You are not logged in.
- Topics: Active | Unanswered
Announcement
Download last stable version of GLPI - What can you do for GLPI ? : Contribute
#1 2010-04-08 13:47:23
- _KaszpiR_
- Member
- From: Warsaw, Poland
- Registered: 2010-04-08
- Posts: 3
- Website
Problem importing users to groups from AD
debian etch (stables) with apache2 prefork + php5 as module
glpi 0.72.4
succesfully bound to AD (domain+ forest functional level 2003)
we got domain forest with many OU units - worldwide corporation
example domain structure:
emea.corp.ignetwork.com
-WAW
--19CYBR
----MEW
------USERS
of course there are more ou in 19CYBR, but just to make it simple showed only one with Users
here are real settings:
=== LDAP ===
Server: 10.69.80.10 // local gdc
BaseDN: OU=19CYBR,OU=WAW,DC=emea,DC=corp,DC=ipgnetwork,DC=com // i have added our OU in order to limit search base, we got over 60 thousand users in the domain, not to mention forest.
LDAP Port: 389 // default for AD
rootdn (for non anonymous binds): ipgemea\service.glpi // server does not accept form CN=service.glpi,OU=Users,....., it just gets testing /ldap connection failed.
Password: set, secret
Connection filter: (&(objectClass=user)(objectCategory=person)) // wanted to also include disabled accounts
Login Field: samaccountname
Use TLS: No
How LDAP aliases should be handled: Never deferenced (default)
Timezone: GMT+1
=== Belonging to groups ===
Search type: Users & Groups
User attribute containing its groups: memberof
Filters to search in gropus: (objectClass=group) // if changed group to person or user it was also treating users as groups
Group attribute containing its users:
Use DN in the search: Yes
=== GLPI/LDAP Links ===
Surname: sn
Comments: info
Phone: telephonenumber
Mobile: mobile
Category:
First Name: givenname
E-mail: mail
Phone 2: homephone
Title: title
Users can succefully login to GLPI.
I am able to succesfully mass import users from LDAP to GLPI and so on.
The only issue is with groups - I can import groups from AD properly but no user is assigned to groups,
I've checked details in Apache Directory Studio:
user - attribute 'memberOf' with given groups for user like 'CN=WAW 19CYBR MEW Default All Users,OU=System Groups,OU=MEW Security Objects,OU=MEW,OU=19CYBR,OU=WAW,DC=emea,DC=corp,DC=ipgnetwork,DC=com'
group - attribute 'member' with user names in from of 'CN=surname\, name,OU=Users,OU=MEW,OU=19CYBR,OU=WAW,DC=emea,DC=corp,DC=ipgnetwork,DC=com'
So to sum up:
- users cann login to glpi, they are imporetd from AD properly
- groups are imported from AD
- users are not automatically assigned to groups by glpi, although they are assiged in AD
And yet GLPI got issues with assigining users to groups, any suggestions?
hlds.pl :: Have you ever retired human by mistake?
Offline
#2 2010-04-08 14:22:55
- faasa
- Member
- From: Cordoba, SPAIN
- Registered: 2009-11-05
- Posts: 28
- Website
Re: Problem importing users to groups from AD
ok, first thing i can see wrong is the rootdn for the bind user. You should use same format as basedn but for the user.
i´ll compare to my setings and see if there is anything else, but for the moment i´ve only seen this.
regards.
Prod : W2003 R2 - IIS 6.0 - php 5.1.2 - MySQL 5.0.45 - GLPI 0.72.1
MCSE
Offline
#3 2010-04-08 15:39:39
- _KaszpiR_
- Member
- From: Warsaw, Poland
- Registered: 2010-04-08
- Posts: 3
- Website
Re: Problem importing users to groups from AD
fixed the rootdn with proper description, no change in behaviour.
rootdn: CN=Service\, GLPI,OU=Users,OU=MEW,OU=19CYBR,OU=WAW,DC=emea,DC=corp,DC=ipgnetwork,DC=com
i have created test group manually, and defined:
User attribute containing its groups: extendedAttribute8
LDAP Value: : MEW
and after some time i noticed there are people listed, so it works but very slowly.
some progress, but yet noone was added to groups imported from AD
Last edited by _KaszpiR_ (2010-04-08 16:16:13)
hlds.pl :: Have you ever retired human by mistake?
Offline