', '1', 'var'], 
['UserLogin', 'Login', 'sAMAccountName', '1', '1', 'var',], 
['UserEmail', 'Email', 'userPrincipalName','1', '1', 'var',], 
['UserCustomerID', 'CustomerID', 'sAMAccountName', '0', '1', 'var'], 
#['UserPhone', 'Phone', 'telephonenumber', '1', '0', 'var'], 
#['UserAddress', 'Address', 'postaladdress', '1', '0', 'var'], 
#['UserComment', 'Comment', 'description', '1', '0', 'var'], 

    ],
  };
  
   $Self->{CustomerUser2} = {
    Name => 'LDAP2',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
      Host => 'xxx.yyy.lan',
      BaseDN => 'OU=Service,DC=xxx,DC=lan',
      SSCOPE => 'sub',
      UserDN => 'CN=OTRS AD Reader,OU=Service,DC=xxx,DC=lan',
      UserPw => 'xxxxxx',
	  AlwaysFilter => '(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=lan)(userAccountControl=512)',
    },
	GroupDN => 'CN=OTRS_Access_A,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=xxx,DC=lan',
    CustomerKey => 'sAMAccountName',
        CustomerID => 'sAMAccountName',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 20500,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
		SourceCharset => 'utf-8',
		DestCharset => 'utf-8',
		AdminSetPreferences => 0,
		CacheTTL => 0,
		CustomerUserExcludePrimaryCustomerID => 0,
		#UserSuffix => '',
		#CustomerUserValidFilter => '(distinguishedName=CN=OTRS_Access_A,OU=Poland,OU=Fileshares access,OU=Groups,OU=xxx,DC=xxx,DC=lan)',
    Map => [		
		#['UserSalutation', 'Title', 'title', '1', '0', 'var'], 
['UserFirstname', 'Firstname', 'givenname', '1', '1', 'var'], 
['UserLastname', 'Lastname', 'sn', '1', '1', 'var'], 
['UserLogin', 'Login', 'sAMAccountName', '1', '1', 'var'], 
['UserEmail', 'Email', 'userPrincipalName', '1', '1', 'var',], 
['UserCustomerID', 'CustomerID', 'sAMAccountName', '0', '1', 'var'], 
#['UserPhone', 'Phone', 'telephonenumber', '1', '0', 'var'], 
#['UserAddress', 'Address', 'postaladdress', '1', '0', 'var'], 
#['UserComment', 'Comment', 'description', '1', '0', 'var'], 

    ],
  };

Post by **crythias** » 16 Apr 2015, 16:06

Customers don't need groups or roles.
LDAP is read only.

rpacek · Post by **rpacek** » 17 Apr 2015, 07:25

So how to give them rights RW to send tikets in Customer portal in One or two command?

Post by **crythias** » 17 Apr 2015, 12:50

rpacek wrote:when trying create new ticket they see nothing in "To:" (Queue).

Customers aren't members of the group(s) to which the queues are assigned.
If CustomerGroupSupport is off/disabled, customers are members of all the groups.
If CustomerGroupSupport is enabled, customers are members of directly assigned groups and CustomerGroupsAlwaysGroups settings (by default, "users" group.)

There isn't *generally* a need to use customer based groups unless you have a true need for segregation. Suggested valid segregation would be by language or location. In general, Queues are for [groups of] agent that are able to handle tickets.

Giulio Soleni · Post by **Giulio Soleni** » 22 Apr 2015, 16:35

Hallo,
I have solved writing a script that sync Customer's OTRS groups with LDAP (or ActiveDirectory) groups:
in other words, the assignment of RO or RW permissions to customers on their OTRS groups is based on a map (specified within a configuration file) where for each LDAP group is specified a corresponding OTRS group and a permission.

You may found here the code and the details.

The version is available for OTRS 3.3.x but with some small adjustment you may run it for OTRS 4 also.

HTH
Giulio

Edit: by the way you need to activate CustomerGroupSupport of course.

Znuny Open Source Ticketsystem

Problem with sync LDAP groups to OTRS

Problem with sync LDAP groups to OTRS

Re: Problem with sync LDAP groups to OTRS

Re: Problem with sync LDAP groups to OTRS

Re: Problem with sync LDAP groups to OTRS

Re: Problem with sync LDAP groups to OTRS