
#1 2022-09-01 15:47:19

Ekatonchir
Member
Registered: 2020-04-21
Posts: 20

Active Directory - Users/Groups association

Hello,
I've set up LDAP sync for users and groups, it works perfectly but users are not automatically associated with groups. I know many people had this issue but I can't fix it like they did.

AD server : Windows Server 2019 up to date
GLPI server 10.0.2 (new installation)

LDAP connection settings: I've deleted the "userAccountControl" part in the connection filter for testing purposes, but I see no differences so I did not put it back yet.
[image: ldap settings]

Group section settings: deleted "userAccountControl" in the filter.
I noticed that LDAP users do not have the memberOf attribute, even if they are part of groups other than the built-in Domain Users.
[image: group]

I did import group first then users, used "Force sync" but I just can't make the association. I'm lost.


#2 2022-09-02 16:52:53

Ekatonchir
Member
Registered: 2020-04-21
Posts: 20

Re: Active Directory - Users/Groups association

I tried using the CLI tools: php /var/www/glpi/bin/console glpi:ldap:synchronize_users gives me warnings
[image: warnings]

I've put back the connection filter:
[image: filter]
[image: filtergroup]

When I run the command again, it's the same.


#3 2022-09-02 16:56:45

Ekatonchir
Member
Registered: 2020-04-21
Posts: 20

Re: Active Directory - Users/Groups association

I tried with the -f option, same behavior.

[image: f]

Last edited by Ekatonchir (2022-09-02 16:58:05)


#4 2022-09-02 17:54:36

Ekatonchir
Member
Registered: 2020-04-21
Posts: 20

Re: Active Directory - Users/Groups association

Ok I found the problem.

By using the CLI tool I did some testing and found out that my filter in "Group" tab was wrong, I don't have to put "UserAccountControl" which doesn't make sense for Groups objects as long as they don't have this attribute.

So my filter is just: (objectClass=group)
The user filter is the default one, except that I add an exclusion for the "description" field: (&(objectClass=user)(objectCategory=person)(!(description=machine))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

I imported my groups first then my users, now my users are associated correctly.
Adding or deleting group membership for an existing user also works perfectly.

GLPI's documentation is not really well documented about LDAP connection.
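
An added example, not part of the original posts and not GLPI's code: a small Python evaluator for the two filters quoted in post #4, run over constructed directory entries, to show which objects the bitwise-AND matching rule 1.2.840.113556.1.4.803 with value 2 (the disabled-account bit of userAccountControl) and the description exclusion leave in scope. It assumes simplified semantics (case-insensitive equality, an absent attribute counts as no match, objectCategory stored as a short name); the entry names and the helper `in_scope` are hypothetical.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD matching rule: true if all bits of the value are set
USER_FILTER = ("(&(objectClass=user)(objectCategory=person)"
               "(!(description=machine))"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
GROUP_FILTER = "(objectClass=group)"

def parse(f, i=0):
    """Parse one parenthesised filter starting at f[i]; return (node, next index)."""
    op = f[i + 1]
    if op in ("&", "|", "!"):
        kids, i = [], i + 2
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    end = f.index(")", i)
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", f[i + 1:end])
    if m is None:
        raise ValueError(f"unsupported filter item: {f[i:end + 1]}")
    return ("item", m.groups()), end + 1

def matches(node, entry):
    """Two-valued evaluation: an attribute the entry lacks simply does not match."""
    kind, body = node
    if kind == "!":
        return not matches(body[0], entry)
    if kind in ("&", "|"):
        combine = all if kind == "&" else any
        return combine(matches(k, entry) for k in body)
    attr, rule, value = body
    values = entry.get(attr.lower(), [])
    if rule == BIT_AND:
        return any((int(v) & int(value)) == int(value) for v in values)
    return any(v.lower() == value.lower() for v in values)

ENTRIES = {  # constructed sample entries (attribute names lower-cased), not from the thread
    "alice": {"objectclass": ["user"], "objectcategory": ["person"], "useraccountcontrol": ["512"]},
    "bob": {"objectclass": ["user"], "objectcategory": ["person"], "useraccountcontrol": ["514"]},
    "carol": {"objectclass": ["user"], "objectcategory": ["person"], "useraccountcontrol": ["66048"]},
    "dave": {"objectclass": ["user"], "objectcategory": ["person"], "useraccountcontrol": ["66050"]},
    "scanner": {"objectclass": ["user"], "objectcategory": ["person"], "useraccountcontrol": ["512"],
                "description": ["machine"]},
    "PC01$": {"objectclass": ["user", "computer"], "objectcategory": ["computer"],
              "useraccountcontrol": ["4096"]},
    "IT-Staff": {"objectclass": ["group"], "objectcategory": ["group"]},
}

def in_scope(filter_text, entries=ENTRIES):
    """Names of the entries that the filter selects, sorted."""
    tree, _ = parse(filter_text)
    return sorted(name for name, e in entries.items() if matches(tree, e))
```

Here `bob` (514) and `dave` (66050) have bit 2 set and drop out as disabled, `scanner` is excluded by its description, and the group entry is selected only by the group filter.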
