HTTP otrs helper+agents+AD group filtering

Moderator: crythias

therb1
Znuny newbie
Posts: 5
Joined: 30 Aug 2015, 23:08
Znuny Version: version 4.11
Real Name: Maxim

HTTP otrs helper+agents+AD group filtering

Post by therb1 »

Hello, tell me how I can configure it so that agents are authorized through SSO and, at the same time, only people who are in a certain Active Directory group are permitted.
Sorry for my bad English level.
Now I have the default Config.pm.

Code:

$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{LoginURL} = 'http://otrs-sso.company.ru/otrs/index.pl'';
$Self->{LogoutURL} = 'http://otrs-sso.company.ru/otrs/index.pl'';
At this point, all users can log in as agents.
I would like to limit them to a group, if there is such a possibility?


Thanks in advance for your reply.
artjoms15
Znuny advanced
Posts: 121
Joined: 30 Aug 2011, 10:48
Znuny Version: 3.3.8 && 4.0.9
Real Name: Artjoms Petrovs
Location: Latvia

Re: HTTP otrs helper+agents+AD group filtering

Post by artjoms15 »

Hello, Maxim!

Take a look at AD Groups setting:

Code:

$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrs_ldap_allow_A,OU=Groups,OU=BaseOU,DC=example,DC=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
These lines will limit login to users who are members of the group OTRS in AD.

:)
A.
Ar cieņu / Kind regards,
----------------------------------------
Artjoms Petrovs
Sistēmu analītiķis/Programmētājs /
Systems Analyst/Programmer
therb1
Znuny newbie
Posts: 5
Joined: 30 Aug 2015, 23:08
Znuny Version: version 4.11
Real Name: Maxim

Re: HTTP otrs helper+agents+AD group filtering

Post by therb1 »

If I add this code to Config.pm like this:

Code:

$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{LoginURL} = 'http://otrs-sso.company.ru/otrs/index.pl'';
$Self->{LogoutURL} = 'http://otrs-sso.company.ru/otrs/index.pl'';
 $Self->{'AuthModule::LDAP::GroupDN'} =''CN=my group,OU=Groups,OU=myOU,DC=company,DC=com';
  $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
  $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
Apache doesn't start.

In the log I have this error:

Code:

[Mon Aug 31 11:13:10.358864 2015] [mpm_prefork:notice] [pid 1237] AH00169: caught SIGTERM, shutting down
[Mon Aug 31 11:13:11 2015] Config.pm: String found where operator expected at /opt/otrs/Kernel/Config.pm line 91, near "$Self->{LogoutURL} = '"
[Mon Aug 31 11:13:11 2015] Config.pm:   (Might be a runaway multi-line '' string starting on line 90)
[Mon Aug 31 11:13:11 2015] Config.pm:   (Missing semicolon on previous line?)
[Mon Aug 31 11:13:11 2015] Config.pm: Bareword found where operator expected at /opt/otrs/Kernel/Config.pm line 91, near "$Self->{LogoutURL} = 'http"
[Mon Aug 31 11:13:11 2015] Config.pm:   (Missing operator before http?)
[Mon Aug 31 11:13:11.513200 2015] [perl:error] [pid 8583] Bad name after pl' at /opt/otrs/Kernel/Config.pm line 91.\nCompilation failed in require at /opt/otrs/scripts/apache2-perl-startup.pl line 69.\nBEGIN failed--compilation aborted at /opt/otrs/scripts/apache2-perl-startup.pl line 69.\nCompilation failed in require at (eval 2) line 1.\n
[Mon Aug 31 11:13:11.513249 2015] [perl:error] [pid 8583] Can't load Perl file: /opt/otrs/scripts/apache2-perl-startup.pl for server 127.0.1.1:0, exiting...
artjoms15
Znuny advanced
Posts: 121
Joined: 30 Aug 2011, 10:48
Znuny Version: 3.3.8 && 4.0.9
Real Name: Artjoms Petrovs
Location: Latvia

Re: HTTP otrs helper+agents+AD group filtering

Post by artjoms15 »

I believe this is the full config. You should set up the Auth module to LDAP as well:

Code:

# Enable LDAP authentication for Customers / Users
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'otrs.xxx.lv';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=xxxOU,dc=xxx,dc=lv';
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# The following is valid but would only be necessary if the
# anonymous user does NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'xxx';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxx';

# UserSyncLDAPMap
# (map if agent should be created/synced from LDAP to DB after login)
$Self->{UserSyncLDAPMap} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# UserSyncLDAPGroups
# (If "LDAP" was selected for AuthModule, you can specify
# initial user groups for first login.)
$Self->{UserSyncLDAPGroups} = [
    'users',
];

# UserTable
$Self->{DatabaseUserTable} = 'users';
$Self->{DatabaseUserTableUserID} = 'id';
$Self->{DatabaseUserTableUserPW} = 'pw';
$Self->{DatabaseUserTableUser} = 'login';

# Add the following lines when users are only allowed to log in if they reside in the specified security group
# Remove these lines if you want to provide login to all users specified in the User Base DN
$Self->{'AuthModule::LDAP::GroupDN'} = 'CN=otrs_ldap_allow_A,OU=Groups,OU=BaseOU,DC=xxx,DC=lv';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';
therb1
Znuny newbie
Posts: 5
Joined: 30 Aug 2015, 23:08
Znuny Version: version 4.11
Real Name: Maxim

Re: HTTP otrs helper+agents+AD group filtering

Post by therb1 »

LDAP is already working; I want SSO authentication for agents, limited to a group. My customers already have SSO. But I cannot use it for my agents, because I want to limit which users can log in as agents.
otrs.conf:

Code:

#KERB AUTH

<Location /otrs>
ErrorDocument 403 /otrs/index.pl
SetHandler  perl-script
PerlResponseHandler ModPerl::Registry
Options +ExecCGI
PerlOptions +ParseHeaders
PerlOptions +SetupEnv
AuthType Kerberos
AuthName "Kerberos Authentication"
KrbAuthRealms COMPANY.COM
Krb5Keytab /etc/httpd.keytab
KrbMethodNegotiate On
KrbSaveCredentials Off
KrbVerifyKDC Off
Require valid-user
</Location>

    # mod_perl2 options for GenericInterface
    <Location /otrs/nph-genericinterface.pl>
        PerlOptions -ParseHeaders
    </Location>

</IfModule>

#KERB AUTH 2
<Directory "/opt/otrs/bin/cgi-bin/">
AllowOverride All
Options +ExecCGI -Includes
AuthType Kerberos
AuthName "Kerberos Authentication"
KrbAuthRealms COMPANY.COM
Krb5Keytab /etc/httpd.keytab
KrbMethodNegotiate On
KrbSaveCredentials Off
KrbVerifyKDC Off
Require valid-user
</Directory>
root
Administrator
Posts: 3975
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny

Re: HTTP otrs helper+agents+AD group filtering

Post by root »

therb1 wrote: if i add this code to config.pm like this

Code:

$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
 $Self->{'AuthModule::LDAP::GroupDN'} =''CN=my group,OU=Groups,OU=myOU,DC=company,DC=com';
apache doesn't start
Check the quote after GroupDN'} = and you'll find your problem.
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
therb1
Znuny newbie
Posts: 5
Joined: 30 Aug 2015, 23:08
Znuny Version: version 4.11
Real Name: Maxim

Re: HTTP otrs helper+agents+AD group filtering

Post by therb1 »

That is clearly not the problem, because I do not change that line for SSO. This line works fine when there is LDAP auth:

Code:

$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrs_ldap_a,cn=Users,dc=companyname,dc=com';
therb1
Znuny newbie
Posts: 5
Joined: 30 Aug 2015, 23:08
Znuny Version: version 4.11
Real Name: Maxim

Re: HTTP otrs helper+agents+AD group filtering

Post by therb1 »

This is my working config for LDAP auth. I changed private names in this config.

Code:

$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';

# IP address / host name of the LDAP directory #
$Self->{'AuthModule::LDAP::Host'} = 'servername.company.com';

# Also self-explanatory, I think: specify the LDAP root #
$Self->{'AuthModule::LDAP::BaseDN'} = 'dc=company,dc=com';

# Specify which field to use as the UID #
$Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

# Specify where to search. #
# Here you can specify your own path for Agents if they are located elsewhere #
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=groupname,cn=Users,dc=company,dc=com';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

$Self->{'AuthModule::LDAP::SearchUserDN'} = 'name@company.com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

$Self->{'AuthModule::LDAP::AlwaysFilter'} = '';
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
    sscope  => 'sub',
};

artjoms15
Znuny advanced
Posts: 121
Joined: 30 Aug 2011, 10:48
Znuny Version: 3.3.8 && 4.0.9
Real Name: Artjoms Petrovs
Location: Latvia

Re: HTTP otrs helper+agents+AD group filtering

Post by artjoms15 »

I suppose there is no way to limit the customer to SSO in the user interface. They won't have any rights to see anything by default (default users group).

What you can do is map roles automatically according to the group the user resides in: viewtopic.php?t=24979

Or you can use the drastic way and limit access to the index.pl file at the Apache level (take a look at the last post): viewtopic.php?t=9016

:)
A.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: HTTP otrs helper+agents+AD group filtering

Post by crythias »

Agent limit to AD group or group membership or OU. That's been discussed multiple times.

Don't forget AlwaysFilter and ldap search criteria.

Also don't forget that AuthSync is strongly suggested.

viewtopic.php?f=60&t=16543
viewtopic.php?t=22148
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
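Putting together what the last two replies point at (artjoms15's mapping of roles by AD group and crythias' hint about AlwaysFilter and AuthSync), here is an added Config.pm fragment for agent SSO on an OTRS/Znuny 4-style install. It is an example written for this page, not any poster's config and not OTRS's own documentation. The host name, the read-only bind account, the group DNs `otrs_agents`/`otrs_admins` and the OTRS role names `Agent`/`Admin` are assumed. Note the string quoting: every value opens and closes with exactly one `'`, which is the detail that broke the Config.pm earlier in the thread.

```perl
# Added example (not from the thread or from OTRS/Znuny documentation):
# agents authenticate through Apache SSO (REMOTE_USER); OTRS then syncs
# their name, e-mail and roles from Active Directory after each login.
# Host, bind account, group DNs and role names below are assumed.

# --- 1. Agent login: trust the REMOTE_USER that Apache (Kerberos/Negotiate) set.
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
# Kerberos delivers "user@COMPANY.COM"; keep only the part before the '@'
# so that it matches the sAMAccountName stored as the agent login.
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} = '^(.+?)@.+?$';
# One opening and one closing quote per value.
$Self->{LoginURL}  = 'http://otrs-sso.company.ru/otrs/index.pl';
$Self->{LogoutURL} = 'http://otrs-sso.company.ru/otrs/index.pl';

# --- 2. After a successful login, look the agent up in AD and sync data and roles.
$Self->{'AuthSyncModule'}              = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'}   = 'ldaps://dc1.company.com';   # assumed host
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=company,dc=com';
$Self->{'AuthSyncModule::LDAP::UID'}    = 'sAMAccountName';
# AD does not allow anonymous search: use a read-only service account.
# Password is a placeholder; keep the real one out of version control.
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=otrs-ro,ou=Service,dc=company,dc=com';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'CHANGE-ME';
# Only entries that are direct members of the agent group are considered by the sync
# (AD exposes direct group membership as the memberOf attribute).
$Self->{'AuthSyncModule::LDAP::AlwaysFilter'} =
    '(memberOf=CN=otrs_agents,OU=Groups,DC=company,DC=com)';
# Group membership in AD is the multi-valued "member" attribute holding user DNs.
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr'}   = 'DN';
# Agent fields that are refreshed from AD on every login.
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # OTRS field  => AD attribute
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};
# AD group -> OTRS roles (1 = grant, 0 = revoke on next login). Roles are assumed names.
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition'} = {
    'CN=otrs_agents,OU=Groups,DC=company,DC=com' => {
        'Agent' => 1,
        'Admin' => 0,
    },
    'CN=otrs_admins,OU=Groups,DC=company,DC=com' => {
        'Agent' => 1,
        'Admin' => 1,
    },
};
# LDAPS on 636 so the bind password and user data are not sent in clear text.
$Self->{'AuthSyncModule::LDAP::Params'} = {
    port    => 636,
    timeout => 120,
    async   => 0,
    version => 3,
};
```

Read the sync block as the step that keeps names, e-mail and roles in line with AD, not as the login gate: it runs only after Apache has accepted the Kerberos ticket and OTRS has accepted REMOTE_USER, so an SSO user who has left the group but still has an agent record is not turned away by the filter alone. Keep an actual gate where the authentication happens, for instance a `Require ldap-group ...` (mod_authnz_ldap) on the `/otrs` Location, which is the Apache-level option artjoms15 refers to. While editing that Location, the `KrbVerifyKDC Off` in the quoted otrs.conf is worth revisiting: it turns off verification of the KDC against the local keytab, the check that protects the SSO front door against a spoofed KDC.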