Agent LDAP - Initial sync with otrs role

Moderator: crythias

Giulio Soleni
Znuny wizard
Posts: 392
Joined: 30 Dec 2010, 14:35
Znuny Version: 6.0.x and 5.0.x
Real Name: Giulio Soleni
Company: IKS srl

Agent LDAP - Initial sync with otrs role

Post by Giulio Soleni »

Hi,
I've successfully tested the Agent LDAP (actually MS Active Directory) integration.
Now I have defined a Role in otrs and I'd like to find a way to set up a sync of the agents with this role at their first logon to the system.

Up to now I have tested the sync with the otrs group 'users', using the code suggested in the manuals:


# sync following group with rw permission after initial create of first agent login
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];
I'd like to use something like that, but for otrs roles.

I think I found something, browsing the forum, about a UserSyncRolesDefinition... but it's all in German and, alas, I cannot understand it.

Any help appreciated.

Giulio
OTRS 6.0.x on CentOS 7.x with MariaDB 10.2.x database connected to an Active Directory for Agents and Customers.
ITSM and FAQ modules installed.
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Agent LDAP - Initial sync with otrs role

Post by crythias »

OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: Agent LDAP - Initial sync with otrs role

Post by Giulio Soleni »

Hi crythias,
yes I have seen that link and I checked for that solution... but it doesn't seem to work.
This is the Agent authentication part of my Config.pm adapted to my environment:


$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'} = 'x-dc1.iks.local';
$Self->{'AuthModule::LDAP::BaseDN1'} = 'DC=iks,DC=local';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=OTRS_Agents,OU=Liste e Gruppi,DC=iks,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=x-ldap,OU=Utenze di Servizio,DC=iks,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'xxxxxx';
# in case you want to normalize each login name to lowercase
$Self->{'AuthModule::LDAP::UserLowerCase1'} = 0;
# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params1'} = {
    port => 389,
    timeout => 120,
    async => 0,
    version => 3,
};
$Self->{'AuthModule::LDAP::Die1'} = 1;

# Sync data from MS ActiveDirectory to OTRS DB
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'} = 'x-dc1.iks.local';
$Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'DC=iks,DC=local';
$Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=x-ldap,OU=Utenze di Servizio,DC=iks,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'xxxxxx';
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition1'} = {
    # ldap group
    'CN=OTRS_Agents,OU=Liste e Gruppi,DC=iks,DC=local' => {
        # otrs role
        'IKS_Interni_role' => 1,
    }
};
The otrs role I defined is 'IKS_Interni_role' and the LDAP group is OTRS_Agents, which I assume should be the same one I defined to "segregate" the AD users in $Self->{'AuthModule::LDAP::GroupDN1'}.

Do you see any mistake?

Thank you
Giulio

Edit: there was a typo in my original post, 'AuthSyncModule::LDAP::UserSyncRolesDefinition' instead of 'AuthSyncModule::LDAP::UserSyncRolesDefinition1'... nevertheless the issue still persists...

Re: Agent LDAP - Initial sync with otrs role

Post by crythias »

This is the entry from Defaults.pm:


    # AuthSyncModule::LDAP::UserSyncRolesDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs roles, define the following.)
#    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
#        # ldap group
#        'cn=agent,o=otrs' => {
#            # otrs role
#            'role1' => 1,
#            'role2' => 0,
#        },
#        'cn=agent2,o=otrs' => {
#            'role3' => 1,
#        }
#    };

Re: Agent LDAP - Initial sync with otrs role

Post by Giulio Soleni »

Thank you crythias,
indeed I checked that solution, as you can see from my post above, but I get quite the opposite behaviour to what is expected:
as soon as I log in with an agent (say agent1), not only are the role permissions not assigned to that user but, in case they were previously assigned to agent1 via root@localhost, they are revoked every time agent1 tries to log in to the console.

Just to repeat my settings and what I'd like to have:
1. I have defined some groups, say grp1; grp2; grp3;
2. I have defined some queues related to these groups: say que1 -> grp1; que2 -> grp2; que3 -> grp3;
3. I have defined the 'IKS_Interni_role'
4. I have mapped (Role<->Group) full control over grp1; grp2; grp3; for 'IKS_Interni_role'

What I'd like is that on logon agent1 is automatically granted full control over grp1; grp2; grp3; that is, I'd like to assign 'IKS_Interni_role' to agent1 as soon as he logs in to the console for the first time.

Maybe I misunderstood the meaning of this parameter... but if this is actually the case I think I will only use groups, as I did before... even though the role assignment would be much easier to maintain.

There are also some other "sync" settings in the Defaults.pm file that I would like to understand, but I cannot find any documentation about them...
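The revoke-on-login behaviour described above can be reasoned about with a small model of how a group-to-role definition is reconciled at login. This is an added example written for this thread, not code from OTRS/Znuny; it assumes (as a labelled simplification) that every role named in the definition is reset to 0 and then set to the mapped value for each LDAP group the agent is actually found in, while roles not named in the definition are left alone. The DNs and the `sync_roles` / `normalize_dn` helpers are constructed for the example.

```python
# Added example (not OTRS/Znuny code): simplified model of reconciling a
# UserSyncRolesDefinition-style mapping when an agent logs in.
# Assumed rule: roles named anywhere in the definition start at 0 and are
# set to the mapped value for each group the agent is a member of.

def normalize_dn(dn: str) -> str:
    """AD distinguished names are case-insensitive; compare canonical forms."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def sync_roles(user_dn, definition, group_members, current_roles):
    """Return the role map an agent ends up with after one login sync.

    definition:    {group DN: {role name: 1 or 0}}
    group_members: {group DN: set of member DNs} (the AD 'member' attribute)
    current_roles: {role name: 1 or 0} as stored before the login
    """
    user = normalize_dn(user_dn)
    desired = {role: 0 for roles in definition.values() for role in roles}
    for group_dn, roles in definition.items():
        members = {normalize_dn(m) for m in group_members.get(group_dn, ())}
        if user in members:
            desired.update(roles)
    result = dict(current_roles)
    result.update(desired)          # definition wins for the roles it names
    return result


# Constructed sample data modelled on the DNs used in the thread.
AGENTS_GROUP = "CN=OTRS_Agents,OU=Liste e Gruppi,DC=iks,DC=local"
DEFINITION = {AGENTS_GROUP: {"IKS_Interni_role": 1}}
MEMBERS = {AGENTS_GROUP: {"cn=Agent1,ou=Utenti,dc=iks,dc=local"}}  # constructed
BEFORE_LOGIN = {"IKS_Interni_role": 1, "manually_granted": 1}


def membership_found():
    # Lookup keyed by the agent's full DN: the group matches, the role stays 1.
    return sync_roles("CN=agent1,OU=Utenti,DC=iks,DC=local",
                      DEFINITION, MEMBERS, BEFORE_LOGIN)


def membership_not_found():
    # Lookup keyed by the wrong identifier (the login name instead of the DN):
    # no group matches, so every role in the definition is reset to 0, which
    # is the "revoked at every login" effect reported in the thread. Roles the
    # definition never mentions ('manually_granted') are untouched.
    return sync_roles("agent1", DEFINITION, MEMBERS, BEFORE_LOGIN)
```

Feeding a real definition and the real group memberships into `sync_roles` gives a dry run of what a login would do before touching the live configuration.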

Re: Agent LDAP - Initial sync with otrs role

Post by crythias »

It has been suggested to ignore *agent* groups altogether and go straight to roles, if that's your goal, probably for this very reason.