Only allow X group to login!?!?

smurray · Post by **smurray** » 23 May 2012, 23:36

Right now, I'm focusing on the 'agents' portion. As I figure anything I can figure out here, I can easily replicate to the 'customers' portion.

My issue, is that there is just one account in the cn=otrs_agent group. And anyone can still actually login to the agents site. (Granted they don't have permissions to do anything, I would like to get a flat out denied! if you try and login to that page; maybe even a redirect on a failed attempt to the customer page? Food for thought....)

What I envision as working....

Code: Select all

  $Self->{AuthModule1} = 'Kernel::System::Auth::LDAP';
  $Self->{'AuthModule::LDAP::Host1'} = 'qwest-dc2.payflex.com';
  $Self->{'AuthModule::LDAP::BaseDN1'} = 'dc=payflex, dc=com';
  $Self->{'AuthModule::LDAP::UID1'} = 'sAMAccountName';

#this is used to read the AD structure
  $Self->{'AuthModule::LDAP::SearchUserDN1'} = 'CN=otrs ldap,OU=System Accounts,DC=payflex,DC=com';
  $Self->{'AuthModule::LDAP::SearchUserPw1'} = 'qw12QW!@';

#
#AGENT SETUP
#
  $Self->{AuthSyncModule1} = 'Kernel::System::Auth::Sync::LDAP';
  $Self->{'AuthSyncModule::LDAP::Host1'} = 'qwest-dc2.payflex.com';
  $Self->{'AuthSyncModule::LDAP::BaseDN1'} = 'dc=payflex, dc=com';
  $Self->{'AuthSyncModule::LDAP::UID1'} = 'sAMAccountName';

#customer login authority group
  $Self->{'Customer::AuthModule::LDAP::GroupDN1'} = 'CN=otrs_agent,OU=Temp_Test,OU=Chicago,OU=PayFlex User Accounts,DC=payflex,DC=com';
  $Self->{'Customer::AuthModule::LDAP::AccessAttr1'} = 'memberUID';
  $Self->{'Customer::AuthModule::LDAP::UserAttr1'} = 'UID';

#this is used to read the AD structure
  $Self->{'AuthSyncModule::LDAP::SearchUserDN1'} = 'CN=otrs ldap,OU=System Accounts,DC=payflex,DC=com';
  $Self->{'AuthSyncModule::LDAP::SearchUserPw1'} = 'qw12QW!@';
 
#mapping agent to local DB
  $Self->{'AuthSyncModule::LDAP::UserSyncMap1'} = {
    # DB -> LDAP
    UserFirstname => 'givenName',
    UserLastname  => 'sn',
    UserEmail     => 'mail',
  };

#
#CUSTOMER SETUP
#
  $Self->{'Customer::AuthModule2'} = 'Kernel::System::CustomerAuth::LDAP';
  $Self->{'Customer::AuthModule::LDAP::Host2'} = 'qwest-dc2.payflex.com';
  $Self->{'Customer::AuthModule::LDAP::BaseDN2'} = 'dc=payflex, dc=com';
  $Self->{'Customer::AuthModule::LDAP::UID2'} = 'sAMAccountName';

#customer login authority group
  $Self->{'Customer::AuthModule::LDAP::GroupDN2'} = 'CN=otrs_user,OU=Temp_Test,OU=Chicago,OU=PayFlex User Accounts,DC=payflex,DC=com';
  $Self->{'Customer::AuthModule::LDAP::AccessAttr2'} = 'memberUID';
  $Self->{'Customer::AuthModule::LDAP::UserAttr2'} = 'UID';

#this is used to read the AD structure
  $Self->{'Customer::AuthModule::LDAP::SearchUserDN2'} = 'CN=otrs ldap,OU=System Accounts,DC=payflex,DC=com';
  $Self->{'Customer::AuthModule::LDAP::SearchUserPw2'} = 'qw12QW!@';

#(customer user database backend and settings)
  $Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
    Host => 'qwest-dc2.payflex.com',
    BaseDN => 'dc=payflex, dc=com',
    SSCOPE => 'sub',
    UserDN =>'CN=otrs ldap,OU=System Accounts,DC=payflex,DC=com',
    UserPw => 'qw12QW!@',
  },

# customer unique id
  CustomerKey => 'sAMAccountName',
  # customer #
  CustomerID => 'mail',
  CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
  CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
  CustomerUserSearchPrefix => '',
  CustomerUserSearchSuffix => '*',
  CustomerUserSearchListLimit => 250,
  CustomerUserPostMasterSearchFields => ['mail'],
  CustomerUserNameFields => ['givenname', 'sn'],
  Map => [
    # note: Login, Email and CustomerID needed!
    # var, frontend, storage, shown, required, storage-type
    [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
    [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
    [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
    [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
    [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
    [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
    ],
  };