My agents authenticate against LDAP. Config will be at the end of my post.
At first, all Agents were in the group "OTRS_agent" with the permissions as laid out in the config.
Now, it has become necessary to give some agents Admin-priviliges. For this, I created the group "OTRS_admin" in my LDAP and added the mapping (as seen below) into Config.pm. Ran a Maint::Config::Rebuild and Maint::Cache::Delete just to be sure.
After l added the Agents to OTRS_admin I thought a simply re-login would be enough.
Apparently, this isn't the case. My own Agent-Login still doesn't have admin-rights and I'm not sure why.
How can I get OTRS to sync the Agent --> Group settings on each authentication or do something similar with the wanted effect?
# cat /opt/otrs/Kernel/Config.pm (anonymized)
Code: Select all
package Kernel::Config;
use strict;
use warnings;
use utf8;
sub Load {
my $Self = shift;
# The database host
$Self->{'DatabaseHost'} = '127.0.0.1';
$Self->{'Database'} = "otrs";
$Self->{'DatabaseUser'} = "otrs";
$Self->{'DatabasePw'} = 'secret';
$Self->{'DatabaseDSN'} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost}";
$Self->{Home} = '/opt/otrs';
# $Self->{SessionUseCookie} = 0;
# $Self->{CheckMXRecord} = 0;
# ==================================================== #
# BEGINNING LDAP CUSTOMER CONFIGURATION #
# ==================================================== #
# CustomerUser
# (customer ldap backend and settings)
$Self->{CustomerUser} = {
Name => 'auth.organisation.de LDAP',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
Host => 'auth.organisation.de',
BaseDN => 'ou=people,o=organisation',
SSCOPE => 'sub',
UserDN => '',
UserPw => '',
AlwaysFilter => '',
SourceCharset => 'utf-8',
DestCharset => 'utf-8',
Params => {
port => 389,
timeout => 120,
async => 0,
version => 3,
},
},
CustomerKey => 'uid',
CustomerID => 'mail',
CustomerUserListFields => ['cn', 'mail'],
CustomerUserSearchFields => ['uid', 'cn', 'mail', 'givenName', 'sn'],
CustomerUserSearchPrefix => '',
CustomerUserSearchSuffix => '*',
CustomerUserSearchListLimit => 250,
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
CustomerUserExcludePrimaryCustomerID => 0,
AdminSetPreferences => 0,
Map => [
# note: Login, Email and CustomerID are mandatory!
# var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
[ 'UserTitle', 'Title', 'title', 0, 0, 'var', '', 0 ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var', '', 0 ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var', '', 0 ],
[ 'UserLogin', 'Username', 'uid', 1, 1, 'var', '', 0 ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var', '', 0 ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var', '', 0 ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var', '', 0 ],
[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var', '', 0 ],
[ 'UserComment', 'Comment', 'description', 1, 0, 'var', '', 0 ],
],
};
# ==================================================== #
# BEGINNING LDAP AGENT CONFIGURATION #
# ==================================================== #
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule1'} = 'Kernel::System::Auth::DB';
$Self->{'AuthModule::LDAP::Host'} = 'auth.organisation.de';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=people,o=organisation';
$Self->{'AuthModule::LDAP::UID'} = 'uid';
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_agent,ou=group,o=organisation';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'auth.organisation.de';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'ou=people,o=organisation';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail'
};
$Self->{'AuthSyncModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = ['users'];
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'uid';
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
'cn=OTRS_admin,ou=group,o=organisation' => {
'admin' => {rw => 1,ro => 1,},
'faq' => {rw => 1,ro => 1,},
'faq_admin' => {rw => 1,ro => 1,},
'faq_approval' => {rw => 1,ro => 1,},
'itsm-change' => {rw => 1,ro => 1,},
'itsm-change-builder' => {rw => 1,ro => 1,},
'itsm-change-manager' => {rw => 1,ro => 1,},
'itsm-configitem' => {rw => 1,ro => 1,},
'itsm-service' => {rw => 1,ro => 1,},
'stats' => {rw => 1,ro => 1,},
'users' => {rw => 1,ro => 1,},
},
'cn=OTRS_agent,ou=group,o=organisation' => {
'admin' => {rw => 0,ro => 1,},
'faq' => {rw => 1,ro => 1,},
'faq_admin' => {rw => 1,ro => 1,},
'faq_approval' => {rw => 1,ro => 1,},
'itsm-change' => {rw => 1,ro => 1,},
'itsm-change-builder' => {rw => 1,ro => 1,},
'itsm-change-manager' => {rw => 1,ro => 1,},
'itsm-configitem' => {rw => 1,ro => 1,},
'itsm-service' => {rw => 1,ro => 1,},
'stats' => {rw => 1,ro => 1,},
'users' => {rw => 1,ro => 1,},
}
};
}
use base qw(Kernel::Config::Defaults);
1;
Andreas