AD/LDAP authentication - groups in group
Moderator: crythias
AD/LDAP authentication - groups in group
I have LDAP authentication working for the Agents via MS AD.
I created a group OTRS_Agents and for users directly added to the group, it is no problem.
I couldn't figure out how to get a group in group member to authenticate though. i.e.
users -> IT (group) -> OTRS_Agents (group)
users -> HR (group) -> OTRS_Agents (group)
Any ideas or is this not possible?
Cheers
Re: AD/LDAP authentication - groups in group
Let me rephrase the question.
Instead of using
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=Services,ou=Maintenance,dc=blah,dc=blah';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
I want to check if a cn 'memberOf' attribute = 'cn=OTRS_Agents,ou=Services,ou=Maintenance,dc=blah,dc=blah';
In other words, if an agent is a member of IT (group) and IT is a member of OTRS_Agents, the agent can't login as he is not found in the group.
If I can test the Agent to see if he is a memberOf OTRS_Agents, then he will be able to login.
-
- Moderator
- Posts: 10169
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: AD/LDAP authentication - groups in group
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
http://www.petri.co.il/ldap_search_samp ... change.htm
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Re: AD/LDAP authentication - groups in group
Thanks crythias, that has some interesting info in that article but doesn't quite deal with my issue.
My agents are members of certain department groups. These department groups are added to the OTRS_Agents group.
If using the default authentication based on group membership, it doesn't work because the agents are not direct members to the group i.e. if the individual is added to the OTRS group, it works.
So in this case, it is not enough to filter on the group, the agent needs to authenticate.
-
- Moderator
- Posts: 10169
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: AD/LDAP authentication - groups in group
I'm trying to understand.
Let's see if I make sense of this.
Group A(OTRS_Agents) holds Group B(departments), and agents are members of Group B, but not Group A
OK, so what can work is to possibly go down to user level (everyone authenticates/GroupDN) but only if they're members of the Groups B(departments) (AlwaysFilter) that you want.
(|(department=Sales)(department=operations)(department=technology))
Re: AD/LDAP authentication - groups in group
I don't think that is the solution, i.e. the IT Group would be a member of the Agents group, but only selected members of other departments would be members of the Agents group.
It seems to me, that it would be better to test the "membersOf" attribute of the user. If the user is a member of IT which is a member of Agents, the agents group will show in the memberOf attribute.
-
- Moderator
- Posts: 10169
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: AD/LDAP authentication - groups in group
Certainly. Change the word department for memberof and the value to the dn for each test.
Re: AD/LDAP authentication - groups in group
Sorry, I don't get your meaning. I tried to change as follows:
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=Services,ou=Maintenance,dc=blah,dc=blah';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
to
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=Services,ou=Maintenance,dc=blah,dc=blah';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberOf';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
But this doesn't work.
-
- Moderator
- Posts: 10169
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: AD/LDAP authentication - groups in group
You should authenticate all users, but Filter on the DNs you want.
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=Services,ou=Maintenance,dc=blah,dc=blah'; #might change this to be "'all users' GroupDN"
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(|(department=Sales)(department=operations)(department=technology))';
or
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(|(memberOf=CN=OTRS_Agents,OU=Services,OU=Maintenance,DC=blah,DC=blah)(memberOf=CN=other_group,OU=[...stuff deleted...])(department=technology))';
the | at the beginning means "or"
I'm not an expert at LDAP, but it seems that if you're not achieving your inheritance (users of groups of groups), it is by design, or an LDAP feature not implemented. It appears (from cursory browsing the Internet) that direct group membership is a requirement for other applications, and in some cases, it's considered a security issue as random people may be included in the sub group that were NOT intended to be in the OTRS agent group.
Re: AD/LDAP authentication - groups in group
I am not sure I agree with that. "Nested groups" was the word I was looking for and I don't see how that would be less secure, i.e. there is less room for error by only dealing with sub groups of individuals.
From my browsing it seems to be an application decision whether or not to implement nested groups.
So in the example below only direct members of the OTRS_Agents group can authenticate to the backend, but not members of another group that is a member of OTRS_Agents.
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=Services,ou=Maintenance,dc=blah,dc=blah'; #might change this to be "'all users' GroupDN"
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
-
- Moderator
- Posts: 10169
- Joined: 04 May 2010, 18:38
- Znuny Version: 5.0.x
- Location: SouthWest Florida, USA
- Contact:
Re: AD/LDAP authentication - groups in group
Yes.
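As an added illustration (not code from this thread, from OTRS or from ConnectAD), the constructed Python model below shows why the flat (memberOf=...) AlwaysFilter discussed above only matches direct members: in Active Directory, memberOf lists direct group membership only, and nested membership is resolved server-side with the AD-specific LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), which generic LDAP servers do not implement. The directory entries, the user DNs and the IT/HR group DNs are constructed sample data; only the OTRS_Agents DN comes from the thread.

```python
"""Nested AD group membership: flat memberOf filter vs. transitive check."""

OTRS_AGENTS = "CN=OTRS_Agents,OU=Services,OU=Maintenance,DC=blah,DC=blah"
IT_GROUP = "CN=IT,OU=Groups,DC=blah,DC=blah"   # constructed group DN
HR_GROUP = "CN=HR,OU=Groups,DC=blah,DC=blah"   # constructed group DN
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD transitive matching rule

# Constructed sample directory: each DN maps to the DNs it is a DIRECT member of,
# i.e. what AD returns in that object's memberOf attribute.
DIRECTORY = {
    "CN=alice,OU=Users,DC=blah,DC=blah": {IT_GROUP},    # agent only via nested IT group
    "CN=bob,OU=Users,DC=blah,DC=blah": {OTRS_AGENTS},   # direct member of OTRS_Agents
    "CN=carol,OU=Users,DC=blah,DC=blah": {HR_GROUP},    # HR is not inside OTRS_Agents
    IT_GROUP: {OTRS_AGENTS},                             # IT is nested in OTRS_Agents
    HR_GROUP: set(),
}
USERS = [dn for dn in DIRECTORY if ",OU=Users," in dn]

def _norm(dn):
    return dn.lower()  # AD DN comparison is case-insensitive

def direct_member_of(user_dn, group_dn, directory=DIRECTORY):
    """What a plain (memberOf=<group>) filter term matches: direct membership only."""
    return _norm(group_dn) in {_norm(g) for g in directory.get(user_dn, set())}

def transitive_member_of(user_dn, group_dn, directory=DIRECTORY):
    """Client-side equivalent of the in-chain rule: follow memberOf links upward.
    A visited set makes circular group nesting terminate instead of looping."""
    target, stack, seen = _norm(group_dn), list(directory.get(user_dn, set())), set()
    while stack:
        group = stack.pop()
        if _norm(group) == target:
            return True
        if _norm(group) not in seen:
            seen.add(_norm(group))
            stack.extend(directory.get(group, set()))
    return False

def ldap_escape(value):
    """RFC 4515 escaping so a DN embedded in a filter cannot alter the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def always_filter(group_dns, nested=False):
    """Build an AlwaysFilter: flat memberOf terms, or AD's transitive form."""
    attr = f"memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:" if nested else "memberOf"
    terms = "".join(f"({attr}={ldap_escape(dn)})" for dn in group_dns)
    return terms if len(group_dns) == 1 else f"(|{terms})"

def allowed_agents(nested=False, directory=DIRECTORY, users=USERS):
    """Users the filter would admit: direct members only, or nested members too."""
    check = transitive_member_of if nested else direct_member_of
    return sorted(dn for dn in users if check(dn, OTRS_AGENTS, directory))

if __name__ == "__main__":
    print(always_filter([OTRS_AGENTS]), allowed_agents())               # bob only
    print(always_filter([OTRS_AGENTS], nested=True), allowed_agents(nested=True))
```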
-
- Administrator
- Posts: 3966
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: AD/LDAP authentication - groups in group
I released a module which supports nested groups for AD, based on the LDAP module. It can also be used with NTLM/Kerberos Single Sign On.
Details can be found on https://github.com/rkaldung/ConnectAD
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO
Use a test system - always.
Do you need professional services? Check out https://www.znuny.com/
Do you want to contribute or want to know where it goes ?
Re: AD/LDAP authentication - groups in group
Hi,
installed ConnectAD via repository and it works fine for LDAP (AD 2008 R2) agent and user NTLM (HTTPBasicAuth) authentication. Sync also works fine.
Thank ya root for that.
But I also recognized some security problems: AuthModule::ConnectAD::GroupDN does not seem to be honored. Authenticated to apache2 via basic auth, it was possible to login with any user which exists in the AD. Even more, the password for that user does not have to be correct and the user was created as a new agent in the DB.
Please check and verify.
ontae
-
- Administrator
- Posts: 3966
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: AD/LDAP authentication - groups in group
I updated the module and the repository. There was an error in front of the keyboard when I combined the Login (LDAP based) and SSO (HTTPBasicAuth) modules.
Should work as expected now and it would be great if you can check it out.
-
- Znuny newbie
- Posts: 5
- Joined: 13 Jul 2011, 01:05
- Znuny Version: 3.0.5
- Real Name: Yasser Nagy
- Company: Psion
Re: AD/LDAP authentication - groups in group
In my case I need only OTRS-Agent members to login to OTRS as agent and I need every member of the AD domain to be able to access the customer portal.
I tried the nested group and it didn't work. I tried ConnectAD but with no luck.
I even removed the following lines to force OTRS to let all users login to the customer portal:
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Customer,ou=OTRS,ou....';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
Still with no luck.
I am wondering how you got ConnectAD to work. Can you share with me your experience, especially on the customer authentication.
Please advise in how to …
3.1.4 on Ubuntu 12.04 with MySQL database connected to an Active Directory for Agents and Customers.
-
- Znuny newbie
- Posts: 5
- Joined: 13 Jul 2011, 01:05
- Znuny Version: 3.0.5
- Real Name: Yasser Nagy
- Company: Psion
Re: AD/LDAP authentication - groups in group
I think I figured it out by changing it to the following
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = '';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = '';
it's working
-
- Administrator
- Posts: 3966
- Joined: 18 Dec 2007, 12:23
- Znuny Version: Znuny and Znuny LTS
- Real Name: Roy Kaldung
- Company: Znuny
- Contact:
Re: AD/LDAP authentication - groups in group
There was a bug with nested group handling on CustomerAuth. It should be solved in the current release 0.2.11. You can grab a copy from opmzone.org
ynagy wrote:
In my case I need only OTRS-Agent members to login to OTRS as agent and I need every member of the AD domain to be able to access the customer portal.
I tried the nested group and it didn't work. I tried ConnectAD but with no luck.
I even removed the following lines to force OTRS to let all users login to the customer portal:
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Customer,ou=OTRS,ou....';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
Still with no luck.
I am wondering how you got ConnectAD to work. Can you share with me your experience, especially on the customer authentication.
Please advise in how to …