OTRS6 role sync from LDAP

n1els
OTRS newbie
Posts: 3
Joined: 22 Nov 2017, 12:18
OTRS Version?: 6 stable

OTRS6 role sync from LDAP

Post by n1els » 23 Nov 2017, 13:48

We've been using OTRS5 for quite some time now in our office, but I want to make our new OTRS6 make use of our LDAP (Zentyal pretending to be AD, but still running on Samba) so that I don't have to use local OTRS accounts anymore.

Previously I have created groups and roles, and assigned these to each other using the root@local account on a brand new server.

Following the documentation and as many topics as I could find here, I have successful LDAP authentication with all my users. The only thing I'm now struggling with is the role sync.

When a user successfully authenticates it can see the dashboard, it can set the user preferences (like timezone) and all seems to be fine, it just doesn't have any permissions (groups or roles) attached to it.

In MySQL a new user is created in the "users" table, with information like last name pulled from LDAP. There are however no added rows in table "role_user" (or even group_user for that matter, although I wasn't expecting that anyway).

I do not see any errors in the OTRS log file, messages or httpd access/error logs.

My configuration looks as follows:

Code:

$Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = '192.168.32.8';
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=COMPANY,dc=lan';
$Self->{'AuthModule::LDAP::UID'} = 'SamAccountName';

$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrs,ou=System Accounts,dc=COMPANY,dc=lan';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'Password';

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

$Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';

$Self->{'AuthModule::UseSyncBackend'} = 'AuthSyncBackend';

$Self->{'AuthSyncModule::LDAP::Host'} = '192.168.32.8';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=COMPANY,dc=lan';
$Self->{'AuthSyncModule::LDAP::UID'} = 'SamAccountName';

$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrs,ou=System Accounts,dc=COMPANY,dc=lan';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'Password';

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    # ldap group => otrs role(s)
    'cn=SP,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'SP' => 1,
    },
    'cn=NOC,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'NOC' => 1,
    },
    'cn=SD,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'SD' => 1,
    },
    'cn=SALES,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'Sales' => 1,
    },
    'cn=BD,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'BD' => 1,
    },
    'cn=FINANCE,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'Finance' => 1,
    },
    'cn=IT,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'IT'    => 1,
        'admin' => 1,
    },
    'cn=DEP HEADS,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan' => {
        'Management' => 1,
    },
};

$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    # ldap group
    'cn=SP,ou=GROUPS,ou=Employees,dc=COMPANY,dc=lan' => {
        # otrs group
        'admin' => {
            # permission
            rw => 1,
            ro => 1,
        },
    },
};

Any help to make me see what I'm overlooking would be greatly appreciated. (pretty sure it's something small)

wurzel
OTRS guru
Posts: 2413
Joined: 08 Jul 2010, 22:25
OTRS Version?: 6.0.x

Re: OTRS6 role sync from LDAP

Post by wurzel » 23 Nov 2017, 14:10

Hi,

I think you are missing

Code:

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
#    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
#    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
#    $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
#    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

Enable debug in Core::Log to see more log output.

Florian
((OTRS)) Community Edition 6.0.x, LAMP LIVE on Debian 9
OTRS 6 Managed Silver

-- I do not answer forum questions by PM - No PM please

I won't answer to unfriendly users any more. A greeting and regards are just polite.

n1els
OTRS newbie
Posts: 3
Joined: 22 Nov 2017, 12:18
OTRS Version?: 6 stable

Re: OTRS6 role sync from LDAP

Post by n1els » 23 Nov 2017, 16:01

Thanks Florian, enabling the debug helped a lot.

Code:

[Thu Nov 23 21:32:57 2017][Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: niels not in GroupDN='cn=SP,ou=GROUPS,OU=Employees,dc=ixs,dc=lan', Filter='(memberUid=CN=Niels LastName,OU=SP,OU=Employees,DC=COMPANY,DC=lan)'! (REMOTE_ADDR: 192.168.32.30).
(this repeats for all the LDAP groups that I want to parse into roles)

The problem is now a bit clearer: OTRS6 is trying to validate the group membership of my account by looking at the memberUid field, but in my setup memberUid is not set. It should look at the "member" attribute instead.

I took a look at the code snippet you provided, and that wasn't exactly what I was looking for (as that would, I think, require all my users to be a member of a single group before they can log in), but it wouldn't solve the error I was seeing in the debug log where OTRS was unable to confirm my group membership.

What did the trick was in your snippet, however; I noticed the line

Code:

#    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';

and that put me on the right track. I just had to find the appropriate Attr(ibute) line for the role sync and change the value to 'member'. After some looking around I found the following part:

Code:

    # Attributes needed for group syncs
    # (attribute name for group value key)
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';

Note how the comment mentions group syncs only, but the module name doesn't. All other properties mention very specifically whether it is for Groups or Roles or other things.

So I changed the line to this:

Code:

    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';

Restarted the httpd service and deleted the cache (just to be sure, I don't think it's actually necessary).

And voilà:

Code:

[Thu Nov 23 21:50:58 2017][Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: 'niels' sync ldap role Management!
[Thu Nov 23 21:50:59 2017][Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: 'niels' sync ldap role SP!
[Thu Nov 23 21:50:59 2017][Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: 'niels' sync ldap role IT!
[Thu Nov 23 21:50:59 2017][Notice][Kernel::System::Auth::Sync::LDAP::Sync] User: 'niels' sync ldap role admin!

So thanks a lot for pointing me in the right direction, Florian! I've been struggling with this for quite a few hours at work, saw the ticket reply notification and it seems to fully work now.

edit: fixed a typo

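An added Python model (not OTRS code and not from this thread) of the membership check behind the "not in GroupDN" log line above: each group DN in UserSyncRolesDefinition is searched with the filter (AccessAttr=<user value>), so AccessAttr 'memberUid' against AD-style groups that only carry 'member' matches nothing, while 'member' resolves the roles. The directory entries, the extra posixGroup entry and the UserAttr 'DN'/'UID' switch are constructed assumptions, added to show both attribute styles side by side.

```python
# Constructed model (not OTRS code) of the check behind the 'not in GroupDN' log line:
# each group DN in UserSyncRolesDefinition is searched with (AccessAttr=<value>), where
# <value> is the user's full DN (UserAttr 'DN', as in the log) or login (UserAttr 'UID').

DIRECTORY = {  # constructed sample entries: group DN -> attributes
    "cn=SP,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan": {
        "member": ["CN=Niels LastName,OU=SP,OU=Employees,DC=COMPANY,DC=lan"]},
    "cn=IT,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan": {
        "member": ["CN=Niels LastName,OU=SP,OU=Employees,DC=COMPANY,DC=lan"]},
    "cn=DEP HEADS,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan": {
        "member": ["CN=Niels LastName,OU=SP,OU=Employees,DC=COMPANY,DC=lan"]},
    "cn=NOC,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan": {
        "member": ["CN=Someone Else,OU=NOC,OU=Employees,DC=COMPANY,DC=lan"]},
    "cn=otrsposix,ou=posixGroups,dc=COMPANY,dc=lan": {"memberUid": ["niels"]},  # assumed
}

ROLES_DEFINITION = {  # same shape as $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'}
    "cn=SP,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan": {"SP": 1},
    "cn=NOC,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan": {"NOC": 1},
    "cn=IT,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan": {"IT": 1, "admin": 1},
    "cn=DEP HEADS,ou=GROUPS,OU=Employees,dc=COMPANY,dc=lan": {"Management": 1},
    "cn=otrsposix,ou=posixGroups,dc=COMPANY,dc=lan": {"Posix": 1},  # assumed
}

USER = {"dn": "CN=Niels LastName,OU=SP,OU=Employees,DC=COMPANY,DC=lan", "uid": "niels"}

def in_group(group_dn, user, access_attr, user_attr):
    """Emulate the search '(<access_attr>=<needle>)' scoped to the group entry."""
    entries = {dn.lower(): attrs for dn, attrs in DIRECTORY.items()}  # DNs compare case-insensitively
    entry = entries.get(group_dn.lower(), {})
    needle = user["dn"] if user_attr == "DN" else user["uid"]
    members = {v.lower() for v in entry.get(access_attr, [])}
    return needle.lower() in members, needle

def synced_roles(user, access_attr, user_attr="DN"):
    """Return (roles, log lines) the sync would produce with the given settings."""
    roles, log = set(), []
    for group_dn, role_map in ROLES_DEFINITION.items():
        ok, needle = in_group(group_dn, user, access_attr, user_attr)
        if ok:
            for role in (r for r, on in role_map.items() if on):
                roles.add(role)
                log.append(f"User: '{user['uid']}' sync ldap role {role}!")
        else:
            log.append(f"User: {user['uid']} not in GroupDN='{group_dn}', Filter='({access_attr}={needle})'!")
    return roles, log
```

Running synced_roles(USER, "memberUid") reproduces the failing log lines from the thread, and synced_roles(USER, "member") yields the four roles the final log shows.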