I have configured an OTRS 5.0.6 with LDAP auth for the Agents.
I also use the AuthSyncModule, and it syncs LDAP groups to OTRS groups.
The following is sometimes in the log but nothing else:
[Mon Feb 15 10:46:43 2016] Config.pm: Subroutine Load redefined at /opt/otrs//Kernel/Config.pm line 24.
But: If I log in first as an admin user, I can see the administration and stats menus. After that I click to log out, then log in again, and those 2 menus are missing. I can't see them on every 2nd login.
If I comment out the stats group from the config and re-enable it before I won't see the admin menu then I will see the stats but won't see the admin menu and vice versa on the next login.
What could be the problem?
Here is my config:
# This is an example configuration for an LDAP auth. backend.
# (Make sure Net::LDAP is installed!)
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldaps://iaa.mycompany.com';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=mycompany,dc=com';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
# $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=mycompany,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
# $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'uid=otrs,ou=systems,dc=mycompany,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '**************';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.com
# $Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port => 636,
    timeout => 120,
    async => 0,
    version => 3,
};
# defines AuthSyncBackend (AuthSyncModule) for AuthModule
# # if this key exists and is empty, there won't be a sync.
# # example values: AuthSyncBackend, AuthSyncBackend2
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
#
# # agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'uniqueMember';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldaps://iaa.mycompany.com/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=mycompany,dc=com';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'uid=otrs, ou=systems, dc=mycompany, dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = '************';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    #
    # # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname => 'sn',
    UserEmail => 'mail',
};
# [...]
# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
#$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
# 'users',
#];
# AuthSyncModule::LDAP::UserSyncGroupsDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# groups to otrs groups, define the following.)
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    # # ldap group
    'cn=administrator,ou=otrs,ou=groups,dc=mycompany,dc=com' => {
        # otrs group
        'admin' => {
            # permission
            rw => 1,
            ro => 1,
        },
        'stats' => {
            rw => 1,
            ro => 1,
        },
    },
    # 'cn=agent2,o=otrs' => {
    #     'users' => {
    #         rw => 1,
    #         ro => 1,
    #     },
    # }
};