AD/LDAP authentication - groups in group

Moderator: crythias

gwaitsi
Znuny newbie
Posts: 17
Joined: 09 Feb 2011, 15:46
Znuny Version: 3.05

AD/LDAP authentication - groups in group

Post by gwaitsi »

I have LDAP authentication working for the Agents via MS AD.
I created a group OTRS_Agents and for users directly added to the group, it is no problem.

I couldn't figure out how to get a group-in-group member to authenticate though, i.e.
users -> IT (group) -> OTRS_Agents (group)
users -> HR (group) -> OTRS_Agents (group)

Any ideas or is this not possible?

Cheers

Re: AD/LDAP authentication - groups in group

Post by gwaitsi »

Let me rephrase the question.

Instead of using
# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=Services,ou=Maintenance,dc=blah,dc=blah';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

I want to check if a cn 'memberOf' attribute = 'cn=OTRS_Agents,ou=Services,ou=Maintenance,dc=blah,dc=blah';

In other words, if an agent is a member of IT (group) and IT is a member of OTRS_Agents, the agent can't log in as he is not found in the group.
If I can test the agent to see if he is a memberOf OTRS_Agents, then he will be able to log in.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: AD/LDAP authentication - groups in group

Post by crythias »

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';

http://www.petri.co.il/ldap_search_samp ... change.htm
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: AD/LDAP authentication - groups in group

Post by gwaitsi »

Thanks crythias, that article has some interesting info but doesn't quite deal with my issue.

My agents are members of certain department groups. These department groups are added to the OTRS_Agents group.
If using the default authentication based on group membership, it doesn't work because the agents are not direct members of the group, i.e. if the individual is added to the OTRS group, it works.

So in this case, it is not enough to filter on the group; the agent needs to authenticate.

Re: AD/LDAP authentication - groups in group

Post by crythias »

I'm trying to understand.
Let's see if I make sense of this.

Group A(OTRS_Agents) holds Group B(departments), and agents are members of Group B, but not Group A

OK, so what can work is to possibly go down to user level (everyone authenticates/GroupDN) but only if they're members of the Groups B(departments) (AlwaysFilter) that you want.
(|(department=Sales)(department=operations)(department=technology))

Re: AD/LDAP authentication - groups in group

Post by gwaitsi »

I don't think that is the solution, i.e. the IT group would be a member of the Agents group, but only selected members of other departments would be members of the Agents group.

It seems to me that it would be better to test the "memberOf" attribute of the user. If the user is a member of IT which is a member of Agents, the Agents group will show in the memberOf attribute.

Re: AD/LDAP authentication - groups in group

Post by crythias »

Certainly. Change the word department for memberof and the value to the dn for each test.

Re: AD/LDAP authentication - groups in group

Post by gwaitsi »

Sorry, I don't get your meaning. I tried to change as follows:

$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=Services,ou=Maintenance,dc=blah,dc=blah';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

to

$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=Services,ou=Maintenance,dc=blah,dc=blah';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberOf';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

But this doesn't work.

Re: AD/LDAP authentication - groups in group

Post by crythias »

You should authenticate all users, but Filter on the DNs you want.


# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=Services,ou=Maintenance,dc=blah,dc=blah'; #might change this to be "'all users' GroupDN"
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';


# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(|(department=Sales)(department=operations)(department=technology))';

or

$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(|(memberOf=CN=OTRS_Agents,OU=Services,OU=Maintenance,DC=blah,DC=blah)(memberOf=CN=other_group,OU=[...stuff deleted...])(department=technology))';

the | at the beginning means "or"

I'm not an expert at LDAP, but it seems that if you're not achieving your inheritance (users of groups of groups), it is by design, or an LDAP feature not implemented. It appears (from cursory browsing the Internet) that direct group membership is a requirement for other applications, and in some cases, it's considered a security issue as random people may be included in the sub group that were NOT intended to be in the OTRS agent group.
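To make the difference between the approaches in this thread concrete, here is an added example that is not code from the thread, from OTRS/Znuny or from ConnectAD. It models, over a small constructed in-memory directory (all DNs, users, groups and attribute values are invented), the three checks discussed: the GroupDN/AccessAttr gate (direct members of the group only), an AlwaysFilter on memberOf, and a transitive walk over the group's member attribute, which is what "groups in group" actually requires. One caveat a defender should know: in Active Directory a user's memberOf attribute lists only the groups the user is a direct member of, so an AlwaysFilter such as (memberOf=CN=OTRS_Agents,...) still admits only direct members; nested membership needs either a recursive walk like the one below (which is the work a nested-groups module has to do) or AD's LDAP_MATCHING_RULE_IN_CHAIN extended match (memberOf:1.2.840.113556.1.4.1941:=...), which the tiny filter evaluator here does not implement. The example also shows the effect of the empty GroupDN setting used for customer login later in the thread: with no group DN the group gate admits every user the filter returns, so the filter is then the only thing limiting who can log in.

```python
"""Constructed example of direct, filtered and nested group checks for LDAP login.

Not code from OTRS/Znuny or ConnectAD; it models the checks in memory so the
difference between direct and nested membership is visible without a domain.
All DNs, users, groups and attribute values below are constructed.
"""
from __future__ import annotations

AGENTS = "cn=OTRS_Agents,ou=Services,ou=Maintenance,dc=blah,dc=blah"
IT = "cn=IT,ou=Groups,dc=blah,dc=blah"
ALICE = "cn=alice,ou=Users,dc=blah,dc=blah"  # agent only via IT -> OTRS_Agents (nested)
BOB = "cn=bob,ou=Users,dc=blah,dc=blah"      # direct member of OTRS_Agents
CAROL = "cn=carol,ou=Users,dc=blah,dc=blah"  # not an agent at all

# Constructed directory: DN -> attributes, every attribute multi-valued.
# As in Active Directory, a user's memberOf lists only DIRECT memberships.
DIRECTORY = {
    ALICE: {"objectClass": ["user"], "department": ["technology"], "memberOf": [IT]},
    BOB: {"objectClass": ["user"], "department": ["Sales"], "memberOf": [AGENTS]},
    CAROL: {"objectClass": ["user"], "department": ["HR"], "memberOf": []},
    IT: {"objectClass": ["group"], "member": [ALICE], "memberOf": [AGENTS]},
    AGENTS: {"objectClass": ["group"], "member": [BOB, IT], "memberOf": []},
}


def _attr(entry: dict, name: str) -> list:
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def _parse(s: str, i: int):
    """Recursive-descent parse of one RFC 4515 filter component starting at s[i].
    Supports (attr=value), the presence form (attr=*), and the |, & and ! combinators."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = s[i + 1]
    if op in "|&!":
        children, i = [], i + 2
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed filter")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, sep, value = s[i + 1:end].partition("=")
    if not sep:
        raise ValueError(f"unsupported component {s[i:end + 1]!r}")
    return ("=", attr, value), end + 1


def _eval(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        vals = _attr(entry, attr)
        if value == "*":
            return bool(vals)  # presence filter, e.g. (mail=*)
        return any(v.lower() == value.lower() for v in vals)  # DNs match case-insensitively
    if kind == "|":
        return any(_eval(c, entry) for c in node[1])
    if kind == "&":
        return all(_eval(c, entry) for c in node[1])
    return not _eval(node[1][0], entry)  # "!"


def matches(entry: dict, ldap_filter: str) -> bool:
    """True if entry satisfies the filter (what AlwaysFilter appends to every query)."""
    flt = ldap_filter.strip()
    node, end = _parse(flt, 0)
    if end != len(flt):
        raise ValueError("trailing characters after filter")
    return _eval(node, entry)


def is_member(user_dn: str, group_dn: str, nested: bool = False, _seen: set | None = None) -> bool:
    """Direct membership via the group's member attribute (the GroupDN/AccessAttr check).
    With nested=True, follow member -> group -> member transitively; _seen breaks cycles."""
    seen = set() if _seen is None else _seen
    if group_dn.lower() in seen:
        return False
    seen.add(group_dn.lower())
    members = _attr(DIRECTORY.get(group_dn, {}), "member")
    if any(m.lower() == user_dn.lower() for m in members):
        return True
    if not nested:
        return False
    return any("group" in _attr(DIRECTORY.get(m, {}), "objectClass")
               and is_member(user_dn, m, True, seen) for m in members)


def agent_allowed(user_dn: str, group_dn: str = "", always_filter: str = "", nested: bool = False) -> bool:
    """The two gates: AlwaysFilter narrows who is looked up at all, then GroupDN (if
    non-empty) requires membership. An empty GroupDN lets every matched user through."""
    entry = DIRECTORY.get(user_dn)
    if entry is None or "user" not in _attr(entry, "objectClass"):
        return False
    if always_filter and not matches(entry, always_filter):
        return False
    return not group_dn or is_member(user_dn, group_dn, nested=nested)


if __name__ == "__main__":
    for dn in (ALICE, BOB, CAROL):
        print(dn.split(",")[0], "direct:", agent_allowed(dn, AGENTS),
              "memberOf filter:", agent_allowed(dn, always_filter=f"(memberOf={AGENTS})"),
              "nested:", agent_allowed(dn, AGENTS, nested=True))
```

Running it shows bob passing all three checks, carol failing all three, and alice (agent only through IT) failing both the direct check and the memberOf filter but passing the nested walk. Note that the nested walk is also the widest gate: every member of every group reachable from OTRS_Agents can log in, which is exactly the concern raised about nested groups, so the group tree should be reviewed before enabling it.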

Re: AD/LDAP authentication - groups in group

Post by gwaitsi »

I am not sure I agree with that. "Nested groups" was the word I was looking for and I don't see how that would be less secure, i.e. there is less room for error by only dealing with sub groups of individuals.
From my browsing it seems to be an application decision whether or not to implement nested groups.

So in the example below only direct members of the OTRS_Agents group can authenticate to the backend, but not members of another group that is a member of OTRS_Agents.

$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=OTRS_Agents,ou=Services,ou=Maintenance,dc=blah,dc=blah'; #might change this to be "'all users' GroupDN"
$Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

Re: AD/LDAP authentication - groups in group

Post by crythias »

Yes.
root
Administrator
Posts: 3966
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: AD/LDAP authentication - groups in group

Post by root »

I released a module which supports nested groups for AD, based on the LDAP module. It can also be used with NTLM/Kerberos Single Sign On.
Details can be found on https://github.com/rkaldung/ConnectAD
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
ontae
Znuny newbie
Posts: 4
Joined: 17 Feb 2012, 18:22
Znuny Version: 5.0.7

Re: AD/LDAP authentication - groups in group

Post by ontae »

Hi,

Installed ConnectAD via repository and it works fine for LDAP (AD 2008 R2) agent and user NTLM (HTTPBasicAuth) authentication. Sync also works fine.

Thank ya root for that.

But I also recognized some security problems: AuthModule::ConnectAD::GroupDN does not seem to be honored. Authenticated to apache2 via basic auth, it was possible to log in with any user which exists in the AD. Even more, the password for that user did not have to be correct and the user was created as a new agent in the DB.

Please check and verify.

ontae

Re: AD/LDAP authentication - groups in group

Post by root »

I updated the module and the repository. There was an error in front of the keyboard when I combined the Login (LDAP based) and SSO (HTTPBasicAuth) modules.
It should work as expected now and it would be great if you can check it out.
ynagy
Znuny newbie
Posts: 5
Joined: 13 Jul 2011, 01:05
Znuny Version: 3.0.5
Real Name: Yasser Nagy
Company: Psion

Re: AD/LDAP authentication - groups in group

Post by ynagy »

In my case I need only OTRS-Agent members to log in to OTRS as agents and I need every member of the AD domain to be able to access the customer portal.
I tried the nested group and it didn't work. I tried ConnectAD but with no luck.

I even removed the following lines to force OTRS to get all users to log in to the customer portal:
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Customer,ou=OTRS,ou....';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
Still with no luck.

I am wondering how you got ConnectAD to work. Can you share your experience with me, especially on the customer authentication?

Please advise in how to …
3.1.4 on Ubuntu 12.04 with MySQL database connected to an Active Directory for Agents and Customers.

Re: AD/LDAP authentication - groups in group

Post by ynagy »

I think I figured it out by changing it to the following

$Self->{'Customer::AuthModule::LDAP::GroupDN'} = '';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = '';

it's working :)

Re: AD/LDAP authentication - groups in group

Post by root »

ynagy wrote: In my case I need only OTRS-Agent members to log in to OTRS as agents and I need every member of the AD domain to be able to access the customer portal.
I tried the nested group and it didn't work. I tried ConnectAD but with no luck.

I even removed the following lines to force OTRS to get all users to log in to the customer portal:
$Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=OTRS-Customer,ou=OTRS,ou....';
$Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'DN';
Still with no luck.

I am wondering how you got ConnectAD to work. Can you share your experience with me, especially on the customer authentication?

Please advise in how to …
There was a bug with nested group handling on CustomerAuth. It should be solved in the current release 0.2.11. You can grab a copy from opmzone.org