Sync LDAP groups to roles

Moderator: crythias

sciolto
Znuny newbie
Posts: 16
Joined: 04 Oct 2010, 09:19
Znuny Version: 2.4.7

Sync LDAP groups to roles

Post by sciolto »

Hi Board,
we have some issues configuring the synchronization of OTRS roles with LDAP groups. Here's the scenario:

- OTRS 3.0.8 on CentOS with MySQL as DBMS
- Agents authentication through Shibboleth (Works like HTTPBasicAuth)
- AgentSyncModule activated to gather all agent information into local OTRS db
- 20 different roles defined in OTRS, and associated with Groups
- NO local association between Roles and Agents
- Several Groups defined in LDAP corresponding to OTRS Roles

I am now trying to use the AuthSyncModule::LDAP::UserSyncRolesDefinition Module to dynamically associate LDAP groups to the defined OTRS Roles:

I tried in 2 ways:

1) Here it somehow doesn't know where to start the LDAP search (BaseDN missing??):
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    'cn=GIACOMOZZI*' => {
        # otrs role
        'amministratore' => 1,
    },
    [...]
};

RESULT:
[Wed Oct 19 15:20:50 2011][Notice][Kernel::System::Auth::ShibbolethAuth::Auth] User: PER0004675 authentication ok (REMOTE_ADDR: 193.205.206.139).
[Wed Oct 19 15:20:50 2011][Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: 'PER0004675' sync ldap groups unitn-adaIdAda=GIACOMOZZI* to roles!
[Wed Oct 19 15:20:50 2011][Error][Kernel::System::Auth::Sync::LDAP::Sync][456] Search failed! (cn=GIACOMOZZI*) filter='(unitn-adaIdAda=PER0004675)' No such object
[Wed Oct 19 15:20:50 2011][Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: PER0004675 not in GroupDN='cn=GIACOMOZZI*', Filter='(unitn-adaIdAda=PER0004675)'! (REMOTE_ADDR: 193.205.206.139).

PLEASE NOTE:
unitn-adaIdAda is the identifier attribute in the LDAP tree, which is defined in $Self->{'AuthSyncModule::LDAP::AccessAttr'}

2) This is successful, but there's no point, since instead of the group I configured the LDAP baseDN:
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    'dc=ada,dc=mydc,dc=tld' => {
        # otrs role
        'amministratore' => 1,
    },
    [...]
};

RESULT:
[Wed Oct 19 14:39:44 2011][Notice][Kernel::System::Auth::ShibbolethAuth::Auth] User: PER0004675 authentication ok (REMOTE_ADDR: 193.205.206.139).
[Wed Oct 19 14:39:44 2011][Notice][Kernel::System::User::UserUpdate] User: 'PER0004675' updated successfully (1)!
[Wed Oct 19 14:39:44 2011][Notice][Kernel::System::User::SetPassword] User: 'PER0004675' changed password successfully!
[Wed Oct 19 14:39:44 2011][Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: 'PER0004675' sync ldap groups dc=ada,dc=mydc,dc=tld to roles!
[Wed Oct 19 14:39:44 2011][Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: 'PER0004675' sync ldap group dc=ada,dc=mydc,dc=tld in amministratore role!

PLEASE NOTE:
This seems to work, but here EVERY authenticated user is given the "amministratore" Role


Has anyone a clue what's going on here? Or had similar issues?

Many thanks in advance
Several OTRS 2.4 and 3.0 installations. All on CentOS /w Apache & MySql.
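The two log outputs above are consistent with one simple lookup shape per configured key: a subtree search whose base is the key and whose filter is (AccessAttr=login). The following Python model is an added example, not OTRS code and not the poster's configuration; it assumes that search shape (inferred from the "Search failed! (cn=GIACOMOZZI*) filter='(unitn-adaIdAda=PER0004675)' No such object" line), uses a small constructed directory, and the third configuration (a real group entry with a hypothetical `memberUid` membership attribute as AccessAttr) is a guessed shape for comparison, not something the thread confirms. It reproduces why a wildcard key fails (the base is not an existing entry) and why the tree base grants the role to every login (every user entry matches its own login filter), which is the over-privilege outcome a reviewer should watch for in role-sync configs.

```python
"""Model of an LDAP group-to-role sync lookup (added example, not OTRS code).

Assumed semantics, inferred from the log lines in the post: for each key of
UserSyncRolesDefinition the sync runs one subtree search with
    base   = the key (intended to be a group DN)
    filter = (<AccessAttr>=<login>)
and grants the mapped roles when at least one entry is returned.
The directory below is constructed sample data, not the poster's tree.
"""
from fnmatch import fnmatchcase


class NoSuchObject(Exception):
    """Raised when the search base is not an entry (LDAP result code 32)."""


# Constructed directory: DN -> attributes (values are lists, as in LDAP).
DIRECTORY = {
    "dc=ada,dc=mydc,dc=tld": {"objectClass": ["domain"]},
    "ou=people,dc=ada,dc=mydc,dc=tld": {"objectClass": ["organizationalUnit"]},
    "unitn-adaIdAda=PER0004675,ou=people,dc=ada,dc=mydc,dc=tld": {
        "unitn-adaIdAda": ["PER0004675"], "cn": ["GIACOMOZZI"]},
    "unitn-adaIdAda=PER0000001,ou=people,dc=ada,dc=mydc,dc=tld": {
        "unitn-adaIdAda": ["PER0000001"], "cn": ["ROSSI"]},
    "ou=groups,dc=ada,dc=mydc,dc=tld": {"objectClass": ["organizationalUnit"]},
    # hypothetical group entry listing its members by login
    "cn=amministratori,ou=groups,dc=ada,dc=mydc,dc=tld": {
        "cn": ["amministratori"], "memberUid": ["PER0004675"]},
}


def _rdns(dn):
    """Split a DN into normalised RDN components (case-insensitive compare)."""
    return [part.strip().lower() for part in dn.split(",")]


def _in_subtree(dn, base):
    """True when dn equals base or lies below it."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def _parse_filter(flt):
    """Accept only the '(attr=value)' shape the sync emits; '*' is a wildcard."""
    if not (flt.startswith("(") and flt.endswith(")") and "=" in flt):
        raise ValueError(f"unsupported filter: {flt}")
    attr, value = flt[1:-1].split("=", 1)
    return attr, value


def ldap_search(directory, base, flt):
    """Subtree search returning matching DNs; base must itself be an entry."""
    if not any(_rdns(dn) == _rdns(base) for dn in directory):
        raise NoSuchObject(base)
    attr, pattern = _parse_filter(flt)
    hits = []
    for dn, attrs in directory.items():
        if not _in_subtree(dn, base):
            continue
        # attribute names are case-insensitive in LDAP
        values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
        if any(fnmatchcase(v, pattern) for v in values):
            hits.append(dn)
    return hits


def sync_roles(directory, roles_definition, access_attr, login):
    """Return (roles granted, log lines) for one login under the assumed loop."""
    roles, log = set(), []
    flt = f"({access_attr}={login})"
    for group_dn, role_map in roles_definition.items():
        try:
            hits = ldap_search(directory, group_dn, flt)
        except NoSuchObject:
            log.append(f"Search failed! ({group_dn}) filter='{flt}' No such object")
            continue
        if not hits:
            log.append(f"User: {login} not in GroupDN='{group_dn}', Filter='{flt}'!")
            continue
        for role, enabled in role_map.items():
            if enabled:
                roles.add(role)
                log.append(f"User: '{login}' sync ldap group {group_dn} in {role} role!")
    return roles, log


# 1) key is a filter-like string, not a DN: base does not exist -> No such object
CONFIG_WILDCARD = {"cn=GIACOMOZZI*": {"amministratore": 1}}
# 2) key is the tree base: every user entry matches its own login -> everyone gets the role
CONFIG_BASE_DN = {"dc=ada,dc=mydc,dc=tld": {"amministratore": 1}}
# 3) hypothetical shape: key is a real group entry, AccessAttr is its membership attribute
CONFIG_GROUP_DN = {"cn=amministratori,ou=groups,dc=ada,dc=mydc,dc=tld": {"amministratore": 1}}


def outcome(config, access_attr):
    """Roles granted to each constructed login under one configuration."""
    return {login: sorted(sync_roles(DIRECTORY, config, access_attr, login)[0])
            for login in ("PER0004675", "PER0000001")}


if __name__ == "__main__":
    for name, cfg, attr in (("wildcard key", CONFIG_WILDCARD, "unitn-adaIdAda"),
                            ("base DN key", CONFIG_BASE_DN, "unitn-adaIdAda"),
                            ("group DN key", CONFIG_GROUP_DN, "memberUid")):
        print(f"{name}: {outcome(cfg, attr)}")
```

Running it shows the first configuration granting nothing (with the same "No such object" failure as the post), the second granting "amministratore" to both constructed logins, and the third granting it only to the login listed in the group; the practical check when reviewing such a mapping is to confirm that a login known not to belong to the group ends up without the role.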