#1 2012-03-08 01:58:51

tabad
Member
From: Manzanares, Ciudad Real, Spain
Registered: 2011-09-23
Posts: 89

LDAP Authentication with Nested Groups

Hello to everybody,

   I'm using GLPI v0.80.7 (it's fantastic!) with FusionInventory for GLPI v0.80+1.1 (it's great!) and other great plugins too. I have configured GLPI with LDAP authentication against a Microsoft Windows 2003 Active Directory (I also use Kerberos to build a true Single Sign-On authentication system) but I'm having problems when other user groups exist inside an AD user group (nested groups).

   My GLPI authentication configuration is the following.

   Home> Setup> Authentication> Setup
      Authentication
         Automatically add users from an external authentication source: Yes
         Add a user without accreditation from a LDAP directory: Yes
         Action when a user is deleted from the LDAP directory: Deactivate
         GLPI server time zone: GMT +1 hour(s)

   Home> Setup> Authentication> LDAP Directory
      LDAP directory - ID 1
         Name: Sociedad Imaginaria
         Last update: 2011-07-29 19:58
         Default server: Yes
         Active: Yes
         Server: ad2k3.sociedad.imaginaria.es
         Port: 389
         Connection filter: (&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
         Basedn: ou=headquarter,dc=sociedad,dc=imaginaria,dc=es
         rootdn (for non anonymous binds): cn=theboss,cn=users,dc=sociedad,dc=imaginaria,dc=es
         Pass (for non-anonymous binds): **********
         Login Field: samaccountname

         Binding to the LDAP directory
            Surname: sn
            First name: givenname
            Comments: description
            Email: mail
            Phone: telephonenumber
            Phone 2: ipphone
            Mobile phone: mobile
            Title: title
            Category (class): department
            Select Language: (Empty)
            Administrative number: (Empty)

         Belonging to groups
            Search type: In users
            User attribute containing its groups: memberof
            Filter to search in groups: (Empty)
            Group attribute containing its users: (Empty)
            Use DN in the search: No

         Advanced informations
            Use TLS: No
            LDAP directory time zone: GMT +1 hour(s)
            How LDAP aliases should be handled: Never dereferenced (default)

         Add a LDAP directory replica
            Name: (Empty)
            Server: (Empty)
            Port: (Empty)

   Home> Setup> Authentication> Others
      CAS authentication
         CAS Host: (Empty)
         Port: 443
         Root directory (optional):
         Logout fallback URL:

      x509 certificate authentication
         email attribute for x509 authentication:

      Other authentication sent in the HTTP request - Enabled
         Field storage of the login in the HTTP request: REMOTE_USER
         Remove the domain of logins like login@domain: Yes

      Access control and additional informations
         LDAP directory choice: Sociedad Imaginaria

   And this is a GLPI Group definition example.

   Home> Administration> Groups
      Group - ID 1 (A Sample Entity)
         Name: Inventory Users
         Manager: (Empty)
         Comments: (Empty)

         Users (D=Dynamic)
            Alice (D)
            Bob (D)
            Mallory (D)

         LDAP directory link
            In users
               User attribute containing its groups: memberof
               Attribute value: CN=GLPI Inventory Users,CN=Users,DC=sociedad,DC=imaginaria,DC=es
            In groups
               Group DN: (Empty)

   This authentication and group definition works perfectly when the 'GLPI Inventory Users' AD group has users only. With a 'GLPI Inventory Users' AD group like this

   GLPI Inventory Users (AD Group)
      Alice (AD User)
      Bob (AD User)
      Mallory (AD User)

all works perfectly but if the 'GLPI Inventory Users' AD group is like this

   Security Experts (AD Group)
      Bruce (AD User)

   GLPI Inventory Users (AD Group)
      Alice (AD User)
      Bob (AD User)
      Mallory (AD User)
      Security Experts (AD Group)

only the users Alice, Bob and Mallory are able to authenticate with GLPI. The user Bruce isn't able to authenticate in GLPI; it doesn't know anything about him.

   I don't know if it is a configuration problem or a bug. Could you help me, please?

   Thanks in advance.


Tomás Abad

Offline

#2 2012-03-08 15:30:30

tabad
Member
From: Manzanares, Ciudad Real, Spain
Registered: 2011-09-23
Posts: 89

Re: LDAP Authentication with Nested Groups

Hello again,

   Perhaps, I think, more information is needed to help resolve this problem. Here I include the rule that links, in a dynamic way, a user with the profile 'Inventory User' and the entity 'A Sample Entity'.

   Home> Administration> Rules> Automatic user assignment
      General - ID 31
         Name: A Sample Entity - Inventory Users
         Description: A Sample Entity - Inventory Users
         Logical operator: and
         Active: Yes

         Criteria
            Criteria: LDAP directory / Condition: is / Reason: Sociedad Imaginaria
            Criteria: Imported group from an LDAP directory  / Condition: is / Reason: Inventory Users

         Actions
            Field: Entity / Action type: Assign / Value: A Sample Entity
            Field: Profiles / Action type: Assign / Value: Inventory User
            Field: Recursive / Action type: Assign / Value: Yes

   With all this configuration I have done the following tests.


  • Test #1

   The first time Bruce tries to log into GLPI, a new user Bruce is created in GLPI. This new user has got all his principal information (Surname, First Name, Email, etc.) synchronized with his LDAP account, doesn't belong to any group, is linked with the 'Root' entity and hasn't got a profile linked to him. GLPI rejects his login attempt with this message:

Incorrect username or password
You don't have right to connect

Log in again

Bruce tries to log in again. This time GLPI rejects his login with this message:


You don't have right to connect

Log in again

   Conclusion: The user is created and authenticated but is not authorized (hasn't got a group or profile associated).

   Doing the previous test, I wondered why the user was created. I think I have found the answer in this authentication parameter.

   Home> Setup> Authentication> Setup
      Authentication
         Add a user without accreditation from a LDAP directory: Yes

   Now, with 'Add a user without accreditation from a LDAP directory' set to 'No', I have repeated the previous test (obviously, after first purging the Bruce user account in GLPI).


  • Test #2

   The first time Bruce tries to log into GLPI, it rejects his login attempt with this message:

Incorrect username or password
You don't have right to connect

Log in again

But this time, no new user account is created. Bruce tries to log in again. Every time Bruce tries to log in, the result is the same.

   Conclusion: GLPI cannot link Bruce with a GLPI profile and a GLPI users group and, because the parameter 'Add a user without accreditation from a LDAP directory' is set to 'No', the Bruce user account is not created.

   Final note: Alice, Bob and Mallory work perfectly in both tests.

   Colophon: I think the root of this problem can be found in the procedure GLPI uses when it's searching for users belonging to a specific LDAP group. It seems GLPI doesn't look in nested LDAP groups.


Tomás Abad

Offline
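The behaviour described in the first post's 'Belonging to groups' configuration ('Search type: In users', attribute 'memberof') and in the colophon above, modelled as an added example: this is not GLPI's code and not part of the thread. It builds a small in-memory copy of the AD objects named in the thread (Alice, Bob, Mallory, Bruce, 'Security Experts' and 'GLPI Inventory Users'; all DNs and attribute values are constructed sample data, not a live server) and shows why a flat lookup of the user's own memberOf attribute misses Bruce while a transitive walk finds him. It also assembles the server-side equivalent for Active Directory: the thread's own connection filter plus an extensible match on memberOf using the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which makes the domain controller resolve nesting itself. That rule is available on Windows Server 2003 SP2 and later; the function names here are the example's own.

```python
# Added example (not GLPI's code): flat vs. transitive (nested) AD group membership.
# DIRECTORY is a constructed in-memory model of the objects named in the thread.

BASE = "DC=sociedad,DC=imaginaria,DC=es"
USERS_OU = f"OU=headquarter,{BASE}"
GLPI_GROUP = f"CN=GLPI Inventory Users,CN=Users,{BASE}"
SEC_GROUP = f"CN=Security Experts,CN=Users,{BASE}"
ALICE, BOB, MALLORY, BRUCE = (f"CN={n},{USERS_OU}" for n in ("Alice", "Bob", "Mallory", "Bruce"))

DIRECTORY = {
    ALICE:   {"objectClass": ["user"], "sAMAccountName": "alice",   "memberOf": [GLPI_GROUP]},
    BOB:     {"objectClass": ["user"], "sAMAccountName": "bob",     "memberOf": [GLPI_GROUP]},
    MALLORY: {"objectClass": ["user"], "sAMAccountName": "mallory", "memberOf": [GLPI_GROUP]},
    # Bruce is only a direct member of "Security Experts" ...
    BRUCE:   {"objectClass": ["user"], "sAMAccountName": "bruce",   "memberOf": [SEC_GROUP]},
    # ... and "Security Experts" is itself nested inside "GLPI Inventory Users".
    SEC_GROUP:  {"objectClass": ["group"], "member": [BRUCE], "memberOf": [GLPI_GROUP]},
    GLPI_GROUP: {"objectClass": ["group"], "member": [ALICE, BOB, MALLORY, SEC_GROUP], "memberOf": []},
}


def flat_members(group_dn):
    """'Search type: In users' semantics: a user belongs to the group only if the
    group's DN is listed literally in the user's own memberOf attribute."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if "user" in attrs["objectClass"] and group_dn in attrs.get("memberOf", []))


def transitive_members(group_dn):
    """Expand the group's 'member' attribute recursively, descending into nested
    groups. The visited set stops an endless loop if two groups contain each other."""
    users, visited, pending = set(), set(), [group_dn]
    while pending:
        dn = pending.pop()
        if dn in visited:
            continue
        visited.add(dn)
        for member in DIRECTORY.get(dn, {}).get("member", []):
            if "group" in DIRECTORY.get(member, {}).get("objectClass", []):
                pending.append(member)
            else:
                users.add(member)
    return sorted(users)


def is_transitive_member(user_dn, group_dn):
    """Walk memberOf upwards from the user; True if group_dn is reachable at any depth."""
    visited, pending = set(), list(DIRECTORY.get(user_dn, {}).get("memberOf", []))
    while pending:
        dn = pending.pop()
        if dn == group_dn:
            return True
        if dn in visited:
            continue
        visited.add(dn)
        pending.extend(DIRECTORY.get(dn, {}).get("memberOf", []))
    return False


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def nested_member_filter(group_dn):
    """Server-side equivalent on AD: the thread's connection filter plus an
    extensible match with LDAP_MATCHING_RULE_IN_CHAIN, so the DC resolves nesting."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            f"(memberOf:1.2.840.113556.1.4.1941:={ldap_escape(group_dn)}))")


if __name__ == "__main__":
    short = lambda dns: [d.split(",")[0] for d in dns]
    print("flat members:      ", short(flat_members(GLPI_GROUP)))        # no Bruce
    print("transitive members:", short(transitive_members(GLPI_GROUP)))  # Bruce included
    print("Bruce via memberOf walk:", is_transitive_member(BRUCE, GLPI_GROUP))
    print(nested_member_filter(GLPI_GROUP))
```

The first two functions reproduce the two outcomes in the tests above: the flat lookup returns Alice, Bob and Mallory and nothing else, so a rule keyed on 'Imported group from an LDAP directory' never fires for Bruce; the transitive walk (or the matching-rule filter run on the DC) returns him as well. Anything that expands nesting must keep a visited set, because AD allows group membership cycles.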

#3 2012-03-12 10:11:59

tabad
Member
From: Manzanares, Ciudad Real, Spain
Registered: 2011-09-23
Posts: 89

Re: LDAP Authentication with Nested Groups

Hello again,

There is more information about this issue in: Forum GLPI-Project → Bugs GLPI → [v0.80.7] LDAP authorization with nested groups doesn't work.


Tomás Abad

Offline

#4 2012-08-30 23:23:48

Skatalitico
Member
Registered: 2012-08-30
Posts: 2

Re: LDAP Authentication with Nested Groups

Hi tabad, I've looked everywhere and I can't find a way to make single sign-on work against my LDAP. Can you help me please?

Offline

#5 2012-08-31 19:20:29

tabad
Member
From: Manzanares, Ciudad Real, Spain
Registered: 2011-09-23
Posts: 89

Re: LDAP Authentication with Nested Groups

Hi Skatalitico,

I don't know whether I will be able to do that but I can try it. What is your exact situation? Please, give me some more information about your real problem.


Tomás Abad

Offline

#6 2012-09-03 22:29:56

Skatalitico
Member
Registered: 2012-08-30
Posts: 2

Re: LDAP Authentication with Nested Groups

Hi Tomás, what I would like is for you to confirm how you did it so that when a user logs in to Windows and then goes to access GLPI they don't have to enter their username and password again. I have tried with this manual, but I'm going crazy http://www.glpi-project.org/wiki/doku.p … ndowserver, thank you very much

Offline

#7 2012-09-04 09:45:14

tabad
Member
From: Manzanares, Ciudad Real, Spain
Registered: 2011-09-23
Posts: 89

Re: LDAP Authentication with Nested Groups

Hi Skatalitico,

It's pleasant to read a post in Spanish and, although I would like to write here in Spanish (my beloved mother tongue), I think it is better to write in English in this forum; it could be useful for more people.

Well, I need to search through my documentation. I don't remember now what I did ;)

The solution in a few days...


Tomás Abad

Offline

#8 2012-09-05 09:57:19

tabad
Member
From: Manzanares, Ciudad Real, Spain
Registered: 2011-09-23
Posts: 89

Re: LDAP Authentication with Nested Groups

Hi Skatalitico,

Sorry, I forgot to ask you about your platform. All my documentation is based on GLPI under Ubuntu Server 10.04 LTS.

Last edited by tabad (2012-09-05 09:57:40)


Tomás Abad

Offline
