znuny / Znuny

Znuny/Znuny LTS is a fork of the ((OTRS)) Community Edition, one of the most flexible web-based ticketing systems, used for Customer Service, Help Desk and IT Service Management.
https://www.znuny.org
GNU General Public License v3.0

Fixed permission removal from LDAP and added option to delegate specified groups permission management to LDAP #402

Closed pboguslawski closed 1 year ago

pboguslawski commented 1 year ago

Proposed change

When group/role permissions are synchronized from LDAP and all permissions are removed from a user in LDAP (using LDAP groups and/or attributes), Znuny does not remove their permissions from OTRS on the next user sync from LDAP. This mod fixes it (if no permission groups/attributes are found in LDAP for a user, the user won't have any group permissions or roles in Znuny).

This mod also introduces a new SysConfig parameter UserSyncGroupsWithPermissionsManagedInLDAP that may be defined in Config.pm like

$Self->{'UserSyncGroupsWithPermissionsManagedInLDAP'} = [
    'admin',
    'users',
];

and specifies a list of Znuny group names; if not empty, only the specified groups are synchronized from LDAP and cannot be managed in the application UI (the specified groups are no longer inherited from roles, even if already defined there). Existing group permissions for the specified groups will be changed on the first sync with LDAP (i.e. on user login) if they differ from those in LDAP. This parameter is common to all AuthSyncModule::LDAP::*N sync backends. When it is undefined or empty and group permission sync from LDAP is enabled, all groups are synchronized from LDAP and all groups may also be managed from the application UI.

Additional information

Author-Change-Id: IB#1110309

rkaldung commented 1 year ago

@pboguslawski This is already implemented, based on a reported issue by a support customer, for Znuny LTS 6.5 (4e3bdbf98249232436b0a03fe139328f26e0e6f3) and Znuny 7.0 (26174846adc25b96259d3d3428aaa95661b12bf9 and cd5110a64e2d70a55a8497e3ff068bd4a65150b5)

pboguslawski commented 11 months ago

Fix 4e3bdbf98249232436b0a03fe139328f26e0e6f3 is not optimal because the PERMISSIONTYPE loop should be executed only when LDAP group sync is configured (when $UserSyncGroupsDefinition || $UserSyncAttributeGroupsDefinition is true). Consider moving this condition check before the loop, like in this PR here and here.

Please note that the sync fix is just a small part of this PR, which also introduces an option to delegate the permission management of specified groups to LDAP only (the UserSyncGroupsWithPermissionsManagedInLDAP parameter). Please consider adding this feature to the upstream code.
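The sync semantics described in the PR description (stale permissions surviving when LDAP no longer grants them, and the UserSyncGroupsWithPermissionsManagedInLDAP restriction) and the condition the follow-up comment asks to check before the permission-type loop, as an added Python model. This is example code written for this page, not Znuny's own Perl sync backend; the group names, permission types and the "LDAP-derived" results are constructed for illustration, and the exact data structures Znuny uses internally are assumed, not quoted.

```python
# Added illustrative model (Python, not Znuny's own Perl sync code) of the group
# permission sync semantics described in this PR. Group names, permission types
# and the "LDAP-derived" results below are constructed for the example.
from typing import Dict, List, Set

Perms = Dict[str, Set[str]]  # Znuny group name -> permission types (ro, rw, ...)


def sync_before_fix(current: Perms, ldap_derived: Perms) -> Perms:
    """Pre-fix behaviour as the PR describes it: groups found in LDAP are
    written, but a group that vanished from LDAP silently keeps its old
    permissions (a membership revoked in LDAP is never propagated)."""
    result = {g: set(p) for g, p in current.items()}
    for group, perms in ldap_derived.items():
        result[group] = set(perms)
    return result


def sync_after_fix(current: Perms, ldap_derived: Perms,
                   managed_in_ldap: List[str],
                   group_sync_configured: bool = True) -> Perms:
    """Behaviour the PR proposes.

    - group_sync_configured False (neither UserSyncGroupsDefinition nor
      UserSyncAttributeGroupsDefinition set): nothing is touched, which is
      the condition the follow-up comment wants checked before the loop.
    - managed_in_ldap empty: every group is driven by LDAP, so a group absent
      from ldap_derived loses all its permissions (the removal fix).
    - managed_in_ldap non-empty: only the listed groups are driven by LDAP;
      all other groups stay as configured in the UI and any LDAP data for
      them is ignored.
    """
    if not group_sync_configured:
        return {g: set(p) for g, p in current.items()}
    if not managed_in_ldap:
        return {g: set(p) for g, p in ldap_derived.items() if p}
    result = {g: set(p) for g, p in current.items() if g not in managed_in_ldap}
    for group in managed_in_ldap:
        perms = ldap_derived.get(group, set())
        if perms:
            result[group] = set(perms)
    return result


def effective_groups(user_groups: Perms, role_groups: Perms,
                     managed_in_ldap: List[str]) -> Perms:
    """Merge direct group permissions with those inherited from roles, except
    that a managed-in-LDAP group is never inherited from a role."""
    result = {g: set(p) for g, p in user_groups.items()}
    for group, perms in role_groups.items():
        if group in managed_in_ldap:
            continue
        result.setdefault(group, set()).update(perms)
    return result


# Constructed scenario: yesterday the user had admin and users permissions;
# today LDAP maps the user to no group at all (offboarded or moved).
CURRENT_PERMS: Perms = {"admin": {"rw"}, "users": {"ro", "rw"}, "stats": {"ro"}}
LDAP_TODAY: Perms = {}

if __name__ == "__main__":
    print(sync_before_fix(CURRENT_PERMS, LDAP_TODAY))                    # admin/users retained
    print(sync_after_fix(CURRENT_PERMS, LDAP_TODAY, []))                 # everything removed
    print(sync_after_fix(CURRENT_PERMS, LDAP_TODAY, ["admin", "users"]))  # only UI-managed stats kept
```

The security point the model makes visible: with the pre-fix behaviour, removing a user from the LDAP group that grants admin does nothing in Znuny until someone edits the user by hand, so LDAP stops being the source of truth for revocation. With a non-empty managed-in-LDAP list, the listed groups are reconciled on every login and role inheritance can no longer smuggle them back in.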