
#1 2019-08-29 13:19:46

mklimasz
Member
Registered: 2017-12-14
Posts: 82

GLPI 9.4.3 - users sync via LDAP does not disable accounts

Hi

An interesting case - when a user gets deleted in AD, this is not synced into the GLPI account status:
- "Force synchronization" on the general population of users does not work (display users, select, choose Actions->Force synchronization); the action returns "Operation successful" but Active remains "Yes"
- the same option from within the user record (enter the user record, switch to the Synchronization tab, press "Force synchronization") returns exactly the same - "Operation successful" but no results

I'm running 9.4.3, LDAP configured and action for "Action when a user is deleted from the LDAP directory" is set to "Disable" (neither "Disable" nor "Disable + disassociate..." works). Accounts have LDAP set as their authentication method of course, so nobody should be able to actually log into them, but I want the clean case and synchronised disables across the systems... They are also marked with "User missing in LDAP directory" status - maybe that is the reason?

Could you please help me? I'm afraid I might be missing something there...

Important remark: I observed that the following workaround works and disables the accounts:
- running either from the list level or from within the account record, perform TWO steps:
   - associate the record with the LDAP again (even if they seem to be associated already)
   - immediately after the association, run "Force synchronization" - this will execute the action (with the same info: "Operation successful") and set Active to "No"

What might be the reason for such behavior?


#2 2019-09-05 00:07:49

ginojji
Member
Registered: 2019-09-04
Posts: 1

Re: GLPI 9.4.3 - users sync via LDAP does not disable accounts

check your ports, please


#3 2020-06-03 20:53:51

WebGreg
Member
Registered: 2020-02-27
Posts: 727

Re: GLPI 9.4.3 - users sync via LDAP does not disable accounts

If you still have problem with it...

1. Setup > Authentication> LDAP directories > Connection filter in your LDAP configuration: (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

2. Setup > Authentication > Setup > Action when a user is deleted from the LDAP directory > set Disable

3. Administration > Rules > Authorizations assignment rules > Add rule with action "Active    Assign    Yes" (criteria e.g. "(AD)User ID    is    *" or "(LDAP)User ID    is    *").


With these settings, when you disable an account in AD, after sync it will be set as not active in GLPI too. And when you enable it again, it will be marked as active in GLPI too.


--
GLPI 10.0.7
GLPI-Inventory 1.2.1
Ubuntu Server 20.04 LTS

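Added example (not GLPI's own code): a simplified model of how the connection filter from step 1 decides which AD accounts GLPI "sees", so that an account disabled in AD becomes "missing in LDAP directory" and gets the step 2 action (Disable), while accounts that are still returned get Active=Yes from the step 3 rule. The directory entries and user names are constructed; the matching rule OID 1.2.840.113556.1.4.803 in the filter is Active Directory's bitwise-AND rule and bit 2 of userAccountControl is ACCOUNTDISABLE.

```python
# Added example, not GLPI code: model of the step 1 filter plus the
# step 2 ("deleted from LDAP" -> Disable) and step 3 (seen -> Active=Yes) effects.
from dataclasses import dataclass

# userAccountControl bit values (Active Directory)
ACCOUNTDISABLE = 0x2      # the "2" in userAccountControl:1.2.840.113556.1.4.803:=2
NORMAL_ACCOUNT = 0x200


@dataclass
class AdEntry:            # constructed AD object, not real directory data
    login: str
    object_class: tuple
    object_category: str
    user_account_control: int


def step1_filter(e: AdEntry) -> bool:
    """Equivalent of
    (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    The last clause is a bitwise AND test: true when the ACCOUNTDISABLE bit is set,
    and the (!...) around it excludes exactly those entries."""
    return ("user" in e.object_class
            and e.object_category == "person"
            and e.user_account_control & ACCOUNTDISABLE == 0)


def sync(glpi_users: dict, directory: list, ldap_filter) -> dict:
    """Return the Active flag of each existing GLPI user after a sync where
    'Action when a user is deleted from the LDAP directory' = Disable (step 2)
    and the step 3 rule assigns Active=Yes to every user returned by LDAP."""
    seen = {e.login for e in directory if ldap_filter(e)}
    return {login: login in seen for login in glpi_users}


# Constructed sample: one normal user, one disabled in AD, one deleted from AD.
DIRECTORY = [
    AdEntry("alice", ("top", "person", "user"), "person", NORMAL_ACCOUNT),
    AdEntry("bob",   ("top", "person", "user"), "person", NORMAL_ACCOUNT | ACCOUNTDISABLE),
]
GLPI_USERS = {"alice": True, "bob": True, "carol": True}  # carol no longer exists in AD

if __name__ == "__main__":
    # bob (disabled in AD) and carol (deleted in AD) both end up Active=No
    print(sync(GLPI_USERS, DIRECTORY, step1_filter))
```

Without the `(!(userAccountControl:...:=2))` clause, bob would still be returned by the search and would not be treated as missing, which is why the filter in step 1 matters for the Disable action.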

#4 2020-06-05 12:48:18

mklimasz
Member
Registered: 2017-12-14
Posts: 82

Re: GLPI 9.4.3 - users sync via LDAP does not disable accounts

Hi @WebGreg

Thanks for the suggestion! I got the following:
- connection filter set properly (always was like that)
- action pointing to Disable (no change)
- added the Rule, as suggested
...but to no effect. Interestingly - the Rule always renders positive (we're syncing existing accounts after all), thus sets Active=Yes for all accounts delivered from LDAP (during the sync process). Tried single ended criteria (LDAP)User ID is *) or multiple (set "OR" as main criteria, then placed two filters, as suggested: (AD)User ID is * OR (LDAP)User ID is *), but noticed no change.

The same goes for automatic action, when invoked from console:
./console ldap:sync --only-update-existing --ldap-server-id=2
It searches LDAP correctly, finds accounts that should get disabled, counts them, "updates" (progress bar, count goes up) and then... nothing. They all remain in the Active="Yes" state.

Maybe the rule should work the other way around, setting Active to No instead? Or, perhaps, I'm doing something completely wrong or incorrectly understood the way our new Rule should work?

Last edited by mklimasz (2020-06-05 12:49:19)


#5 2020-06-05 20:26:06

WebGreg
Member
Registered: 2020-02-27
Posts: 727

Re: GLPI 9.4.3 - users sync via LDAP does not disable accounts

It will be easier for me to communicate this way. Maybe they won't ban me for it (the English-speaking community is silent anyway) wink

Strange that it doesn't work for you after forcing synchronization. Mine is set up like that and it runs fine. I was only missing the automation, and I did that today (I happened to be writing about it on the forum too). Try:

sudo /var/www/html/glpi/bin/console ldap:sync -u --ldap-filter=objectClass=user

Why do you have --ldap-server-id=2? Did you actually add two LDAP configurations? Since you say it works, apparently so. Basically the arguments for ldap:sync look OK. Have you tried with all the default arguments?

sudo /var/www/html/glpi/bin/console ldap:sync

The downside is that it imports all accounts; I didn't want that, so watch out for it. Right now I'm working on a test version. I have only one group with permissions added and cut off the rest. After issuing this command it imported only the users from that added group, not all accounts from AD. But it also correctly marked accounts as active and inactive. The problem appeared precisely when I wanted to narrow the action to -u. Here too the counter showed me accounts being synchronized, but the disabled ones "disappeared". So, say, 10 accounts, including 1 inactive, and the result of the command with -u returned 9 synchronized accounts and 0 deleted. Maybe once or twice it detected the disabled account and marked it. I don't know what caused it. But when I added the filter as above to -u, it always includes all accounts and marks them correctly.

Last edited by WebGreg (2020-06-05 20:35:58)


--
GLPI 10.0.7
GLPI-Inventory 1.2.1
Ubuntu Server 20.04 LTS


#6 2020-06-08 09:53:09

mklimasz
Member
Registered: 2017-12-14
Posts: 82

Re: GLPI 9.4.3 - users sync via LDAP does not disable accounts

Hey

I'll still try to continue in "language"... maybe someone will take something from our conversation into their own configuration? wink

In my configuration I already have plenty of Rules (running a multi-tenant environment where guarding the sync against throwing users between Entities is a priority), therefore this additional one may not get used at all (I don't really know if they're run one after another or processing stops after the first match). Simply put - no idea how this additional rule may help in syncing, as it would render "true" at all times, assigning Active="Yes" to all such accounts (i.e. all accounts, for that matter).

Indeed, --ldap-server-id=2 results from an earlier LDAP instance that I deactivated already. Adding --only-update-existing (an option discovered within console file) narrows the automatic sync to only match the IDs already existing in GLPI - no new accounts would get imported.

Option -u with filter is worth a shot - will try and let you know how it went.

Thanks!
M.


#7 2020-06-08 19:59:31

WebGreg
Member
Registered: 2020-02-27
Posts: 727

Re: GLPI 9.4.3 - users sync via LDAP does not disable accounts

mklimasz wrote:

Option -u with filter is worth a shot - will try and let you know how it went.

But remember - when I tried only with -u, it worked unpredictably for me (maybe because of a problem with sync between DCs) - the number of accounts was variable although it shouldn't have been in my opinion. Only the combination of -u and "--ldap-filter=objectClass=user" gave me the effect I wanted. Good luck smile

Last edited by WebGreg (2020-06-08 19:59:55)


--
GLPI 10.0.7
GLPI-Inventory 1.2.1
Ubuntu Server 20.04 LTS
