LDAP/AD group automatic sync

Moderator: crythias

OTRS newbie
Posts: 4
Joined: 20 Sep 2017, 13:36
OTRS Version?: 5.0.11

LDAP/AD group automatic sync

Post by caldrl » 06 Sep 2018, 09:11

Hi all,

Currently I'm trying to solve a quite complicated case. We have OTRS 5 implemented with LDAP sync (to our Active Directory). We have specified a few automatically assigned roles and groups via AD groups in Config.pm and everything works fine.

We are now solving the case when someone leaves one of the AD groups, or leaves the company. Then we still have an "active" user assigned to groups/roles which he should not be assigned to. After a successful login of the user, OTRS checks the AD groups and removes the user from unwanted groups. But until that login, other users can set the "unwanted user" as responsible, etc.

Is there any possibility to run some "AD sync" script automatically? Then there is the thing that the user can be disabled, so he cannot login - so it would be best to have some procedure which runs with some "AD admin credentials" and checks all OTRS users and their AD groups.

Do you know about some existing workaround? Or should I dive into the OTRS Perl sources and try to write this script by myself?

Thank you very much!
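The reconciliation step the post asks for (compare every OTRS user's role membership against the current AD group membership, and treat disabled or missing AD accounts as having no entitlements) can be sketched as a pure offline computation. The following is an added example, not OTRS code and not something the thread's participants wrote; it assumes the AD snapshot has already been fetched (for example with an LDAP client run under a dedicated read-only service account), and the role names, group DNs, usernames and `userAccountControl` values below are constructed sample data. The role-to-group mapping mirrors the idea of the Config.pm role sync but uses hypothetical names.

```python
"""Plan OTRS role changes from an Active Directory snapshot (added example).

The snapshot dictionaries below are constructed sample data standing in for
what an AD sync job would read over LDAP. Nothing here talks to OTRS or AD;
the functions only compute which memberships should be removed or added and
which OTRS accounts should be deactivated, so the result can be reviewed
before any write is made.
"""

# Bit 0x0002 of userAccountControl marks a disabled AD account.
ACCOUNT_DISABLED = 0x0002

# Hypothetical Config.pm-style mapping: OTRS role -> AD group that grants it.
ROLE_TO_AD_GROUP = {
    "helpdesk": "CN=OTRS-Helpdesk,OU=Groups,DC=example,DC=com",
    "admins": "CN=OTRS-Admins,OU=Groups,DC=example,DC=com",
}

# Constructed AD snapshot: group DN -> member sAMAccountNames.
AD_GROUP_MEMBERS = {
    "CN=OTRS-Helpdesk,OU=Groups,DC=example,DC=com": {"alice", "bob"},
    "CN=OTRS-Admins,OU=Groups,DC=example,DC=com": {"carol"},
}

# Constructed AD snapshot: sAMAccountName -> userAccountControl.
# 512 = normal enabled account, 514 = normal account with the disabled bit set.
# "dave" has left the company and no longer exists in AD at all.
AD_USER_ACCOUNT_CONTROL = {"alice": 512, "bob": 514, "carol": 512}

# Constructed current state on the OTRS side: role -> assigned users.
OTRS_ROLE_MEMBERS = {
    "helpdesk": {"alice", "bob", "dave"},
    "admins": {"carol", "alice"},
}
OTRS_USERS = {"alice", "bob", "carol", "dave"}


def is_disabled(uac):
    """True when the userAccountControl value has the disabled bit set."""
    return bool(uac & ACCOUNT_DISABLED)


def is_active_in_ad(user, ad_uac):
    """An account is active only if it exists in AD and is not disabled.

    Unknown accounts are treated as disabled (fail closed)."""
    return not is_disabled(ad_uac.get(user, ACCOUNT_DISABLED))


def desired_memberships(role_to_group, ad_members, ad_uac):
    """Compute role -> users entitled to it from live AD group membership."""
    desired = {}
    for role, group_dn in role_to_group.items():
        members = ad_members.get(group_dn, set())
        desired[role] = {u for u in members if is_active_in_ad(u, ad_uac)}
    return desired


def plan_changes(current, desired):
    """Return (removals, additions) as role -> set of users.

    Only roles with a non-empty change appear in the result, which keeps the
    review output short when most of the directory is already in sync."""
    removals, additions = {}, {}
    for role in set(current) | set(desired):
        have = current.get(role, set())
        want = desired.get(role, set())
        if have - want:
            removals[role] = have - want
        if want - have:
            additions[role] = want - have
    return removals, additions


def users_to_deactivate(otrs_users, ad_uac):
    """OTRS accounts whose AD account is missing or disabled."""
    return {u for u in otrs_users if not is_active_in_ad(u, ad_uac)}


def run_reconciliation():
    """Tie the steps together on the constructed snapshot."""
    desired = desired_memberships(ROLE_TO_AD_GROUP, AD_GROUP_MEMBERS,
                                  AD_USER_ACCOUNT_CONTROL)
    removals, additions = plan_changes(OTRS_ROLE_MEMBERS, desired)
    deactivate = users_to_deactivate(OTRS_USERS, AD_USER_ACCOUNT_CONTROL)
    return removals, additions, deactivate


if __name__ == "__main__":
    removals, additions, deactivate = run_reconciliation()
    for role, users in sorted(removals.items()):
        print(f"remove from role {role}: {sorted(users)}")
    for role, users in sorted(additions.items()):
        print(f"add to role {role}: {sorted(users)}")
    print(f"deactivate OTRS logins: {sorted(deactivate)}")
```

On the sample data the plan removes `bob` (disabled in AD) and `dave` (gone from AD) from `helpdesk`, removes `alice` from `admins` because she is not in the admin group, adds nobody, and flags `bob` and `dave` for deactivation. Producing a plan first, and applying it in a separate step, is the part that matters operationally: a misconfigured group DN yields an empty desired set, and a dry run shows that as a mass removal before anyone loses access.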

OTRS expert
Posts: 75
Joined: 27 Aug 2018, 13:50
OTRS Version?: Community
Real Name: Christian Clavet
Company: Tact Group

Re: LDAP/AD group automatic sync

Post by christianclavet » 14 Sep 2018, 20:55

Hi, the user would probably still be there, but OTRS will check with the LDAP server each time at login. If it's not in the LDAP it will not permit a login to occur (still, some data will stay on the OTRS side).

Have you tested logging in to OTRS as an inactive/removed user in the LDAP server?
OTRS Community 6.0.11
Debian 9.0
