SSO Works, everyone becomes admin.

Moderator: crythias

Locked
atetz
Znuny newbie
Posts: 11
Joined: 22 Aug 2011, 14:33
Znuny Version: otrs-3.0.10
Real Name: Adam Tetz
Company: Gemeente Maasgouw

SSO Works, everyone becomes admin.

Post by atetz »

Hi there!

I got Single Sign On to work through Kerberos. Now everyone that enters the index.pl automatically gets synced as an admin.
Is there a way to add an AD group as verification?

Code:

# This is an example configuration for using an MS AD backend
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@domain.LOCAL';

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group OTRS_Agents to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=Appl_OTRS_Admin,ou=Applicatiegroepen,ou=domain,dc=domain,dc=local';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';

# Bind credentials to log into AD
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=Helpdesk,ou=Beheeraccounts,ou=domain,dc=domain,dc=local';
$Self->{'AuthModule::LDAP::SearchUserPw'} = 'xxxx';

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
#$Self->{'AuthModule::LDAP::AlwaysFilter'} = 

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '';

# Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
    port    => 389,
    timeout => 120,
    async   => 0,
    version => 3,
};

# Now sync data with OTRS DB
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'mgadc01.domain.local';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
$Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=Helpdesk,ou=Beheeraccounts,ou=domain,dc=domain,dc=local';
$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'xxxx';

$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
};

# AuthSyncModule::LDAP::UserSyncInitialGroups
# (sync following group with rw permission after initial create of first agent
# login)
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users', 'stats', 'admin'
];
Thanks in advance!
jojo
Znuny guru
Posts: 15020
Joined: 26 Jan 2007, 14:50
Znuny Version: Git Master

Re: SSO Works, everyone becomes admin.

Post by jojo »

Don't use:

$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
'users','stats','admin'
];
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master

Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com

Re: SSO Works, everyone becomes admin.

Post by atetz »

Is there a way with SSO to sync agents on an AD group basis?
There are multiple agent groups with different rights etc.

Re: SSO Works, everyone becomes admin.

Post by jojo »

Have a close look at the sync part in the Defaults.pm and copy the needed parts to Config.pm.
Locked
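
The AD-group-to-OTRS-group mapping that the last reply points to, sketched for Config.pm as an added example (not code from the thread or from the OTRS project). The second AD group DN and the permission choices are assumptions; the key names are those of the LDAP sync section of Defaults.pm and should be checked against your version.

```perl
# Added example for Kernel/Config.pm (inside sub Load), not from the thread.

# Note: the AuthModule::LDAP::GroupDN / AccessAttr / UserAttr keys in the
# first post belong to Kernel::System::Auth::LDAP. With
# Kernel::System::Auth::HTTPBasicAuth as AuthModule they are not consulted,
# so they do not restrict who gets in.

# Before (first post): every agent account auto-created on first SSO login
# receives rw on 'admin'.
# $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
#     'users', 'stats', 'admin'
# ];

# After: a newly created agent only lands in 'users'.
$Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
    'users',
];

# How AD stores membership: the group's 'member' attribute holds full user DNs.
$Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
$Self->{'AuthSyncModule::LDAP::UserAttr'}   = 'DN';

# AD group DN => OTRS group => permissions, applied by the sync module at login.
$Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
    # AD group taken from the first post: full rights, including 'admin'
    'cn=Appl_OTRS_Admin,ou=Applicatiegroepen,ou=domain,dc=domain,dc=local' => {
        'admin' => { rw => 1, ro => 1 },
        'stats' => { rw => 1, ro => 1 },
        'users' => { rw => 1, ro => 1 },
    },
    # Hypothetical second AD group (placeholder DN): ordinary agents, no 'admin'
    'cn=Appl_OTRS_Agent,ou=Applicatiegroepen,ou=domain,dc=domain,dc=local' => {
        'users' => { rw => 1, ro => 1 },
        'stats' => { rw => 0, ro => 1 },
    },
};
```

UserSyncInitialGroups is only applied when an agent account is first created, so after changing it, review which existing agents already hold 'admin' in the Admin interface.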