RE: [dev] Auto Assign Group Rights

Could you post a diff(1) to the list? This would make it easier for other people to read your changes. Thanks.
My apologies. I have patched User.pm to create group rights and will include the changes I have made.

A brief explanation of how it works: I authenticate against Active Directory via LDAP. All agents are members of a basic group "otrs". This allows the LDAP Auth check to succeed for all agents. In addition to the basic group, agents are members of additional groups that define their privileges. Currently I have the groups "otrsAgent" and "otrsAdmin" defined. User.pm now does additional checks to see which of these extra groups an agent is a member of. When the agent signs in for the first time and "syncldap2database" is run, group rights are assigned accordingly.

One question: can you look through the code and tell me if it is vulnerable to manipulation via the web interface, or have I programmed this correctly from a security point of view?

Thanks,
Tyler Hepworth

Diff output follows for User.pm 15a16
use Kernel::System::Group; 20a22
55a58,59
$Self->{GroupObject} = Kernel::System::Group->new(%Param); #Custom
64c68 < # check if result is cached ---
# check if result is cached
99c103 < # check valid ---
# check valid
112c116 < $Self->{'GetUserData'.$User.$UserID} = {%Data, %Preferences}; ---
$Self->{'GetUserData'.$User.$UserID} = {%Data, %Preferences};
116a121,192
##
------------- ##
## Create routines for establishing group permissions. Call them during user creation. ## ##
------------- ##
sub users_grp { my $Self = shift; my ($UserID) = @_; $Self->{GroupObject}->GroupMemberAdd( UID => $UserID, GID => 1, UserID => 2, Permission => { ro => 0, move_into => 0, create => 0, owner => 0, priority => 0, rw => 1, } ); } sub admin_grp { my $Self = shift; my ($UserID) = @_; $Self->{GroupObject}->GroupMemberAdd( UID => $UserID, GID => 2, UserID => 2, Permission => { ro => 0, move_into => 0, create => 0, owner => 0, priority => 0, rw => 1, } ); } sub stats_grp { my $Self = shift; my ($UserID) = @_; $Self->{GroupObject}->GroupMemberAdd( UID => $UserID, GID => 3, UserID => 2, Permission => { ro => 0, move_into => 0, create => 0, owner => 0, priority => 0, rw => 1, } ); } sub faq_grp { my $Self = shift; my ($UserID) = @_; $Self->{GroupObject}->GroupMemberAdd( UID => $UserID, GID => 4, UserID => 2, Permission => { ro => 0, move_into => 0, create => 0, owner => 0, priority => 0, rw => 1, } ); } ## ------------------------------------- END ----------------------------------------------- ## 121c197 < foreach (qw(Firstname Lastname Login Pw ValidID UserID Email)) {
foreach (qw(Firstname Lastname Login Pw ValidID UserID Email Group)) {
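Review bot: the four subs users_grp, admin_grp, stats_grp and faq_grp in hunk 116a121,192 are the same routine with a different hard-coded GID (1 to 4) and every one of them passes UserID => 2 as the acting user. Collapse them into one sub that takes the group name, resolves the GID at call time instead of assuming the groups were created in that order on every installation, and either pass the real acting user or comment why 2 is used (the sync runs before a session user exists). Also confirm in Kernel::System::Group how `rw => 1` next to `ro => 0, move_into => 0, create => 0, owner => 0, priority => 0` is interpreted: if rw is not treated as implying the other flags, the agent gets write without read. The 121c197 line adds Group to the parameters copied in UserAdd without any validation; a comment there should say that only "otrsAgent" and "otrsAdmin" are meaningful values.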
173a250,261
# Create user group permissions here if ($Param{Group} eq "otrsAgent") { $Self->users_grp($UserID); $Self->faq_grp($UserID); } elsif ($Param{Group} eq "otrsAdmin") { $Self->users_grp($UserID); $Self->admin_grp($UserID); $Self->stats_grp($UserID); $Self->faq_grp($UserID); }
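Review bot: the rights are granted only inside UserAdd, so they are set once at first login and never re-evaluated; an agent removed from otrsAdmin in Active Directory keeps admin in OTRS until someone edits it by hand. The branch also trusts whatever string arrives in $Param{Group}, so any code path that calls UserAdd with Group => 'otrsAdmin' gets the full set, not only the LDAP sync. Consider moving the mapping to the sync step so it runs on every login and revokes as well as grants, and add an `else` that logs an agent who matched neither group, since today that case is silently created with no rights.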
178c266 < return $UserID; ---
return $UserID;
229c317 < ---
246c334 < return; ---
return;
248c336 < } ---
} 326c414 <
447a536
$Self->{GroupRights} =
$Self->{ConfigObject}->Get('AuthModule::LDAP::GroupRights') || ''; 470a560
my $Group = '';
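Review bot: hunk 447a536 reads `AuthModule::LDAP::GroupRights` into $Self->{GroupRights} but nothing in the patch uses it; the lookup in hunk 474a565,585 hard-codes the two group DNs under dc=nspnet,dc=net instead. Either drop the config read or drive the DN list (and the group mapping) from that setting, so site-specific DNs do not live in the module.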
472c562 < my %SyncUser = (); ---
my %SyncUser = ();;
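Review bot: the only change in hunk 472c562 is a doubled semicolon (`my %SyncUser = ();;`); drop this hunk from the patch.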
474a565,585
# -- # Custom code to get user's actual group privilege # -- my $Filter2 = ''; $Filter2 = "($Self->{AccessAttr}=$UserDN)"; my $GroupRights = ''; foreach ( 'cn=otrsAdmin,cn=Users,dc=nspnet,dc=net',
'cn=otrsAgent,cn=Users,dc=nspnet,dc=net') {
my $Result2 = $LDAP->search ( base => $_, filter => $Filter2, ); foreach my $Entry ($Result2->all_entries) { $GroupRights = $Entry->dn(); } last if ($GroupRights); } my @split = split/,/,$GroupRights; $Group = $split[0]; $Group =~ s/^cn=//i; # -- end custom
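Review bot: $UserDN is interpolated into the search filter `"($Self->{AccessAttr}=$UserDN)"` without escaping, so a DN containing `(`, `)`, `*` or `\` (a cn such as "Smith (Contractor)") yields a malformed or over-broad filter; escape it with Net::LDAP::Util::escape_filter_value. The result code of each search is never checked, so an LDAP error is indistinguishable from "not a member" and silently produces an agent with no rights. The `last if ($GroupRights)` after the otrsAdmin DN means admin wins when an account is in both groups, which looks intended but deserves a comment, and deriving the name with `split/,/` plus `s/^cn=//i` on the returned DN is fragile; since the search base is the group DN, map from the base that matched instead.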
487a599
Group => $Group,
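The group lookup described in the message, as an added example that is not part of the posted patch or of OTRS: the group-DN-to-OTRS-group mapping lives in one ordered list, the filter value is escaped per RFC 4515 before it is placed in the search filter, and an agent in none of the mapped groups gets an empty list rather than a guessed role. The DNs, the OTRS group names, the `member` attribute and the `FakeSearch` stand-in for `$LDAP->search` are assumptions so the script runs offline; in real code the search coderef wraps `$LDAP->search` and the escaping can come from Net::LDAP::Util::escape_filter_value.

```perl
#!/usr/bin/perl
# Added example, not code from the posted patch or from OTRS. Resolves an
# agent's OTRS groups from AD group membership with a safely built filter.
use strict;
use warnings;

# Ordered mapping (assumed DNs and group names): the first group the agent is
# found in wins, so the most privileged entry goes first.
my @GroupRights = (
    { DN => 'cn=otrsAdmin,cn=Users,dc=nspnet,dc=net', Groups => [qw(users admin stats faq)] },
    { DN => 'cn=otrsAgent,cn=Users,dc=nspnet,dc=net', Groups => [qw(users faq)] },
);

# RFC 4515 escaping for a value inside an LDAP search filter. Backslash must be
# handled first so the escapes it introduces are not escaped again.
sub EscapeFilterValue {
    my ($Value) = @_;
    $Value =~ s/\\/\\5c/g;
    $Value =~ s/\*/\\2a/g;
    $Value =~ s/\(/\\28/g;
    $Value =~ s/\)/\\29/g;
    $Value =~ s/\x00/\\00/g;
    return $Value;
}

# "(member=<escaped user DN>)", the membership test the patch builds unescaped.
sub MemberFilter {
    my ( $AccessAttr, $UserDN ) = @_;
    return "($AccessAttr=" . EscapeFilterValue($UserDN) . ")";
}

# Returns the OTRS group names for the agent, or () when no mapped group
# contains the agent. $Param{Search} is a coderef shaped like a Net::LDAP
# search: called with (base => $GroupDN, filter => $Filter), returns matching DNs.
sub ResolveGroups {
    my (%Param) = @_;
    my $Filter = MemberFilter( $Param{AccessAttr}, $Param{UserDN} );
    for my $Entry (@GroupRights) {
        my @Found = $Param{Search}->( base => $Entry->{DN}, filter => $Filter );
        return @{ $Entry->{Groups} } if @Found;
    }
    return ();
}

# --- constructed stand-in for the directory (group DN -> member DNs) ---------
# One member DN contains parentheses to show why the escaping matters.
my %Directory = (
    'cn=otrsAdmin,cn=Users,dc=nspnet,dc=net' => ['cn=Alice Admin,cn=Users,dc=nspnet,dc=net'],
    'cn=otrsAgent,cn=Users,dc=nspnet,dc=net' => [
        'cn=Alice Admin,cn=Users,dc=nspnet,dc=net',
        'cn=Bob (Contractor),cn=Users,dc=nspnet,dc=net',
    ],
);

# Minimal evaluator for a single "(attr=value)" equality filter. A filter that
# is not well-formed (what an unescaped parenthesis produces) matches nothing,
# as a real server would reject it; \XX escapes are decoded before comparing.
sub FakeSearch {
    my (%Arg) = @_;
    my ( $Attr, $Raw ) = $Arg{filter} =~ /^\(([A-Za-z]+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)$/
        or return ();
    ( my $Value = $Raw ) =~ s/\\([0-9a-fA-F]{2})/chr hex $1/ge;
    return () if $Attr ne 'member';
    my $Members = $Directory{ $Arg{base} } or return ();
    my @Hit = grep { $_ eq $Value } @{$Members};
    return @Hit ? ( $Arg{base} ) : ();
}

for my $UserDN (
    'cn=Alice Admin,cn=Users,dc=nspnet,dc=net',
    'cn=Bob (Contractor),cn=Users,dc=nspnet,dc=net',
    'cn=Carol Nobody,cn=Users,dc=nspnet,dc=net',
) {
    my @Groups = ResolveGroups( AccessAttr => 'member', UserDN => $UserDN, Search => \&FakeSearch );
    printf "%-48s -> %s\n", $UserDN, @Groups ? join( ',', @Groups ) : '(no rights)';
}

# For contrast: the unescaped filter the patch would build for Bob is malformed
# and matches nothing, so he would be created with no rights.
my $RawFilter = '(member=cn=Bob (Contractor),cn=Users,dc=nspnet,dc=net)';
my @RawHits = FakeSearch( base => 'cn=otrsAgent,cn=Users,dc=nspnet,dc=net', filter => $RawFilter );
printf "unescaped filter %s -> %d hits\n", $RawFilter, scalar @RawHits;
```

Alice lands in the admin set although she is in both groups, Bob resolves to the agent set only because the parentheses in his DN were escaped, and Carol gets nothing. Each returned name would then be turned into a GID by name at call time and passed to GroupMemberAdd, instead of the fixed 1..4 in the patch.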