Hi all,
I'm new on GLPI (I've been using OTRS for the last 6 years) and I'm trying to configure the Active Directory on my GLPI install.
I was able to configure the LDAP, and authenticate from a user of Active Directory with success.
I need to restrict the access to users on GLPI only when they are members of one of the below Active Directory Groups:
When the users log in, they should be assigned to different profiles based on their Active Directory Groups.
BRGPIAD - Super-Admin
BRGPITC - Technician
BRGPIUS - Report only
My configuration of LDAP Authentication is this:
I'm running the 9.1.5 version of GLPI.
Last edited by possebon (2017-07-31 19:28:44)
Hello,
that is basically my configuration (I also use SSO with NTLM - will move to Kerberos shortly).
I'm not currently in office so will try to remember the config:
- Create the 3 profiles you need in GLPI (eg. Profile-BRGPIAD, Profile-BRGPITC, Profile-BRGPIUS) and set appropriate permission you want for each user category
- Create 3 groups in GLPI (eg. Group-BRGPIAD, Group-BRGPITC, Group-BRGPIUS). Link each GLPI Group to the AD Group (using the LDAP Directory Link Tab in group configuration). You need to specify memberof as attribute and then write down the full DN of the AD Group. Remember that AD link uses group DN so if you change the group DN (i.e. you move the group in another OU or rename the group), you need to update this setting manually. Also keep the default "glpi" user enabled to be used when AD integration fails.
Now associate users in each group with appropriate profile using RULES.
In RULES, go to Authorization assignment rules. Create 3 rules that will link each group to the corresponding profile.
Using BRGPIAD as example:
- Criteria: the "Imported group from LDAP Directory" is Group-BRGPIAD.
- Actions: Profile Assign Profile-BRGPIAD
Don't forget to enable the rule (first tab in rule configuration).
HTH
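Added example (not part of LucaC's post and not GLPI code): a Python model of the matching that the setup above relies on, showing an LDAP filter limited to direct members of the three groups and the group-DN-to-profile lookup. The group and profile names are from the thread; the `OU=Groups,DC=example,DC=com` suffix and all function names are constructed assumptions.

```python
# Added example. Group and profile names come from the thread; the OU and
# domain components are constructed placeholders, not values from the page.
BASE = "OU=Groups,DC=example,DC=com"

GROUP_TO_PROFILE = {
    f"CN=BRGPIAD,{BASE}": "Profile-BRGPIAD",
    f"CN=BRGPITC,{BASE}": "Profile-BRGPITC",
    f"CN=BRGPIUS,{BASE}": "Profile-BRGPIUS",
}


def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a DN is safe inside a filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_group_filter(group_dns):
    """LDAP filter matching person accounts that are direct members of any group.

    memberOf lists direct membership only, so users who reach a group through
    nesting are not matched by this filter.
    """
    clauses = "".join(
        f"(memberOf={escape_filter_value(dn)})" for dn in group_dns
    )
    return f"(&(objectClass=user)(objectCategory=person)(|{clauses}))"


def profiles_for(member_of):
    """Profiles a user gets from their memberOf values; [] means none assigned.

    The match is on the full DN (case-insensitive), so a group that was moved
    or renamed in AD no longer matches until the stored DN is updated.
    """
    wanted = {dn.casefold(): profile for dn, profile in GROUP_TO_PROFILE.items()}
    found = {wanted.get(dn.strip().casefold()) for dn in member_of}
    return sorted(p for p in found if p)


if __name__ == "__main__":
    print(build_group_filter(GROUP_TO_PROFILE))
    print(profiles_for([f"cn=brgpitc,{BASE.lower()}"]))           # matched
    print(profiles_for(["CN=BRGPIAD,OU=IT,DC=example,DC=com"]))   # moved group
```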
LucaC,
Thanks for your reply.
I was able to configure almost everything you sent me.
The only thing that I can't figure out is, when I try to import users from AD, they are not filtered only by those groups.
Best regards,
Another thing that happened, the configuration I did yesterday about Groups (the groups I created yesterday) are gone today, they disappeared.