Hi Jørn-Stian,
In my setup, we currently do something similar.
First of all, our Agents have to be members of the OTRS_Agents group to be able to log in to OTRS.
We take care of that part in the LDAP Authentication part, with these lines:
# Check if member of AD group before agent login.
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=OTRS_Agents,OU=OTRS,DC=domain,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
Second, we sync to OTRS roles (not groups), and then map the roles to groups in OTRS itself.
We do the sync with these lines:
# AuthSyncModule::LDAP::UserSyncRolesDefinition
# (If "LDAP" was selected for AuthModule and you want to sync LDAP
# groups to otrs roles, define the following.)
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    # AD/LDAP group
    'CN=OTRS_Admins,OU=OTRS,DC=domain,DC=local' => {
        # OTRS role
        'Admins' => 1,
    },
    'CN=OTRS_Queue1,OU=OTRS,DC=domain,DC=local' => {
        'OTRS_Queue1' => 1,
    },
    'CN=OTRS_Queue2,OU=OTRS,DC=domain,DC=local' => {
        'OTRS_Queue2' => 1,
    },
};
Inside OTRS, we have groups and roles like:
Queue1
Queue2
Admins
The groups have been granted access to the specific queues and admin area.
The groups and roles are then mapped as appropriate.
Hope that helps
--
/Sune T.
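Added example (not from the thread or from OTRS itself): a small Python simulation of the two stages in the reply above, the login gate on OTRS_Agents and the group-to-role sync. The directory contents, user DNs and the membership check are constructed here; the real OTRS LDAP modules query the directory, this only compares DN strings case-insensitively.

```python
# Constructed AD snapshot: group DN -> set of member DNs (the 'member' attribute).
AD_GROUPS = {
    "CN=OTRS_Agents,OU=OTRS,DC=domain,DC=local": {
        "CN=alice,OU=Users,DC=domain,DC=local",
        "CN=bob,OU=Users,DC=domain,DC=local",
    },
    "CN=OTRS_Admins,OU=OTRS,DC=domain,DC=local": {
        "CN=alice,OU=Users,DC=domain,DC=local",
        "CN=carol,OU=Users,DC=domain,DC=local",  # in Admins but not in OTRS_Agents
    },
    "CN=OTRS_Queue1,OU=OTRS,DC=domain,DC=local": {
        "CN=bob,OU=Users,DC=domain,DC=local",
    },
    "CN=OTRS_Queue2,OU=OTRS,DC=domain,DC=local": set(),
}

# Stage 1: the AuthModule::LDAP::GroupDN gate from the reply.
LOGIN_GROUP_DN = "CN=OTRS_Agents,OU=OTRS,DC=domain,DC=local"

# Stage 2: the UserSyncRolesDefinition mapping from the reply (group DN -> roles).
ROLE_DEFINITION = {
    "CN=OTRS_Admins,OU=OTRS,DC=domain,DC=local": {"Admins": 1},
    "CN=OTRS_Queue1,OU=OTRS,DC=domain,DC=local": {"OTRS_Queue1": 1},
    "CN=OTRS_Queue2,OU=OTRS,DC=domain,DC=local": {"OTRS_Queue2": 1},
}


def is_member(group_dn, user_dn):
    """Assumed membership test: DN strings compared case-insensitively."""
    members = AD_GROUPS.get(group_dn, set())
    return user_dn.lower() in {m.lower() for m in members}


def may_log_in(user_dn):
    """Stage 1: only members of the login group get past authentication."""
    return is_member(LOGIN_GROUP_DN, user_dn)


def synced_roles(user_dn):
    """Stage 2: every role whose AD group contains the user, flag value 1 only."""
    roles = set()
    for group_dn, role_map in ROLE_DEFINITION.items():
        if is_member(group_dn, user_dn):
            roles.update(r for r, on in role_map.items() if on == 1)
    return sorted(roles)


def evaluate(user_dn):
    """Both stages together; a role mapping never substitutes for the login gate."""
    return {"login": may_log_in(user_dn), "roles": synced_roles(user_dn)}
```

The carol case shows the point worth checking in any setup like this: a user can be mapped to the Admins role and still be refused at login because the gate group is evaluated separately.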
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org]
On Behalf Of Jørn-Stian Lønsetteig
Sent: 9 January 2012 17:35
To: otrs@otrs.org
Subject: [otrs] Assigning queue and roles from AD groups
I’ve installed and configured OTRS to work with AD, and have gotten it to grant access to members of two specific groups (basically by duplicating the existing directives). I’d like to assign OTRS roles and/or queue affinity based on this. Ideally, I’d create a group structure similar to this:
OTRS_Admin, OTRS_Agent, OTRS_Queue1 and OTRS_Queue2.
Users that are members of the OTRS_Admin group would be assigned to the Admin group, the users that are members of the OTRS_Queue1 group would be assigned queue access, and so on.
In the default/suggested settings, there’s a directive called AuthSyncModule::LDAP::UserSyncInitialGroups that adds the user to the “users” group. How can I make that happen for only one of the groups, and then do the same for another?
Best regards
Jørn-Stian Lønsetteig