Hi,
I'm new to using Active Directory/LDAP and GLPI.
I've installed GLPI and OCS onto my SBS2003 system, all works well, I've enabled LDAP in PHP.ini, but I'm not sure what to put in the config for External Authentication.
My users are under the default OU of "SBSUsers".
Also, once I've updated the Ext. Auth screen, do I need to add a group or something?
Cheers,
Adrian
GLPI 0.83.91/CENTOS5 - OCS 1.01/Win2003
Read the doc first here:
http://glpi-project.org/wiki/doku.php?id=en:ldap
MoYo - Julien Dombre - Association INDEPNET
Hi MoYo,
Thanks for that... I did find the french version and babelfish'd it to English. I've managed to get basic authentication working now, so when new users login, they authenticate to the domain.
Two things though:
1) Adding users "from an external source" under the Add Users page doesn't seem to do anything. Should I just enter the logon name of the user?
2) I'm still not sure how groups are used, or how to automatically add users to a certain group.
Thanks,
GLPI 0.83.91/CENTOS5 - OCS 1.01/Win2003
> 1) Adding users "from an external source" under the Add Users page doesn't seem to do anything. Should I just enter the logon name of the user?
To use it, you must have an OU in your baseDN.
Example: OU=members,DC=enterprise,DC=fr
Then you add a user by his login, and he is added in GLPI with his fields (email, etc.) if GLPI finds him.
Xavier Caillaud
Blog GLPI Infotel
Yeah.. I set the basedn to "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=<companyname>,DC=local"
I can log in as a domain user, but when I try to use "from an external source" and click Add (from glpi/front/user.form.php?new=1&ext_auth=1), I just get the "Add user" screen again, and no new user is added to the user list. (Question: After I click "Add user", should I see a confirmation screen or just the "Add user" screen again?)
Also - it doesn't seem to be setting the user's Phone #, givenName, etc. (I used adsiedit to discover these) when they log in for the first time.
Is there any debug I can look at ? Logs etc ?
GLPI 0.83.91/CENTOS5 - OCS 1.01/Win2003
> Also - it doesn't seem to be setting the user's Phone #, givenName, etc. (I used adsiedit to discover these) when they log in for the first time.
> Is there any debug I can look at? Logs etc?
If you cannot import fields when users log in, adding users "from an external source" cannot do it.
Write your LDAP configuration here.
Xavier Caillaud
Blog GLPI Infotel
LDAP Host: ldap://localhost
Basedn: OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local
CN=admin,CN=Users,DC=company,DC=local
pass: <password>
Connection filter: (&(objectClass=user)(objectCategory=person))
login : uid
TLS: no
groups: (not sure what to put):
type: In users
blank for everything else
realname = cn
firstname=givenName
location=physicaldeliveryofficename
email=mail
phone=telephoneNumber
blank for others
Here's a dump of the LDIF for my account: using LDAP Browser on OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=local
dn: CN=Adrian Marsh, OU=SBSUsers, OU=Users, OU=MyBusiness, DC=company,DC=local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=company,DC=local
whenCreated: 20060712183151.0Z
badPwdCount: 0
mDBUseDefaults: TRUE
codePage: 0
scriptPath: SBS_LOGIN_SCRIPT.bat
mail: adrian.marsh@company.com
objectGUID:: 77+9SGTvv73vv71w77+9RO+/ve+/vVU177+977+9We+/vQ==
adminCount: 1
msExchUserAccountControl: 0
msExchALObjectVersion: 80
managedObjects: DC=company,DC=local
memberOf: CN=Remote Web Workplace Users,OU=Security Groups,OU=MyBusiness,DC=ubiquisys,DC=local
memberOf: CN=Mobile Users,OU=Security Groups,OU=MyBusiness,DC=company,DC=local
memberOf: CN=DnsAdmins,CN=Users,DC=company,DC=local
memberOf: CN=Server Operators,CN=Builtin,DC=company,DC=local
memberOf: CN=Domain Admins,CN=Users,DC=company,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=company,DC=local
memberOf: CN=Schema Admins,CN=Users,DC=company,DC=local
msExchMailboxGuid:: 77+977+977+9LyEW77+9Te+/vVc8LO+/vQ==
instanceType: 4
msExchPoliciesIncluded: {ED071E47-00E0-4A04-89C5-1D9758969AC2},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
objectSid:: AQUAAAAAAAUVAAAA77+9MzsvBHLvv73vv70S77+977+9fnwFAAA=
badPasswordTime: 128011779921278871
proxyAddresses: SMTP:adrian.marsh@company.com
proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=Marsh;g=Adrian;
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
name: Adrian Marsh
description: Administrator
sn: Marsh
telephoneNumber: 01793
userAccountControl: 512
primaryGroupID: 513
accountExpires: 9223372036854775807
lastLogon: 128012664703163458
lastLogoff: 0
uSNChanged: 246423
cn: Adrian Marsh
textEncodedORAddress: c=US;a= ;p=First Organizati;o=Exchange;s=Marsh;g=Adrian;
logonCount: 201
msExchHomeServerName: /o=First Organization/ou=first administrative group/cn=Configuration/cn=Servers/cn=UBIQ-SERV1
extensionName: 5717D53E-DD6D-4d1e-8A1F-C7BE620F65AA
homeMTA: CN=Microsoft MTA,CN=UBIQ-SERV1,CN=Servers,CN=first administrative group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=local
sAMAccountType: 805306368
legacyExchangeDN: /o=First Organization/ou=first administrative group/cn=Recipients/cn=marsh
givenName: Adrian
uSNCreated: 222427
displayName: Adrian Marsh
userPrincipalName: marsh@company.local
pwdLastSet: 128004827929329221
whenChanged: 20060828192939.0Z
lastLogonTimestamp: 128003956263610539
countryCode: 0
mailNickname: marsh
distinguishedName: CN=Adrian Marsh,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=ubiquisys,DC=local
homeMDB: CN=Mailbox Store (UBIQ-SERV1),CN=First Storage Group,CN=InformationStore,CN=UBIQ-SERV1,CN=Servers,CN=first administrative group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=local
showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=local
showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=local
sAMAccountName: marsh
GLPI 0.83.91/CENTOS5 - OCS 1.01/Win2003
BaseDN : OU=MyBusiness,DC=company,DC=local
login : samaccountname
realname : sn
Test this for importing fields, please.
Xavier Caillaud
Blog GLPI Infotel
That's better... Adding users manually worked with that, but I changed sn back to cn to get the real name.
What's the diff between MyBusiness and SBSUsers then? Or would it have been samaccountname vs uid?
I now get login, realname and email, but oddly not phone number.
How does this tie into the Groups usage though?
GLPI 0.83.91/CENTOS5 - OCS 1.01/Win2003
> What's the diff between MyBusiness and SBSUsers then?
None, but you must have at least one OU in your Basedn.
> Or would it have been samaccountname vs uid?
samaccountname : AD
uid : ldap
> How does this tie into the Groups usage though?
In Setup, External authentications, you choose:
Search type : In users
User attribute containing its groups : memberof
You create a group in GLPI and you indicate its rootdn (CN=Group1,OU=Groups,DC=enterprise,DC=com).
And when a user connects to GLPI, he is imported into this group.
Xavier Caillaud
Blog GLPI Infotel
you can participate with http://www.glpi-project.org/wiki/doku.php?id=en:welcome
Xavier Caillaud
Blog GLPI Infotel
Hmm.. To try it out I put "OU=MyBusiness,DC=company,DC=local" into LDAP Value, and logged in a new user, but didn't get them added to the group... I also tried Group DN too, but it still didn't work.
GLPI 0.83.91/CENTOS5 - OCS 1.01/Win2003
I'm still working on the groups, but I found that AD/GLPI is case-sensitive. Even though ADSIedit shows "telephoneNumber" as the field name, I have to enter it as "telephonenumber" into GLPI for it to work...
GLPI 0.83.91/CENTOS5 - OCS 1.01/Win2003
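The two outcomes reported in the thread (a field mapped as telephoneNumber staying empty, and an OU entered as a group's LDAP value matching no one) can be reproduced offline with this added Python example, which is not GLPI code and not from any poster. It assumes the importer sees attribute names lowercased, as PHP's ldap_get_entries() returns them, and compares memberOf values with the configured group DN; parse_ldif, map_fields, norm_dn and matching_groups are hypothetical names, and the sample entry is constructed.

```python
# Added illustration, not GLPI code. Sample entry is constructed, abridged
# from the attribute names in the LDIF dump posted in the thread.
LDIF = """\
dn: CN=Adrian Marsh,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=company,DC=lo
 cal
sAMAccountName: marsh
cn: Adrian Marsh
mail: adrian.marsh@company.com
telephoneNumber: 01793
memberOf: CN=Mobile Users,OU=Security Groups,OU=MyBusiness,DC=company,DC=lo
 cal
memberOf: CN=Domain Admins,CN=Users,DC=company,DC=local
"""

def parse_ldif(text):
    """One LDIF entry -> {lowercased attribute name: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold an RFC 2849 continuation line
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            continue                          # base64 ("::") values are skipped here
        # Assumption: keys are lowercased, as PHP's ldap_get_entries() does.
        entry.setdefault(name.lower(), []).append(value.strip())
    return entry

def map_fields(entry, mapping):
    """Look up each configured attribute name exactly as typed in the config."""
    return {field: entry.get(attr, [None])[0] for field, attr in mapping.items()}

def norm_dn(dn):
    """Case-fold a DN and drop spaces after commas (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def matching_groups(entry, group_dns, attr="memberof"):
    """Configured group DNs that appear among the user's memberOf values."""
    member_of = {norm_dn(v) for v in entry.get(attr, [])}
    return [g for g in group_dns if norm_dn(g) in member_of]

if __name__ == "__main__":
    e = parse_ldif(LDIF)
    print(map_fields(e, {"login": "uid", "phone": "telephoneNumber"}))
    print(map_fields(e, {"login": "samaccountname", "phone": "telephonenumber"}))
    print(matching_groups(e, ["OU=MyBusiness,DC=company,DC=local",
                              "CN=Domain Admins,CN=Users,DC=company,DC=local"]))
```

Only the group's full DN matches a memberOf value; a container such as OU=MyBusiness never appears in that attribute, so it selects no users.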