Previously I created groups and roles, and assigned these to each other, using the root@local account on a brand new server.
Following the documentation and as many topics as I could find here, I have successful LDAP authentication with all my users. The only thing I'm now struggling with is the role sync.
When a user successfully authenticates, they can see the dashboard and set user preferences (like timezone), and all seems to be fine; the user just doesn't have any permissions (groups or roles) attached.
In MySQL a new user is created in the "users" table, with information like last name pulled from LDAP. There are, however, no added rows in the "role_user" table (or in "group_user" for that matter, although I wasn't expecting that anyway).
I do not see any errors in the OTRS log file, messages, or the HTTPS access/error logs.
My configuration looks as follows:
$Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '192.168.32.8';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=COMPANY,dc=lan';
$Self->{'AuthModule::LDAP::UID'} = 'SamAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,ou=System Accounts,dc=COMPANY,dc=lan';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'Password';

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync the following group with rw permission after the initial creation of an
# agent on first login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

$Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule::LDAP::Host'} = '192.168.32.8';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=COMPANY,dc=lan';
$Self->{'AuthSyncModule::LDAP::UID'} = 'SamAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrs,ou=System Accounts,dc=COMPANY,dc=lan';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'Password';

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    # ldap group => otrs role(s)
    'cn=SP,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'SP' => 1,
    },
    'cn=NOC,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'NOC' => 1,
    },
    'cn=SD,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'SD' => 1,
    },
    'cn=SALES,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        # the opening quote was missing here in the original post
        'Sales' => 1,
    },
    'cn=BD,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'BD' => 1,
    },
    'cn=FINANCE,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'Finance' => 1,
    },
    'cn=IT,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'IT'    => 1,
        'admin' => 1,
    },
    'cn=DEP HEADS,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'Management' => 1,
    },
};

$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    # ldap group => otrs group => permissions
    'cn=SP,ou=GROUPS,ou=Employees,dc=COMPANY,dc=lan' => {
        'admin' => {
            rw => 1,
            ro => 1,
        },
    },
};
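As an added illustration that is not part of the post above and not OTRS's own code, here is a small Python model of the per-group lookup that the sync module performs for each key of UserSyncRolesDefinition. It assumes, taken from OTRS's shipped defaults rather than from the post, that the attribute searched for membership comes from AuthSyncModule::LDAP::AccessAttr (default memberUid) and that AuthSyncModule::LDAP::UserAttr decides whether the user's UID or full DN is matched against it; the directory entries and user are constructed.

```python
# Added example (not the poster's config, not OTRS source): a model of the
# group-membership check behind AuthSyncModule::LDAP::UserSyncRolesDefinition.
# Assumed (OTRS defaults, not stated on the page): the sync searches each
# configured group DN with the filter (<AccessAttr>=<value>), AccessAttr
# defaults to 'memberUid', and UserAttr chooses UID or DN as <value>.

# Constructed sample directory. Active Directory groups store members as full
# DNs in 'member'; they carry no 'memberUid' attribute at all.
DIRECTORY = {
    "cn=SP,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan": {
        "member": ["CN=Jane Doe,OU=Employees,DC=COMPANY,DC=lan"],
    },
    "cn=IT,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan": {
        "member": ["CN=Jane Doe,OU=Employees,DC=COMPANY,DC=lan",
                   "CN=John Roe,OU=Employees,DC=COMPANY,DC=lan"],
    },
}

# Two entries from the poster's mapping, in the same shape.
ROLES_DEFINITION = {
    "cn=SP,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan": {"SP": 1},
    "cn=IT,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan": {"IT": 1, "admin": 1},
}


def synced_roles(user_uid, user_dn, access_attr="memberUid", user_attr="UID",
                 roles_definition=ROLES_DEFINITION, directory=DIRECTORY):
    """Return the set of OTRS roles the sync would grant to this user.

    <value> is the UID (the sAMAccountName here) when user_attr is 'UID' and
    the user's DN otherwise; DNs are compared case-insensitively as LDAP does.
    """
    value = user_uid if user_attr == "UID" else user_dn
    roles = set()
    for group_dn, role_map in roles_definition.items():
        # A live sync issues an LDAP search on group_dn; here it is a dict lookup.
        members = directory.get(group_dn, {}).get(access_attr, [])
        if any(m.lower() == value.lower() for m in members):
            roles.update(role for role, enabled in role_map.items() if enabled)
    return roles


if __name__ == "__main__":
    jane = ("jdoe", "CN=Jane Doe,OU=Employees,DC=COMPANY,DC=lan")
    # Defaults: filter (memberUid=jdoe) matches no AD group, so no roles.
    print(sorted(synced_roles(*jane)))                  # []
    # AccessAttr='member', UserAttr='DN': filter (member=<user DN>) matches.
    print(sorted(synced_roles(*jane, "member", "DN")))  # ['IT', 'SP', 'admin']
```

The same check against the real directory is to confirm that each group entry named in the mapping actually lists the agent in the attribute the sync is configured to search; an empty result there explains an empty role_user table without any log error.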