Agent Sync

Help with Znuny problems of all kinds
Locked
Martin_
Znuny newbie
Posts: 23
Joined: 24 Feb 2011, 12:12
Znuny Version: 3.0.4

Agent Sync

Post by Martin_ »

Hello dear forum,

I would like to synchronize the agents with my AD, so I entered everything in config.pm and tested it. The bind user is synchronized without problems, but none of the other accounts are synced. Because of this error, the other admin users cannot log in to OTRS. Can you tell me why the sync might not be working?

With the customer users everything works without problems.

Here is my config.pm:

Code:

# Agent login

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.1.100.1';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=mm-bbs,DC=de';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN1'} = 'OU=EDV,DC=mm-bbs,DC=de';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=Surf,OU=EDV,DC=mm-bbs,DC=de';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '*****';

# Write users to the local database

    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = '10.1.100.1';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=mm-bbs, DC=de';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
    # Username / password for logging in to the AD
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=Surf,OU=EDV,DC=mm-bbs,DC=de';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '*****';

    # AuthSyncModule::LDAP::UserSyncMap
    # (map if agent should create/synced from LDAP to DB after successful login)
    $Self->{'UserSyncLDAPMap'} = {
      # DB -> LDAP
      UserFirstname => 'givenName',
      UserLastname  => 'sn',
      UserEmail     => 'mail',
    };

    # (sync following group with rw permission after initial create of first agent login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
      'Users',
    ];
Wolfgangf
Znuny ninja
Posts: 1029
Joined: 13 Apr 2009, 12:26
Znuny Version: 6.0.13
Real Name: Wolfgang Fürtbauer
Company: PBS Logitek GmbH
Location: Pinsdorf

Re: Agent Sync

Post by Wolfgangf »

Did you also create the admin users as users in OTRS? Otherwise it will not work, and that has nothing to do with syncing per se.
Regards
Production:
OTRS 6.0.13/ ITSM 6.0.13
OS: SUSE Linux (SLES 12, Leap), MySql 5.5.x, 5.6.x
Windows 2012 AD Integration (agents and customers), Nagios integration (incidents, CMDB), Survey, TimeAccounting
Martin_
Znuny newbie
Posts: 23
Joined: 24 Feb 2011, 12:12
Znuny Version: 3.0.4

Re: Agent Sync

Post by Martin_ »

Yes, I have; with users that were created it works perfectly, but isn't there a way for the users to be synchronized with the AD, as is the case with the customers?
Wolfgangf
Znuny ninja
Posts: 1029
Joined: 13 Apr 2009, 12:26
Znuny Version: 6.0.13
Real Name: Wolfgang Fürtbauer
Company: PBS Logitek GmbH
Location: Pinsdorf

Re: Agent Sync

Post by Wolfgangf »

As far as I know: no
Martin_
Znuny newbie
Posts: 23
Joined: 24 Feb 2011, 12:12
Znuny Version: 3.0.4

Re: Agent Sync

Post by Martin_ »

So my only option is to enter the agents manually? But the password is then still checked against the AD, right?
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: Agent Sync

Post by jojo »

For that you have to add a sync in Config.pm (auth sync module); have a look at Defaults.pm
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
Martin_
Znuny newbie
Posts: 23
Joined: 24 Feb 2011, 12:12
Znuny Version: 3.0.4

Re: Agent Sync

Post by Martin_ »

Code:

# This is an example configuration for an LDAP auth sync. backend.
    # (take care that Net::LDAP is installed!)
#    $Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
#    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap.example.com';
#    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=example,dc=com';
#    $Self->{'AuthSyncModule::LDAP::UID'} = 'uid';

    # The following is valid but would only be necessary if the
    # anonymous user do NOT have permission to read from the LDAP tree
#    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = '';
#    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '';

    # in case you want to add always one filter to each ldap query, use
    # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#    $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '';

    # AuthSyncModule::LDAP::UserSyncMap
    # (map if agent should create/synced from LDAP to DB after successful login)
#    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
#        # DB -> LDAP
#        UserFirstname => 'givenName',
#        UserLastname  => 'sn',
#        UserEmail     => 'mail',
#    };

    # In case you need to use OTRS in iso-charset, you can define this
    # by using this option (converts utf-8 data from LDAP to iso).
#    $Self->{'AuthSyncModule::LDAP::Charset'} = 'iso-8859-1';

    # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
#    $Self->{'AuthSyncModule::LDAP::Params'} = {
#        port    => 389,
#        timeout => 120,
#        async   => 0,
#        version => 3,
#    };

    # Die if backend can't work, e. g. can't connect to server.
#    $Self->{'AuthSyncModule::LDAP::Die'} = 1;

    # Attributes needed for group syncs
    # (attribute name for group value key)
#    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
    # (attribute for type of group content UID/DN for full ldap name)
#    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'UID';
#    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
#    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
#        'users',
#    ];

    # AuthSyncModule::LDAP::UserSyncGroupsDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs groups, define the following.)
#    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
#        # ldap group
#        'cn=agent,o=otrs' => {
#            # otrs group
#            'admin' => {
#                # permission
#                rw => 1,
#                ro => 1,
#            },
#            'faq' => {
#                rw => 0,
#                ro => 1,
#            },
#        },
#        'cn=agent2,o=otrs' => {
#            'users' => {
#                rw => 1,
#                ro => 1,
#            },
#        }
#    };

    # AuthSyncModule::LDAP::UserSyncRolesDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs roles, define the following.)
#    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
#        # ldap group
#        'cn=agent,o=otrs' => {
#            # otrs role
#            'role1' => 1,
#            'role2' => 0,
#        },
#        'cn=agent2,o=otrs' => {
#            'role3' => 1,
#        }
#    };

    # AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # attributes to otrs groups, define the following.)
#    $Self->{'AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition'} = {
#        # ldap attribute
#        'LDAPAttribute' => {
#            # ldap attribute value
#            'LDAPAttributeValue1' => {
#                # otrs group
#                'admin' => {
#                    # permission
#                    rw => 1,
#                    ro => 1,
#                },
#                'faq' => {
#                    rw => 0,
#                    ro => 1,
#                },
#            },
#        },
#        'LDAPAttribute2' => {
#            'LDAPAttributeValue' => {
#                'users' => {
#                    rw => 1,
#                    ro => 1,
#                },
#            },
#         }
#    };

    # AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # attributes to otrs roles, define the following.)
#    $Self->{'AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition'} = {
#        # ldap attribute
#        'LDAPAttribute' => {
#            # ldap attribute value
#            'LDAPAttributeValue1' => {
#                # otrs role
#                'role1' => 1,
#                'role2' => 1,
#            },
#        },
#        'LDAPAttribute2' => {
#            'LDAPAttributeValue1' => {
#                'role3' => 1,
#            },
#        },
#    };

    # UserTable
    $Self->{DatabaseUserTable}       = 'users';
    $Self->{DatabaseUserTableUserID} = 'id';
    $Self->{DatabaseUserTableUserPW} = 'pw';
    $Self->{DatabaseUserTableUser}   = 'login';
You mean this part, right?
Martin_
Znuny newbie
Posts: 23
Joined: 24 Feb 2011, 12:12
Znuny Version: 3.0.4

Re: Agent Sync

Post by Martin_ »

Unfortunately I have the problem that assigning permissions does not work the way I would like. That is, no agent can access the admin area; how can this be changed?
Martin_
Znuny newbie
Posts: 23
Joined: 24 Feb 2011, 12:12
Znuny Version: 3.0.4

Re: Agent Sync

Post by Martin_ »

# Agent login

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '10.1.100.1';
$Self->{'AuthModule::LDAP::BaseDN'} = 'DC=mm-bbs,DC=de';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN1'} = 'OU=EDV,DC=mm-bbs,DC=de';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=Surf,OU=EDV,DC=mm-bbs,DC=de';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '*****';

# Write users to the local database

$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = '10.1.100.1';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'DC=mm-bbs, DC=de';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
# Username / password for logging in to the AD
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=Surf,OU=EDV,DC=mm-bbs,DC=de';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '*****';

# AuthSyncModule::LDAP::UserSyncMap
# (map if agent should create/synced from LDAP to DB after successful login)
$Self->{'UserSyncLDAPMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
};

# (sync following group with rw permission after initial create of first agent login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'Users',
];
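
The configuration from this thread rewritten with the key names from the Defaults.pm excerpt quoted above, plus an LDAP-group-to-OTRS-group mapping for the admin area. This is an added example, not part of any post or of the project's own files; the AD groups CN=OTRS-Agents and CN=OTRS-Admins are hypothetical placeholders.

```perl
# Added example: fragment for Kernel/Config.pm, placed inside sub Load()
# where $Self is the configuration object. Both group DNs are hypothetical.

# --- Agent authentication against AD ---
# OTRS numbers the keys of additional backends (AuthModule1, ...::Host1, ...),
# so a single backend uses unsuffixed keys: GroupDN, not GroupDN1.
$Self->{'AuthModule'}                     = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}         = '10.1.100.1';
$Self->{'AuthModule::LDAP::BaseDN'}       = 'DC=mm-bbs,DC=de';
$Self->{'AuthModule::LDAP::UID'}          = 'sAMAccountName';
# Only members of this group may log in as agents. GroupDN must name a
# group object; an OU carries no "member" attribute.
$Self->{'AuthModule::LDAP::GroupDN'}      = 'CN=OTRS-Agents,OU=EDV,DC=mm-bbs,DC=de';
$Self->{'AuthModule::LDAP::AccessAttr'}   = 'member';
$Self->{'AuthModule::LDAP::UserAttr'}     = 'DN';    # AD stores full DNs in "member"
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'CN=Surf,OU=EDV,DC=mm-bbs,DC=de';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '*****';

# --- Create/update the agent in the local DB after a successful login ---
$Self->{'AuthSyncModule'}                     = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}         = '10.1.100.1';
$Self->{'AuthSyncModule::LDAP::BaseDN'}       = 'DC=mm-bbs,DC=de';
$Self->{'AuthSyncModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'CN=Surf,OU=EDV,DC=mm-bbs,DC=de';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '*****';
$Self->{'AuthSyncModule::LDAP::AccessAttr'}   = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr'}     = 'DN';

# Key name as in the Defaults.pm excerpt (not 'UserSyncLDAPMap').
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# Least privilege: every newly created agent gets "users" only ...
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [ 'users' ];

# ... and only members of the dedicated AD group are mapped to "admin".
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    'CN=OTRS-Admins,OU=EDV,DC=mm-bbs,DC=de' => {
        'admin' => { rw => 1, ro => 1 },
    },
};
```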