Agent's access with SSO

Moderator: crythias

pgandalipov
Znuny newbie
Posts: 7
Joined: 01 Jul 2010, 04:56
Znuny Version: 2.4.7

Agent's access with SSO

Post by pgandalipov »

Hello,

I made SSO (by Apache2::AuthenNTLM) login for agents and customers (credentials stored in AD). Now I need to close access for all customers, except one access group, to the agent's interface. Could someone tell me how it should be done?

These are my conf files:

/etc/apache2/conf.d/otrs.conf contains:

Code:

<Location /otrs>
  PerlAuthenHandler Apache2::AuthenNTLM
  AuthType ntlm,basic
  AuthName Basic
  require valid-user
  PerlAddVar ntdomain "DOMAIN dc bdc"
  PerlSetVar defaultdomain DOMAIN
  PerlSetVar splitdomainprefix 1
</Location>

and Config.pm contains:

Code:

 $Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
 $Self->{AgentPanelLoginURL} = 'http://otrs-server/otrs/no_sso_login_possible.html';
 $Self->{AgentPanelLogoutURL} = 'http://otrs-server/otrs/logout.html';

$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{CustomerPanelLoginURL} = 'http://otrs-server/otrs/no_sso_login_possible.html';
$Self->{CustomerPanelLogoutURL} = 'http://otrs-server/otrs/logout.html';

When I used only LDAP for login, my task was solved by these strings in Config.pm:

Code:

    # Check if the user is allowed to auth in a posixGroup
    # (e. g. user needs to be in a group OTRS_Agents to use otrs)
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=grAdmins,ou="AccessGroups",dc=domain';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

I'm using OTRS 2.4.7 on Ubuntu Server 10.04.

meilon
Znuny newbie
Posts: 52
Joined: 28 Apr 2010, 15:16
Znuny Version: 5.0.18
Location: Leinfelden-Echterdingen

Re: Agent's access with SSO

Post by meilon »

I don't know where your problem is, your question seems to be answered by the last code block.
OTRS 5.0.18 :: ITSM on Apache 2.4.18 (Ubuntu), Perl 5.22.1 with Ubuntu Server 16.04.2
Agent auth via Active Directory, customer auth with Kerberos single sign-on via Active Directory

pgandalipov
Znuny newbie
Posts: 7
Joined: 01 Jul 2010, 04:56
Znuny Version: 2.4.7

Re: Agent's access with SSO

Post by pgandalipov »

It's a pity, but when I insert the last code block in Config.pm and restart services, it doesn't give any result. I suppose 'AuthModule::LDAP::GroupDN' has no effect when I'm using SSO. I have agents and customers in one OU and can distinguish them only by access group.

In my experiments I tried to comment out

Code:

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [ 'users' ];

to prevent user access to otrs/index.pl

but this construction:

Code:

# AuthSyncModule::LDAP::UserSyncGroupsDefinition
    # (If "LDAP" was selected for AuthModule and you want to sync LDAP
    # groups to otrs groups, define the following.)
    $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
        # ldap group
        'CN=Domain Admins,CN=Users,DC=domain,DC=ru' => {
            # otrs group
            'admin' => {
                # permission
                rw => 1,
                ro => 1,
            },
            'faq' => {
                rw => 0,
                ro => 1,
            },
        },
    };

just doesn't work for me. In my tests, a user that belongs to the group "Domain Admins" just loses all his rights in the group_user table.
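
The group restriction this thread is after, modelled as an added example (not part of the thread and not OTRS code): a fail-closed check that maps the web-server-supplied REMOTE_USER to a directory entry and admits it to the agent interface only if its DN is a member of one access group. The directory contents, the example DNs and all function names are constructed for illustration.

```python
import re

# Constructed directory data: login name -> user DN, group DN -> member DNs.
USERS = {
    "alice": "CN=Alice Admin,OU=Staff,DC=domain,DC=example",
    "bob": "CN=Bob Customer,OU=Staff,DC=domain,DC=example",
}
GROUPS = {
    "CN=grAdmins,OU=AccessGroups,DC=domain,DC=example": [
        # Same entry as alice, stored with different case and spacing.
        "cn=alice admin, ou=Staff, dc=domain, dc=example",
    ],
}
AGENT_GROUP_DN = "cn=grAdmins,ou=AccessGroups,dc=domain,dc=example"


def normalize_dn(dn):
    """Lower-case a DN and drop spaces around separators before comparing."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):  # do not split on escaped commas
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def login_from_remote_user(remote_user, default_domain="DOMAIN"):
    """Strip an optional DOMAIN\\ prefix; reject empty or foreign-domain names."""
    if not remote_user:
        return None
    domain, sep, name = remote_user.rpartition("\\")
    if sep and domain.upper() != default_domain.upper():
        return None
    return name.strip().lower() or None


def may_use_agent_interface(remote_user, group_dn=AGENT_GROUP_DN):
    """True only if the user resolves to a DN that is a member of group_dn."""
    login = login_from_remote_user(remote_user)
    user_dn = USERS.get(login) if login else None
    if user_dn is None:
        return False  # unknown or missing identity: deny
    wanted = normalize_dn(group_dn)
    for dn, members in GROUPS.items():
        if normalize_dn(dn) == wanted:
            return normalize_dn(user_dn) in {normalize_dn(m) for m in members}
    return False  # group not found: deny rather than fall through
```

Every path that cannot positively confirm membership returns False, so a missing group or an unresolvable login denies access instead of falling back to "any valid user".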