We use an LDAP sync cron job that syncs all users once a day. Permissions and profiles are removed and only reassigned when people log in.
We use the following rules to assign identities and profiles to the synchronized users.
RULE OPERATOR = and

NAME | CRITERIA | ACTIONS
admin | (LDAP) MemberOf > starting with > CN=admin | Entity > Assign > Root Entity > IT Management > IT; Profiles > Assign > IT Admin
developer | (LDAP) MemberOf > starting with > CN=developer | Entity > Assign > Root Entity > IT Management > IT; Profiles > Assign > IT Developer
tech | (LDAP) MemberOf > starting with > CN=tech | Entity > Assign > Root Entity > IT Management > IT; Profiles > Assign > IT Tech
no rights | (LDAP) DistinguishedName > does not contain > IT | Entity > Assign > Root Entity; Profiles > Assign > no rights; Recursive > Assign > Yes

The first three rules are used for the IT department employees, while the last rule is for all other users who should not log in but still need to be present in GLPI for assignments.
The only rule executed during LDAP sync is the last one, which has "no rights". The other three rules are applied only when the user logs in, which means that IT department employees have no rights and no assignments until they log in.
The individual rules are executed correctly. However, when I perform a complete test of the rule set, only the last one with "no rights" is executed. What could be the reason for this?
Just to clarify, I want all rules to work directly during LDAP synchronization and not just when users log in. Similar to the "No Rights" rule. Because if the users have no entity and no permissions, they are also not available for selection, for example, for assets or tickets. Even if the group assignment is missing, the users won't receive notifications until they log in again, and that could be too late in many cases.
And I have one more question or problem. When the LDAP sync is performed, all users are logged out. Is there a way to prevent that from happening?
Last edited by Maschik1234 (2023-07-04 13:42:37)