Hi Jørn-Stian,

In my setup, we currently do something similar.

First of all, our Agents have to be members of the OTRS_Agents group to be able 
to log in to OTRS.
We take care of that part in the LDAP Authentication part, with these lines:

    # Check if member of AD group before agent login.
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS_Agents,OU=OTRS,DC=domain,DC=local';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

Second, we sync to OTRS roles (not groups), and then map the roles to groups in 
OTRS itself.
We do the sync with these lines:

    # AuthSyncModule::LDAP::UserSyncRolesDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs roles, define the following.)
    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
        # AD/LDAP group
        'CN=OTRS_Admins,OU=OTRS,DC=domain,DC=local' => {
            # OTRS role
            'Admins' => 1,
        },
        'CN=OTRS_Queue1,OU=OTRS,DC=domain,DC=local' => {
            'OTRS_Queue1' => 1,
        },
        'CN=OTRS_Queue2,OU=OTRS,DC=domain,DC=local' => {
            'OTRS_Queue2' => 1,
        },
    };

Inside OTRS, we have groups and roles like:

    Queue1
    Queue2
    Admins

The groups have been granted access to the specific queues and admin area.
The groups and roles are then mapped as appropriate.

Hope that helps

--
/Sune T.

From: otrs-boun...@otrs.org [mailto:otrs-boun...@otrs.org] On Behalf Of 
Jørn-Stian Lønsetteig
Sent: 9. januar 2012 17:35
To: otrs@otrs.org
Subject: [otrs] Assigning queue and roles from AD groups

I've installed and configured OTRS to work with AD, and have gotten it to grant 
access to members of two specific groups (basically by duplicating the existing 
directives). I'd like to assign OTRS-roles and/or queue affinity based on this. 
Ideally, I'd create a group structure similar to this:

OTRS_Admin, OTRS_Agent, OTRS_Queue1 and OTRS_Queue2.

Users that are members of the OTRS_Admin group would be assigned to the Admin 
group, the users that are members of the OTRS_Queue1 group would be assigned queue 
access and so on.
In the default/suggested settings, there's a directive that's called 
AuthSyncModule::LDAP::UserSyncInitialGroups that adds the user to the "users" 
group. How can I make that happen for only one of the groups, and then do the 
same for another?

Best regards

Jørn-Stian Lønsetteig

---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
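The two snippets in the reply above, placed in one Kernel/Config.pm fragment together with the connection settings the sync module reads on its own; this is an added example, not configuration posted by either participant. The host name, bind account and password are constructed placeholders, and the commented block at the end is the group-based variant (using the Queue1 group name from the reply) for setups that map AD groups straight to OTRS groups rather than roles.

```perl
use strict;
use warnings;

# Stand-in for the $Self hash inside sub Load of Kernel/Config.pm so this
# fragment compiles on its own; in Config.pm keep only the assignments.
my $Self = {};

# Placeholders (assumptions, not from the thread): host, bind DN, password.
my $Host   = 'ldaps://dc1.domain.local';
my $BindDN = 'CN=otrs_bind,OU=OTRS,DC=domain,DC=local';
my $BindPw = 'CHANGE_ME';

# 1) Login gate: only members of OTRS_Agents may authenticate as agents.
$Self->{'AuthModule'}                     = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}         = $Host;
$Self->{'AuthModule::LDAP::BaseDN'}       = 'DC=domain,DC=local';
$Self->{'AuthModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = $BindDN;
$Self->{'AuthModule::LDAP::SearchUserPw'} = $BindPw;
$Self->{'AuthModule::LDAP::GroupDN'}      = 'CN=OTRS_Agents,OU=OTRS,DC=domain,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr'}   = 'member';
$Self->{'AuthModule::LDAP::UserAttr'}     = 'DN';

# 2) Sync: the sync module uses its own AuthSyncModule::LDAP::* keys, so the
#    connection and the member/DN attributes are repeated here for AD.
$Self->{'AuthSyncModule'}                     = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}         = $Host;
$Self->{'AuthSyncModule::LDAP::BaseDN'}       = 'DC=domain,DC=local';
$Self->{'AuthSyncModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = $BindDN;
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = $BindPw;
$Self->{'AuthSyncModule::LDAP::AccessAttr'}   = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr'}     = 'DN';

# AD group => OTRS role, exactly as in the reply. The roles must already
# exist in OTRS and be mapped to groups there.
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    'CN=OTRS_Admins,OU=OTRS,DC=domain,DC=local' => { 'Admins'      => 1 },
    'CN=OTRS_Queue1,OU=OTRS,DC=domain,DC=local' => { 'OTRS_Queue1' => 1 },
    'CN=OTRS_Queue2,OU=OTRS,DC=domain,DC=local' => { 'OTRS_Queue2' => 1 },
};

# Group-based variant: per-AD-group OTRS group membership with explicit
# permissions, instead of one UserSyncInitialGroups list for every agent.
# $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
#     'CN=OTRS_Queue1,OU=OTRS,DC=domain,DC=local' => {
#         'Queue1' => { rw => 1, ro => 1 },
#     },
# };
```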
