We set up our config.pm file to allow only employees that are a part of a specific AD group to become an agent. We thought that it was working fine, but we found out that if customers attempt to log in to the Agent portal, they automatically become agents. Could anyone share how they have their system set up?
Thanks in advance.
OTRS Active Directory - Customers coming in as Agents
Moderator: crythias
-
- Administrator
- Posts: 3968
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: OTRS Active Directory - Customers coming in as Agents
You have to restrict the users who can log in (and sync automatically) into the agent interface via a group. See https://github.com/OTRS/otrs/blob/rel-5 ... ts.pm#L425
Please don't change this file; use the settings in your Config.pm.
For nested groups within AD, search for LDAP_MATCHING_RULE_IN_CHAIN.
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes?
-
- Znuny newbie
- Posts: 24
- Joined: 24 Feb 2017, 18:37
- Znuny Version: 5.0.16
- Real Name: Tom Stiffler
- Company: Concurrent Technology Corp.
Re: OTRS Active Directory - Customers coming in as Agents
We are using nested groups, so we have this in place:
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=group_name,OU=Groups,OU=XX,DC=XX,DC=XX,DC=XX))';
People outside of "group_name" are still able to log in as an agent, though. Any other suggestions? Do either AccessAttr or UserAttr matter with regard to the filter?
-
- Administrator
- Posts: 3968
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: OTRS Active Directory - Customers coming in as Agents
I use it this way for agent sync (because I mostly have Kerberos SSO):
Code:
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member:1.2.840.113556.1.4.1941:';
$Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';
# LDAP group DN => roles set for users found in that group
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    'CN=OTRS-AGENTS-xx,OU=Roles,OU=OTRS,OU=x,OU=xx,OU=xx,DC=xx,DC=xx' => {
        'Role_1' => 1,
    },
    'CN=OTRS-AGENTS-xx,OU=Roles,OU=OTRS,OU=x,OU=xx,OU=xx,DC=xx,DC=xx' => {
        'Role_2' => 1,
    },
    'CN=OTRS-AGENTS-admin,OU=Roles,OU=OTRS,OU=x,OU=x,OU=x,DC=x,DC=x' => {
        'Administrator' => 1,
    },
};
To restrict authentication, try this:
Code:
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectCategory=user)';
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=group_name,OU=Groups,OU=XX,DC=XX,DC=XX,DC=XX';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member:1.2.840.113556.1.4.1941:';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
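An offline model of the group check that the GroupDN / AccessAttr / UserAttr settings in the last post ask the directory to perform, added here as an example (it is not code from the thread or from OTRS/Znuny). All DNs and the directory contents are constructed, and the model assumes the check is a search on the group entry for `(<AccessAttr>=<user DN>)`; it shows why plain `member` misses nested members while the `1.2.840.113556.1.4.1941` (LDAP_MATCHING_RULE_IN_CHAIN) form does not.

```python
# Constructed sample data: group DN -> direct "member" values (all DNs made up).
GROUP_DN = "CN=otrs-agents,OU=Groups,DC=example,DC=test"
HELPDESK = "CN=helpdesk,OU=Groups,DC=example,DC=test"
ALICE = "CN=Alice Agent,OU=Staff,DC=example,DC=test"         # direct member
BOB = "CN=Bob Nested,OU=Staff,DC=example,DC=test"            # member via HELPDESK
CAROL = "CN=Carol Customer,OU=Customers,DC=example,DC=test"  # in no group
DIRECTORY = {
    GROUP_DN: [ALICE, HELPDESK],
    HELPDESK: [BOB, GROUP_DN],   # circular nesting: the walk must terminate
}
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN


def norm(dn):
    """AD compares DNs case-insensitively (simplified: no escape handling)."""
    return dn.strip().lower()


def members(group_dn, transitive):
    """Normalised member DNs of group_dn, following nested groups if asked."""
    index = {norm(g): [norm(m) for m in ms] for g, ms in DIRECTORY.items()}
    found, visited, queue = set(), set(), [norm(group_dn)]
    while queue:
        current = queue.pop()
        if current in visited:
            continue
        visited.add(current)
        for member in index.get(current, []):
            found.add(member)
            if transitive and member in index:
                queue.append(member)
    return found


def group_check(user_dn, group_dn, access_attr):
    """Assumed check: search base=group_dn for (<access_attr>=<user_dn>)."""
    attr, _, rule = access_attr.rstrip(":").partition(":")
    if attr.lower() != "member" or rule not in ("", IN_CHAIN):
        raise ValueError("AccessAttr not covered by this model: " + access_attr)
    return norm(user_dn) in members(group_dn, transitive=(rule == IN_CHAIN))


def audit(user_dns, group_dn, access_attr):
    """Map each DN to True (passes the group check) or False (login refused)."""
    return {dn: group_check(dn, group_dn, access_attr) for dn in user_dns}


if __name__ == "__main__":
    for attr in ("member", "member:" + IN_CHAIN + ":"):
        print(attr, audit([ALICE, BOB, CAROL], GROUP_DN, attr))
```

On a test system, the equivalent check is to log in to the agent interface with one account from each of the three categories and confirm that only the first two are accepted.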