
Rory wrote:
2009/8/5 Mauricio Tavares:
So, otrs is only using ldap to check the passwords? Is the access/ownership info (i.e. who belongs to which group and can do what kind of harm) stored in the local DB then? I guess it has to since the documentation states otrs only does read only access to ldap.
Effectively yes, it's just checking the passwords. I'm not too sure about groups, I haven't gone so far as to mess with that yet but I have seen some config entries that relate to groups. I think you can pull a user's group info from ldap but you cannot make changes to the ldap groups from otrs.
I have no problems if otrs cannot edit ldap. What I would like is to be able to define which group someone belongs to in ldap and then otrs will see the groups memberships and then grant the said user rights according to the memberships.
I don't think otrs is as strict when it comes to using the DB or ldap for groups though.
Hope so.
After reading it, I began to wonder if it meant that once it gathers the data it will use the local DB entirely instead of ldap. If that is the case, wouldn't it mean that it should be able to lookup user info on both local db and ldap at the same time?
This line from the doc makes me believe it's still checking the ldap directory to authenticate even though it has all the details in the DB:
"Although the data can be synced into the local OTRS database the LDAP directory is the last instance for the authentication, so an inactive user in the LDAP tree can't authenticate to OTRS even when the account data are already stored in the OTRS database."
So as I understand it, the sync will pull user details from ldap if a user tries to log in who is not in the local db but is in the ldap directory. Once it has synced to the local db it will then verify only the user's password against the ldap directory and not the entire user data, so fewer ldap queries.
Well, what I have found so far (I might be wrong) is that the user has to be in the local db; the password can be kept in ldap but you have to create a user in otrs. What I did was, after setting ldap up, I tried to log in as one of the users from the ldap group (cn=users) I gave otrs as the GroupDN. It cheerfully ignored that user. Then I created a user with the same username inside otrs but did not give a password. I was able to log in as the said user.
My ideas on this are all open to questioning though as I don't know this for fact.
Do you think I do? =) I am still figuring this program out.
Rory
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
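As an added illustration of the split the thread describes (LDAP checks the password, a sync module copies the user record into the local OTRS database on first login, and the GroupDN restricts who may log in at all), here is a Kernel/Config.pm fragment. It is example configuration written for this page, not taken from the thread or from the OTRS project, and the host, DNs, bind account and group names are all assumed placeholders.

```perl
# --- Authentication: password is always verified against LDAP ---
$Self->{AuthModule} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}   = 'ldap.example.com';        # assumed
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=example,dc=com';       # assumed
$Self->{'AuthModule::LDAP::UID'}    = 'uid';
# Only members of this group may authenticate at all (read-only lookup).
$Self->{'AuthModule::LDAP::GroupDN'}    = 'cn=users,ou=groups,dc=example,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'}   = 'UID';
# Dedicated low-privilege bind account for the search; never an admin DN.
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrs-bind,ou=service,dc=example,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'PLACEHOLDER-READ-FROM-SECRET-STORE';
$Self->{'AuthModule::LDAP::Params'} = { port => 636, timeout => 30, async => 0, version => 3 };

# --- Sync: populate the local user record so OTRS does not need the
#     whole LDAP entry on every request; the password itself stays in LDAP ---
$Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}   = 'ldap.example.com';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=example,dc=com';
$Self->{'AuthSyncModule::LDAP::UID'}    = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrs-bind,ou=service,dc=example,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'PLACEHOLDER-READ-FROM-SECRET-STORE';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# OTRS groups granted to every synced user on creation (least privilege: read-only).
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = ['users'];
# Map LDAP group membership to OTRS group rights, so rights are decided in LDAP
# and OTRS only reads them; group names and rights here are assumed examples.
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    'cn=helpdesk,ou=groups,dc=example,dc=com' => { users => { ro => 1, rw => 1 } },
    'cn=otrs-admins,ou=groups,dc=example,dc=com' => { admin => { ro => 1, rw => 1 } },
};
```

With the sync module enabled the local record is created automatically on the first successful LDAP login, and a user removed from cn=users (or disabled in the directory) is refused at the AuthModule step even though the synced record still exists locally.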