You are not logged in.

Announcement

 Téléchargez la dernière version stable de GLPI      -     Et vous, que pouvez vous faire pour le projet GLPI ? :  Contribuer
 Download last stable version of GLPI                      -     What can you do for GLPI ? :  Contribute

Pages: 1

#1 2012-07-26 01:14:37

bhuntsman
Member
Registered: 2012-07-20
Posts: 8

LDAP syn with filter erases profiles

Hi there!
   So, here's an odd one.  I've got Active Directory integration working... sort of...
   Our AD is set to return 2000 results, but we've actually got closer to 5000 users.  Unfortunately, I can't just ask the domain admins to change the value to 5000 so that we can run a huge GLPI query against it...  So I came up with a sort-of viable workaround:
   Instead of running the ldap_mass_sync.php script via cron, I thought, let's put together a script that can sync each letter of the alphabet separately, so that we're only returning a few hundred results at a time, and run that via cron.  Here's the script:

for i in a b c d e f g h i j k l m n o p q r s t u v w x y z
   do eval php5 -q -f /var/www/glpi/scripts/ldap_mass_sync.php action=2 ldapservers_id=1 ldap_filter=\"\(\&\(objectCategory=Person\)\(sAMAccountName=$i*\)\)\"
done

It does work, in that it'll import all the users into GLPI.  However, for example, as it's doing the A* run, it'll assign the default profile to all the users whose samaccountname begins with A.  When it gets to the B* run, it'll then assign the default profile to all the users whose samaccountname begins with B, but remove the default profile from all the other users who were imported from AD.

The problem then is, how we can run this sync, but still keep the default profile assigned so that the users can be set on tickets. 

Anyone have any idea why the ldap_mass_sync.php script would unassign profiles from users who do not match the ldap_filter?

Many thanks!

Offline

#2 2012-07-30 17:14:25

bhuntsman
Member
Registered: 2012-07-20
Posts: 8

Re: LDAP syn with filter erases profiles

Hi there!
   No one's encountered anything like this?  I'd have thought that if an LDAP filter was specified, the ldap_mass_sync.php script wouldn't touch any of the user accounts that didn't match the filter, even if the "action" was set to '2' (force sync).

Thanks again!!

Offline

#3 2012-07-31 08:02:54

tomolimo
Member
From: Grenoble, France
Registered: 2009-05-12
Posts: 515

Re: LDAP syn with filter erases profiles

hello,
see this: http://www.glpi-project.org/forum/viewt … p?id=26181
regards,
Tomolimo

GLPI 9.2.4 - PHP 7.2.13 x64 / ProcessMaker 3.3.0-community-RE-1.7 - PHP 7.1.24 x64 / Windows 2012 x64 / IIS 8.5 / MySQL 5.7.17 x64
Worldwide: >12316 PC, >9400 users (16 languages, >11 timezones), >360k tickets, >3600 entities, >4200 groups
Raynet is ARaymond (http://www.araymond.com) IT service management

Offline

#4 2012-07-31 23:36:51

bhuntsman
Member
Registered: 2012-07-20
Posts: 8

Re: LDAP syn with filter erases profiles

Ah, very interesting article!  Unfortunately, the fix in that case would require our GLPI server to run on Windows.  We're currently running it on Ubuntu.

   Still not sure why my solution above would remove the profiles from all synced users not matching the LDAP filter, but, that may not be the proper way to approach this...

   Some further digging reveals that recent versions of PHP (5.4 or higher... I'm running 5.3.6 but will upgrade shortly) have support for Microsoft's LDAP Paged Result set.  Looks like a few modifications to authldap.class.php could probably take care of it.  Anyone know of anyone working on this?

Thanks!

Offline

Pages: 1

Board footer

Powered by FluxBB