So, da bin ich nochmal. In der Zwischenzeit habe ich einen Wink in die
richtige Richtung bekommen. Wir haben das uns überlassene Script ein
wenig modifiziert. Es gibt nun im Verzeichnis
/Kernel/System/CustomerAuth ein neues Perl Modul, welches folgenden
Aufbau hat:
# --
# Kernel/System/CustomerAuth/XYZAuth.pm - provides the single sign on
# Copyright (C) 2001-2004 Martin Edenhofer
# --
# $Id: HTTPBasicAuth.pm,v 1.2 2004/08/10 10:31:56 martin Exp $
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (GPL). If you
# did not receive this file, see http://www.gnu.org/licenses/gpl.txt.
# --
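package Kernel::System::CustomerAuth::XYZAuth;

use strict;
use warnings;

use DBI;

# Version string taken from the RCS keyword, e.g. '$Revision: 1.2 $' -> '1.2'.
# `our` replaces the obsolete `use vars` form; the regex is unchanged.
our $VERSION = '$Revision: 1.2 $';
$VERSION =~ s/^\$.*:\W(.*)\W.+?$/$1/;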
# --
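# new() - constructor called by the OTRS framework.
#
# Parameters (all required, passed as a hash): LogObject, ConfigObject,
# DBObject.  Dies with "No <name>!" when one of them is missing.
#
# Reads the Customer::AuthModule::XYZAuth::* settings from Config.pm and
# builds the DBI DSN that Auth() connects with.  Returns the blessed object.
sub new {
    my $Type  = shift;
    my %Param = @_;

    # allocate new hash for object
    my $Self = {};
    bless ($Self, $Type);

    # check needed objects
    foreach (qw(LogObject ConfigObject DBObject)) {
        $Self->{$_} = $Param{$_} || die "No $_!";
    }

    # Debug 0=off 1=on
    $Self->{Debug} = 0;

    # Only MySQL is supported at the moment: an unset or different Type falls
    # back to it.  The `defined` guard avoids an "uninitialized value" warning
    # when the setting is missing from Config.pm.
    $Self->{Type} =
        $Self->{ConfigObject}->Get('Customer::AuthModule::XYZAuth::Type');
    if (!defined $Self->{Type} || $Self->{Type} ne 'mysql') {
        $Self->{Type} = 'mysql';
    }

    $Self->{Host} =
        $Self->{ConfigObject}->Get('Customer::AuthModule::XYZAuth::Host');

    # An unset or empty Port means the MySQL default port.
    $Self->{Port} =
        $Self->{ConfigObject}->Get('Customer::AuthModule::XYZAuth::Port');
    if (!defined $Self->{Port} || $Self->{Port} eq '') {
        $Self->{Port} = 3306;
    }

    $Self->{Database} =
        $Self->{ConfigObject}->Get('Customer::AuthModule::XYZAuth::Database');
    $Self->{User} =
        $Self->{ConfigObject}->Get('Customer::AuthModule::XYZAuth::User');
    $Self->{Password} =
        $Self->{ConfigObject}->Get('Customer::AuthModule::XYZAuth::Password');

    # DSN used by DBI->connect() in Auth().
    # NOTE(review): DBD::mysql documents ';' as the separator between the
    # database/host/port attributes; the ':' form is kept here as written,
    # but it has not been exercised yet (the lookup never ran while sid was
    # empty) - switch to ';' if connect() rejects the DSN.
    $Self->{DSN} = 'DBI:' . $Self->{Type}
        . ':database=' . $Self->{Database}
        . ':host='     . $Self->{Host}
        . ':port='     . $Self->{Port};

    return $Self;
}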
# --
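# GetOption() - report a module capability to the framework.
#
# Parameters: What => option name (required; an error is logged and nothing
# is returned when it is missing).
# Returns the option's value, or undef for an unknown option.  Only PreAuth
# (1) is defined, as in HTTPBasicAuth.pm from which this module was derived.
sub GetOption {
    my $Self  = shift;
    my %Param = @_;

    # check needed stuff (the message was split by a line wrap in the
    # original and contained an embedded newline)
    if (!$Param{What}) {
        $Self->{LogObject}->Log(Priority => 'error', Message => "Need What!");
        return;
    }

    # module options
    my %Option = (
        PreAuth => 1,
    );

    # return option
    return $Option{$Param{What}};
}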
# --
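# Auth() - map a session id to the user recorded for it in the intranet
# session_data table.
#
# Parameters: sid => session id from the intranet (required).
# Returns the user name on success; returns nothing when sid is missing,
# unknown, or the database lookup failed.  Every outcome is logged together
# with REMOTE_ADDR.
#
# NOTE(review): the framework appears to call Auth() with the login form
# fields only (User/Pw), not with the sid query parameter, which would
# explain why $Param{sid} is always empty; if so, sid has to be read from
# the request here (e.g. $ENV{QUERY_STRING}) - confirm against the OTRS
# version in use.  A sid carried in the URL also ends up in web server
# access logs and Referer headers.
sub Auth {
    my $Self  = shift;
    my %Param = @_;
    my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';

    # check needed stuff
    if (!$Param{sid}) {
        $Self->{LogObject}->Log(Priority => 'error', Message => "Need Session ID!");
        return;
    }

    # look the session key up in the intranet DB to get the logged-in LDAP
    # user: '' = no row for this sid, 'ERROR' = database problem
    my $ValidUser = _LookupSessionUser($Self, $Param{sid});

    # return valid user
    if ($ValidUser eq 'ERROR') {
        $Self->{LogObject}->Log(
            Priority => 'notice',
            Message  => "User: Database error while authenticating!(REMOTE_ADDR: $RemoteAddr).",
        );
        return;
    }
    elsif ($ValidUser) {
        $Self->{LogObject}->Log(
            Priority => 'notice',
            Message  => "User: $ValidUser authentification ok (REMOTE_ADDR: $RemoteAddr).",
        );
        return $ValidUser;
    }
    else {
        $Self->{LogObject}->Log(
            Priority => 'notice',
            Message  => "User: No valid user found!(REMOTE_ADDR: $RemoteAddr).",
        );
        return;
    }
}

# _LookupSessionUser($Self, $SessionID) - fetch the user column of the
# session_data row for $SessionID.
#
# Returns the user name, '' when there is no row (or the column is NULL),
# or 'ERROR' when the connection, prepare or execute failed.  The database
# handle is always disconnected before returning.
sub _LookupSessionUser {
    my ($Self, $SessionID) = @_;

    my $dbh = DBI->connect($Self->{DSN}, $Self->{User}, $Self->{Password});
    return 'ERROR' if !$dbh;

    my $ValidUser = 'ERROR';

    # Bind the session id as a placeholder instead of interpolating it into
    # the SQL text: it comes straight from the request and must not be able
    # to alter the query.  prepare() may return undef, so it is checked too.
    my $sth = $dbh->prepare('SELECT user FROM session_data WHERE sid = ?');
    if ($sth && $sth->execute($SessionID)) {
        my @row = $sth->fetchrow_array();
        $ValidUser = (@row && defined $row[0]) ? $row[0] : '';
    }

    # In the original the disconnect() came after the return statements and
    # was never reached, leaving the connection open.
    $dbh->disconnect();

    return $ValidUser;
}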
# --
1;
In der Config.pm haben wir dazu folgende Erweiterungen gemacht:
# Customer authentication via the intranet session database
# (Kernel/System/CustomerAuth/XYZAuth.pm).
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::XYZAuth';

# Connection settings read by XYZAuth->new(), stored as
# Customer::AuthModule::XYZAuth::<Name>.  The database password is kept in
# clear text here, so restrict who can read this file accordingly.
my %XYZAuthSetting = (
    Type     => 'mysql',
    Host     => 'localhost',
    Port     => '3306',
    Database => 'db',
    User     => 'user',
    Password => 'pw',
);
for my $Name (keys %XYZAuthSetting) {
    $Self->{"Customer::AuthModule::XYZAuth::$Name"} = $XYZAuthSetting{$Name};
}
Die Übergabe des Session-Keys aus dem Intranet erfolgt so:
https://localhost/otrs/customer.pl?sid=2fdfc3ba498b78aa45f627e0e604932b
Allerdings passiert nach der Übergabe der sid folgendes:
if (!$Param{sid}) {
$Self->{LogObject}->Log(Priority => 'error', Message => "Need
Session ID!");
return;
}
sid ist trotz des URL-Parameters leer. Es kann also auch kein User in
unserer MySQL-DB gesucht werden. Hat jemand eine Idee, warum OTRS nichts
von der sid weiß?
Viele Grüße
Stéphane Martin
WebTrio GmbH