Hi, I am a beginner of GLPI.
Now I'm trying to use LDAP for creating a new user and let it log in.
After setting up LDAP, I tried to log in with a user ID from the LDAP server, but I cannot log in with that ID.
Also, a new user is created in "Administration->users" like "(20)", with all the fields of this user blank, since I set the LDAP fields such as cn, uid...
How can I configure LDAP for auto-login with an LDAP account?
my setting is:
<LDAP>
Server : ldap://ldap.server
LDAP Port: 389
Basedn: ou=xxxx,o=yyyy,c=zz
rootdn (for non anonymous binds):uid=aaaaaa,ou=xxxx, o=yyyy, c=zz
Pass (for non-anonymous binds):XXXXX
Login Field : uid
Connection filter: (blank)
Use TLS: no
<Belonging to groups>
Search type: In users
User attribute containing its groups: (blank)
Filter to search in groups: (blank)
Group attribute containing its users: (blank)
Use DN in the search: no
<GLPI/LDAP Links>
Surname: sn
First name: cn
Comments: ou
E-Mail: mail
Phone: telephonenumber
Mobile: mobile
When I click "Test of connection to LDAP directory" button, it says "Test successful"...
Offline
you must enter a connection filter, something like: (objectclass=iNetOrgPerson)
Offline
Thank you for your quick response.
> you must enter a connection filter, something like: (objectclass=iNetOrgPerson)
I put (objectclass=*), but a login error such as:
unknown user
You don't have right to connect
came up.
Also, I put (objectclass=iNetOrgPerson), error message was:
unknown user
User not found or several users found
Can't open mailbox {localhost:143/pop/novalidate-cert/notls}xxx@xxx.xxx.xxx: invalid remote specification
You don't have right to connect
What should I do...?
Offline
what is your ldap directory ? it's not an Active Directory ?
first you can test that the rootdn and rootpass are ok by using an ldap browser, then get the object class of the users in order to enter a correct connection filter
you've configured authentication via pop account too ?
Offline
> what is your ldap directory ? it's not an Active Directory ?
No, it's not an AD.
> first you can test that the rootdn and rootpass are ok by using an ldap browser, then get the object class of the users in order to enter a correct connection filter
I tried to access via Apache Directory Studio to my LDAP server and confirmed the object class working correctly.
On Apache Directory Studio, I set rootdn as GLPI, also password, the connection filter(objectclass=inetOrgPerson).
And now I did use "(objectclass=inetOrgPerson)" again to login GLPI, I got a different error message as I mentioned:
unknown user
You don't have right to connect
> you've configured authentication via pop account too ?
I configured the POP setting to use email, and the pop server is just the localhost of the GLPI server (means the different server as LDAP).
What do I need to do....?
Or what document do I need to use LDAP on GLPI...?
Offline
> unknown user
> You don't have right to connect
have you set the option "Setup->General->restrictions->Automatically add users of external authentication source" to yes ?
second, did you add rules to apply rights and entities to the user connected from ldap ?
Offline
> have you set the option "Setup->General->restrictions->Automatically add users of external authentication source" to yes ?
Sure, I set it "yes".
> second, did you add rules to apply rights and entities to the user connected from ldap ?
Sorry I cannot follow you... What rules should I apply, at where?
I am looking around some manuals but I could not find a proper one...
Offline
during the authentication process, there's 2 steps :
1 the authentication : if the user is authenticated against ldap directory, then the user is created if he doesn't exist in glpi or his attributes are synchronized
2 a set of rules are processed to determine which profiles the user should get, and on which entity he's got rights
these rules must be defined in Administration -> Rules -> Entity and rights assignment rules
there's actually no manual, because we lack the time and money to do it !
Offline
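The two steps described in the post above, as an added example that is not part of the original thread and is not GLPI's own code. It is a simplified model: the password bind is omitted, the lookup filter is assumed to be the login field ANDed with the connection filter, and the directory entries, rule format and function names are constructed for illustration.

```python
import re

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed login cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_filter(login_field, login, connection_filter):
    """Assumed composition: (login field = login) AND the connection filter."""
    return "(&(%s=%s)%s)" % (login_field, escape_filter_value(login), connection_filter)

def entry_matches(entry, ldap_filter):
    """Evaluate an AND-only filter of (attr=value) / (attr=*) terms on one entry."""
    for attr, raw in re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", ldap_filter):
        values = [v.lower() for k, vs in entry.items()
                  if k.lower() == attr.lower() for v in vs]
        if raw == "*":                      # presence test
            if not values:
                return False
            continue
        wanted = re.sub(r"\\([0-9a-fA-F]{2})",
                        lambda m: chr(int(m.group(1), 16)), raw)
        if wanted.lower() not in values:
            return False
    return True

def ldap_login(directory, rules, login, login_field="uid",
               connection_filter="(objectclass=inetOrgPerson)"):
    # Step 1: the lookup must return exactly one entry.
    flt = build_user_filter(login_field, login, connection_filter)
    found = [e for e in directory if entry_matches(e, flt)]
    if len(found) != 1:
        return "User not found or several users found"
    # Step 2: rules assign a profile and an entity; no matching rule, no rights.
    for rule in rules:
        if entry_matches(found[0], rule["criteria"]):
            return "profile=%s entity=%s" % (rule["profile"], rule["entity"])
    return "You don't have right to connect"

# Constructed sample data (hypothetical entries and rule).
DIRECTORY = [
    {"uid": ["jdoe"], "objectClass": ["top", "inetOrgPerson"], "ou": ["xxxx"]},
    {"uid": ["printer1"], "objectClass": ["top", "device"]},
]
RULES = [{"criteria": "(ou=xxxx)", "profile": "normal", "entity": "Root entity"}]

if __name__ == "__main__":
    for name in ("jdoe", "printer1", "*"):
        print(name, "->", ldap_login(DIRECTORY, RULES, name))
    print("jdoe, no rules ->", ldap_login(DIRECTORY, [], "jdoe"))
```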
> during the authentication process, there's 2 steps :
> 1 the authentication : if the user is authenticated against ldap directory, then the user is created if he doesn't exist in glpi or his attributes are synchronized
this means <"Setup->General->restrictions->Automatically add users of external authentication source" to yes>, am I right?
okay, if so, I did it.
> 2 a set of rules are processed to determine which profiles the user should get, and on which entity he's got rights
> these rules must be defined in Administration -> Rules -> Entity and rights assignment rules
I completely do not understand Rules, Entity...
first, do I need to create an entity? and then, do I need to set "Automatic user assignment"? what is the "Matching Type"?
Also, in "Management of LDAP criteria", should I set <Criteria : LDAP> as my LDAP server setting?
And "Action" is now as follows;
Fields      Action type   Value
--------------------------------------------
Entity      Assign        Root entity
Profiles    Assign        normal
Recursive   Assign        No
Active      Assign        Yes
Am I okay?
> there's actually no manual, because we lack the time and money to do it !
I am very sorry to ask many things at once. But all I want to do is just to sync the LDAP server and GLPI login...
with many thanks,
Offline