Import users from LDAP

r0se · 2020-08-31 10:51:11

Hello,
I have the problem with import users from LDAP.

My ldap configuration:

GLPI

Connection test to LDAP server is successful

I've tried many search filter configuration, but GLPI don't find any users to import.

• (&(objectClass=person)(objectClass=user))
• (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
• (&(objectClass=user)(objectClass=top)(objectClass=person))

Interestingly, GLPI can import groups from LDAP

---------------------------------------------------------------
GLPI:
GLPI 9.5.1
SQL Server version: 8.0.20
PHP Version : 7.4.3
Description: Ubuntu 20.04 LTS

Last edited by r0se (2020-08-31 10:53:28)

Kaya84 · 2020-08-31 11:07:58

Try the same query with an ldap tool (like ldapxplorer) and check if it returns some values.
My connection filter is
(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
and it work.

r0se · 2020-08-31 12:08:38

I used the query
(& (objectClass = user) (objectCategory = person) (! (userAccountControl: 1.2.840.113556.1.4.803: = 2)))
in Softerra LDAP and the program correctly displays the users list

LaDenrée · 2020-08-31 13:32:48

I read that "Connection test to LDAP server is successful" but I'm not sure connection is enough to import user.

instead "DN=GLPI, CN=use dc.... " I Would just type "GLPI" in RootDN (for non anonymous binds)

WebGreg · 2020-08-31 18:31:38

r0se wrote:

Hello,
I have the problem with import users from LDAP.

Did you try login as domain user?

r0se · 2020-08-31 19:24:38

@WebGreg,

Yes, what is more some of users also could login as domain but others still can't.
They received a message: "You don't have right to connect".

The User which could login, after some time received a message:"Incorrect username or password".
After time when I changed Connection Filter query, Users received a message: "You do not have access to this application because your account was deactivated or removed"

cirtaz · 2020-09-03 12:11:49

In rootDN instead "DN=GLPI, CN=use dc.... " write "domain\username". In baseDN write value of attribute "distinguishedName" for example "OU=!Users,OU=Company,DC=domain,DC=local" without spaces

Last edited by cirtaz (2020-09-03 12:11:58)

r0se · 2020-09-20 21:05:14

I changed settings according to Your proposition

LDAP
BaseDN: OU=Users,DC=w*****,DC=k*****,DC=pl
also DC=w*****,DC=k*****,DC=pl
also OU=F****,DC=w*****,DC=k*****,DC=pl

RootDN: w*****\user
Connection filter: (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
also (&(objectClass=user)(objectCategory=person))
also (&(objectClass=top)(objectClass=person)(objectClass=organizationalPerson)(objectCategory=User))
Login field: distinguishedname also samaccountname

In every case during searching Users in:
Administration > Users > LDAP directories > Import new users > Expert mode
I receive a message: No user to be imported

What is more interesting when I searching the Grups:
Administration > Groups > LDAP directories > Import of new groups
Filter to search in groups
(&(objectClass=user)(objectCategory=person))
Search filter for users
(&(objectClass=user)(objectCategory=person))
or empty

the result is Users and Grups objects.

Zakharov69 · 2020-09-21 06:53:55

rootDN = CN=sa_glpi,CN=Users,DC=somename,DC=local

r0se · 2020-09-22 10:13:29

@Zakharov69
yes, that was my first setting

gianandrea · 2021-09-03 15:06:05

I have the very same behaviour. Can anyone send me in the right direction or a tutorial?

Thanks a lot!

gianandrea · 2021-09-07 09:38:51

I am stuck with the same problem (can't get the user list via LDAP). Is there a way to activate specific logging for this feature in order to debug?
The only message I get is "no user to import".
Authenticating on the Domain (ldap) works fine, thus I suppose the connection parameters are ok.

Thanks in advance,
G

WebGreg · 2021-09-07 12:01:04

1. Import group from AD (via LDAP)
2. Add profile.
3. Set rule when you bind group with profile.

gianandrea · 2021-09-07 15:41:31

Thanks for the kind reply.
My issue seems to be a step before. I just can't get any user list:

the groups list fine though:

I think that your suggestion is for the following step (assigning the users to groups)...

WebGreg · 2021-09-07 18:34:46

Go to expert mode and check base DN and filter.

