I've set up OTRS to authenticate users (agents and customers) via SSO (Apache2 + Kerberos + Active Directory). Authentication itself works as expected. However, customers can also log in on the agent page.
I want only users who belong to the "OTRS Atendentes" group to be able to log in on the agent page, but every user in my directory gets that permission.
Config.pm
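# ---------------------------------------------------- #
# AGENTS (Atendentes)                                  #
# ---------------------------------------------------- #
# Agent authentication backends, tried in order: the unnumbered
# AuthModule first, then AuthModule1.
#
# NOTE(review): HTTPBasicAuth only consumes the REMOTE_USER that Apache
# sets after the Kerberos negotiation; it performs no LDAP group lookup
# of its own. The GroupDN/AccessAttr/UserAttr keys below carry the "1"
# suffix and therefore belong to AuthModule1 (the password-bind LDAP
# backend), not to the SSO path. That would explain why every Kerberos
# principal can open the agent interface — confirm against
# Kernel/System/Auth/HTTPBasicAuth.pm of the installed version.
$Self->{'AuthModule'}  = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';

# LDAP bind parameters for AuthModule1 (password-based fallback).
$Self->{'AuthModule::LDAP::Host1'}         = 'AD_IPADDR';
$Self->{'AuthModule::LDAP::BaseDN1'}       = 'DC=secel,DC=local';
# Service account used for the search bind; single quotes keep the
# backslash literal. Prefer a read-only, least-privilege account here.
$Self->{'AuthModule::LDAP::SearchUserDN1'} = 'secel\username';
$Self->{'AuthModule::LDAP::SearchUserPw1'} = 'XXXXX';
$Self->{'AuthModule::LDAP::UID1'}          = 'sAMAccountName';
# Group restriction: the user's DN must appear in the "member" attribute
# of this group. Applies to AuthModule1 only (see note above).
$Self->{'AuthModule::LDAP::GroupDN1'}    = 'CN=OTRS Atendentes,OU=OTRS,OU=Grupos e Usuarios Gerais,DC=secel,DC=local';
$Self->{'AuthModule::LDAP::AccessAttr1'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr1'}   = 'DN';
# Die1 = 1: presumably makes a failed LDAP connection fatal for this
# backend instead of silently falling through — verify in Auth/LDAP.pm.
$Self->{'AuthModule::LDAP::Die1'} = 1;

# Agent sync (create/update the OTRS user record from AD).
# NOTE(review): sync backends are paired with auth backends by suffix, so
# this sync — including the role mapping below — runs after AuthModule1
# succeeds, not after the unnumbered HTTPBasicAuth backend. Verify in
# Kernel/System/Auth.pm before relying on the roles for SSO logins.
$Self->{'AuthSyncModule1'} = 'Kernel::System::Auth::Sync::LDAP';
# Closing quote was missing on the original Host1 line; Config.pm would
# not compile without it.
$Self->{'AuthSyncModule::LDAP::Host1'}         = 'AD_IPADDR';
$Self->{'AuthSyncModule::LDAP::BaseDN1'}       = 'dc=secel,dc=local';
$Self->{'AuthSyncModule::LDAP::UID1'}          = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::UserAttr1'}     = 'DN';
$Self->{'AuthSyncModule::LDAP::AccessAttr1'}   = 'member';
$Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'secel\username';
$Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'XXXXX';

# OTRS user field => AD attribute.
$Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# Groups every synced agent is placed in.
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups1'} = [
    'users',
];

# AD group DN => OTRS roles granted to its members.
$Self->{'AuthSyncModule::LDAP::UserSyncRolesDefinition1'} = {
    # IT agents (Atendentes da TI)
    'CN=Gp C.Tecnologia da Informacao - Coordenador,OU=C.Tecnologia da Informacao,OU=S.Administrativa,OU=Administracao Sistemica,OU=SECEL,DC=secel,DC=local' => {
        'Tecnologia da Informação' => 1,
        'Administrador'            => 1,
    },
    'CN=Gp C.Tecnologia da Informacao,OU=C.Tecnologia da Informacao,OU=S.Administrativa,OU=Administracao Sistemica,OU=SECEL,DC=secel,DC=local' => {
        'Tecnologia da Informação' => 1,
    },
    # Records-office agents (Atendentes do Protocolo)
    'CN=Gp G.Protocolo,OU=G.Protocolo,OU=C.Apoio Logistico,OU=S.Administrativa,OU=Administracao Sistemica,OU=SECEL,DC=secel,DC=local' => {
        'Protocolo' => 1,
    },
    'CN=Gp G.Protocolo - Gerente,OU=G.Protocolo,OU=C.Apoio Logistico,OU=S.Administrativa,OU=Administracao Sistemica,OU=SECEL,DC=secel,DC=local' => {
        'Protocolo' => 1,
    },
};

# ---------------------------------------------------- #
# CUSTOMERS (Usuários)                                 #
# ---------------------------------------------------- #
# Same two-backend layout as the agents: SSO via REMOTE_USER first, then
# a password-bind LDAP backend. No group restriction is configured on
# either customer backend, so any directory user is a customer.
$Self->{'Customer::AuthModule'}  = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule1'} = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host1'}         = 'AD_IPADDR';
$Self->{'Customer::AuthModule::LDAP::BaseDN1'}       = 'ou=secel,dc=secel,dc=local';
$Self->{'Customer::AuthModule::LDAP::UID1'}          = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::UserAttr1'}     = 'DN';
$Self->{'Customer::AuthModule::LDAP::AccessAttr1'}   = 'member';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN1'} = 'secel\username';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw1'} = 'XXXXX';
# Net::LDAP connection options. Port 389 is plain LDAP: the search-bind
# password crosses the network unencrypted unless the AD side enforces
# StartTLS. LDAPS (port 636) is the usual hardening — check which
# options the installed CustomerAuth/LDAP.pm passes through.
$Self->{'Customer::AuthModule::LDAP::Params1'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Customer user backend: reads customer records directly from AD.
$Self->{CustomerUser} = {
    Name   => 'LDAP Backend',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => 'AD_IPADDR',
        BaseDN => 'OU=secel,DC=secel,DC=local',
        SSCOPE => 'sub',
        UserDN => 'secel\username',
        UserPw => 'XXXXX',
        # Restrict to user objects that are not computers and not
        # disabled: 1.2.840.113556.1.4.803 is the AD bitwise-AND matching
        # rule and bit 2 of userAccountControl is ACCOUNTDISABLE.
        AlwaysFilter  => '(&(objectclass=user)(!(objectclass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        SourceCharset => 'utf-8',
        DestCharset   => 'utf-8',
    },
    CustomerKey                          => 'sAMAccountName',
    CustomerID                           => 'mail',
    CustomerUserListFields               => [ 'sAMAccountName', 'cn', 'mail' ],
    CustomerUserSearchFields             => [ 'sAMAccountName', 'cn', 'givenname', 'mail' ],
    CustomerUserSearchPrefix             => '',
    CustomerUserSearchSuffix             => '*',
    CustomerUserSearchListLimit          => 250,
    CustomerUserPostMasterSearchFields   => ['mail'],
    CustomerUserNameFields               => [ 'givenname', 'sn' ],
    CustomerUserExcludePrimaryCustomerID => 0,
    AdminSetPreferences                  => 0,
    # CacheTTL 0: every lookup goes to AD (no result caching).
    CacheTTL                             => 0,
    # Columns, per the OTRS customer-backend docs: OTRS key, label, LDAP
    # attribute, shown, required, storage type, HTTP link, read-only.
    Map => [
        [ 'UserTitle',      'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'sAMAccountName',  1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};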
# One Location block covers both front ends (index.pl for agents,
# customer.pl for customers), so every directive below applies to both.
<Location /otrs>
# ErrorDocument 403 /otrs/customer.pl
ErrorDocument 403 /otrs/index.pl
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
Options +ExecCGI
PerlOptions +ParseHeaders
# SetupEnv presumably populates %ENV with the CGI variables, which is how
# REMOTE_USER reaches the OTRS HTTPBasicAuth backends — confirm.
PerlOptions +SetupEnv
AuthType Kerberos
AuthName "Autenticação SECEL-MT: Central de Serviços"
Krb5Keytab /etc/central.keytab
KrbAuthRealm SECEL.LOCAL
KrbMethodNegotiate On
KrbSaveCredentials Off
# Allows a username/password fallback verified against the KDC for clients
# without a ticket; only acceptable over HTTPS.
KrbMethodK5Passwd On
KrbServiceName HTTP/central.secel.local@SECEL.LOCAL
# "valid-user" admits every principal the KDC authenticates, i.e. the whole
# directory. A group restriction for the agent interface is not expressed
# anywhere in this snippet; it would need either a narrower Require on a
# dedicated <Location /otrs/index.pl>, or a group check inside OTRS.
Require valid-user
# Strips the @REALM suffix so REMOTE_USER matches the sAMAccountName that
# Config.pm uses as the LDAP UID.
KrbLocalUserMapping on
# <IfModule mod_version.c>
# <IfVersion < 2.4>
# Order allow,deny
# Allow from all
# </IfVersion>
# <IfVersion >= 2.4>
# Require all granted
# </IfVersion>
# </IfModule>
# <IfModule !mod_version.c>
# Order allow,deny
# Allow from all
# </IfModule>
</Location>
Could you help me?
I'm using OTRS 6.0.17.
Thank you in advance...