LDAP Filter nested groups

Moderator: crythias

aph
Znuny superhero
Posts: 646
Joined: 20 Jun 2014, 12:11
Znuny Version: 3.3.9, 4.x, 5.x

LDAP Filter nested groups

Post by aph »

I currently authenticate agents and customers via Active Directory using an external module ConnectAD (http://www.opmzone.org), which supported nested AD groups, i.e. agents / customers don't have to be direct members of the AD group which is allowed to authenticate (the parameter $Self->{'AuthModule::LDAP::GroupDN'}), but can be members of subgroups of the AD groups allowed to authenticate.
This module is not developed anymore and is hence incompatible with OTRS 4.

However, as mentioned in this thread (viewtopic.php?f=34&t=14086#p110991), it is possible to achieve the same results by using the filter LDAP_MATCHING_RULE_IN_CHAIN. I tried the following. I allowed everyone to authenticate (i.e. removed the GroupDN restriction) and used the group in the AlwaysFilter parameter, i.e. I uncommented the following line in Config.pm, thus allowing every user to authenticate:

$Self->{'AuthModule::LDAP::GroupDN1'} = 'CN=XXXX,CN=XXXX,DC=XXXX,DC=local';
and filtered the members of the 'CN=XXXX,CN=XXXX,DC=XXXX,DC=local' group, i.e. added the following line to the code:

$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(memberof:1.2.840.113556.1.4.1941:=cn=XXXX,cn=XXXX,DC=XXXX,DC=local)';
As mentioned in http://msdn.microsoft.com/en-us/library ... 85%29.aspx

However, the filter doesn't seem to work and every user in AD is able to authenticate. How do I apply the filter correctly?
OTRS 3.3.x (private/testing) on Windows Server 2008 with MSSQL database.
OTRS 3.3.x (private/testing) on CentOS with MySQL database and apache
aph

Re: LDAP Filter nested groups

Post by aph »

Any ideas on this one?
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA

Re: LDAP Filter nested groups

Post by crythias »

not exactly, but why not Filter:

(&(memberOf=CN=Group1,OU=OUGroup,DC=domain,DC=tld)(memberOf=CN=Group2,OU=OU of Group,DC=domain,DC=tld))
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
aph

Re: LDAP Filter nested groups

Post by aph »

The problem with the complex filter is the AD structure.

We have a central AD group, members of which are authorized to authenticate to agent portal. There is an AD group assigned to each queue, which is a subgroup of the central OTRS group. Each department has its own AD group, which has a subgroup for OTRS users. These subgroups are subgroups of respective AD groups assigned to access different queues.

In short, the AD structure uses a lot of complex nested groups. So adding a filter would mean adding one for each AD group where a user is a member of that group, which, apart from being cumbersome, would mean that if the AD structure changes the filter will have to be changed all over again and would become an administrative monster.

With the nested group enabled, the AD structure can change as long as the users are members of a group that is directly or indirectly a subgroup of the central OTRS AD group.
Last edited by aph on 08 May 2015, 18:08, edited 1 time in total.
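To make concrete what the two filter styles discussed in this thread actually match, here is an added example (not from the thread, not OTRS code) that simulates a directory shaped like the one described above: a central OTRS group, queue groups nested in it, and department subgroups nested in those. It shows, offline and in plain Python, the difference between a plain `memberOf=` test (direct membership only, as in the two-group filter suggested earlier) and the transitive chain that `memberOf:1.2.840.113556.1.4.1941:=` walks, including what happens when groups cross-link or form a cycle. All DNs and group names are constructed placeholders.

```python
"""Added example: direct vs. transitive group membership, simulated offline.

GROUP_MEMBERS is a constructed mini-directory: DN -> DNs listed in that
object's 'member' attribute. Users are the DNs that have no entry of their own.
"""

GROUP_MEMBERS = {
    # central group that is allowed to log in to OTRS
    "CN=OTRS_USERS,CN=Users,DC=example,DC=local": [
        "CN=Queue_Sales,OU=OTRS,DC=example,DC=local",
        "CN=Queue_IT,OU=OTRS,DC=example,DC=local",
    ],
    # one group per queue, nested in the central group
    "CN=Queue_Sales,OU=OTRS,DC=example,DC=local": [
        "CN=Sales_OTRS,OU=Sales,DC=example,DC=local",
    ],
    "CN=Queue_IT,OU=OTRS,DC=example,DC=local": [
        "CN=IT_OTRS,OU=IT,DC=example,DC=local",
        "CN=Queue_Sales,OU=OTRS,DC=example,DC=local",  # cross-link: reached twice
    ],
    # department subgroups holding the actual users
    "CN=Sales_OTRS,OU=Sales,DC=example,DC=local": [
        "CN=alice,CN=Users,DC=example,DC=local",
    ],
    "CN=IT_OTRS,OU=IT,DC=example,DC=local": [
        "CN=bob,CN=Users,DC=example,DC=local",
        "CN=OTRS_USERS,CN=Users,DC=example,DC=local",  # cycle back to the top
    ],
    # unrelated group: its members must never match
    "CN=Marketing,OU=Marketing,DC=example,DC=local": [
        "CN=carol,CN=Users,DC=example,DC=local",
    ],
}

OTRS_GROUP = "CN=OTRS_USERS,CN=Users,DC=example,DC=local"


def direct_member_of(dn):
    """Groups whose 'member' attribute names dn, i.e. dn's own memberOf values."""
    return {g for g, members in GROUP_MEMBERS.items() if dn in members}


def transitive_member_of(dn):
    """Every group reachable by following memberOf upwards from dn.
    This is the set that (memberOf:1.2.840.113556.1.4.1941:=<group>) tests
    against. The 'seen' set makes cycles terminate."""
    seen, stack = set(), [dn]
    while stack:
        for group in direct_member_of(stack.pop()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    seen.discard(dn)  # a cycle must not make an object a member of itself
    return seen


def transitive_members(group_dn):
    """Every object reachable by following 'member' downwards from group_dn,
    i.e. what (member:1.2.840.113556.1.4.1941:=<group>) expands to."""
    seen, stack = set(), [group_dn]
    while stack:
        for dn in GROUP_MEMBERS.get(stack.pop(), []):
            if dn not in seen:
                seen.add(dn)
                stack.append(dn)
    seen.discard(group_dn)
    return seen


def matches_direct_filter(user_dn, group_dn):
    """Result of a plain (memberOf=<group_dn>) for user_dn."""
    return group_dn in direct_member_of(user_dn)


def matches_chain_filter(user_dn, group_dn):
    """Result of (memberOf:1.2.840.113556.1.4.1941:=<group_dn>) for user_dn."""
    return group_dn in transitive_member_of(user_dn)


def users_allowed_by_chain(group_dn):
    """What (&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=<group_dn>))
    returns on this constructed directory: transitive members that are users."""
    return sorted(dn for dn in transitive_members(group_dn) if dn not in GROUP_MEMBERS)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        dn = "CN=%s,CN=Users,DC=example,DC=local" % user
        print(user, "direct:", matches_direct_filter(dn, OTRS_GROUP),
              "chain:", matches_chain_filter(dn, OTRS_GROUP))
    print(users_allowed_by_chain(OTRS_GROUP))
```

Running it shows why the thread's author could not reproduce the nesting with plain `memberOf=` clauses: alice and bob are only indirect members of the central group, so a direct filter rejects them, while the chain filter admits exactly the two of them and still excludes carol. The cycle between IT_OTRS and OTRS_USERS is handled by the visited set, which is also how the server-side rule avoids looping.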
aph

Re: LDAP Filter nested groups

Post by aph »

It seems I'm having success with:

$Self->{'AuthModule::LDAP::AlwaysFilter'} = '(&(objectCategory=user) (memberof:1.2.840.113556.1.4.1941:=CN=OTRS_USERS,CN=Users,DC=xxxx,DC=local))';
EDIT: Code corrected, missing parenthesis after user
Linwood
Znuny newbie
Posts: 55
Joined: 10 Feb 2015, 15:30
Znuny Version: 4.0.6
Real Name: Linwood Ferguson
Company: LE Ferguson, LLC

Re: LDAP Filter nested groups

Post by Linwood »

Is there any way to make this work with the UserSyncRolesDefinition, so that it can find membership based on nested groups? Using the AlwaysFilter would seem to apply to finding the user, not the implicit search for membership in the list of groups/roles; at least I can't seem to make it work that way.
Linwood Ferguson
OTRS 4.0 patch 6, ubuntu 14.04 on HyperV, MySql
aph

Re: LDAP Filter nested groups

Post by aph »

Maybe using the following helps

'(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x))';
According to MSDN TechNet: https://msdn.microsoft.com/en-us/librar ... 85%29.aspx
Similarly, to find all the groups that "user1" is a member of, set the base to the groups container DN; for example (OU=groupsOU, dc=x) and the scope to subtree, and use the following filter.

(member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)
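The filters in this thread are pasted into Config.pm by hand, and the MSDN example quoted above wraps the DN in extra parentheses, which leaves a filter with unbalanced brackets. As an added example (not from the thread and not part of OTRS), the following Python builds both chain filters from a DN with RFC 4515 value escaping and offers a cheap bracket check to run over a filter string before it goes into the config. The OID constant is the one used throughout the thread; the DNs in the examples are constructed placeholders.

```python
"""Added example: build LDAP_MATCHING_RULE_IN_CHAIN filters with proper value
escaping, and sanity-check hand-written filters for unbalanced parentheses."""

IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN


def escape_filter_value(value):
    """Escape the characters RFC 4515 forbids unescaped in an assertion value.
    A DN containing '(' , ')' , '*' or a backslash would otherwise break the
    filter or change what it matches; escaping keeps the value literal."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def nested_member_of_filter(group_dn, object_category="user"):
    """Users whose group chain reaches group_dn, as used in this thread for
    AuthModule::LDAP::AlwaysFilter. Note the DN is a bare value, not wrapped
    in its own parentheses."""
    return "(&(objectCategory=%s)(memberOf:%s:=%s))" % (
        escape_filter_value(object_category), IN_CHAIN, escape_filter_value(group_dn))


def nested_member_filter(user_dn):
    """Groups, direct or indirect, that user_dn belongs to: the reverse lookup
    the posts above quote from MSDN, with the DN again as a bare value."""
    return "(&(objectCategory=group)(member:%s:=%s))" % (
        IN_CHAIN, escape_filter_value(user_dn))


def parentheses_balanced(ldap_filter):
    """True when every unescaped '(' has a matching ')' and depth never goes
    negative. Escaped bytes such as \\28 are skipped so they do not count."""
    depth, i = 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":       # backslash plus two hex digits
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    print(nested_member_of_filter("CN=OTRS_USERS,CN=Users,DC=xxxx,DC=local"))
    # a CN with parentheses in it is escaped rather than left to break the filter
    print(nested_member_filter("CN=Smith (Sales),CN=Users,DC=x"))
    # the filter as quoted from MSDN, with the DN wrapped in parentheses
    print(parentheses_balanced(
        "(&(objectCategory=group) (member:1.2.840.113556.1.4.1941:=(cn=user1,cn=users,DC=x))"))
```

The bracket check is deliberately simple: it does not validate the whole filter grammar, but it catches exactly the failure mode the MSDN-derived line exhibits, a filter that closes one bracket short, which a directory server rejects or, worse, a config loader accepts without the filter ever applying.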
fraenki
Znuny newbie
Posts: 5
Joined: 06 Mar 2009, 12:54
Znuny Version: 5.x.x

Re: LDAP Filter nested groups

Post by fraenki »

Linwood wrote: Is there any way to make this work with the UserSyncRolesDefinition, so that it can find membership based on nested groups? Using the AlwaysFilter would seem to apply to finding the user, not the implicit search for membership in the list of groups/roles; at least I can't seem to make it work that way.
FWIW, I've submitted a proposal to the developers to add nested group support to the Sync module.


Regards
- Frank
Charmacas
Znuny advanced
Posts: 103
Joined: 18 Jan 2016, 10:27
Znuny Version: 5.0.26 on Debian 8

Re: LDAP Filter nested groups

Post by Charmacas »

Thanks for your work for integrating nested groups!

Keep it up! :-)