Hi there,
Martin Edenhofer provided us with an authentication perl module stored
under
/otrs/Kernel/System/CustomerAuth/XYZAuth.pm
which we customized to our infrastructure:
# --
# Kernel/System/CustomerAuth/XYZAuth.pm - provides the connection to a
# single sign-on
# Copyright (C) 2001-2004 Martin Edenhofer
# --
# $Id: HTTPBasicAuth.pm,v 1.2 2004/08/10 10:31:56 martin Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (GPL). If you
# did not receive this file, see http://www.gnu.org/licenses/gpl.txt.
# --
package Kernel::System::CustomerAuth::XYZAuth;
use strict;
use DBI;
use vars qw($VERSION);
# '$Revision: 1.2 $' is a version-control keyword string; the substitution
# below strips the "$Revision: " prefix and the trailing " $", leaving just
# the revision number ("1.2") in $VERSION.
$VERSION = '$Revision: 1.2 $';
$VERSION =~ s/^\$.*:\W(.*)\W.+?$/$1/;
# --
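sub new {
    # Constructor: stores the framework objects and derives the DBI DSN from
    # the Customer::AuthModule::XYZAuth::* configuration keys.
    #
    # Params (named): LogObject, ConfigObject, DBObject - all required; dies
    #                 with "No <name>!" when one is missing or false.
    # Returns: the blessed object with Debug, Type, Host, Port, Database,
    #          User, Password and DSN set.
    my $Type  = shift;
    my %Param = @_;

    # allocate new hash for object
    my $Self = {};
    bless($Self, $Type);

    # check needed objects
    foreach (qw(LogObject ConfigObject DBObject)) {
        $Self->{$_} = $Param{$_} || die "No $_!";
    }

    # Debug 0=off 1=on
    $Self->{Debug} = 0;

    my $ConfigObject = $Self->{ConfigObject};
    my $Prefix       = 'Customer::AuthModule::XYZAuth::';

    # Only mysql is supported, so any other (or missing) type is overridden.
    $Self->{Type} = $ConfigObject->Get($Prefix . 'Type');
    if (!defined $Self->{Type} || $Self->{Type} ne 'mysql') {
        $Self->{Type} = 'mysql';
    }

    $Self->{Host} = $ConfigObject->Get($Prefix . 'Host');

    # An unset or empty port falls back to 3306.
    $Self->{Port} = $ConfigObject->Get($Prefix . 'Port');
    if (!defined $Self->{Port} || $Self->{Port} eq '') {
        $Self->{Port} = 3306;
    }

    $Self->{Database} = $ConfigObject->Get($Prefix . 'Database');
    $Self->{User}     = $ConfigObject->Get($Prefix . 'User');
    $Self->{Password} = $ConfigObject->Get($Prefix . 'Password');

    # The DSN is assembled in a single expression so that no hash key can be
    # split by line wrapping.
    # NOTE(review): ':' is kept as the separator between the DSN attributes,
    # as in the original - confirm the DBD driver in use accepts it.
    $Self->{DSN} = 'DBI:' . $Self->{Type}
        . ':database=' . $Self->{Database}
        . ':host=' . $Self->{Host}
        . ':port=' . $Self->{Port};

    return $Self;
}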
# --
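sub GetOption {
    # Returns the value of one module option.
    #
    # Params (named): What - name of the option to look up; required.
    # Returns: the option's value (PreAuth => 1 is the only option defined),
    #          undef for an unknown option, and nothing after logging an
    #          error when What is missing.
    my ($Self, %Param) = @_;

    # check needed stuff
    if (!$Param{What}) {
        # Single-line literal: a wrapped literal would put a line break into
        # the logged message.
        $Self->{LogObject}->Log(
            Priority => 'error',
            Message  => 'Need What!',
        );
        return;
    }

    # module options
    my %Option = (
        PreAuth => 1,
    );

    # return option
    return $Option{ $Param{What} };
}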
# --
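sub Auth {
    # Resolves an external single sign-on session id to a customer login.
    #
    # Params (named): User - the session id (sid) passed in by the caller;
    #                 required.
    # Returns: the "user" column of the session_data row matching that sid,
    #          or nothing when the sid is missing, no row matches, or the
    #          database cannot be queried.
    my ($Self, %Param) = @_;
    my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';

    # check needed stuff
    if (!$Param{User}) {
        $Self->{LogObject}->Log(
            Priority => 'error',
            Message  => 'Need Session ID!',
        );
        return;
    }

    # A separate flag records database failures, so that a stored user name
    # can never be mistaken for the error marker.
    my $DBError   = 0;
    my $ValidUser = '';

    # analyze session key and get the user from db
    my $dbh = DBI->connect($Self->{DSN}, $Self->{User}, $Self->{Password});
    if ($dbh) {
        # The sid comes straight from the request, so it is bound as a
        # placeholder value and never concatenated into the SQL text.
        my $sth = $dbh->prepare('SELECT user FROM session_data WHERE sid = ?');
        if ($sth && $sth->execute($Param{User})) {
            my @row = $sth->fetchrow_array();
            $ValidUser = $row[0] if @row;
            $sth->finish();
        }
        else {
            $DBError = 1;
        }

        # Close the connection here, before any return, so that every outcome
        # releases it.
        $dbh->disconnect();
    }
    else {
        $DBError = 1;
    }

    # The sid acts as a login credential, so it is kept out of all log
    # messages; only the resolved user name and the client address are logged.
    if ($DBError) {
        $Self->{LogObject}->Log(
            Priority => 'notice',
            Message  => "User: Database error while authenticating!(REMOTE_ADDR: $RemoteAddr).",
        );
        return;
    }

    if ($ValidUser) {
        $Self->{LogObject}->Log(
            Priority => 'notice',
            Message  => "User: $ValidUser authentification ok (REMOTE_ADDR: $RemoteAddr).",
        );
        return $ValidUser;
    }

    $Self->{LogObject}->Log(
        Priority => 'notice',
        Message  => "User: No valid user found!(REMOTE_ADDR: $RemoteAddr).",
    );
    return;
}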
# --
1;
The following lines have been added as the authentication method in
Config.pm:
# external customer-authentication for intranet systems
# The XYZAuth::* keys below are the ones the XYZAuth constructor reads to
# build its DBI connection string.
$Self->{'Customer::AuthModule'} =
'Kernel::System::CustomerAuth::XYZAuth';
# Any Type other than 'mysql' is overridden to 'mysql' by the constructor.
$Self->{'Customer::AuthModule::XYZAuth::Type'} = 'mysql';
$Self->{'Customer::AuthModule::XYZAuth::Host'} = 'localhost';
# An empty Port falls back to 3306 in the constructor.
$Self->{'Customer::AuthModule::XYZAuth::Port'} = '3306';
$Self->{'Customer::AuthModule::XYZAuth::Database'} = 'dbname';
# The module only runs "SELECT user FROM session_data", so this account
# needs no more than read access to that table. The password is stored here
# in clear text, so it is only as protected as this file's permissions.
$Self->{'Customer::AuthModule::XYZAuth::User'} = 'username';
$Self->{'Customer::AuthModule::XYZAuth::Password'} = 'pw';
Now customer.pl is called like this:
https://localhost/otrs/customer.pl?Action=Login&User=sid with sid being
the php session id registered during intranet login. The sid is looked
up in the mysql db and the user is fetched and passed to OTRS. This
behaviour works well, but now we have a small question. After a
successful login, the original URL
https://localhost/otrs/customer.pl?User=sid is changed to
https://localhost/otrs/customer.pl?CSID=id and OTRS defines the CSID. Is
there a way to jump directly to the ticket report form
(https://localhost/otrs/customer.pl?Action=CustomerMessage) including
our sid and not the CSID? Or can I set OTRS to rely on external CSID?
When I call the ticket report form with
https://localhost/otrs/customer.pl?Action=CustomerMessage&User=sid I get
an authentication error from OTRS.
Best regards
Stéphane Martin