I have something like this:

Base: DC=domain,DC=com
Filter: (& (samaccountname=*) (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))

Or what did you set your rootDN on front/authldap.form.php?id=1 ? But if you geting group list it seems like filter problem.

Last edited by WebGreg (2021-09-07 18:40:46)

gianandrea · 2021-09-08 08:42:17

Apparently you are right, but the same filter used elsewhere (like in LDAP administrator by softerra) works fine.
It's really strange. I'll triple check again the filter.

WebGreg · 2021-09-08 14:36:25

Not always filter set in one program will work in other too. Did you try with one of above?

I'll go back to the rootDN. I have: CN=userName,OU=part1,DC=domain,DC=com. R0se wrote that he have: RootDN: w*****\user

Last edited by WebGreg (2021-09-08 14:40:28)

gianandrea · 2021-09-09 11:55:30

The root DN, as far as I understand, works fine, since I get the groups and people are able to authenticate on LDAP.
The only thing that doesn't work is getting the user list to preemptively load all the users.

Frankly, I am about to give up. It looks like some kind of bug to me.

kumarabhinavv9 · 2021-09-13 16:16:27

I have the same issue. Any tips for solution?

WebGreg · 2021-09-15 13:57:42

@gianandrea and @kumarabhinavv9 - are you using 9.5.5?

Kaya84 · 2021-09-16 09:28:41

gianandrea wrote:

The root DN, as far as I understand, works fine, since I get the groups and people are able to authenticate on LDAP.
The only thing that doesn't work is getting the user list to preemptively load all the users.

Frankly, I am about to give up. It looks like some kind of bug to me.

Try using Ldapexplorer to check if the sytanx is correct.

Ps: se vuoi possiamo sentirci direttamente via MP

Paulo Rodrigues · 2024-08-05 11:04:03

I'm using GLPI 10.0.16 on Ubunto 24.04 LTS and syncked my AD users with an Active Directory Windows Server 2022,

My GLPI LDAP configuration is like this:

Server: myserver.mydomain.local
Port: 389

Base DN: OU=myusers,OU=mycompany,DC=mydomain,DC=local
Root DN: mydomain\glpi

Connection filter: (objectclass=user)
login filed: samaccountname
Synchronization filed: objectguid

You can check if there are any ladp connection errors in the file /var/www/glpi/files/_/log/php-errors.log (or whatever your glpi/apache instalation is on)

Connection filters syntax can be found in: _https://wiki.mozilla.org/Mozilla_LDAP_SDK_Programmer%27s_Guide/Searching_the_Directory_With_LDAP_C_SDK

I hope this can help someone.

Last edited by Paulo Rodrigues (2024-08-05 11:50:28)

Forum GLPI-Project

Announcement

#1 2020-08-31 10:51:11

Import users from LDAP

#2 2020-08-31 11:07:58

Re: Import users from LDAP

#3 2020-08-31 12:08:38

Re: Import users from LDAP

#4 2020-08-31 13:32:48

Re: Import users from LDAP

#5 2020-08-31 18:31:38

Re: Import users from LDAP

#6 2020-08-31 19:24:38

Re: Import users from LDAP

#7 2020-09-03 12:11:49

Re: Import users from LDAP

#8 2020-09-20 21:05:14

Re: Import users from LDAP

#9 2020-09-21 06:53:55

Re: Import users from LDAP

#10 2020-09-22 10:13:29

Re: Import users from LDAP

#11 2021-09-03 15:06:05

Re: Import users from LDAP

#12 2021-09-07 09:38:51

Re: Import users from LDAP

#13 2021-09-07 12:01:04

Re: Import users from LDAP

#14 2021-09-07 15:41:31

Re: Import users from LDAP

#15 2021-09-07 18:34:46

Re: Import users from LDAP

#16 2021-09-08 08:42:17

Re: Import users from LDAP

#17 2021-09-08 14:36:25

Re: Import users from LDAP

#18 2021-09-09 11:55:30

Re: Import users from LDAP

#19 2021-09-13 16:16:27

Re: Import users from LDAP

#20 2021-09-15 13:57:42

Re: Import users from LDAP

#21 2021-09-16 09:28:41

Re: Import users from LDAP

#22 2024-08-05 11:04:03

Re: Import users from LDAP

Board footer