OTRS Active Directory - Customers coming in as Agents

Moderator: crythias

5of5
Znuny newbie
Posts: 24
Joined: 24 Feb 2017, 18:37
Znuny Version: 5.0.16
Real Name: Tom Stiffler
Company: Concurrent Technology Corp.

OTRS Active Directory - Customers coming in as Agents

Post by 5of5 »

We set up our config.pm file to allow only employees that are a part of a specific AD group to become an agent. We thought that it was working fine, but we found out that if customers attempt to log in to the Agent portal, they automatically become agents. Could anyone share how they have their system set up?

Thanks in advance.
root
Administrator
Posts: 3954
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: OTRS Active Directory - Customers coming in as Agents

Post by root »

You have to restrict the users who can log in (and sync automatically) into the agent interface via a group. See https://github.com/OTRS/otrs/blob/rel-5 ... ts.pm#L425

Please don't change this file; use the settings in your Config.pm.

For nested groups within AD, search for LDAP_MATCHING_RULE_IN_CHAIN.
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes?
5of5
Znuny newbie
Posts: 24
Joined: 24 Feb 2017, 18:37
Znuny Version: 5.0.16
Real Name: Tom Stiffler
Company: Concurrent Technology Corp.

Re: OTRS Active Directory - Customers coming in as Agents

Post by 5of5 »

We are using nested groups, so we have this in place:
    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=CN=group_name,OU=Groups,OU=XX,DC=XX,DC=XX,DC=XX))';

People outside of "group_name" are still able to log in as an agent, though.  Any other suggestions?  Do either AccessAttr or UserAttr matter with regard to the filter?
root
Administrator
Posts: 3954
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: OTRS Active Directory - Customers coming in as Agents

Post by root »

I use it this way for agent sync (because I mostly have Kerberos SSO):

    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (resolves nested group membership)
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member:1.2.840.113556.1.4.1941:';
    $Self->{'AuthSyncModule::LDAP::UserAttr'}   = 'DN';

    $Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
        'CN=OTRS-AGENTS-xx,OU=Roles,OU=OTRS,OU=x,OU=xx,OU=xx,DC=xx,DC=xx' => {
            'Role_1' => 1,
        },
        'CN=OTRS-AGENTS-xx,OU=Roles,OU=OTRS,OU=x,OU=xx,OU=xx,DC=xx,DC=xx' => {
            'Role_2' => 1,
        },
        'CN=OTRS-AGENTS-admin,OU=Roles,OU=OTRS,OU=x,OU=x,OU=x,DC=x,DC=x' => {
            'Administrator' => 1,
        },
    };

To restrict authentication, try this:

    $Self->{'AuthModule::LDAP::AlwaysFilter'} = '(objectCategory=user)';
    $Self->{'AuthModule::LDAP::GroupDN'} = 'CN=group_name,OU=Groups,OU=XX,DC=XX,DC=XX,DC=XX';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member:1.2.840.113556.1.4.1941:';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
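The group gate discussed in this thread, as an added example that is not part of any post and is not OTRS/Znuny code: a simplified Python model of how a GroupDN check with a plain `member` attribute differs from one using the `1.2.840.113556.1.4.1941` in-chain rule on nested groups. The directory contents, DNs and function names are constructed for illustration, and the gate is assumed to be a membership test of the user's DN against the configured group.

```python
# Added example: model of a group-gated agent login. All DNs below are constructed.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN OID from the thread

AGENTS = "CN=otrs-agents,OU=Groups,DC=example,DC=test"
HELPDESK = "CN=helpdesk,OU=Groups,DC=example,DC=test"
ALICE = "CN=alice,OU=Staff,DC=example,DC=test"      # direct member of AGENTS
BOB = "CN=bob,OU=Staff,DC=example,DC=test"          # member only via nested HELPDESK
CAROL = "CN=carol,OU=Customers,DC=example,DC=test"  # customer, in no agent group

# Constructed directory: group DN -> values of its 'member' attribute.
DIRECTORY = {
    AGENTS: [HELPDESK, ALICE],
    HELPDESK: [BOB, AGENTS],  # circular nesting: the walk must still terminate
}


def parse_access_attr(access_attr):
    """Split 'member:<oid>:' into (attribute, matching-rule OID or None)."""
    parts = access_attr.split(":")
    rule = parts[1] if len(parts) > 1 and parts[1] else None
    return parts[0], rule


def is_member(directory, group_dn, user_dn, transitive):
    """Direct 'member' test, or a walk through nested groups when transitive."""
    seen, queue = set(), [group_dn]
    while queue:
        current = queue.pop()
        if current in seen:
            continue  # already expanded (guards against group cycles)
        seen.add(current)
        for member in directory.get(current, []):
            if member == user_dn:  # DNs compared as exact strings in this model
                return True
            if transitive and member in directory:
                queue.append(member)
    return False


def agent_login_allowed(directory, user_dn, group_dn=None, access_attr="member"):
    """Return True if the modelled gate admits an already-authenticated user_dn."""
    if not group_dn:
        return True  # no group gate: every directory user who authenticates gets in
    attr, rule = parse_access_attr(access_attr)
    if attr != "member" or rule not in (None, IN_CHAIN):
        raise ValueError(f"model does not cover AccessAttr {access_attr!r}")
    return is_member(directory, group_dn, user_dn, transitive=(rule == IN_CHAIN))
```

When testing a real configuration, the same three cases are worth checking on a test system: a direct member, a member through a nested group, and a customer account that must be refused.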