> 
> could you post a diff(1) to the list? This would make it 
> easier for other 
> people to read your changes. Thanks.

My apologies.  I have patched User.pm to create group rights and will
include the changes I have made.  A brief explanation of how it works.  I
authenticate against Active Directory via LDAP.  All agents are members of a
basic group "otrs".  This allows the LDAP Auth check to succeed for all
agents.  In addition to the basic group, agents are members of additional
groups that define their privileges. Currently I have the groups "otrsAgent"
and "otrsAdmin" defined.  User.pm now does additional checks to see which of
these extra groups an agent is a member of.  When the agent signs in for the
first time and "syncldap2database" is run, group rights are assigned
accordingly.  One question: can you look through the code and tell me if it
is vulnerable to manipulation via the web interface or have I programmed
this correctly from a security point of view?

Thanks,

Tyler Hepworth

Diff output follows for User.pm


15a16
> use Kernel::System::Group;
20a22
> 
55a58,59
>     $Self->{GroupObject} = Kernel::System::Group->new(%Param); #Custom
> 
64c68
<     # check if result is cached 
---
>     # check if result is cached
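Review bot: 64c68 changes only trailing whitespace, as do 99c103, 112c116, 178c266, 229c317, 246c334, 248c336 and 326c414; these hunks bury the functional change and should be dropped from the patch (or sent as a separate whitespace cleanup), which would also remove most of the line-number drift between the two halves of the diff.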
99c103
<     # check valid 
---
>     # check valid
112c116
<     $Self->{'GetUserData'.$User.$UserID} = {%Data, %Preferences}; 
---
>     $Self->{'GetUserData'.$User.$UserID} = {%Data, %Preferences};
116a121,192
> ##
----------------------------------------------------------------------------
------------- ##
> ## Create routines for establishing group permissions.  Call them during
user creation.      ##
> ##
----------------------------------------------------------------------------
------------- ##
> sub users_grp {
>       my $Self = shift;
>       my ($UserID) = @_;
>     $Self->{GroupObject}->GroupMemberAdd(
>               UID => $UserID,
>               GID => 1,
>               UserID => 2,
>               Permission => {
>                       ro => 0,
>                       move_into => 0,
>                       create => 0,
>                       owner => 0,
>               priority => 0,
>               rw => 1,
>           }
>     );
> }
> sub admin_grp {
>       my $Self = shift;
>       my ($UserID) = @_;
>     $Self->{GroupObject}->GroupMemberAdd(
>               UID => $UserID,
>               GID => 2,
>               UserID => 2,
>               Permission => {
>                       ro => 0,
>                       move_into => 0,
>                       create => 0,
>                       owner => 0,
>               priority => 0,
>               rw => 1,
>           }
>     );
> }
> sub stats_grp {
>       my $Self = shift;
>       my ($UserID) = @_;
>     $Self->{GroupObject}->GroupMemberAdd(
>               UID => $UserID,
>               GID => 3,
>               UserID => 2,
>               Permission => {
>                       ro => 0,
>                       move_into => 0,
>                       create => 0,
>                       owner => 0,
>               priority => 0,
>               rw => 1,
>           }
>     );
> }
> sub faq_grp {
>       my $Self = shift;
>       my ($UserID) = @_;
>     $Self->{GroupObject}->GroupMemberAdd(
>               UID => $UserID,
>               GID => 4,
>               UserID => 2,
>               Permission => {
>                       ro => 0,
>                       move_into => 0,
>                       create => 0,
>                       owner => 0,
>               priority => 0,
>               rw => 1,
>           }
>     );
> }
> ## ------------------------------------- END
----------------------------------------------- ##
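Review bot: the four subs in 116a121,192 differ only in the GID, so the hard-coded GID 1..4 and the hard-coded actor UserID 2 in each call are the first thing to fix; one helper that takes the group name (or a configured GID) would replace all four, and the ids should come from configuration or a name lookup rather than assuming a fresh install's numbering. Two smaller points: every call sets rw => 1 with the other flags at 0, which is fine if rw is meant to imply the rest but deserves a comment saying so; and the banner comment lines were wrapped by the mailer (the continuation lines lack the > prefix), so this hunk will not apply as posted; attach the diff as a file next time.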
121c197
<     foreach (qw(Firstname Lastname Login Pw ValidID UserID Email)) {
---
>     foreach (qw(Firstname Lastname Login Pw ValidID UserID Email Group)) {
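Review bot: adding Group to the list in 121c197 makes it a required parameter of UserAdd (if that loop is the required-field check, as its contents suggest), so every existing caller that creates users without a Group, the admin frontend's user form included, will now be rejected; leave Group out of this list and treat an absent or unrecognised value as "no extra rights". On the question in the mail: the group assignment can only be reached from the web if some frontend module forwards a request parameter named Group into UserAdd, so confirm that the admin user module passes named fields and not the whole request through.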
173a250,261
> 
>               # Create user group permissions here
>               if ($Param{Group} eq "otrsAgent") {
>               $Self->users_grp($UserID);
>                   $Self->faq_grp($UserID);
>               } elsif ($Param{Group} eq "otrsAdmin") {
>                       $Self->users_grp($UserID);
>                       $Self->admin_grp($UserID);
>                       $Self->stats_grp($UserID);
>                       $Self->faq_grp($UserID);
>               }
> 
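Review bot: the block in 173a250,261 only ever adds memberships and only runs when the user record is created, so an agent moved from otrsAdmin to otrsAgent in AD (or out of both groups) keeps whatever rights OTRS recorded at first login; run the mapping on every sync and remove memberships the directory no longer grants. The literals 'otrsAgent' and 'otrsAdmin' here and the DNs in 474a565,585 are the same information kept in two places; one configured DN-to-rights map would keep them in step. The two calls in the otrsAgent branch are also indented differently from each other and from the elsif branch.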
178c266
<       return $UserID; 
---
>       return $UserID;
229c317
<   
---
> 
246c334
<         return; 
---
>         return;
248c336
< }   
---
> }
326c414
<     
---
> 
447a536
>         $Self->{GroupRights} =
$Self->{ConfigObject}->Get('AuthModule::LDAP::GroupRights') || '';
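Review bot: $Self->{GroupRights} is read from AuthModule::LDAP::GroupRights in 447a536 but nothing else in the patch uses it; the group DNs are hard-coded in 474a565,585 instead. Either drive that loop from this setting (a list of DNs, or a DN-to-rights map) or drop the setting.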
470a560
>         my $Group = '';
472c562
<         my %SyncUser = ();
---
>         my %SyncUser = ();;
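Review bot: 472c562 replaces a correct line with `my %SyncUser = ();;`, so its only change is a stray second semicolon; drop this hunk.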
474a565,585
>               # --
>               # Custom code to get user's actual group privilege
>               # --
>               my $Filter2 = '';
>               $Filter2 = "($Self->{AccessAttr}=$UserDN)";
>                       my $GroupRights = '';
>               foreach (       'cn=otrsAdmin,cn=Users,dc=nspnet,dc=net',
>
'cn=otrsAgent,cn=Users,dc=nspnet,dc=net') {
>                               my $Result2 = $LDAP->search (
>                               base => $_,
>                               filter => $Filter2,
>                       );
>                       foreach my $Entry ($Result2->all_entries) {
>                               $GroupRights = $Entry->dn();
>                       }
>                               last if ($GroupRights);
>                       }
>                       my @split = split/,/,$GroupRights;
>                       $Group = $split[0];
>                       $Group =~ s/^cn=//i;
>                       # -- end custom
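Review bot: $UserDN is interpolated into the filter in 474a565,585 without escaping; a DN the directory returns can contain ( ) * or \, all of which are filter metacharacters, so pass it through Net::LDAP::Util::escape_filter_value (or build the filter with Net::LDAP::Filter) before use. Further: $Result2->code is never checked, so an LDAP error looks the same as "not a member" (fail-closed, but silent; log it); the group DNs and dc=nspnet,dc=net are site-specific and belong in configuration; the `last if` gives otrsAdmin precedence only because it is listed first, which a comment should say; and extracting the cn by splitting on ',' breaks on DNs with escaped commas, and is unnecessary anyway since the matched $_ is already the full group DN and can be used directly as the key of a lookup.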
487a599
>             Group => $Group,  
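Review bot: when the user is in neither otrsAdmin nor otrsAgent, $Group stays '' and, with Group made required in 121c197, the sync will refuse to create the user, so an agent who is only in the base "otrs" group can no longer log in for the first time; pass the value as optional (or pass the matched DN) and let UserAdd default to no extra rights. The line also carries trailing whitespace.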
_______________________________________________
OTRS mailing list: dev - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/dev
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/dev
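As an added example, not code from the post or from OTRS, here is the LDAP-group-to-OTRS-group mapping described in the mail written so that the group DNs and the rights they grant live in one configuration hash, the user DN is escaped before it is placed in an LDAP search filter, and the result is reconciled against what OTRS currently records (removals included) instead of only added at first login. Everything below the helper subs is constructed sample data: the directory snapshot stands in for $LDAP->search, the "current OTRS groups" table stands in for Kernel::System::Group, and the OTRS group names users, admin, stats and faq are assumed to be the groups the patch addresses as GID 1 to 4.

```perl
#!/usr/bin/perl
# Added example, not OTRS code: derive an agent's OTRS groups from LDAP
# group membership and reconcile them (add and remove), with the user DN
# escaped before it goes into a search filter.
use strict;
use warnings;

# Assumed configuration: LDAP group DN => OTRS groups it grants.  The DNs
# are the ones from the posted diff; the OTRS group names are assumed to
# match the groups the patch addresses as GID 1..4.
my %GroupRights = (
    'cn=otrsAdmin,cn=Users,dc=nspnet,dc=net' => [qw(users admin stats faq)],
    'cn=otrsAgent,cn=Users,dc=nspnet,dc=net' => [qw(users faq)],
);

# RFC 4515 escaping for a value interpolated into an LDAP filter.  With
# Net::LDAP installed, Net::LDAP::Util::escape_filter_value does the same;
# it is inlined here so the script runs stand-alone.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\()*\x00])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

# The filter a group search would send, e.g. "(member=cn=alice,...)".
sub member_filter {
    my ($access_attr, $user_dn) = @_;
    return "($access_attr=" . escape_filter_value($user_dn) . ')';
}

# OTRS groups the user should have: the union over every configured LDAP
# group that lists the user as a member.  $is_member stands in for the LDAP
# search and returns true when $group_dn has $user_dn as a member.
sub desired_otrs_groups {
    my ($user_dn, $is_member) = @_;
    my %want;
    for my $group_dn (sort keys %GroupRights) {
        next unless $is_member->($group_dn, $user_dn);
        $want{$_} = 1 for @{ $GroupRights{$group_dn} };
    }
    return sort keys %want;
}

# Compare desired with current memberships; returns (to_add, to_remove).
# The removal list is what lets a demotion in AD take effect in OTRS.
sub reconcile {
    my ($desired, $current) = @_;
    my %d = map { $_ => 1 } @$desired;
    my %c = map { $_ => 1 } @$current;
    my @add    = grep { !$c{$_} } @$desired;
    my @remove = grep { !$d{$_} } @$current;
    return (\@add, \@remove);
}

# Constructed directory snapshot standing in for $LDAP->search: group DN =>
# member DNs.  Bob's DN contains parentheses to show why escaping matters.
my %Directory = (
    'cn=otrsAdmin,cn=Users,dc=nspnet,dc=net' => [
        'cn=alice,cn=Users,dc=nspnet,dc=net',
    ],
    'cn=otrsAgent,cn=Users,dc=nspnet,dc=net' => [
        'cn=alice,cn=Users,dc=nspnet,dc=net',
        'cn=bob (contractor),cn=Users,dc=nspnet,dc=net',
    ],
);
my $is_member = sub {
    my ($group_dn, $user_dn) = @_;
    return scalar grep { $_ eq $user_dn } @{ $Directory{$group_dn} || [] };
};

# Constructed view of what OTRS currently records for each agent: alice was
# promoted in AD since her first login, bob was demoted, eve left both groups.
my %CurrentOtrsGroups = (
    'cn=alice,cn=Users,dc=nspnet,dc=net'            => [qw(users faq)],
    'cn=bob (contractor),cn=Users,dc=nspnet,dc=net' => [qw(users admin stats faq)],
    'cn=eve,cn=Users,dc=nspnet,dc=net'              => [qw(users faq)],
);

for my $user_dn (sort keys %CurrentOtrsGroups) {
    my @desired = desired_otrs_groups($user_dn, $is_member);
    my ($add, $remove) = reconcile(\@desired, $CurrentOtrsGroups{$user_dn});
    print "$user_dn\n";
    print "  filter:  ", member_filter('member', $user_dn), "\n";
    print "  desired: @desired\n";
    print "  add:     @$add\n";
    print "  remove:  @$remove\n";
}
```

Run it with plain perl; it needs nothing outside core. In a real sync the $is_member closure would issue the search with the escaped filter and check the result code before trusting an empty result, and the add and remove lists would be applied through Kernel::System::Group with the rights taken from the configuration hash rather than from hard-coded GIDs.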