Re: [otrs] LDAP tls authentication Fun

2009-08-07 Thread Michiel Beijen
Hi Rory and Mauricio,

Let me first state that if you have configured the AuthSyncModule,
OTRS will sync agent data every time a user logs in to OTRS. If you'd
change the user properties in Active Directory, they would be updated
in OTRS as soon as the agent logs in.
And of course, if the account is disabled in the AD, the user will not
be able to log in to OTRS.

The UserSyncInitialGroups can be used to define a standard group for
every user from a certain source. For instance, you could define it so
that every LDAP user is automatically put in the groups Users and FAQ.

If you would like to manage your OTRS groups from your LDAP source,
that is also possible. Please look into the Defaults.pm file, under
UserSyncGroupsDefinition: modify, unquote and put into your Custom.pm.

Regards,

Michiel

    # AuthSyncModule::LDAP::UserSyncGroupsDefinition
    # (If LDAP was selected for AuthModule and you want to sync LDAP
    # groups to otrs groups, define the following.)
#    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
#        # ldap group
#        'cn=agent,o=otrs' => {
#            # otrs group
#            'admin' => {
#                # permission
#                rw => 1,
#                ro => 1,
#            },
#            'faq' => {
#                rw => 0,
#                ro => 1,
#            },
#        },
#        'cn=agent2,o=otrs' => {
#            'users' => {
#                rw => 1,
#                ro => 1,
#            },
#        }
#    };

    # AuthSyncModule::LDAP::UserSyncRolesDefinition
    # (If LDAP was selected for AuthModule and you want to sync LDAP
    # groups to otrs roles, define the following.)
#    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
#        # ldap group
#        'cn=agent,o=otrs' => {
#            # otrs role
#            'role1' => 1,
#            'role2' => 0,
#        },
#        'cn=agent2,o=otrs' => {
#            'role3' => 1,
#        }
#    };



--
Michiel Beijen
Software Consultant
+31 6 - 457 42 418
Bee Free IT + http://beefreeit.nl



-
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs

NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW!
http://www.otrs.com/en/support/enterprise-subscription/
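
How the UserSyncGroupsDefinition quoted in the message above turns LDAP memberships into OTRS group permissions, as an added example that is not part of the original thread and is not OTRS's own code. The function names, the DN normalisation and the sample user are assumptions made for illustration, as is the merge rule noted in the comments.

```perl
use strict;
use warnings;

# Definition from Michiel's message, with the comment markers removed.
my %definition = (
    'cn=agent,o=otrs' => {
        'admin' => { rw => 1, ro => 1 },
        'faq'   => { rw => 0, ro => 1 },
    },
    'cn=agent2,o=otrs' => {
        'users' => { rw => 1, ro => 1 },
    },
);

# Simplified DN comparison (assumption): lower-case, no spaces around ',' and '='.
sub normalize_dn {
    my ($dn) = @_;
    $dn = lc $dn;
    $dn =~ s/\s*([,=])\s*/$1/g;
    $dn =~ s/^\s+|\s+$//g;
    return $dn;
}

# Effective OTRS group permissions for a user's LDAP groups.
# Assumption: a 1 from any matching LDAP group grants the permission,
# and a 0 never revokes a grant made by another LDAP group.
sub effective_permissions {
    my ( $def, @member_of ) = @_;
    my %is_member = map { normalize_dn($_) => 1 } @member_of;
    my %effective;
    for my $ldap_group ( sort keys %{$def} ) {
        next if !$is_member{ normalize_dn($ldap_group) };
        for my $otrs_group ( sort keys %{ $def->{$ldap_group} } ) {
            my $perms = $def->{$ldap_group}{$otrs_group};
            for my $perm ( sort keys %{$perms} ) {
                $effective{$otrs_group}{$perm} ||= $perms->{$perm} ? 1 : 0;
            }
        }
    }
    return \%effective;
}

# Constructed sample user who is a member of both LDAP groups.
my $result = effective_permissions( \%definition,
    'CN=agent, O=otrs', 'cn=agent2,o=otrs' );
for my $group ( sort keys %{$result} ) {
    my @granted = grep { $result->{$group}{$_} } sort keys %{ $result->{$group} };
    print "$group: ", ( join( ',', @granted ) || 'none' ), "\n";
}
```

In this definition, membership of cn=agent,o=otrs yields rw on the OTRS admin group, so write access to that LDAP group is equivalent to OTRS admin access.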

Re: [otrs] LDAP tls authentication Fun

2009-08-07 Thread Rory
Hi Michiel,

Thanks for the info. I'm trying to use the SyncRolesDefinition and
I've added the following to the config;

    # Sync LDAP group to role in OTRS
    # AuthSyncModule::LDAP::UserSyncRolesDefinition
    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {

        # ldap group
        'CN=IT,OU=Groups,OU=IT,OU=Departments' => {
            # otrs role
            'r_IT' => 1,
        },

    };

I prefix all my roles in otrs with r_ to try to keep things clear
(group with g_ too)


Support my 365 Challenge in aid of the Irish Cancer Society

www.365challenge.ie



Re: [otrs] LDAP tls authentication Fun

2009-08-07 Thread Rory
Nuts, hit send too early.

So I've added the following to the config;

   # Sync LDAP group to role in OTRS
   # AuthSyncModule::LDAP::UserSyncRolesDefinition
   $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {

       # ldap group
       'CN=IT,OU=Groups,OU=IT,OU=Departments' => {
           # otrs role
           'r_IT' => 1,
       },

   };

I prefix all my roles in otrs with r_ to try to keep things clear
(group with g_ too)
Does the ldap group use the baseDN specified in the Agent LDAP Auth config?

Do I need to use the attributes specified for group syncs when syncing roles?

i.e.
# Attributes needed for group syncs
# (attribute name for group value key)
#$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
# (attribute for type of group content UID/DN for full ldap name)
#$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'UID';
#$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';


Rory

Support my 365 Challenge in aid of the Irish Cancer Society

www.365challenge.ie



Re: [otrs] LDAP tls authentication Fun

2009-08-06 Thread Rory
2009/8/6 Mauricio Tavares raubvo...@gmail.com:

        I have no problems if otrs cannot edit ldap. What I would like is to
 be able to define which group someone belongs to in ldap and then otrs will
 see the groups memberships and then grant the said user rights according to
 the memberships.

I'm kinda guessing here but you may be able to find more with a quick google;
I think the following piece of config will add any user, who logs in
for the first time, to the specified group in OTRS

    # AuthSyncModule::LDAP::UserSyncInitialGroups
    # (sync following group with rw permission after initial create of first agent
    # login)
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

But that could be syncing groups from ldap to the DB. I know I've seen
more about this in the docs or on this list but I haven't found it yet.


        Well, what I have found so far (I might be wrong) is that the user
 has to be in the local db; the password can be kept in ldap but you have to
 create a user in otrs. What I did was after setting ldap up, I tried to
 login as one of the users from the ldap group (cn=users) I gave otrs as the
 GroupDN. It cheerfully ignored that user. Then I created a user with the
 same username inside otrs but did not give a password. I was able to login
 as the said user.

That fits with how I understand this to work. If you don't have the
sync config added it doesn't know to pull the user from ldap so it
can't find them in the DB and fails. Once you create them in the DB
you're golden.
The sync has the benefit that you can pull across some extra info into
the DB e.g.;

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        # DB -> LDAP
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

I wonder if that can be used to pull across the group info too?

 My ideas on this are all open to questioning tho as I don't know this for
 fact.

        Do you think I do? =) I am still figuring this program out.

I was kinda hoping somebody was gonna come along and tell me that I was right :)

Rory