#1 2019-07-02 18:38:25

aharrison
Member
From: Rochester, NH, US
Registered: 2019-06-21
Posts: 5

Mapping new LDAP users to groups and profiles

I'm trying to get it set up so that when a new user, who has never logged in before, logs in, they get mapped to the right group and profile.  I'm getting awfully close, just can't quite seal the deal.

So, my installation details: I'm running GLPI 9.4.3.  I upgraded it from 9.1.7.x (iirc).  Running on a CentOS 7.6 server with PHP 5.6.35 installed. I've pointed GLPI to my production OpenLDAP server.

Using LDAP authentication for just user login works fine.

Here's what I have to do currently to make group and profile assignments work, using glpi-admin as an example.

Setup/Authentication/LDAP Directories.
In my LDAP directory, under Groups, I have it set to:
Search Type: In users and groups
User attribute containing its groups: MyCustomAttribute
Filter to search in groups: (objectClass=groupOfNames)
Group attribute containing its users: member
Use DN in the search: Yes

Then in Administration/Rules/Authorizations assignment rules, one of my rules is "Add to Super-Admin"
In that rule, my criteria is: "Imported group from an LDAP directory" is "glpi-admin"
(In LDAP, the user entry I'm testing with has my custom attribute loaded with this value.)
The actions of the rule assign the root entity, Super-Admin profile, and Recursive to Yes.

Under Administration/Groups, I have the "glpi-admin" group.  In that group, the "LDAP directory link" is currently configured with:
Attribute of the user containing its groups: MyCustomAttribute
Attribute value: glpi-admin
Group DN: cn=glpi-admin,ou=GLPI,ou=Group,dc=mycompany

(In LDAP, that group contains member values which are the DNs of the users I want to be in the group.)

This works, but isn't quite what I want.  What I want to do is have that group membership *just* based on the LDAP group and *not* the user attributes.  However, I can't get this to work at all. 

When I try to use groups only, and not user attributes, the rule criteria "Imported group from an LDAP directory" does not work. 

Also, group assignment itself does not work.  Meaning, when the new user logs in, they do not get assigned to a group if I rely on just group attributes and not user attributes.

So, I feel like it might be something wrong with the configuration of my LDAP source regarding groups, perhaps?

Any help appreciated.  Thanks!


--
Andy
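
The two membership lookups described in the post above, side by side, as an added example that is not part of the original post and not GLPI code. It assumes the user-side result is compared with the group's "Attribute value" and the group-side result with its "Group DN"; the user DN, the second group and all entries are constructed sample data.

```python
# Added example, not GLPI code. All entries are constructed sample data.

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def group_side_filter(user_dn, group_filter="(objectClass=groupOfNames)",
                      member_attr="member"):
    """Filter that finds the groups listing user_dn as a member."""
    return "(&%s(%s=%s))" % (group_filter, member_attr,
                             escape_filter_value(user_dn))

def normalize_dn(dn):
    """Simplified DN comparison key (ignores escaped commas inside values)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def groups_from_user_attr(user_entry, attr="MyCustomAttribute"):
    """User-side lookup: group names stored on the user entry itself."""
    return sorted(user_entry.get(attr, []))

def groups_from_group_members(user_dn, group_entries, member_attr="member"):
    """Group-side lookup: DNs of groupOfNames entries listing the user."""
    wanted = normalize_dn(user_dn)
    return sorted(
        dn for dn, attrs in group_entries.items()
        if "groupOfNames" in attrs.get("objectClass", [])
        and any(normalize_dn(m) == wanted for m in attrs.get(member_attr, []))
    )

USER_DN = "uid=andy,ou=People,dc=mycompany"  # hypothetical user DN
USER = {"MyCustomAttribute": ["glpi-admin"]}
GROUPS = {
    "cn=glpi-admin,ou=GLPI,ou=Group,dc=mycompany": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=Andy, ou=People, dc=mycompany"],  # same DN, other spelling
    },
    "cn=helpdesk,ou=GLPI,ou=Group,dc=mycompany": {  # hypothetical second group
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=People,dc=mycompany"],
    },
}

if __name__ == "__main__":
    print(group_side_filter(USER_DN))
    print("user side :", groups_from_user_attr(USER))
    print("group side:", groups_from_group_members(USER_DN, GROUPS))
```

The user-side lookup returns a group name while the group-side lookup returns a group DN, so the printed filter can be run against the directory with the same bind account GLPI uses to confirm that it returns the expected group entry.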
