Why are my customers able to authenticate as agents?

Moderator: crythias

gears
Znuny newbie
Posts: 38
Joined: 24 Feb 2011, 18:29
Znuny Version: 5.0.14

Why are my customers able to authenticate as agents?

Post by gears »

I've set up OTRS for AD SSO via Kerberos. I created a group in AD called OTRS and I thought I had my Config.pm set correctly to restrict agent logons to only members of this group, but something is wrong. All employees are able to authenticate on the customer site at /otrs/customer.pl, but any employee who goes to http://otrshost/otrs/index.pl (the agent logon page) is also able to authenticate there, access the agent interface, and then their account is added to the agents listing in the admin panel. This obviously isn't what we want to happen. Any help is greatly appreciated. Thanks!

AD OTRS agent group DN: "CN=OTRS,DC=mydomain,DC=com"
We allow all other users within AD to auth as customers so no separate grouping is needed for this.

Note that I also tried setting cn=OTRS on this line: $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=mydomain,dc=com';


Config.pm:

package Kernel::Config;
sub Load {
    my $Self = shift;
    $Self->{'DatabaseHost'} = 'localhost';
    $Self->{'Database'} = 'otrs';
    $Self->{'DatabaseUser'} = 'otrs';
    $Self->{'DatabasePw'} = '**PASSWD**';
    $Self->{DatabaseDSN} = "DBI:mysql:database=$Self->{Database};host=$Self->{DatabaseHost};";
    $Self->{Home} = '/opt/otrs';
    $Self->{'DefaultCharset'} = 'utf-8';
    $Self->{'LogModule'} = 'Kernel::System::Log::File';
    $Self->{'LogModule::LogFile'} = '/opt/otrs/var/log/otrs.log';

    $Self->{FQDN} = 'otrshost.mydomain.com';
    $Self->{AdminEmail} = 'otrshost@mydomain.com';
    $Self->{ProductName} = 'My Company Name';
    $Self->{AuthModule} = 'Kernel::System::Auth::DB';
    $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = 'firstdc.mydomain.com';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=mydomain,dc=com';
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::GroupDN1'} = 'cn=OTRS,dc=mydomain,dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS SEARCH,CN=Users,DC=mydomain,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = '**THEPASSWORD**';

    $Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'firstdc.mydomain.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=mydomain,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=OTRS SEARCH,CN=Users,DC=mydomain,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = '**THEPASSWORD**';
  
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
        'users',
    ];

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'firstdc.mydomain.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=mydomain,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS SEARCH,CN=Users,DC=mydomain,DC=com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '**THEPASSWORD**';


    $Self->{CustomerUser} = {
        Name => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            Host => 'firstdc.mydomain.com',
            BaseDN => 'dc=mydomain,dc=com',
            SSCOPE => 'sub',
            UserDN => 'CN=OTRS SEARCH,CN=Users,DC=mydomain,DC=com',
            UserPw => '**THEPASSWORD**',
            AlwaysFilter =>
                '(&(objectcategory=person)(objectclass=user)(!(description=built-In))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        },
        CustomerKey => 'sAMAccountName',
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        Map => [
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
            [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
        ],
    };

    # These assignments replace the Customer::AuthModule and AuthModule values
    # set earlier in this sub; the last assignment is the one that takes effect.
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
    $Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@MYDOMAIN.COM';
    $Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
    $Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '@MYDOMAIN.COM';
}

use strict;
use warnings;
use vars qw(@ISA $VERSION);
$VERSION = qw($Revision: 1.23 $)[1];
use Kernel::Config::Defaults;
push (@ISA, 'Kernel::Config::Defaults');

1;

/etc/krb5.conf:

[logging]
default = FILE:/var/log/krb5-lib.log
kdc = FILE:/var/log/krb5-kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = MYDOMAIN.COM
#dns_lookup_realm = false
#dns_lookup_kdc = false

[appdefaults]
pam = {
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
}

[realms]
 MYDOMAIN.COM = {
 kdc = firstdc.mydomain.com
 kdc = nextdc.mydomain.com
 admin_server = firstdc
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM

[login]
 krb4_convert = true
 krb4_get_tickets = false

/etc/apache2/config.d/otrs.conf

LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Directory "/opt/otrs/bin/cgi-bin/">
   AllowOverride None
   AuthType Kerberos
   AuthName "MYDOMAIN.COM"
   Krb5Keytab /etc/krb5.keytab
   KrbAuthRealms MYDOMAIN.COM
   KrbMethodNegotiate on
   KrbSaveCredentials  off
   Require valid-user
   Options +ExecCGI -Includes
   Order allow,deny
   Allow from all
</Directory>
OTRS 5.0.14 / Debian 7.11 x64 / Apache 2.2.22 / MySQL 14.14 Distrib 5.5.53
mrhaag
Znuny newbie
Posts: 18
Joined: 17 Jun 2011, 14:27
Znuny Version: 4.0.12
Real Name: Michael R. Haag
Company: Madison County, NY
Location: Madison County, NY

Re: Why are my customers able to authenticate as agents?

Post by mrhaag »

I am also experiencing this issue.

We are using LDAP and a MySQL database to authenticate, since some customers do not have accounts in LDAP. I first noticed the issue when I tried to enable "Customer Groups". I had the default groups include "users" in my /opt/otrs/Kernel/Config/Files/ZZZAAuto.pm file, which I realize is the name for agents in OTRS, so I removed that default group:

$Self->{'CustomerGroupAlwaysGroups'} = [
'users'
];

but we are still seeing the issue here.
OTRS 5.0.14 on CentOS release 6.7 (Final) with mysql Ver 15.1 Distrib 5.5.47-MariaDB database connected to an Active Directory for Agents and Customers.
mrhaag

Re: Why are my customers able to authenticate as agents?

Post by mrhaag »

Correction:

I just double-checked the line I thought I deleted in ZZZAAuto.pm:

$Self->{'CustomerGroupAlwaysGroups'} = [
'users'
];

I found that the line was NOT deleted. I do remember deleting the line, so I'm wondering if OTRS is somehow changing the line when I make changes in SysConfig (not in the section where you set and enable CustomerGroups, Frontend::Customer::CustomerGroupSupport / CustomerGroups, Frontend::Customer::CustomerGroupAlwaysGroups ).

Is it possible that saving other options in other sections of SysConfig might be writing in the CustomerGroupAlwaysGroups option to ZZZAAuto.pm?


I have commented out that line as follows:

#$Self->{'CustomerGroupAlwaysGroups'} = [
# 'users'
#];

I will check frequently to see if the line changes over the next few days.


Is there any other config file I should review to check for instances of either CustomerGroups or CustomerGroupAlwaysGroups? I have only found those settings within ZZZAuto.pm and ZZZAAuto.pm (and I have also checked Config.pm).

Thanks in advance for any advice you can offer.
jojo
Znuny guru
Posts: 15019
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master
Contact:

Re: Why are my customers able to authenticate as agents?

Post by jojo »

Please check your Config.pm and Defaults.pm as ZZZAAuto.pm is auto generated.

You should never change the Defaults.pm, the ZZZAAuto.pm and ZZZAuto.pm and all XML Files manually!
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
mrhaag

Re: Why are my customers able to authenticate as agents?

Post by mrhaag »

I have just tested saving a value in SysConfig and re-checked my ZZZAAuto.pm

The value I changed in SysConfig was:

Frontend::Customer::CustomerHeadline

I added an underscore to the end of the value, then clicked "Update".

After that saved, I re-checked /opt/otrs/Kernel/Config/Files/ZZZAAuto.pm

I found that the following lines were again UNCOMMENTED (all three '#' removed) after the save:

#$Self->{'CustomerGroupAlwaysGroups'} = [
# 'users'
#];


How can I prevent OTRS from re-enabling the CustomerGroupAlwaysGroup on each Update of SysConfig, and why would OTRS add customers to groups based on those lines, since the following value always stays the same:

$Self->{'CustomerGroupSupport'} = '0';
mrhaag

Re: Why are my customers able to authenticate as agents?

Post by mrhaag »

I followed your advice on checking Defaults.pm and Config.pm.

Config.pm has NO reference to customer groups whatsoever.

Defaults.pm is as follows:


# --------------------------------------------------- #
# #
# Start of config options!!! #
# CustomerPanel stuff #
# #
# --------------------------------------------------- #

# SessionName
# (Name of the session key. E. g. Session, SessionID, OTRS)
$Self->{CustomerPanelSessionName} = 'CSID';

# CustomerPanelUserID
# (The customer panel db-uid.) [default: 1]
$Self->{CustomerPanelUserID} = 1;

# CustomerGroupSupport (0 = compat. to OTRS 1.1 or lower)
# (if this is 1, the you need to set the group <-> customer user
# relations! http://host/otrs/index.pl?Action=AdminCustomerUserGroup
# otherway, each user is ro/rw in each group!)
$Self->{CustomerGroupSupport} = 0;

# CustomerGroupAlwaysGroups
# (if CustomerGroupSupport is true and you don't want to manage
# each customer user for this groups, then put the groups
# for all customer user in there)
#$Self->{CustomerGroupAlwaysGroups} = [ 'users', 'info' ];
$Self->{CustomerGroupAlwaysGroups} = [ 'info' ];
# show online agents
# $Self->{'CustomerFrontend::NotifyModule'}->{'1-ShowAgentOnline'} = {
# Module => 'Kernel::Output::HTML::NotificationAgentOnline',
# ShowEmail => 1,
# IdleMinutes => 60,
# };
mrhaag

Re: Why are my customers able to authenticate as agents?

Post by mrhaag »

Regarding edits to ZZZAuto.pm and ZZZAAuto.pm, I am sorry I ever edited them directly. I have read tutorials elsewhere that indicated I should edit those files and now I realize the error of my ways.

After reading http://doc.otrs.org/3.0/en/html/configuration.html, I will certainly no longer edit those files directly. All edits I make to any config files will be edited in Config.pm, nowhere else, per instruction from the official documentation.

I do have one final question though:

If I add a line disallowing CustomerGroupSupport, such as:

$Self->{'CustomerGroupSupport'} = '0';

to the /opt/otrs/Kernel/Config.pm file, will that added line fix the issue I have been experiencing where although that option is set to '0' in SysConfig, customers are still added to the 'users' group and able to authenticate as agents?
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Why are my customers able to authenticate as agents?

Post by crythias »

If you enable CustomerGroup, you will get "customer always groups" users by default. Check the Customers <-> Groups page on Admin (at the bottom of the interface).

Then click the [Edit Default Customer Groups] button, which will take you to Edit Config Settings in Framework -> Frontend::Customer. Under CustomerGroupAlwaysGroups, you'll find "users".

If you don't want that, you'll want to change it to a "real" group or remove the entry.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
mrhaag

Re: Why are my customers able to authenticate as agents?

Post by mrhaag »

Crythias, thank you for your previous assistance.

This same problem is happening to us again following our application of the 3.0.9 patch.

I have checked all the config files (Config.pm, ZZZAuto.pm, ZZZAAuto.pm, Defaults.pm) and I am still seeing:

$Self->{CustomerGroupAlwaysGroups} = [ 'users', 'info' ]; added to ZZZAAuto.pm any time I press "Update" on SysConfig

This setting seems to be in effect even though I have set $Self->{CustomerGroupSupport} = 0; in Config.pm

I tried reverting to 3.0.8, but now the setting seems to be in effect on that as well.

I am not able to stop customers from gaining access to the Agent interface. Is there a specific line or config file I should adjust to force the following to override all other settings:
$Self->{CustomerGroupSupport} = 0; ?


In SysConfig, CustomerGroups are still listed as disabled, but they can log in to agent interface regardless.

(Once again, I have not changed ZZZAuto or ZZZAAuto myself. I am only changing Config.pm and using SysConfig)
crythias

Re: Why are my customers able to authenticate as agents?

Post by crythias »

The only way they'll be able to authenticate as agents is if they are agents in the agents database.
crythias

Re: Why are my customers able to authenticate as agents?

Post by crythias »

    $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host1'} = 'firstdc.mydomain.com';
    $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=mydomain,dc=com';
    $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::GroupDN1'} = 'cn=OTRS,dc=mydomain,dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';
    $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=OTRS SEARCH,CN=Users,DC=mydomain,DC=com';
    $Self->{'AuthModule::LDAP::SearchUserPw1'} = '**THEPASSWORD**';

    $Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host1'} = 'firstdc.mydomain.com';
    $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=mydomain,dc=com';
    $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=OTRS SEARCH,CN=Users,DC=mydomain,DC=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = '**THEPASSWORD**';
  
    $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };

    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
        'users',
    ];

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'firstdc.mydomain.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=mydomain,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=OTRS SEARCH,CN=Users,DC=mydomain,DC=com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '**THEPASSWORD**';
Well, look at that...
mrhaag

Re: Why are my customers able to authenticate as agents?

Post by mrhaag »

Thanks for spotting that. I have had that commented out for a while now. Removing it doesn't seem to have fixed the issue:

#$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
# 'users',
# 'stats',
# 'time_accounting',
# ];
crythias

Re: Why are my customers able to authenticate as agents?

Post by crythias »

no, you're using the exact same database for agents and customers.
gears

Re: Why are my customers able to authenticate as agents?

Post by gears »

I think mrhaag sort of diverted this in another direction and I've been busy with other things but I'm revisiting it now. I'm sure I'm missing something owing to my experience level. Agents & customer accounts are both coming from the same LDAP backend but I thought that it might be possible to restrict who authenticates on the agent portal based upon membership in the AD security group 'OTRS' via this:

    $Self->{'AuthModule::LDAP::GroupDN1'} = 'cn=OTRS,dc=mydomain,dc=com';
    $Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr1'} = 'DN';

This is what I saw in Defaults.pm for guidelines, which was a bit confusing given which attributes I was actually seeing populated in AD:

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group xyz to use otrs)
#    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
#    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
    # for ldap posixGroups objectclass (just uid)
#    $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
    # for non ldap posixGroups objectclass (with full user dn)
#    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
AD:

dsquery group -name otrs
"CN=OTRS,DC=mydomain,DC=com"

what I'm seeing is all users with valid AD accounts are treated equally by the auth mechanism probably owing to my (mis)configuration. Since we are successfully using SSO, the names of these users then populate in the admin >> agents listing as soon as a machine with their AD account logged in browses to /otrs/index.pl

Customers are not stumbling onto or guessing the agent url, but I've had a couple who ended up there by mistake when an email that was being sent between agents was forwarded to an employee who then clicked on a link with an agent ticket url. They have no permissions to view any of the tickets etc but the result is that I then have to go in and set their account to invalid in the admin >> agents panel so their name/account isn't showing up where it shouldn't be.

Thanks for any further pointers
gears

Re: Why are my customers able to authenticate as agents?

Post by gears »

I shuffled things around a bit and moved the OTRS group into the Users CN, so the group DN that I'm trying to use to restrict who can log into the agent page is now CN=OTRS,CN=Users,DC=mydomain,DC=com

per the documentation @ http://doc.otrs.org/3.0/en/html/auth-backends.html

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsallow,ou=posixGroups,dc=example,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
# for ldap posixGroups objectclass (just uid)
#  $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
# for non ldap posixGroups objectclass (with full user dn)
#  $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

I've tried different variations of what's being used in the GroupDN, AccessAttr, and UserAttr without much luck, both as memberUid/UID and member/DN. I know this must work for some people, but in my case no go, so I started pulling LDIF to see what's in the Microsoft AD here:


LDIF output for an example user who should not be able to authenticate on the agent side. Note that he is not listed as a member of any groups and is not in the OTRS group:

dn: CN=OTRS TEST03,CN=Users,DC=mydomain,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: OTRS TEST03
sn: TEST03
givenName: OTRS
distinguishedName: CN=OTRS TEST03,CN=Users,DC=mydomain,DC=com
instanceType: 4
whenCreated: 20120124174237.0Z
whenChanged: 20120124181257.0Z
displayName: OTRS TEST03
uSNCreated: 11721171
uSNChanged: 11721567
name: OTRS TEST03
objectGUID:: dsfgdsfdsfsdgsdfdsf
userAccountControl: 512
codePage: 0
countryCode: 0
pwdLastSet: 129719005576640638
primaryGroupID: 513
objectSid:: dsfsdfdsffdsasdsadsadasda
accountExpires: 9223372036854775807
sAMAccountName: otrs.test03
sAMAccountType: 805306368
userPrincipalName: otrs.test03@mydomain.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=com
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129719009146575776
mail: otrs.test03@mydomain.com



LDIF for the OTRS group whose purpose is to restrict who can access the agent pages:

dn: CN=OTRS,CN=Users,DC=mydomain,DC=com
changetype: add
objectClass: top
objectClass: group
cn: OTRS
member: CN=Someone Else,OU=Somewhere,DC=mydomain,DC=com
member: CN=Jane Doe,OU=Somewhere,DC=mydomain,DC=com
member: CN=John Doe,OU=There,OU=Remote,DC=mydomain,DC=com
distinguishedName: CN=OTRS,CN=Users,DC=mydomain,DC=com
instanceType: 4
whenCreated: 20110223172104.0Z
whenChanged: 20120124183643.0Z
uSNCreated: 6135203
uSNChanged: 11722180
name: OTRS
objectGUID:: h+BQwRkiOkO0IdFdiOi7MA==
objectSid:: AQUAAAAAAAUVAAAALcantB7sah9Xjz5Er0oAAA==
sAMAccountName: OTRS
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=com
dSCorePropagationData: 20120124183643.0Z
dSCorePropagationData: 20110818063545.0Z
dSCorePropagationData: 20110818063540.0Z
dSCorePropagationData: 20110805194123.0Z
dSCorePropagationData: 16010101181216.0Z



otrs.test03 is not a member of CN=OTRS,CN=Users,DC=mydomain,DC=com, yet this account is able to access the agent page and gets synced to the agent database. Same issue for all users.


LDIF (edited) for user who is a member of CN=OTRS,CN=Users,DC=mydomain,DC=com:

dn: CN=OTRS Agent,OU=Somewhere,DC=mydomain,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: OTRS Agent
sn: Agent
distinguishedName: CN=OTRS Agent,OU=Somewhere,DC=mydomain,DC=com
instanceType: 4
whenCreated: 20100614153905.0Z
whenChanged: 20120116224220.0Z
displayName: OTRS Agent
uSNCreated: 2993717
memberOf: CN=OTRS,CN=Users,DC=mydomain,DC=com
sAMAccountName: otrs.agent
sAMAccountType: 805306368



log after otrs.test03 browses to the /otrs/index.pl and is authenticated thereby viewing the agent page:

==> /opt/otrs/var/log/otrs.log <==
[Tue Jan 24 12:54:25 2012][Notice][Kernel::System::Auth::HTTPBasicAuth::Auth] User: otrs.test03 authentication ok (REMOTE_ADDR: 000.00.4.55).
[Tue Jan 24 12:54:25 2012][Notice][Kernel::System::User::UserUpdate] User: 'otrs.test03' updated successfully (1)!
[Tue Jan 24 12:54:25 2012][Notice][Kernel::System::User::SetPassword] User: 'otrs.test03' changed password successfully!


I tried clearing browser cookies after making config changes just to be sure, but the user is still able to get to the agent page.
Based on the LDIFs, what would be the expected config to achieve the agent login restriction behavior described in the documentation?
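The otrs.log lines above show Kernel::System::Auth::HTTPBasicAuth::Auth accepting otrs.test03. OTRS tries AuthModule, AuthModule1, ... in that order and stops at the first backend that returns a login, and the HTTPBasicAuth backend accepts any REMOTE_USER that Apache's "Require valid-user" let through, so the GroupDN check on the LDAP backend configured as AuthModule1 is never reached for an SSO login. The Python below is an added model of that chain, not OTRS code; its directory is constructed from the LDIF posted above, and the LDAP backend refusing a login that carries no password is stated as an assumption about the real module.

```python
"""Added model of the OTRS agent-auth chain for this thread; not OTRS code.
Backends run in the order AuthModule, AuthModule1, ... and the first one that
returns a login wins. The LDAP server is an in-memory directory constructed
from the LDIF entries posted above."""
import re

# Constructed directory: a subset of the thread's LDIF (DNs compared case-insensitively).
DIRECTORY = {
    "CN=OTRS TEST03,CN=Users,DC=mydomain,DC=com": {
        "sAMAccountName": ["otrs.test03"],
    },
    "CN=OTRS Agent,OU=Somewhere,DC=mydomain,DC=com": {
        "sAMAccountName": ["otrs.agent"],
    },
    "CN=OTRS,CN=Users,DC=mydomain,DC=com": {
        "member": [
            "CN=OTRS Agent,OU=Somewhere,DC=mydomain,DC=com",
            "CN=Jane Doe,OU=Somewhere,DC=mydomain,DC=com",
        ],
    },
}

def _entry(dn):
    """Case-insensitive DN lookup, as an LDAP server resolves it."""
    return next((a for key, a in DIRECTORY.items() if key.lower() == dn.lower()), None)

def http_basic_auth(request, cfg):
    """Kernel::System::Auth::HTTPBasicAuth: trust REMOTE_USER as set by Apache,
    strip ReplaceRegExp and report success. No directory or group check happens."""
    user = request.get("REMOTE_USER")
    if not user:
        return None
    return re.sub(cfg["ReplaceRegExp"], "", user)

def ldap_auth(request, cfg):
    """Kernel::System::Auth::LDAP: find the user under BaseDN, bind with the
    password, then (if GroupDN is set) require the group's AccessAttr to hold
    the user's UserAttr value (full DN or plain UID)."""
    login, password = request.get("User"), request.get("Pw")
    if not login or not password:
        return None  # assumption: the real module cannot bind without a password
    user_dn = next((dn for dn, a in DIRECTORY.items()
                    if login in a.get(cfg["UID"], [])
                    and dn.lower().endswith(cfg["BaseDN"].lower())), None)
    if user_dn is None:
        return None
    # A real backend binds as user_dn with the password here; the bind is assumed to succeed.
    if cfg.get("GroupDN"):
        group = _entry(cfg["GroupDN"]) or {}
        wanted = user_dn if cfg["UserAttr"] == "DN" else login
        members = [m.lower() for m in group.get(cfg["AccessAttr"], [])]
        if wanted.lower() not in members:
            return None  # not in the allow group: denied
    return login

def authenticate(request, chain):
    """Return (backend name, login) from the first backend that succeeds, else (None, None)."""
    for name, backend, cfg in chain:
        login = backend(request, cfg)
        if login:
            return name, login
    return None, None

LDAP_CFG = {"BaseDN": "dc=mydomain,dc=com", "UID": "sAMAccountName",
            "GroupDN": "cn=OTRS,cn=Users,dc=mydomain,dc=com",
            "AccessAttr": "member", "UserAttr": "DN"}
# Order as in the posted Config.pm: HTTPBasicAuth is AuthModule, LDAP is AuthModule1.
CHAIN_AS_POSTED = [("HTTPBasicAuth", http_basic_auth, {"ReplaceRegExp": "@MYDOMAIN.COM"}),
                   ("LDAP", ldap_auth, LDAP_CFG)]
CHAIN_LDAP_ONLY = [("LDAP", ldap_auth, LDAP_CFG)]

def sso_request(principal):
    """An agent login behind mod_auth_kerb: REMOTE_USER is set, no password is sent."""
    return {"REMOTE_USER": principal}

def form_request(login, password):
    """A login-form post without SSO."""
    return {"User": login, "Pw": password}
```

With the posted order, an SSO request for otrs.test03 is answered by HTTPBasicAuth before the LDAP group test is ever consulted; with the LDAP backend alone, the same SSO request is denied (no password to bind with) and only a form login by a group member succeeds.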
gears

Re: Why are my customers able to authenticate as agents?

Post by gears »

I decided to approach this from another angle rather than bang my head over the Config.pm GroupDN AccessAttr UserAttr further. What I ended up doing is probably not the right way to go about this but here's what I came up with by leveraging mod_auth_kerb + apache directly:

in /etc/apache2/conf.d/otrs.conf

LogLevel debug
<Directory "/opt/otrs/bin/cgi-bin/">
   AllowOverride None
   AuthType Kerberos
   AuthName "IT Portal 2012"
   Krb5Keytab /etc/krb5.keytab
   KrbAuthRealms MYDOMAIN.COM
   KrbMethodNegotiate on
   KrbSaveCredentials  off
   Require valid-user
   Options +ExecCGI -Includes
   Order allow,deny
   Allow from all
   # Only the listed principals may reach the agent front end (index.pl);
   # the rest of the directory, including customer.pl, keeps "Require valid-user".
   <Files "index.pl">
      Require user user.name1@MYDOMAIN.COM user.name2@MYDOMAIN.COM user.name3@MYDOMAIN.COM
   </Files>

</Directory>



if a user not in this list tries to browse an agent page, here's what we get as expected:
==> /var/log/apache2/error.log <==
[Wed Jan 25 10:18:23 2012] [error] [client 172.20.4.89] access to /otrs/index.pl failed, reason: user 'otrs.test02@MYDOMAIN.COM' does not meet 'require'ments for user/valid-user to be allowed access
And they are still able to access the customer side so the result is only domain users listed in this file are able to access the agent page :D
This could be extended further by using mod_authnz_ldap to restrict by groups etc. if needed. I may revisit the OTRS Config.pm restriction method again down the road if I'm feeling brave, but this seems to work for our purposes until I discover otherwise.