osticket-multildap-auth

Searching for users in a group

Open jasonmacer opened this issue 1 year ago • 16 comments

Good afternoon all,

@philbertphotos, I have osTicket 1.17.2 running and I am hoping to use your plugin to add users and staff, and maybe even admins if possible.

I have a PowerShell script that has turned (3) groups into dynamic groups so that when someone is added, disabled, moved, et cetera, it automatically adjusts the membership in these groups.

So, is it possible to use your plugin to look up based on a user's membership in a group?

Thank you!

jasonmacer avatar May 05 '23 20:05 jasonmacer

So here is the thing: it automatically adds users based on the group they are in and adds them as an admin and topic on first login, but I never thought of having those rights removed based on the group. It's not a hard thing to add. It does disable accounts based on AD for all users.

philbertphotos avatar May 05 '23 23:05 philbertphotos

Wait, you want to look up users based solely on the groups they are in?

philbertphotos avatar May 05 '23 23:05 philbertphotos

@philbertphotos, so we have about 60 employees across two states that we need added to "Users", and about 5 employees that need to be agents, with 2 of them being admins. The biggest problem I ran into is outside of Azure, we are on premise, and Exchange, there are no Dynamic AD Groups, so I had to improvise.

What I did was set up three groups, osTicketUser, osTicketAgent, osTicketAdmin, and built a PowerShell script that runs every five minutes, looks at the security log, and if there are any new specific events then it fires and manages the group. Adds users, removes users, moves users.

I am hoping that there is a way to easily look at the "member of" section of users, or just look at all the "members" of those groups for access.

I'd be willing to share my PowerShell script for others to use.

jasonmacer avatar May 05 '23 23:05 jasonmacer

  1. I would LOVE to see the PowerShell script; it could be something I can use in my environment.
  2. Yes, the plugin does something like this at a primitive level and only when a user logs in. [image]

This is only for Agents: it makes them an Agent if they are in the group and automatically adds the user.

On the user side it does not care what group you are in; it creates you as a user regardless of what group you are in.

What you are suggesting is a new feature where the plugin won't allow a user to log in (user side) if they are not in a group or groups of your choosing, and on the Admin side differentiate between who will be just an agent and who will be an admin... is that right?

philbertphotos avatar May 06 '23 13:05 philbertphotos

@jasonmacer are you talking about this section? [image] For an Agent, you want the plugin to update if they are an Admin or not based on the group, and if the user is no longer in that group, to block their login access, correct?

philbertphotos avatar May 06 '23 13:05 philbertphotos

@philbertphotos I just emailed you the PowerShell script. It's not super glamorous, but it does get the initial job done, for now. Let me know if you have any questions.

To better explain my groups, here are their DNs:

CN=osTicketUser,OU=osTicket,OU=Groups,OU=CompanyName,DC=domain,DC=local
CN=osTicketAgent,OU=osTicket,OU=Groups,OU=CompanyName,DC=domain,DC=local
CN=osTicketAdmin,OU=osTicket,OU=Groups,OU=CompanyName,DC=domain,DC=local

All of the "employees" are in various OUs contained in the following:

OU=Employees,OU=CompanyName,DC=domain,DC=local

(I believe all the nomenclatures are correct there)

What I was hoping today, and maybe you're right this might be a great feature, is to use the groups listed to enable/disable access for the users, agents, and admins automatically.

> What you are suggesting is a new feature where the plugin won't allow a user to log in (user side) if they are not in a group or groups of your choosing, and on the Admin side differentiate between who will be just an agent and who will be an admin... is that right?

You are correct here. Not everyone needs access and it would allow the PowerShell script to automatically add/remove users from my groups which would propagate over into osTicket automatically. It wouldn't delete the users, I'm assuming, just deactivate them probably.

> For an Agent, you want the plugin to update if they are an Admin or not based on the group, and if the user is no longer in that group, to block their login access, correct?

You are also correct. I am assuming that an Administrator would also need to be in the "agent" group so they were "created" and then they would get the admin tick if they were also in the osTicketAdmin group.

Now here is a question: Can this be done by looking up the "members of" on an AD user versus looking at the "members" of the group? Which would be easier? Technically all users are already within OUs inside the OU=CompanyName,DC=domain,DC=local?

jasonmacer avatar May 06 '23 16:05 jasonmacer
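
The two lookups asked about in the comment above, as an added Python example that is not part of the thread or the plugin: the user-side search on `memberOf`, the group-side search on `member`, and the role decision described in the thread (admin only if also an agent, no group means no login). The DNs are the ones quoted in the thread; `GROUP_BASE` and all function names are assumptions made for illustration.

```python
# Added example: DNs are those quoted in the thread; names below are hypothetical.
GROUP_BASE = "OU=osTicket,OU=Groups,OU=CompanyName,DC=domain,DC=local"
USER_BASE = "OU=Employees,OU=CompanyName,DC=domain,DC=local"
GROUPS = {role: "CN=osTicket%s,%s" % (role.capitalize(), GROUP_BASE)
          for role in ("user", "agent", "admin")}
# Active Directory matching rule that also follows nested group membership.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter(value):
    """Escape a value placed inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_side_search(login, role, nested=False):
    """Look at the user's memberOf: one search under the employees OU."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    flt = "(&(objectClass=user)(sAMAccountName=%s)(%s=%s))" % (
        escape_filter(login), attr, escape_filter(GROUPS[role]))
    return USER_BASE, flt


def group_side_search(user_dn):
    """Look at the groups' member attribute: which osTicket groups list this DN."""
    return GROUP_BASE, "(&(objectClass=group)(member=%s))" % escape_filter(user_dn)


def normalize_dn(dn):
    # Simplified comparison key: AD DNs match case-insensitively and may
    # differ in spacing after commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_role(member_of):
    """Map the memberOf values returned for a user to the access level."""
    have = {normalize_dn(dn) for dn in member_of}
    in_group = {role: normalize_dn(dn) in have for role, dn in GROUPS.items()}
    if in_group["agent"]:
        # Thread's assumption: an admin is an agent who is also in osTicketAdmin.
        return "admin" if in_group["admin"] else "agent"
    return "user" if in_group["user"] else "denied"


if __name__ == "__main__":
    print(user_side_search("jdoe", "agent", nested=True))  # constructed login
    print(resolve_role([GROUPS["agent"].lower(), GROUPS["admin"]]))
```

Either search returns the same answer for direct membership; `memberOf` does not list a user's primary group, so the three osTicket groups should not be set as anyone's primary group.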

@philbertphotos I wanted to make sure you received that email, and also see if you might be able to give me a brief hand getting the plug-in to work.

Thank you!

jasonmacer avatar May 08 '23 17:05 jasonmacer

@jasonmacer it's been a long weekend for me ... I would have to make changes to the plugin to implement the feature but it can be done.

philbertphotos avatar May 08 '23 20:05 philbertphotos

No worries @philbertphotos, I was wondering if I can help or not.

Hope the week gets better

jasonmacer avatar May 08 '23 23:05 jasonmacer

@philbertphotos I don't know if you had a chance to look into this or not. Let me know if there is anything I can do to help.

Also, I've been re-writing my script in node and adding to it with a logging integration so we know who does what in our Mattermost environment when it comes to modifications to AD.

Thanks again!

jasonmacer avatar May 18 '23 18:05 jasonmacer

@jasonmacer will have a version out that will have these features by Saturday. I realized how important it is in even my environment and others to have it remove access to users based on the group they are in.

philbertphotos avatar May 21 '23 23:05 philbertphotos

@philbertphotos hope you're well. I was just seeing if you need anyone to test the update?

Thanks!

-Jason

jasonmacer avatar Jun 01 '23 21:06 jasonmacer

@jasonmacer making the changes right now actually. I had to fix some bugs and install the newest version on my live build and found a few in it upgrading the staff table. Other than that it's working.

philbertphotos avatar Jun 15 '23 08:06 philbertphotos

Awesomeness @philbertphotos

jasonmacer avatar Jun 15 '23 23:06 jasonmacer

@jasonmacer

Is this what you are looking for? [image]

philbertphotos avatar Jun 20 '23 13:06 philbertphotos

I do believe this is correct!

jasonmacer avatar Jun 20 '23 18:06 jasonmacer