
#1 2017-06-12 21:11:45

snowman386
Member
Registered: 2006-07-28
Posts: 88

Automatically re-enable user via ldap sync

Hi,

We use the mass LDAP sync script with GLPI to sync our AD users to GLPI. We have GLPI set to automatically disable a user when they are deleted from the LDAP directory so the drop-downs automatically get cleaned up. The problem arises when a previously terminated employee gets rehired and once again falls within the GLPI LDAP scope. GLPI does not automatically re-enable the GLPI account for these users. Is there any way to set this up? We are currently using 0.90.5.

Thanks


#2 2017-06-12 23:08:10

LucaC
Member
Registered: 2012-04-10
Posts: 44

Re: Automatically re-enable user via ldap sync

Hello,
I faced similar issues when working with LDAP.
If I remember correctly, GLPI drops a user if it misses just a single LDAP sync. This could happen, as in your case, when a user leaves and comes back to the company, but also if the user is temporarily locked out or disabled.
Basically, after a user is marked as "gone" from LDAP by GLPI, he/she will never get synced again.

I've implemented a couple of SQL scripts to overcome this limit.

The first script is launched BEFORE ldap_mass_sync and simply marks as present in LDAP the users synced in the last 60 days. So, if the user has been marked as deleted from LDAP (field is_deleted_ldap in glpi_users set to 1) BUT was synced (field date_sync) in the last 60 days, it gets marked as "present" in LDAP (i.e. is_deleted_ldap is reset to 0). This will force ldap_mass_sync to try syncing the user again.

Then ldap_mass_sync is executed. It works as expected, marking again as "deleted from LDAP" the users which it cannot sync anymore. Please note that the date_sync field (=date_last_sync) is updated ONLY if a sync took place: it means that deleted users won't get their date_sync updated.

Finally, the last script simply "puts in the dustbin" the GLPI users not synced for more than 60 days.

In this way, a user is really deleted from GLPI after 60 days of "no sync".
In my environment this is an acceptable value, also because users in LDAP are first disabled and then dropped some time later.

HTH


#3 2017-06-23 17:45:37

snowman386
Member
Registered: 2006-07-28
Posts: 88

Re: Automatically re-enable user via ldap sync

Thanks for the suggestion. I will try the SQL route. I should be able to run a simple update of is_active after the LDAP sync if date_sync is in the last day, the user is an LDAP user, and they are inactive.

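A worked version of the procedure from posts #2 and #3, as added example SQL that is not LucaC's, snowman386's or GLPI's own scripts, written for the MySQL/MariaDB database GLPI runs on. It assumes `authtype = 3` is GLPI's Auth::LDAP constant and that the "dustbin" is `glpi_users.is_deleted = 1`; verify both against your 0.90.5 schema, and run each SELECT preview before its UPDATE.

```sql
-- Added example, not the thread's or GLPI's own scripts. Assumptions:
-- authtype = 3 is Auth::LDAP in GLPI, and "dustbin" means is_deleted = 1.

-- Step 1 (run BEFORE ldap_mass_sync, post #2): give users flagged
-- "deleted from LDAP" that still synced within the last 60 days
-- another chance, so ldap_mass_sync tries them again.
SELECT id, name, date_sync
  FROM glpi_users
 WHERE authtype = 3
   AND is_deleted_ldap = 1
   AND date_sync >= DATE_SUB(NOW(), INTERVAL 60 DAY);

UPDATE glpi_users
   SET is_deleted_ldap = 0
 WHERE authtype = 3
   AND is_deleted_ldap = 1
   AND date_sync >= DATE_SUB(NOW(), INTERVAL 60 DAY);

-- ldap_mass_sync runs here: it re-flags users it still cannot find
-- and updates date_sync only for users that were actually synced.

-- Step 2 (run AFTER ldap_mass_sync, post #3): re-enable LDAP users
-- that synced within the last day but are still disabled. Caveat:
-- this also re-enables accounts an admin disabled by hand, so check
-- the preview output if manual disabling is used in your instance.
UPDATE glpi_users
   SET is_active = 1
 WHERE authtype = 3
   AND is_active = 0
   AND is_deleted_ldap = 0
   AND date_sync >= DATE_SUB(NOW(), INTERVAL 1 DAY);

-- Step 3 (run AFTER ldap_mass_sync, post #2): move to the dustbin the
-- LDAP users not synced for more than 60 days. Requiring
-- is_deleted_ldap = 1 means a sync job that silently stopped for two
-- months cannot dustbin every user; date_sync IS NOT NULL keeps
-- never-synced accounts out; is_deleted = 0 makes reruns idempotent.
UPDATE glpi_users
   SET is_deleted = 1
 WHERE authtype = 3
   AND is_deleted = 0
   AND is_deleted_ldap = 1
   AND date_sync IS NOT NULL
   AND date_sync < DATE_SUB(NOW(), INTERVAL 60 DAY);
```

Wrap each UPDATE in a transaction and compare the affected-row count with the preceding SELECT before committing.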
