Hi -
I've got an OTRS 5.0.7 system that successfully uses our campus Active Directory directory service for agent and customer logins.
A user changed her name in AD, and it is reflected there. However, OTRS still uses her old first name field. I tried manually changing her first name in the admin panel under customer users, but got an error: "not supported in this module".
Is there a method to force the user account to refresh its information from AD? A setting in Config.pm I need to flag? Perhaps under the map section?
Thank you.
refresh user account from active directory
- Administrator
- Posts: 4253
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
Re: refresh user account from active directory
The LDAP connection is read only. That's the reason for 'not supported'. LDAP queries are cached; this is configured in Config.pm or in an own .pm file in Kernel/Config/Files. I suggest first deleting the cache and checking whether the changed name appears in the frontend.
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
Re: refresh user account from active directory
So I tried deleting the cache using the otrs.Console Maint::Cache::Delete then went to the Customer User Management panel to check, and the user account is still listed with her old first name.
Is there some other cache I need to clear? What setting(s) do I need to set in config.pm to force ldap to recheck against the directory?
Thank you.
- Administrator
- Posts: 4253
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
Re: refresh user account from active directory
Did you use the AD directly w/ CustomerUser or is there any kind of sync into a database table?
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
Re: refresh user account from active directory
I am syncing into a database table. Our campus AD is managed elsewhere due to its size. I can create the groups and populate them, but user accounts are autocreated way upstream. The user made the necessary changes to get her first name changed and it was pulled down into AD. In Outlook, for example, the name change showed up a day after she requested the change.
Here's the relevant portion of the Config.pm with any sensitive data removed. If there is a flag or setting I can set to force a refresh that would be perfect.
```perl
# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldaps://ad.blah.edu';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=ad,DC=blah,DC=edu';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=ADLookup Service Account,OU=SU Accounts,OU=blah,OU=blah,DC=ad,DC=blah,DC=edu';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxxx';
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 636,
    timeout => 120,
    async   => 0,
    version => 3,
    verify  => 'none',
};
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
# Second Agent backend, internal OTRS DB
$Self->{'AuthModule2'} = 'Kernel::System::Auth::DB';
$Self->{'AuthModule2::DB::CryptType2'} = 'crypt';

# snip

# ---------------------------------------------------- #
# OTRS Active Directory Integration Backed DB Customers #
# ---------------------------------------------------- #
$Self->{CustomerUser} = {
    Name   => 'Library OTRS Users',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'ldaps://ad.blah.edu',
        BaseDN => 'DC=ad,DC=blah,DC=edu',
        SSCOPE => 'sub',
        UserDN => 'CN=ADLookup Service Account,OU=SU Accounts,OU=Blah,OU=Blah,DC=ad,DC=blah,DC=edu',
        UserPw => 'xxxxxxxxxxx',
        # Import filter to not clutter up customer listing!
        AlwaysFilter => '(&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=OTRS-Customers-Group,OU=Blah OTRS,OU=Service Groups,OU=Blah,OU=Blah,DC=ad,DC=blah,DC=edu))',
        Params => {
            port    => 636,
            timeout => 120,
            async   => 0,
            version => 3,
        },
    },
    CustomerKey                          => 'sAMAccountName',
    CustomerID                           => 'mail',
    CustomerUserListFields               => ['cn', 'mail'],
    CustomerUserSearchFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchListLimit          => 250,
    CustomerUserPostMasterSearchFields   => ['mail'],
    CustomerUserNameFields               => ['givenname', 'sn'],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences                  => 0,
    Map => [
        [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        # [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
        # [ 'UserComment', 'Comment', 'description',   1, 0, 'var', '', 0 ],
    ],
};
```
Re: refresh user account from active directory
Well, I think I found the issue myself.
The powers that be left her "givenName" attribute as it was - her original name.
The displayname shows her new name, but shows it as {lastname, newfirstname} so I am not sure how well that'll map into OTRS...
Kind of a long shot, but do I have any reasonable options here?
Re: refresh user account from active directory
Ask the LDAP guys for an LDIF to get the field names.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
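Once you have that LDIF, the useful check is to compare what the Map above actually reads (givenName, via the 'givenname' row for UserFirstname) against what displayName implies. The following Python script is an added example, not code from the thread or from OTRS: it parses a small LDIF (constructed sample data, including a base64-encoded value as LDIF exports commonly contain), applies the thread's Map rows, and flags entries whose givenName disagrees with the "Lastname, Firstname" displayName. LDAP attribute names are case-insensitive, so the example lowercases them before lookup; the 'Lastname, Firstname' split rule and the sample entries are assumptions for illustration.

```python
"""Added example: does the OTRS Map's first name (givenName) agree with displayName?"""
import base64

# Constructed LDIF sample, not real directory data. The first entry mirrors the
# thread: displayName carries the new name, givenName still has the old one.
SAMPLE_LDIF = """\
dn: CN=Janet Doe,OU=Users,DC=ad,DC=example,DC=edu
objectCategory: Person
sAMAccountName: jdoe
givenName: Janet
sn: Doe
displayName: Doe, Jane
mail: jdoe@example.edu

dn: CN=John Smith,OU=Users,DC=ad,DC=example,DC=edu
objectCategory: Person
sAMAccountName: jsmith
givenName: John
sn: Smith
displayName:: U21pdGgsIEpvaG4=
mail: jsmith@example.edu
"""

# OTRS field -> LDAP attribute, taken from the Map rows in the Config.pm above.
OTRS_MAP = [
    ('UserFirstname', 'givenname'),
    ('UserLastname', 'sn'),
    ('UserLogin', 'sAMAccountName'),
    ('UserEmail', 'mail'),
]


def parse_ldif(text):
    """Parse LDIF text into a list of entries (dict: lowercased attribute -> list of values).

    Handles folded continuation lines (leading space) and base64 values ('attr:: ...').
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(' ') and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():          # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith('#'):      # LDIF comment
            continue
        attr, _, rest = line.partition(':')
        if rest.startswith(':'):      # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode('utf-8')
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def first_name_from_display(display_name):
    """Derive the first name from a 'Lastname, Firstname' displayName (assumed format).

    Returns None when the value is not in comma form, so callers cannot mistake
    a whole display name for a first name.
    """
    if ',' not in display_name:
        return None
    return display_name.split(',', 1)[1].strip()


def resolve_otrs_fields(entry, mapping=OTRS_MAP):
    """Apply the Map to one parsed entry: first value of each mapped attribute."""
    return {field: entry.get(attr.lower(), [''])[0] for field, attr in mapping}


def check_entry(entry):
    """Report what OTRS would show as first name versus what displayName implies."""
    fields = resolve_otrs_fields(entry)
    derived = first_name_from_display(entry.get('displayname', [''])[0])
    return {
        'login': fields['UserLogin'],
        'otrs_firstname': fields['UserFirstname'],
        'display_firstname': derived,
        'consistent': derived is not None
        and derived.casefold() == fields['UserFirstname'].casefold(),
    }


def check_ldif(text):
    """Run the consistency check over every entry in an LDIF export."""
    return [check_entry(e) for e in parse_ldif(text)]


if __name__ == '__main__':
    for r in check_ldif(SAMPLE_LDIF):
        status = 'OK      ' if r['consistent'] else 'MISMATCH'
        print(f"{status} {r['login']}: OTRS shows '{r['otrs_firstname']}', "
              f"displayName implies '{r['display_firstname']}'")
```

Run it against an LDIF exported by the directory team instead of SAMPLE_LDIF; a MISMATCH line means no amount of OTRS cache clearing will help, because the attribute the Map reads has not changed in AD.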