
On Friday, March 26, 2004 8:54 AM
Thomas Nilsen
If I could only find the code which allows this agent registration, I could comment it out and the problem would be solved...
SyncLDAP2Database{} is from Kernel/System/User.pm, but you needn't change anything there. The sub takes $Self->{UserSyncLDAPMap} from Config.pm and syncs the user from LDAP to the DB if the user isn't found in the latter but LDAP AUTH is activated. For sure the user must exist in the LDAP database. In fact, LDAP AUTH is nothing more than syncing an LDAP entry to the DB and authenticating against this entry.

So, to conclude - switching off the sync will take away the ability to log on as a new user, yes. But every user that you want to log on has to exist in the DB prior to switching off the capability.

The trigger can be found in index.pl, line 197 (v 1.66):

    if ($CommonObject{UserObject}->SyncLDAP2Database(User => $User)) {

You may easily switch off syncing by setting

    $Self->{UserSyncLDAPMap} = {};

Now only the LDAP users already existing in the DB _and_ LDAP can log in; no new entries will be created.

This is not the recommended approach, though! There must be a way that you distinguish the administrator of your groups by a common property. Aren't their account types different? Isn't it even possible to create a new POSIX-conforming group in AD?

hth,
Robert Kehl

--
((otrs.de)) :: OTRS GmbH :: Norsk-Data-Str. 1 :: 61352 Bad Homburg
http://www.otrs.de/ :: Tel. +49 (0)6172 4832388