    • #29711
      Martin Krämer
      Participant

        Hello,

        we have implemented SSO in our system based on Kerberos authentication.

        $Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';

        Now we would like to tie this to a group in AD.

        So the goal is to grant access to the system only if you are a member of a defined group.

        Attempts with the LDAP module showed partial success. The AD group is used. However, SSO apparently cannot be implemented with it.
        $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
        HTTPBasicAuth does not seem to have any way of taking AD groups into account.

        Does anyone know a workable way?

        Regards
        Martin

      • #35726
        Dmytro Gierman
        Participant

          Hi Martin,
          yes, Otobo can log in an agent from AD via SSO and synchronise their AD groups with Otobo groups, in Kernel/Config.pm:


          # ---------------------------------------------------- #
          # insert your own config settings "here"               #
          # config settings taken from Kernel/Config/Defaults.pm #
          # ---------------------------------------------------- #

          # --------- Agent Auth Backend -----------------
          $Self->{AuthModule} = 'Kernel::System::Auth::HTTPBasicAuth';

          # After successful auth, the agent must be synchronized to the local DB, otherwise the agent fails to log in (Error: user is not in the DB)
          # https://doc.otobo.de/manual/admin/11.0/en/content/administration-area/users-groups-roles/agents.html#agent-synchronization-back-end
          $Self->{AuthSyncModule} = 'Kernel::System::Auth::Sync::LDAP';
          $Self->{'AuthSyncModule::LDAP::Host'} = '<domain controller>';

          # Where to search for AD users. Set according to your AD structure:
          $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'OU=User,OU=otobo,DC=company,DC=com';
          $Self->{'AuthSyncModule::LDAP::UID'} = 'sAMAccountName'; # standard for Microsoft AD

          # $Self->{'AuthSyncModule::LDAP::GroupDN'} = 'cn=otoboallow,ou=posixGroups,dc=example,dc=com';

          # if the anonymous user does NOT have permission to read from the LDAP tree
          $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'otobo-user@company.com';
          $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'password';

          # in case you always want to add one filter to each LDAP query, use
          # this option, e.g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
          # or, if you want to filter with a logical OR expression, AlwaysFilter => '(|(mail=*abc.com)(mail=*xyz.com))'
          $Self->{'AuthSyncModule::LDAP::AlwaysFilter'} = '(objectclass=user)';

          # AuthSyncModule::LDAP::UserSyncMap - maps the agent from LDAP to the otobo DB after successful login
          # you may specify LDAP fields as either
          # * a list, which will check each field; the first existing one will be picked ( ["givenName","cn","_empty"] )
          # * the name of an LDAP field (may return empty strings) ("givenName")
          # * a fixed string, prefixed with an underscore: "_test", which will always return this fixed string
          $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
              # DB -> LDAP
              UserFirstname => 'givenName',
              UserLastname  => 'sn',
              UserEmail     => 'mail',
              UserPhone     => 'telephoneNumber',
          };

          # ----------- sync AD groups into Otobo -----------
          # Otobo groups have to be added manually in advance

          # Attributes needed for the group sync
          # (attribute name for the group value key - the group keeps its members in this attribute)
          $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'member';
          # (attribute for the type of group content: UID, or DN for the full LDAP name)
          $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'DN';

          # AuthSyncModule::LDAP::UserSyncGroupsDefinition
          # Sync LDAP groups to otobo groups
          $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'} = {
              # LDAP group DN (Distinguished Name) - CHANGE THE DN TO MATCH YOUR AD STRUCTURE!
              'CN=GR_otobo_admins,OU=otobo,OU=Groups,DC=company,DC=com' => {
                  # otobo group
                  'admin' => {
                      # permission
                      rw => 1,
                      ro => 1,
                  },
                  # add members of this AD group to another otobo group
                  # 'otobo group 2' => { rw => 0, ro => 1 },
                  # etc.
              },
              'CN=GR_hardware,OU=otobo,OU=Groups,DC=company,DC=com' => {
                  'hardware' => { rw => 1, ro => 1 },
              },
              'CN=GR_software,OU=otobo,OU=Groups,DC=company,DC=com' => {
                  'software' => { rw => 1, ro => 1 },
              },
              # other LDAP groups...
              # 'cn=agent2,o=otobo' => {
              #     'users' => { rw => 1, ro => 1 },
              # },
          };
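To make the group mapping in the configuration above concrete, here is an added example (not OTOBO's own code and not part of Dmytro's post) that models the DN-based membership matching the sync definition relies on, with AccessAttr 'member' and UserAttr 'DN'. The AD contents, the agent DNs and the helper names are constructed assumptions, and the resulting permissions are computed by this model rather than by the OTOBO back end.

```perl
# Added illustration, not OTOBO code: model how the sync definition above turns an
# agent's AD group memberships into OTOBO group permissions with AccessAttr='member'
# and UserAttr='DN' matching. All directory data below is constructed.
use strict;
use warnings;
# Constructed stand-in for the AD: group DN => list of member DNs.
my $alice = 'CN=Alice Admin,OU=User,OU=otobo,DC=company,DC=com';
my $bob   = 'CN=Bob Tech,OU=User,OU=otobo,DC=company,DC=com';
my %ad_groups = (
    'CN=GR_otobo_admins,OU=otobo,OU=Groups,DC=company,DC=com' => [$alice],
    'CN=GR_hardware,OU=otobo,OU=Groups,DC=company,DC=com'     => [$alice, $bob],
    'CN=GR_software,OU=otobo,OU=Groups,DC=company,DC=com'     => [$bob],
);
# Same shape as $Self->{'AuthSyncModule::LDAP::UserSyncGroupsDefinition'}.
my %sync_def = (
    'CN=GR_otobo_admins,OU=otobo,OU=Groups,DC=company,DC=com' => { admin    => { rw => 1, ro => 1 } },
    'CN=GR_hardware,OU=otobo,OU=Groups,DC=company,DC=com'     => { hardware => { rw => 1, ro => 1 } },
    'CN=GR_software,OU=otobo,OU=Groups,DC=company,DC=com'     => { software => { rw => 0, ro => 1 } },
);
# AD distinguished names are case-insensitive; normalise case and spacing before comparing.
sub norm_dn { my $dn = shift; $dn =~ s/\s*,\s*/,/g; return lc $dn }
# Returns { otobo_group => { rw => 0|1, ro => 0|1 } } for one agent DN. Every OTOBO
# group named in the definition gets an entry, so an agent in none of the mapped
# AD groups resolves to 0/0 everywhere instead of keeping stale rights.
sub resolve_groups {
    my ($user_dn, $ad, $def) = @_;
    my $want = norm_dn($user_dn);
    my %is_member;
    for my $group_dn (keys %$ad) {
        $is_member{ norm_dn($group_dn) } = 1 if grep { norm_dn($_) eq $want } @{ $ad->{$group_dn} };
    }
    my %result;
    for my $group_dn (keys %$def) {
        my $member = $is_member{ norm_dn($group_dn) } ? 1 : 0;
        for my $otobo_group (keys %{ $def->{$group_dn} }) {
            for my $p (keys %{ $def->{$group_dn}{$otobo_group} }) {
                my $v = $member ? $def->{$group_dn}{$otobo_group}{$p} : 0;
                $result{$otobo_group}{$p} //= 0;
                $result{$otobo_group}{$p} = $v if $v > $result{$otobo_group}{$p};
            }
        }
    }
    return \%result;
}
# Mixed-case DN on purpose: it must still match Bob's member entry above.
my $r = resolve_groups('cn=bob tech,ou=user,ou=otobo,dc=company,dc=com', \%ad_groups, \%sync_def);
printf "%-9s rw=%d ro=%d\n", $_, $r->{$_}{rw}, $r->{$_}{ro} for sort keys %$r;
```

Whether the real sync back end compares DNs case-insensitively and clears permissions for groups an agent has left is something to verify against your OTOBO version; the model above makes both behaviours explicit so you know what to check.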
