Restricting Agent login to a found AuthModule::LDAP::GroupDN

Hi, all - I think I'm wandering down the right path here, but I thought I'd ask, in an attempt to not get lost too much. I've managed to integrate OTRS with Active Directory, and that works (sort-of) alright. It needs some polishing, but the functionality is there. I've created Roles in OTRS that correspond with groups in AD. The idea is, make an Agent a member of its respective groups in AD, to which there's a matching role in OTRS for that AD group - and subsequently, queue - that the user will be able to interact with. Thus, I believe I can control access to each queue based on AD group membership. My question is, however, can I use AuthModule::LDAP::GroupDN more than once? If you're still following me, I'd like to use AuthModule::LDAP::GroupDN once for each AD group present, so I don't need to maintain a separate list of groups in AD, to signify which users can have access to what, outside of the one-AD-group-per-OTRS-queue system that I'm shooting for. Am I going about this the right way? In theory, this all looks great :) Thanks! -dant

Hi Dant, On 12.01.2010, at 23:35, Dan Trainor wrote:
My question is, however, can I use AuthModule::LDAP::GroupDN more than once? If you're still following me, I'd like to use AuthModule::LDAP::GroupDN once for each AD group present, so I don't need to maintain a separate list of groups in AD, to signify which users can have access to what, outside of the one-AD-group-per-OTRS-queue system that I'm shooting for.
Am I going about this the right way? In theory, this all looks great :)
AuthModule::LDAP::GroupDN is for limiting the login to certain people based on the AD configuration. If you want to control the permissioning within OTRS based on AD Groups, please have a look at Defaults.pm starting at line 421 (if you use OTRS 2.4.5) or search for "AuthSyncModule". There you can copy the example configuration, copy that to Config.pm and configure the connection to your needs. A few lines below that there is a configuration starting with "AuthSyncModule::LDAP::UserSyncRolesDefinition"; this is used to define which Role shall be assigned to an authenticated Agent based on the AD Group DN and based on the Agent's memberships.
I hope that helps .....
((enjoy))
Nils Leideck
--
Nils Leideck
Senior Consultant
nils.leideck@leidex.net
nils.leideck@otrs.com
http://webint.cryptonode.de / a Fractal project
CU @ CeBIT 2010 in Hannover, Germany and get to know more about OTRS at booth no. C37 in hall 2 from March 2-6, 2010!
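As an added example (not from the thread and not OTRS's shipped Defaults.pm), here is a Kernel/Config.pm fragment that keeps the two jobs Nils separates: AuthModule::LDAP::GroupDN is a single "may log in at all" gate, and AuthSyncModule::LDAP::UserSyncRolesDefinition does the one-AD-group-per-OTRS-role mapping Dan is after. The hostname, DNs, role names and bind password are constructed placeholders.

```perl
# Added example for OTRS 2.4 (Kernel/Config.pm). All DNs, hostnames and role
# names below are constructed placeholders; adjust them to your directory.

# --- Authentication: who may log in at all --------------------------------
$Self->{'AuthModule'}                     = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}         = 'dc01.example.com';    # placeholder
$Self->{'AuthModule::LDAP::BaseDN'}       = 'dc=example,dc=com';   # placeholder
$Self->{'AuthModule::LDAP::UID'}          = 'sAMAccountName';      # AD login name
# Bind account used for the search; grant it read-only rights, nothing more.
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=otrs-bind,ou=Service Accounts,dc=example,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'REPLACE_WITH_BIND_PASSWORD';
# GroupDN takes exactly ONE group: a single "allowed to use OTRS" gate.
# AD lists member DNs in the group's 'member' attribute, hence AccessAttr
# 'member' and UserAttr 'DN' (compare the user's DN, not the uid).
$Self->{'AuthModule::LDAP::GroupDN'}      = 'cn=OTRS-Agents,ou=Groups,dc=example,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'}   = 'member';
$Self->{'AuthModule::LDAP::UserAttr'}     = 'DN';

# --- Authorisation: which roles an authenticated agent receives -----------
$Self->{'AuthSyncModule'}                     = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}         = 'dc01.example.com';
$Self->{'AuthSyncModule::LDAP::BaseDN'}       = 'dc=example,dc=com';
$Self->{'AuthSyncModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrs-bind,ou=Service Accounts,dc=example,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'REPLACE_WITH_BIND_PASSWORD';
# Keep the agent record in sync with AD so name/mail changes propagate.
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# One AD group per OTRS role. Keys are AD group DNs; inside, 1 grants the
# named OTRS role to members of that group and 0 explicitly withholds it.
# Queue access is then governed by the Role -> Group -> Queue links in OTRS,
# so membership in AD, not a hand-maintained list, decides what an agent sees.
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    'cn=OTRS-Helpdesk,ou=Groups,dc=example,dc=com' => {
        'helpdesk' => 1,
    },
    'cn=OTRS-Network,ou=Groups,dc=example,dc=com' => {
        'network'  => 1,
        'helpdesk' => 0,
    },
};
```

The roles referenced here ('helpdesk', 'network') must already exist in OTRS under Admin > Roles; the sync only assigns them, it does not create them.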

On 01/12/2010 04:44 PM, Nils Leideck - ITSM wrote:
Hi Dant,
On 12.01.2010, at 23:35, Dan Trainor wrote:
My question is, however, can I use AuthModule::LDAP::GroupDN more than once? If you're still following me, I'd like to use AuthModule::LDAP::GroupDN once for each AD group present, so I don't need to maintain a separate list of groups in AD, to signify which users can have access to what, outside of the one-AD-group-per-OTRS-queue system that I'm shooting for.
Am I going about this the right way? In theory, this all looks great :)
AuthModule::LDAP::GroupDN is for limiting the login to certain people based on the AD configuration.
If you want to control the permissioning within OTRS based on AD Groups, please have a look at Defaults.pm starting at line 421 (if you use OTRS 2.4.5) or search for "AuthSyncModule". There you can copy the example configuration, copy that to Config.pm and configure the connection to your needs. A few lines below that there is a configuration starting with "AuthSyncModule::LDAP::UserSyncRolesDefinition"; this is used to define which Role shall be assigned to an authenticated Agent based on the AD Group DN and based on the Agent's memberships.
I hope that helps .....
((enjoy))
Nils Leideck
Good afternoon, Nils - I sincerely appreciate your reply, and it did help, thanks. I think I was confused on the subsequent AuthModule::LDAP::AccessAttr, which did not seem to work as I had expected it to. I eventually got it working, but I think that it led me in the wrong direction when dealing with AuthModule::LDAP::GroupDN. Thanks -dant