Hello to everybody,
I'm using GLPI v0.80.7 (it's fantastic!) with FusionInventory for GLPI v0.80+1.1 (it's great!) and other great plugins as well. I have configured GLPI with LDAP authentication against a Microsoft Windows 2003 Active Directory (I also use Kerberos to build a true Single Sign-On authentication system), but I'm having problems when an AD user group contains other user groups (nested groups).
My GLPI authentication configuration is the following.
Home> Setup> Authentication> Setup
Authentication
Automatically add users from an external authentication source: Yes
Add a user without accreditation from a LDAP directory: Yes
Action when a user is deleted from the LDAP directory: Deactivate
GLPI server time zone: GMT +1 hour(s)
Home> Setup> Authentication> LDAP Directory
LDAP directory - ID 1
Name: Sociedad Imaginaria
Last update: 2011-07-29 19:58
Default server: Yes
Active: Yes
Server: ad2k3.sociedad.imaginaria.es
Port: 389
Connection filter: (&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
Basedn: ou=headquarter,dc=sociedad,dc=imaginaria,dc=es
rootdn (for non anonymous binds): cn=theboss,cn=users,dc=sociedad,dc=imaginaria,dc=es
Pass (for non-anonymous binds): **********
Login Field: samaccountname
Binding to the LDAP directory
Surname: sn
First name: givenname
Comments: description
Email: mail
Phone: telephonenumber
Phone 2: ipphone
Mobile phone: mobile
Title: title
Category (class): department
Select Language: (Empty)
Administrative number: (Empty)
Belonging to groups
Search type: In users
User attribute containing its groups: memberof
Filter to search in groups: (Empty)
Group attribute containing its users: (Empty)
Use DN in the search: No
Advanced informations
Use TLS: No
LDAP directory time zone: GMT +1 hour(s)
How LDAP aliases should be handled: Never dereferenced (default)
Add a LDAP directory replica
Name: (Empty)
Server: (Empty)
Port: (Empty)
Home> Setup> Authentication> Others
CAS authentication
CAS Host: (Empty)
Port: 443
Root directory (optional):
Logout fallback URL:
x509 certificate authentication
email attribute for x509 authentication:
Other authentication sent in the HTTP request - Enabled
Field storage of the login in the HTTP request: REMOTE_USER
Remove the domain of logins like login@domain: Yes
Access control and additional informations
LDAP directory choice: Sociedad Imaginaria
And this is a GLPI Group definition example.
Home> Administration> Groups
Group - ID 1 (A Sample Entity)
Name: Inventory Users
Manager: (Empty)
Comments: (Empty)
Users (D=Dynamic)
Alice (D)
Bob (D)
Mallory (D)
LDAP directory link
In users
User attribute containing its groups: memberof
Attribute value: CN=GLPI Inventory Users,CN=Users,DC=sociedad,DC=imaginaria,DC=es
In groups
Group DN: (Empty)
This authentication and group definition works perfectly when the 'GLPI Inventory Users' AD group contains users only. With a 'GLPI Inventory Users' AD group like this
GLPI Inventory Users (AD Group)
  Alice (AD User)
  Bob (AD User)
  Mallory (AD User)
everything works perfectly, but if the 'GLPI Inventory Users' AD group is like this
Security Experts (AD Group)
  Bruce (AD User)
GLPI Inventory Users (AD Group)
  Alice (AD User)
  Bob (AD User)
  Mallory (AD User)
  Security Experts (AD Group)
only the users Alice, Bob and Mallory are able to authenticate with GLPI. The user Bruce isn't able to authenticate in GLPI; it doesn't know anything about him.
I don't know whether it is a configuration problem or a bug. Could you help me, please?
Thanks in advance.
Tomás Abad
Hello again,
Perhaps, I think, more information is needed to help resolve this problem. Here I include the rule that links, in a dynamic way, a user with the profile 'Inventory User' and the entity 'A Sample Entity'.
Home> Administration> Rules> Automatic user assignment
General - ID 31
Name: A Sample Entity - Inventory Users
Description: A Sample Entity - Inventory Users
Logical operator: and
Active: Yes
Criteria
Criteria: LDAP directory / Condition: is / Reason: Sociedad Imaginaria
Criteria: Imported group from an LDAP directory / Condition: is / Reason: Inventory Users
Actions
Field: Entity / Action type: Assign / Value: A Sample Entity
Field: Profiles / Action type: Assign / Value: Inventory User
Field: Recursive / Action type: Assign / Value: Yes
With all this configuration I have done the following test.
Test #1
The first time Bruce tries to log into GLPI, a new user Bruce is created in GLPI. This new user has all his principal information (Surname, First Name, Email, etc.) synchronized with his LDAP account, doesn't belong to any group, is linked with the 'Root' entity and hasn't got a profile linked to him. GLPI rejects his login attempt with this message:
Incorrect username or password
You don't have right to connect
Log in again
Bruce tries to log in again. This time GLPI rejects his login with this message:
You don't have right to connect
Log in again
Conclusion: The user is created and authenticated but is not authorized (hasn't got a group and profile associated).
Doing the previous test, I wondered why the user was created. I think I have found the answer in this authentication parameter.
Home> Setup> Authentication> Setup
Authentication
Add a user without accreditation from a LDAP directory: Yes
Now, with 'Add a user without accreditation from a LDAP directory' set to 'No', I have repeated the previous test (obviously, purging the Bruce user account in GLPI first).
Test #2
The first time Bruce tries to log into GLPI, it rejects his login attempt with this message:
Incorrect username or password
You don't have right to connect
Log in again
But this time, no new user account is created. Bruce tries to log in again. Every time Bruce tries to log in, it gives the same result.
Conclusion: GLPI cannot link Bruce with a GLPI profile and a GLPI user group and, because the parameter 'Add a user without accreditation from a LDAP directory' is set to 'No', the Bruce user account is not created.
Final note: Alice, Bob and Mallory work perfectly in both tests.
Colophon: I think the root of this problem can be found in the procedure GLPI uses when it searches for users belonging to a specific LDAP group. It seems GLPI doesn't look in nested LDAP groups.
Tomás Abad
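The first post (Bruce nested in 'Security Experts' under 'GLPI Inventory Users') and the colophon of the second post (GLPI only matching direct group membership) describe the same mechanism, so here is one added example for both. It is not GLPI's code and not from the original posts; it builds a small constructed in-memory directory modelled on the thread (the DNs, the sAMAccountNames and a disabled account 'Eve' are assumptions) and compares what a filter on the user's memberOf attribute sees (GLPI's "In users" search type), what a filter on the group's member attribute sees ("In groups"), and what a transitive expansion of nested groups sees. The OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) is the Active Directory extension that performs this expansion server-side in a filter such as (memberOf:1.2.840.113556.1.4.1941:=<group DN>); whether GLPI 0.80.7 passes such a filter through from its configuration is not established by this thread, so the expansion is done client-side here.

```python
"""Nested AD group resolution: why a plain memberOf match misses Bruce.

Added example, not GLPI's code. Directory contents below are constructed
to mirror the forum thread; every DN and account name is an assumption.
"""
from __future__ import annotations

# userAccountControl bit tested by the thread's connection filter
# (!(useraccountcontrol:1.2.840.113556.1.4.803:=2)): ACCOUNTDISABLE.
ACCOUNTDISABLE = 0x2

BASE = "DC=sociedad,DC=imaginaria,DC=es"
GROUP = f"CN=GLPI Inventory Users,CN=Users,{BASE}"   # group GLPI is linked to
NESTED = f"CN=Security Experts,CN=Users,{BASE}"      # nested inside GROUP


def _user(cn: str, sam: str, uac: int, groups: list[str]) -> tuple[str, dict]:
    """Build one constructed AD user entry (DN, attributes)."""
    return f"CN={cn},OU=headquarter,{BASE}", {
        "objectClass": ["person", "user"],
        "sAMAccountName": [sam],
        "userAccountControl": [str(uac)],
        "memberOf": groups,          # AD back-link: DIRECT memberships only
    }


# Constructed sample directory keyed by DN (attribute names as in AD).
DIRECTORY: dict[str, dict[str, list[str]]] = dict([
    (GROUP, {"objectClass": ["group"],
             "member": [f"CN=Alice,OU=headquarter,{BASE}",
                        f"CN=Bob,OU=headquarter,{BASE}",
                        f"CN=Mallory,OU=headquarter,{BASE}",
                        NESTED]}),                       # a group as member
    (NESTED, {"objectClass": ["group"],
              "member": [f"CN=Bruce,OU=headquarter,{BASE}",
                         f"CN=Eve,OU=headquarter,{BASE}"]}),
    _user("Alice", "alice", 512, [GROUP]),
    _user("Bob", "bob", 512, [GROUP]),
    _user("Mallory", "mallory", 512, [GROUP]),
    _user("Bruce", "bruce", 512, [NESTED]),              # only in the nested group
    _user("Eve", "eve", 512 | ACCOUNTDISABLE, [NESTED]), # disabled account (assumed)
])


def _norm(dn: str) -> str:
    """AD compares DNs case-insensitively; normalise before matching."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _is_user(entry: dict) -> bool:
    return "user" in entry.get("objectClass", [])


def _is_enabled(entry: dict) -> bool:
    return not int(entry["userAccountControl"][0]) & ACCOUNTDISABLE


def direct_memberof(group_dn: str, directory: dict = DIRECTORY) -> set[str]:
    """Enabled users whose own memberOf lists group_dn ('In users' search type).
    memberOf holds direct memberships only, so nested members are never seen."""
    want = _norm(group_dn)
    return {dn for dn, e in directory.items()
            if _is_user(e) and _is_enabled(e)
            and any(_norm(g) == want for g in e.get("memberOf", []))}


def direct_member(group_dn: str, directory: dict = DIRECTORY) -> set[str]:
    """Raw member attribute of the group ('In groups' search type).
    Also one level deep, and the result can contain group DNs, not only users."""
    index = {_norm(k): v for k, v in directory.items()}
    return set(index.get(_norm(group_dn), {}).get("member", []))


def transitive_members(group_dn: str, directory: dict = DIRECTORY) -> set[str]:
    """Enabled user DNs reachable through any depth of nested groups.
    This is what AD computes server-side for a matching-rule-in-chain filter;
    done client-side here. A 'seen' set guards against group cycles."""
    index = {_norm(k): (k, v) for k, v in directory.items()}
    users: set[str] = set()
    seen: set[str] = set()
    todo = [_norm(group_dn)]
    while todo:
        g = todo.pop()
        if g in seen:
            continue                      # cycle or duplicate path: skip
        seen.add(g)
        _, entry = index.get(g, (None, {}))
        for m in entry.get("member", []):
            dn, e = index.get(_norm(m), (m, None))
            if e is None:
                continue                  # dangling reference
            if _is_user(e):
                if _is_enabled(e):
                    users.add(dn)
            elif "group" in e.get("objectClass", []):
                todo.append(_norm(m))
    return users


def sam_accounts(dns: set[str], directory: dict = DIRECTORY) -> set[str]:
    """Map user DNs back to sAMAccountName (the thread's GLPI login field)."""
    return {directory[dn]["sAMAccountName"][0] for dn in dns}


if __name__ == "__main__":
    print("memberOf  (In users) :", sorted(sam_accounts(direct_memberof(GROUP))))
    print("member    (In groups):", sorted(direct_member(GROUP)))
    print("transitive           :", sorted(sam_accounts(transitive_members(GROUP))))
```

Running it shows the thread's symptom: the memberOf lookup returns alice, bob and mallory only, while the transitive expansion also returns bruce (and still excludes the disabled eve, as the original connection filter would). The direct member lookup returns the nested group's DN rather than Bruce, which is why linking a GLPI group by either attribute alone cannot pick up users of nested groups.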
Hello again,
There is more information about this issue in: Forum GLPI-Project → Bugs GLPI → [v0.80.7] LDAP authorization with nested groups doesn't work.
Tomás Abad
Hi tabad, I've looked everywhere and I can't find a way to make single sign-on work against my LDAP. Can you help me, please?
Hi Skatalitico,
I don't know whether I will be able to do that, but I can try. What is your exact situation? Please give me some more information about your real problem.
Tomás Abad
Hi Tomás, what I would like is for you to confirm how you set things up so that when a user logs into Windows and then goes to access GLPI, they don't have to enter their username and password again. I have tried following this manual, but I'm going crazy: http://www.glpi-project.org/wiki/doku.p … ndowserver. Thank you very much.
Hi Skatalitico,
It's pleasant to read a post in Spanish and, although I would like to write here in Spanish (my beloved mother tongue), I think it is better to write in English in this forum; it could be useful for more people.
Well, I need to search through my documentation. I don't remember now what I did.
The solution in a few days...
Tomás Abad
Hi Skatalitico,
Sorry, I forgot to ask you about your platform. All my documentation is based on GLPI under Ubuntu Server 10.04 LTS.
Last edited by tabad (2012-09-05 09:57:40)
Tomás Abad