
2009/8/5 Mauricio Tavares
So, otrs is only using ldap to check the passwords? Is the access/ownership info (i.e. who belongs to which group and can do what kind of harm) stored in the local DB then? I guess it has to, since the documentation states otrs only does read-only access to ldap.
Effectively yes, it's just checking the passwords. I'm not too sure about groups, I haven't gone so far as to mess with that yet, but I have seen some config entries that relate to groups. I think you can pull a user's group info from ldap but you cannot make changes to the ldap groups from otrs. I don't think otrs is as strict when it comes to using the DB or ldap for groups tho.
After reading it, I began to wonder if it meant that once it gathers the data it will use the local DB entirely instead of ldap. If that is the case, wouldn't it mean that it should be able to look up user info on both the local db and ldap at the same time?
This line from the doc makes me believe it's still checking the ldap directory to authenticate even tho it has all the details in the DB: "Although the data can be synched into the local OTRS database, the LDAP directory is the last instance for the authentication, so an inactive user in the LDAP tree can't authenticate to OTRS even when the account data are already stored in the OTRS database." So as I understand it, the sync will pull user details from ldap if a user tries to log in who is not in the local db but is in the ldap directory. Once it has synced to the local db it will then verify only the user's password against the ldap directory and not the entire user data, so fewer ldap queries. My ideas on this are all open to questioning tho, as I don't know this for fact.

Rory
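As an added illustration (not OTRS code and not from this thread), here is a small model of the flow Rory describes: bind against LDAP first, copy the user's attributes into a local DB on first login, and reuse the local record afterwards while LDAP remains the last instance for authentication. It also includes a deliberately flawed local-first variant to show why a cached record must not bypass the directory. The directory entries and the `active` flag are constructed sample data.

```python
# Constructed sample directory standing in for the LDAP server.
# 'active' represents whatever attribute the directory uses to disable an account.
LDAP_DIRECTORY = {
    "alice": {"password": "correct horse", "active": True,
              "mail": "alice@example.test", "cn": "Alice Example"},
    "bob":   {"password": "battery staple", "active": False,
              "mail": "bob@example.test", "cn": "Bob Example"},
}

# Local application database; empty until the sync step fills it on first login.
LOCAL_DB: dict[str, dict] = {}


def ldap_bind(user: str, password: str) -> bool:
    """Simulated LDAP bind: succeeds only for an existing, active account."""
    entry = LDAP_DIRECTORY.get(user)
    if entry is None or not entry["active"]:
        return False
    return entry["password"] == password


def sync_user(user: str) -> None:
    """Copy non-secret attributes into the local DB; the password is never stored locally."""
    entry = LDAP_DIRECTORY[user]
    LOCAL_DB[user] = {"mail": entry["mail"], "cn": entry["cn"]}


def authenticate(user: str, password: str) -> tuple[bool, str]:
    """LDAP is the last instance: bind first, then sync or reuse the local record."""
    if not ldap_bind(user, password):
        return False, "ldap bind failed"
    if user not in LOCAL_DB:
        sync_user(user)
        return True, "authenticated; user synced into local DB"
    return True, "authenticated; local record reused"


def authenticate_local_first(user: str, password: str) -> tuple[bool, str]:
    """Flawed variant: a cached local record short-circuits LDAP.
    A user disabled in the directory after the first login would still get in."""
    if user in LOCAL_DB:
        return True, "local record found; LDAP not consulted"
    return authenticate(user, password)
```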