OTRS 6 - AD integration - Domain Admin users mapped as Agents, not as OTRS Admins

In fact this is a three-part problem:

  1. When I used the LDAP backend, I lost my users from the DB Backend (including the root@localhost superuser)
  2. Agent users from the LDAP backend didn't have Admin permissions
  3. OTRS Documentation is a little outdated here and there

Problem 1: lost my DB Backend

In Config.pm, I had inserted the following line to select the Agent backend:

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';

Well, what this line does is override the original backend selector elsewhere in the system. So, in order to have the DB Backend Admin users and also the LDAP agent users, you should use OTRS' own (and documented!) way to have multiple backends, which is appending a numeral suffix to the module instance (please note the 1 right after AuthModule):

$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';

Of course, you have to put the numeral in all of the modules' properties:

$Self->{'AuthModule::LDAP::Host1'} = '192.168.xx.xx';    # AD domain controller
$Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=test,DC=local';
$Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';     # AD login name attribute
$Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=GS_OTRS_Agents,CN=Users,DC=test,DC=local';  # only members of this group may log in
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'OTRS';     #OTRS LDAP User
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'somepass'; #Password for the LDAP User
$Self->{'AuthModule::LDAP::AlwaysFilter1'} = '';
$Self->{'AuthModule::LDAP::Params1'} = {
                  port => 389,
                  timeout => 120,
                  async => 0,
                  version => 3,
                  sscope => 'sub'
                };

(Compare this to the code posted above, on the original question.)

To be fair, there is a section in the OTRS Admin Manual explaining how to change the backend, and how to have more than one backend. But the information that using $Self->{'AuthModule'} instead of $Self->{'AuthModule1'} would override the native DB Backend, instead of running both side by side, is missing. Took a lot of dead brain matter to figure this out.

This solved the problem of having lost my Admin users, who were all in the original DB Backend. All the LDAP Agents were not full admins, so they could answer tickets but not manage the OTRS system as admins. With this I had both kinds of users.

That leads us to the second problem.

Problem 2: Agent users from the LDAP backend didn't have Admin permissions

I mean, I must be able to create an Agent user on my AD and he/she should be able to be an admin too. And they are!

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

If instead of just 'users', I had also put 'basic_admin' on that list, all my initial Agents would also be Admins. I could revoke their Admin privileges later, but as I was locked outside OTRS with no Admin users due to problem 1, I couldn't grant or revoke any admin right to anyone.

I chose, after all, to leave it as it is, and create my Agents as just users, because I already have my original root@localhost user as admin (as I have solved Problem 1), and will grant admin rights manually for all my future admins. But this is another not very well documented detail in the OTRS Admin Manual.

Problem 3: OTRS Admin Manual not completely up to date

I understand that, with all OpenSource projects, this would happen from time to time. But there are, here, there and everywhere, some pitfalls due to misleading information, inherited from previous versions of OTRS that were not updated. There are some properties, for example, that are mentioned in the manual but are not valid for version 6.

I stumbled upon one that was for version 5 and was not purged from version 6. I mean, the link to the properties' QuickRef page was removed, because the page - and the property - does not exist anymore, but it is still mentioned elsewhere in the manual, on important configuration sections.
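Putting Problem 1 and Problem 2 together, here is a complete Config.pm fragment for the "DB admins plus AD agents" setup the answer describes. This is an added example, not code from the answer or from the OTRS project; it assumes that OTRS pairs each AuthModuleN with an AuthSyncModuleN carrying the same numeric suffix, and the host, DN, bind account and group names are placeholders.

```perl
# Kernel/Config.pm fragment (added example, not from the original answer).
# $Self->{'AuthModule'} is deliberately NOT set here: the unsuffixed key is
# the one Defaults.pm points at Kernel::System::Auth::DB, so leaving it alone
# keeps root@localhost and the other DB-backend admins working.

# Backend 1: Active Directory agents, restricted to one AD group.
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host1'}      = 'dc01.test.local';   # placeholder DC
$Self->{'AuthModule::LDAP::BaseDN1'}    = 'DC=test,DC=local';
$Self->{'AuthModule::LDAP::UID1'}       = 'sAMAccountName';
$Self->{'AuthModule::LDAP::GroupDN1'}   = 'CN=GS_OTRS_Agents,CN=Users,DC=test,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'}   = 'DN';
# Use a dedicated, read-only bind account; never a domain admin.
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=otrs-bind,CN=Users,DC=test,DC=local';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'placeholder-bind-password';
$Self->{'AuthModule::LDAP::AlwaysFilter1'} = '';
$Self->{'AuthModule::LDAP::Params1'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Sync module for backend 1: same suffix as AuthModule1 (assumption stated
# in the lead-in). It creates the agent record on first login.
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host1'}         = 'dc01.test.local';
$Self->{'AuthSyncModule::LDAP::BaseDN1'}       = 'DC=test,DC=local';
$Self->{'AuthSyncModule::LDAP::UID1'}          = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=otrs-bind,CN=Users,DC=test,DC=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'placeholder-bind-password';
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# Every synced AD agent lands in 'users' only. Adding 'admin' (the built-in
# OTRS admin group) here would make all of them admins at first login, which
# is the all-or-nothing behaviour described under Problem 2; granting admin
# to individual agents afterwards from the DB-backend admin account is the
# least-privilege alternative the answer settled on.
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
    'users',
];
```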