LDAP Group and OTRS Group synchronization

Moderator: crythias

Locked
pascalg

LDAP Group and OTRS Group synchronization

Post by pascalg »

Hi All

I was able to make the LDAP authentication work and create the customers in the backend.
I used the German v2 code that is linked below in one of the posts.
viewtopic.php?f=36&t=7558&p=65094

I was just wondering how I can attribute each LDAP group to a specific OTRS group/queue.

In my LDAP my main OU/folder is IT, and in IT, I have 3 OU/Folders
Building1
Building2
Building3

And in each of these OU/Folders, I have 4 OU/Folders:
Admin
Academic
Student
Group

In the OU/Folder Group of each OU/Folder building there is a group named:
B1Group (for the OU Building1\Group)
B2Group (for the OU Building2\Group)
B3Group (for the OU Building3\Group)

The reason for that is that we have 3 different IT persons, each takes care of 1 building, and each building has 3 main sections with different users inside.

I want to manage 3 queues; each queue will be managing 1 building by OTRS Group.
Queue1 for B1Group LDAP group
Queue2 for B2Group LDAP group
Queue3 for B3Group LDAP group

On the OTRS admin side, I already created the groups “GBuilding1”, “GBuilding2” and “GBuilding3” and attached them to each queue, but when I log on as one of the customers that is part of the group “B1Group” in the OU/Folder “Building1/Group” on the LDAP and want to create a ticket, I don’t have any choice of queue.
If I manually create a customer and put it in that group manually, it works.

The code used:

    # - Groups to otrs groups ---------------------------------- #
    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
        # ldap group
        'CN=B1Group,OU=Group,OU=Building1,OU=IT,DC=uq,DC=edu,DC=au' => {
            # otrs group
            'GBuilding1' => {
                # permission
                rw => 1,
                ro => 1,
            },
            'faq' => {
                rw => 0,
                ro => 1,
            },
        },
        'CN=B2Group,OU=Group,OU=Building2,OU=IT,DC=uq,DC=edu,DC=au' => {
            'GBuilding2' => {
                rw => 1,
                ro => 1,
            },
        },
        'CN=B3Group,OU=Group,OU=Building3,OU=IT,DC=uq,DC=edu,DC=au' => {
            'GBuilding3' => {
                rw => 1,
                ro => 1,
            },
        },
    };

Any clues why it doesn't work? Or is there a better way to do it?

Thank you in advance for your time and replies.

Regards

Pascal
pascalg

Re: LDAP Group and OTRS Group synchronization

Post by pascalg »

Was anyone at least able to synchronize groups between LDAP and OTRS?

Let me know 8)
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: LDAP Group and OTRS Group synchronization

Post by crythias »

Group sync is only for agents.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
pascalg

Re: LDAP Group and OTRS Group synchronization

Post by pascalg »

crythias wrote: Group sync is only for agents.
Is there a way to attach/link a customer from LDAP to an OTRS group during the LDAP authentication/Customer Data load?
Any advice on how I could do that? A script in a specific file, or a module/Map/script I can use in the config.pm, etc.?
crythias

Re: LDAP Group and OTRS Group synchronization

Post by crythias »

No, and what's the point?
If you want to group customers, do it by CustomerID. viewtopic.php?f=60&t=7531
pascalg

Re: LDAP Group and OTRS Group synchronization

Post by pascalg »

crythias wrote: No, and what's the point?
If you want to group customers, do it by CustomerID. viewtopic.php?f=60&t=7531
The point is, we have different buildings managed by different IT officers, and we want each IT officer to see only the tickets of the building he manages, because some tickets can be confidential to one building only and we don't want other IT officers to see these tickets.
But the Senior IT will see all the tickets and can reassign ticket(s) to another IT officer if one of the IT officers is overloaded or on holiday.
That is why I was trying to create a group/queue for each building, and each IT officer as agent will be part of one of these groups.

Correct me if I am wrong: if I group customers by the CustomerID, it means that during the customer LDAP data load everyone will have the same group/queue, but tickets will be seen by a specific group, right?
In that way, is it possible to transfer a ticket from one IT officer (building1) to another one (building2) by the Senior IT (who sees all tickets) and have it seen by the second IT officer?

From the post http://doc.otrs.org/3.0/en/html/x1377.h ... ers-groups, I saw that you can give a default group when a user fills in the form, but I couldn't figure out whether it is possible to attach a CustomerID to a group and have a queue per CustomerID during the LDAP data load (all at the same time and in an automatic way).
Each time I log in as one of the customers, the Queue field is empty and I can't submit any ticket. Where/how do I specify which group/queue the customer belongs to by default when I do the LDAP data load?

I found out how to load the LDAP DATA by OU and OU by OU but I wasn't able to attach a CustomerID to value (CustomerID => 'Building1',) or to attach the Customer Data loaded from that OU to a group/queue.

Any clue?

Thank you in advance
crythias

Re: LDAP Group and OTRS Group synchronization

Post by crythias »

I can't tell you in this case. Is an IT officer an agent or a customer?

If the queue doesn't belong to the group a customer belongs to, the customer won't see it.

It appears the officer is an agent.
In general, queues and Groups are for the agent, not the customer.
crythias

Re: LDAP Group and OTRS Group synchronization

Post by crythias »

pascalg wrote: we have different buildings managed by different IT officers
building1 is the queue name, building1_grp could be the group name
it officer=agent member of building_grp

Now, tickets pertaining to building can only be seen by agent-members of the building1_grp

pascalg wrote: But the Senior IT will see all the tickets and can reassign ticket(s) to another IT officer if one of the IT officers is overloaded or on holiday.
Senior IT will be member of all building_grps

pascalg wrote: That is why I was trying to create a group/queue for each building, and each IT officer as agent will be part of one of these groups.
right.

pascalg wrote: Correct me if I am wrong: if I group customers by the CustomerID, it means that during the customer LDAP data load everyone will have the same group/queue, but tickets will be seen by a specific group, right?
no. CustomerID may be irrelevant if the customers are autonomous entities. Grouping by CustomerID is relevant for "Company Tickets" in the Customer Interface: multiple people with the same "CustomerID" can see tickets raised by others with the same CustomerID. It has nothing to do with groups or queues.

pascalg wrote: Each time I log in as one of the customers, the Queue field is empty and I can't submit any ticket. Where/how do I specify which group/queue the customer belongs to by default when I do the LDAP data load?
The queue field is empty because the customers are by default and usually only members of the "users" group. It's *generally* okay to provide ALL the buildings_grps for "CustomerGroupsAlwaysGroups" settings. Then the customer will see all the buildings as queues.

pascalg wrote: I found out how to load the LDAP DATA by OU and OU by OU but I wasn't able to attach a CustomerID to value (CustomerID => 'Building1',) or to attach the Customer Data loaded from that OU to a group/queue.
There is no such way to do this through customer ldap, though you can filter after the fact with ACL:
http://doc.otrs.org/3.1/en/html/ch17s03.html

You will want to include in your CustomerUser Map some attribute that is relevant to group

Code: Select all

        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
            [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
            [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
            [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
            [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
            [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
            [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
            [ 'UserBuilding',   'Building',   'building',        0, 1, 'var', '', 0 ], # maybe like this?
            # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
            [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
            [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
            [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
        ],
'd be something like:

Code: Select all

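$Self->{TicketAcl}->{'200-ACL-Building1'} = {
   # match: customer users whose UserBuilding (from the CustomerUser Map) is Building1
   Properties => {
      CustomerUser => {
         UserBuilding => ['Building1'],
      }
   },
   # result: only this queue remains selectable
   Possible => {
      Ticket => {
          Queue => ['Building1']
      }
   }
};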
 
Your results may vary, and you may need PossibleNot to remove unwanted buildings.
pascalg

Re: LDAP Group and OTRS Group synchronization

Post by pascalg »

Thank you Crythias for the information.

Just for confirmation: by doing it that way, all the customers loaded will be in the default group 'user' and all I need to do is to set up the ACL to redirect the ticket to the group/queue, right?
But when the customer creates a ticket, he will have only the queues attached to the group 'user', right?
The problem is, I want the LDAP mapped user to be able to see only the queue related to his building when he creates a ticket. Is it possible?

I was also wondering if it is possible to give a value to a field by default in my CustomerUser Map?

Something like: when this map is loaded, I have BUILDING1 at the front end in the field building.
I tried to put "building => ['BUILDING1']," or "building => 'BUILDING1'," before the map load, but it didn't work because I am not sure how I can put the value BUILDING1.

building => ['BUILDING1'],
# Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
[ 'UserTitle', 'Title', 'title', 1, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'uid', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
[ 'UserBuilding', 'Building', 'building', 0, 1, 'var', '', 0 ], # maybe like this?
# [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
Last edited by pascalg on 17 Jan 2013, 03:15, edited 2 times in total.
crythias

Re: LDAP Group and OTRS Group synchronization

Post by crythias »

pascalg wrote: building => ['BUILDING1'],
Don't do this. You should have some sort of indicator as an ldap attribute what building a customer belongs to. If you're only using OU for this purpose, I can't help you. You *might* be successful in parsing out this information from the DN, but I won't be the first to work with you on that. However, if you select all of the people in an OU in ADUC, you can easily assign a value to an ldap attribute to everyone at once. Boom. Problem solved. Now use that attribute's name in the map.

The Map is a mapping between the variable used internally by OTRS and the LDAP attribute in which the variable is stored. You need ALL of CustomerUser for this.

pascalg wrote: all the customer loaded will be in the default group 'user' and all I need to do is to play with ACL to redirect the ticket to the group/queue, right?
No. All the customers will be loaded into all the groups listed in CustomerGroupsAlwaysGroups. viewtopic.php?t=16064&p=63132#p63132
BY DEFAULT, a customer is a member of "users", BUT when you start segregating your queues among groups for agents, the customer is not a member of those groups, and therefore cannot see or post to the queues in those groups.

I hope not to confuse matters by indicating that customers will be able to see the queues once members of the queue's group(s), but not other people's tickets for those queues.
pascalg

Re: LDAP Group and OTRS Group synchronization

Post by pascalg »

crythias wrote: you can easily assign a value to an ldap attribute to everyone at once. Boom. problem solved. Now use that attribute's name in the map.
I thought of that, but I was trying to avoid that way in case someone creates a new user on LDAP and doesn't do a copy from an existing user or doesn't fill in that field. That is why I was trying to do a mapping by OU and fill in one of the fields in an automatic way. I wish I could fill in one of the fields in the mapping with a specific value.

crythias wrote: No. All the customers will be loaded into all the groups listed in CustomerGroupsAlwaysGroups. viewtopic.php?t=16064&p=63132#p63132
BY DEFAULT, a customer is a member of "users", BUT when you start segregating your queues among groups for agents, the customer is not a member of those groups, and therefore cannot see or post to the queues in those groups.
I see, so when the customer creates a ticket, he will have only the queues attached to the group 'user' or defined in CustomerGroupsAlwaysGroups, right?
The problem is, I want the LDAP mapped user to be able to see only the queue related to his building when he creates a ticket. Is it possible?

Or maybe I should just take off the option of selecting which queue, since the ticket is redirected to a group. Can I take off the option of queue when the customer creates a ticket? Will it work?
crythias

Re: LDAP Group and OTRS Group synchronization

Post by crythias »

You must select a queue. Group membership tells you queues you can select. ACL restricts them.

Like I said, if you don't have an ldap attribute that tells the building, all you have left is parsing out the ou from the dn. Your question has been answered.
pascalg

Re: LDAP Group and OTRS Group synchronization

Post by pascalg »

crythias wrote: You must select a queue. Group membership tells you queues you can select. ACL restricts them.

Like I said, if you don't have an ldap attribute that tells the building, all you have left is parsing out the ou from the dn. Your question has been answered.
It is what I am doing, uploading the map by OU from the DN, but I wasn't able to figure out how to fill in one of the fields during the mapping with a specific value, like BUILDING1 at the front end in the field building. So I can use the ACL to put these tickets by using UserBuilding in the right group and queue.

I added the line in my mapping " [ 'UserBuilding', 'Building', 'building', 0, 1, 'var', '', 0]," but I don't have any value of building on my ldap for building or others, that is why I do it by OU from the DN, and like I said previously I wasn't able to put a value by default to the storage/variable "building".

If I am able just to put a value on userbuilding by default (such as building1 for map dn1, building2 for map dn2), all my issues will be solved. :)

Any clue for that one?
crythias

Re: LDAP Group and OTRS Group synchronization

Post by crythias »

No. There is no provision for what you want. It has to be developed.
pascalg

Re: LDAP Group and OTRS Group synchronization

Post by pascalg »

crythias wrote:No. There is no provision for what you want. It has to be developed.
Thank you for the information
Last edited by pascalg on 29 Jan 2013, 00:07, edited 2 times in total.
crythias

Re: LDAP Group and OTRS Group synchronization

Post by crythias »

pascalg wrote:is it all i need? Do I need to add more information/code?
You should be able to answer that question yourself. If it works the way you want, that's all that's needed. If it does not, you'd ask a different question.
Locked
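
The per-building ACL in the thread only matches customers whose UserBuilding holds the expected value, so an entry with an empty or wrong attribute is not restricted by it and keeps every queue its groups allow. The Perl script below is an added example (not code from the thread or from OTRS) that audits for this by parsing the building OU out of each DN and comparing it with the attribute. The attribute name `building` is the hypothetical one from the Map line in the thread; the function names, sample DNs and the `example.org` base are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Building OUs that sit directly under OU=IT in the layout described in the thread.
my %KNOWN_BUILDING = map { lc($_) => $_ } qw(Building1 Building2 Building3);

# Return the building OU a DN sits under, or undef if the DN is malformed
# or does not pass through OU=<building>,OU=IT.
sub building_from_dn {
    my ($dn) = @_;
    # Split on unescaped commas; "\," inside a value stays part of that value.
    my @parts = $dn =~ /\G((?:[^\\,]|\\.)+)(?:,|\z)/g;
    return undef if join( ',', @parts ) ne $dn;    # empty RDN such as "uid=x,,OU=y"
    my @rdns;
    for my $part (@parts) {
        my ( $type, $value ) = $part =~ /^\s*([A-Za-z][\w.-]*)\s*=\s*(.*?)\s*$/
            or return undef;                       # RDN without "type=value"
        push @rdns, [ lc $type, $value ];
    }
    for my $i ( 1 .. $#rdns ) {
        next unless $rdns[$i][0] eq 'ou' && lc( $rdns[$i][1] ) eq 'it';
        my ( $type, $value ) = @{ $rdns[ $i - 1 ] };    # RDN just below OU=IT
        return $type eq 'ou' ? $KNOWN_BUILDING{ lc $value } : undef;
    }
    return undef;
}

# Compare the OU-derived building with the attribute the CustomerUser Map reads.
# The comparison is exact because the ACL lists the literal value 'Building1'.
sub audit_entry {
    my ($entry) = @_;
    my $from_dn = building_from_dn( $entry->{dn} );
    my $attr    = $entry->{building};
    return 'UNPLACED: DN malformed or not under a known building OU'
        if !defined $from_dn;
    return "MISSING: attribute empty, OU says $from_dn"
        if !defined $attr || $attr eq '';
    return "MISMATCH: attribute '$attr', OU says $from_dn"
        if $attr ne $from_dn;
    return 'OK';
}

# Constructed sample entries (in practice these would come from an LDAP search).
my @entries = (
    { dn => 'uid=asmith,OU=Student,OU=Building1,OU=IT,DC=example,DC=org',  building => 'Building1' },
    { dn => 'uid=bjones,OU=Admin,OU=Building2,OU=IT,DC=example,DC=org',    building => '' },
    { dn => 'uid=clee,OU=Academic,OU=Building3,OU=IT,DC=example,DC=org',   building => 'Building1' },
    { dn => 'uid=dkhan,OU=Contractors,OU=IT,DC=example,DC=org',            building => 'Building2' },
    { dn => 'uid=evega,,OU=StudentOU=Building3,OU=IT,DC=example,DC=org',   building => 'Building3' },
);

for my $entry (@entries) {
    printf "%-66s %s\n", $entry->{dn}, audit_entry($entry);
}
```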