LDAP group inheritance issue

[cbruigom]

Hi There,

I am having an issue with LDAP inheritance. Basically OTRS is setup to connect to and LDAP backend, with sync option on as well as role sync. Whats happening is that if the permission is assigned directly to the person in AD that person can sign into OTRS, if its assigned indirectly through a group in AD the user cant login, the error received in the log is No user Found.

There is already on old OTRS instance using this same LDAP configuration and it is working ok, with installing OTRS 5 on a new instance and replicating the LDAP config we experience this issue.

Has anyone experienced this before, and if so any ideas what it might be?

Thanks!

[Charmacas]

As far as I know OTRS is not able to handle nested groups.

But there is already a open commit which caught the attention of the developers.

https://github.com/OTRS/otrs/pull/1344

[jojo]

it is possible with a special ldap search query (search Microsofts Knoledge Base to find out the strin)

[cbruigom]

Thanks jojo,

I found this on KB which shows the filter, thought I would add it here. I am awaiting feedback from the ldap admins on the article and will give feedback here if this solved it.

https://social.technet.microsoft.com/Fo ... inserverDS

[root]

Seet https://msdn.microsoft.com/en-us/librar ... s.85).aspx and look for LDAP_MATCHING_RULE_IN_CHAIN That's all you need