Agent Groups via LDAP don't resync

Moderator: crythias

Syntaxerror
Znuny newbie
Posts: 3
Joined: 14 Sep 2016, 10:44
Znuny Version: 5.0.22
Real Name: Andreas Hummelbrunner
Company: Max-Planck-Institut für Astronomie

Agent Groups via LDAP don't resync

Post by Syntaxerror »

Hey,

My agents authenticate against LDAP. Config will be at the end of my post.
At first, all Agents were in the group "OTRS_agent" with the permissions as laid out in the config.

Now, it has become necessary to give some agents admin privileges. For this, I created the group "OTRS_admin" in my LDAP and added the mapping (as seen below) into Config.pm. Ran a Maint::Config::Rebuild and Maint::Cache::Delete just to be sure.

After I added the agents to OTRS_admin I thought a simple re-login would be enough.
Apparently, this isn't the case. My own Agent-Login still doesn't have admin-rights and I'm not sure why.

How can I get OTRS to sync the Agent --> Group settings on each authentication or do something similar with the wanted effect?

# cat /opt/otrs/Kernel/Config.pm (anonymized)


package Kernel::Config;

use strict;
use warnings;
use utf8;

sub Load {
    my $Self = shift;

    # The database host
    $Self->{'DatabaseHost'} = '127.0.0.1';
    $Self->{'Database'} = "otrs";
    $Self->{'DatabaseUser'} = "otrs";
    $Self->{'DatabasePw'} = 'secret';
    $Self->{'DatabaseDSN'} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost}";

    $Self->{Home} = '/opt/otrs';

    # $Self->{SessionUseCookie} = 0;
    # $Self->{CheckMXRecord} = 0;


    # ==================================================== #
    # BEGINNING LDAP CUSTOMER CONFIGURATION                #
    # ==================================================== #

# CustomerUser
# (customer ldap backend and settings)
$Self->{CustomerUser} = {
    Name => 'auth.organisation.de LDAP',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host => 'auth.organisation.de',
        BaseDN => 'ou=people,o=organisation',
        SSCOPE => 'sub',
        UserDN => '',
        UserPw => '',
        AlwaysFilter => '',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
        Params => {
            port => 389,
            timeout => 120,
            async => 0,
            version => 3,
        },
    },
    CustomerKey => 'uid',
    CustomerID => 'mail',
    CustomerUserListFields => ['cn', 'mail'],
    CustomerUserSearchFields => ['uid', 'cn', 'mail', 'givenName', 'sn'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var,               frontend,      storage,                shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserTitle',       'Title',       'title',                0,                       0,        'var',        '',        0 ],
        [ 'UserFirstname',   'Firstname',   'givenname',            1,                       1,        'var',        '',        0 ],
        [ 'UserLastname',    'Lastname',    'sn',                   1,                       1,        'var',        '',        0 ],
        [ 'UserLogin',       'Username',    'uid',                  1,                       1,        'var',        '',        0 ],
        [ 'UserEmail',       'Email',       'mail',                 1,                       1,        'var',        '',        0 ],
        [ 'UserCustomerID',  'CustomerID',  'mail',                 0,                       1,        'var',        '',        0 ],
        [ 'UserPhone',       'Phone',       'telephonenumber',      1,                       0,        'var',        '',        0 ],
        [ 'UserAddress',     'Address',     'postaladdress',        1,                       0,        'var',        '',        0 ],
        [ 'UserComment',     'Comment',     'description',          1,                       0,        'var',        '',        0 ],
    ],
};


    # ==================================================== #
    # BEGINNING LDAP AGENT CONFIGURATION                   #
    # ==================================================== #

$Self->{'AuthModule'}                         = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule1'}                        = 'Kernel::System::Auth::DB';
$Self->{'AuthModule::LDAP::Host'}             = 'auth.organisation.de';
$Self->{'AuthModule::LDAP::BaseDN'}           = 'ou=people,o=organisation';
$Self->{'AuthModule::LDAP::UID'}              = 'uid';
$Self->{'AuthModule::LDAP::GroupDN'}          = 'cn=OTRS_agent,ou=group,o=organisation';
$Self->{'AuthModule::LDAP::AccessAttr'}       = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'}         = 'UID';
$Self->{'AuthModule::LDAP::Params'}           = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

$Self->{'AuthModule::UseSyncBackend'}         = 'AuthSyncBackend';
$Self->{'AuthSyncModule'}                     = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}         = 'auth.organisation.de';
$Self->{'AuthSyncModule::LDAP::BaseDN'}       = 'ou=people,o=organisation';
$Self->{'AuthSyncModule::LDAP::UID'}          = 'uid';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'}  = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail'
};
$Self->{'AuthSyncModule::LDAP::Params'}       = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = ['users'];
$Self->{'AuthSyncModule::LDAP::AccessAttr'}            = 'memberUid';
$Self->{'AuthSyncModule::LDAP::UserAttr'}              = 'uid';

$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    'cn=OTRS_admin,ou=group,o=organisation' => {
        'admin'               => {rw => 1,ro => 1,},
        'faq'                 => {rw => 1,ro => 1,},
        'faq_admin'           => {rw => 1,ro => 1,},
        'faq_approval'        => {rw => 1,ro => 1,},
        'itsm-change'         => {rw => 1,ro => 1,},
        'itsm-change-builder' => {rw => 1,ro => 1,},
        'itsm-change-manager' => {rw => 1,ro => 1,},
        'itsm-configitem'     => {rw => 1,ro => 1,},
        'itsm-service'        => {rw => 1,ro => 1,},
        'stats'               => {rw => 1,ro => 1,},
        'users'               => {rw => 1,ro => 1,},
    },
    'cn=OTRS_agent,ou=group,o=organisation' => {
        'admin'               => {rw => 0,ro => 1,},
        'faq'                 => {rw => 1,ro => 1,},
        'faq_admin'           => {rw => 1,ro => 1,},
        'faq_approval'        => {rw => 1,ro => 1,},
        'itsm-change'         => {rw => 1,ro => 1,},
        'itsm-change-builder' => {rw => 1,ro => 1,},
        'itsm-change-manager' => {rw => 1,ro => 1,},
        'itsm-configitem'     => {rw => 1,ro => 1,},
        'itsm-service'        => {rw => 1,ro => 1,},
        'stats'               => {rw => 1,ro => 1,},
        'users'               => {rw => 1,ro => 1,},
    }
};
}
use base qw(Kernel::Config::Defaults);
1;
Thanks in advance,
Andreas
Using OTRS 5.0.22 on CentOS 7.3.1611 (Core) + MariaDB with:
  • OTRS: FAQ, ITSM
  • Znuny: QuickClose, ShowPendingTimeIfNeeded, SortByLastContact, Repo
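To make the posted UserSyncGroupsDefinition easier to reason about, here is a small model of how such an LDAP-group-to-OTRS-group map resolves for one agent. This is an added example, not code from Znuny/OTRS or from this thread, and it rests on two labelled assumptions: the sync starts from no permissions and applies the definitions in sorted DN order, and each definition sets both flags of every OTRS group it names, so an explicit `rw => 0` clears an `rw` that an earlier definition granted. The directory snapshot (posixGroup entries with memberUid) and the user names `alice` and `bob` are constructed. The `LEAST_PRIVILEGE_DEFINITION` variant, in which the agent definition only names groups it actually grants, is an assumption added to show the contrast; it is not a recommendation from the thread.

```python
"""Model of an LDAP group -> OTRS group/permission sync (added example).

Assumption 1: the sync starts from empty permissions and applies the
UserSyncGroupsDefinition entries in sorted DN order.
Assumption 2: a definition sets both flags of every OTRS group it names,
so rw => 0 in a later definition clears rw granted by an earlier one.
"""

# Constructed posixGroup entries. Keys and attribute names are lower-cased
# the way an LDAP client normalises them (LDAP attribute names are
# case-insensitive), which is why 'memberUid' and 'uid' both match.
LDAP_GROUPS = {
    "cn=otrs_admin,ou=group,o=organisation": {"memberuid": ["alice"]},
    "cn=otrs_agent,ou=group,o=organisation": {"memberuid": ["alice", "bob"]},
}

ACCESS_ATTR = "memberUid"  # mirrors AuthSyncModule::LDAP::AccessAttr in the post

# The definition from the post, reduced to three OTRS groups.
POSTED_DEFINITION = {
    "cn=OTRS_admin,ou=group,o=organisation": {
        "admin": {"rw": 1, "ro": 1},
        "stats": {"rw": 1, "ro": 1},
        "users": {"rw": 1, "ro": 1},
    },
    "cn=OTRS_agent,ou=group,o=organisation": {
        "admin": {"rw": 0, "ro": 1},  # explicit rw => 0 on the admin group
        "stats": {"rw": 1, "ro": 1},
        "users": {"rw": 1, "ro": 1},
    },
}

# Assumed alternative: the agent definition names only the groups it grants,
# so it cannot clear a flag that the admin definition set.
LEAST_PRIVILEGE_DEFINITION = {
    "cn=OTRS_admin,ou=group,o=organisation":
        POSTED_DEFINITION["cn=OTRS_admin,ou=group,o=organisation"],
    "cn=OTRS_agent,ou=group,o=organisation": {
        "stats": {"rw": 1, "ro": 1},
        "users": {"rw": 1, "ro": 1},
    },
}


def ldap_member(directory, group_dn, uid, access_attr=ACCESS_ATTR):
    """True if the group entry lists uid in its AccessAttr (memberUid)."""
    entry = directory.get(group_dn.lower())
    if entry is None:
        return False
    return uid in entry.get(access_attr.lower(), [])


def sync_permissions(directory, uid, definition):
    """Resolve the effective OTRS permissions for uid under the model.

    Returns {otrs_group: {"ro": bool, "rw": bool}} for every OTRS group
    named anywhere in the definition.
    """
    all_groups = {g for groups in definition.values() for g in groups}
    # Assumption 1: start from no permissions at all.
    effective = {g: {"ro": False, "rw": False} for g in all_groups}
    # Assumption 1: sorted DN order ('cn=OTRS_admin' sorts before 'cn=OTRS_agent').
    for group_dn in sorted(definition):
        if not ldap_member(directory, group_dn, uid):
            continue
        # Assumption 2: the definition sets both flags, zeros included.
        for otrs_group, perms in definition[group_dn].items():
            effective[otrs_group] = {
                "ro": bool(perms.get("ro", 0)),
                "rw": bool(perms.get("rw", 0)),
            }
    return effective


def matched_definitions(directory, uid, definition):
    """Which definition DNs apply to uid, in the order the model applies them."""
    return [dn for dn in sorted(definition) if ldap_member(directory, dn, uid)]


if __name__ == "__main__":
    for name, definition in (("posted", POSTED_DEFINITION),
                             ("least-privilege", LEAST_PRIVILEGE_DEFINITION)):
        for uid in ("alice", "bob"):
            applied = matched_definitions(LDAP_GROUPS, uid, definition)
            perms = sync_permissions(LDAP_GROUPS, uid, definition)
            print(f"{name:16} {uid:6} matched {len(applied)} definition(s); "
                  f"admin={perms['admin']}")
```

Under the model, `alice` is a member of both LDAP groups: with the posted definition the `OTRS_agent` entry is applied last and its `rw => 0` leaves her with read-only access to `admin`, while with the least-privilege variant she keeps `rw`. `bob`, who is only in `OTRS_agent`, never gains `admin` rw either way. Whether a real OTRS 5 sync behaves exactly like this model is the assumption to verify, for instance with the debug logging suggested later in the thread.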
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: Agent Groups via LDAP don't resync

Post by root »

Hi,

Did you use nested groups? This won't work without configuration changes.

- Roy
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes?
Syntaxerror
Znuny newbie
Posts: 3
Joined: 14 Sep 2016, 10:44
Znuny Version: 5.0.22
Real Name: Andreas Hummelbrunner
Company: Max-Planck-Institut für Astronomie

Re: Agent Groups via LDAP don't resync

Post by Syntaxerror »

Hey,

no, both groups are in ou=group,o=organization. All our Groups don't have any subordinates.
root
Administrator
Posts: 3934
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: Agent Groups via LDAP don't resync

Post by root »

Hi,

I recommend setting the log level to debug (SysConfig => Framework => Core::Log) and trying it again. You should find relevant log entries then.

- Roy