Hello!
We're implementing GLPI in our company and trying to use LDAP to synchronize the user base from Active Directory. It works. But there is one thing we've just noticed during tests; we don't know if it's a bug or intended.
When a user is disabled in Active Directory, the user in GLPI isn't set to inactive after a new sync.
When the user in AD is deleted, there is an option to handle that, and it works. It seems the disabled state in AD is ignored. We would expect that when a user is disabled in AD, the corresponding user in GLPI is also set to inactive.
br
GLPI does not currently do any checks on whether an LDAP account is disabled or not. If they are disabled in LDAP, then of course they cannot log in, but it doesn't change the user in GLPI.
GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
We do this inside a daily cron job:
# Sync window: from three days ago until tomorrow (YYYYMMDD, as the console command expects)
DATA_INIZIO_SYNC=$(/bin/date -d '-3 days' '+%Y%m%d')
DATA_FINE_SYNC=$(/bin/date -d '+1 day' '+%Y%m%d')
# -u: only update users that already exist in GLPI
# -f: LDAP filter matching accounts whose userAccountControl has the ACCOUNTDISABLE bit (2) set
# -n: non-interactive (add -q to silence output)
/usr/bin/php /path/to/glpi/bin/console glpi:ldap:synchronize_users -u --begin-date="$DATA_INIZIO_SYNC" --end-date="$DATA_FINE_SYNC" -f "(userAccountControl:1.2.840.113556.1.4.803:=2)" -n #-q
This will search for and update users that are disabled in AD.
Hi!
Kaya84 wrote: This will search for and update users that are disabled in AD.
That's not exactly what we're trying to achieve. Indeed, it will search for and find the disabled user. But it will not disable (set active=true) the user in GLPI.
Last edited by mps (2023-05-22 14:22:16)
GLPI does not currently do any checks on whether an LDAP account is disabled or not. If they are disabled in LDAP, then of course they cannot log in, but it doesn't change the user in GLPI.
You're right, one can't log in against LDAP using a disabled account. But the user in GLPI is still marked as active, which is not correct for an LDAP-synced user, don't you think?
If I had to guess, I'd say the lack of support has to do with the fact that GLPI sticks to the base LDAP standard for its connection. There is no concept of a disabled user account in LDAP.
Active Directory on the other hand adds its own "ms-DS-User-Account-Disabled" attribute.
Therefore, this functionality would only work if the customer uses Microsoft Active Directory (which to be fair is probably a large portion of them), but not OpenLDAP or any other LDAP system.
In regard to the MS dependency, you have a point. I think we'll find a solution for ourselves; and if we find something useful for everyone, we can make a feature request.
Hi!
Kaya84 wrote: This will search for and update users that are disabled in AD.
That's not exactly what we're trying to achieve. Indeed, it will search for and find the disabled user. But it will not disable (set active=true) the user in GLPI.
I'm not sure if I understand what you are trying to do, but I can assure you that if a user is disabled in AD, it will be disabled in GLPI (active=false) too.
Last edited by Kaya84 (2023-05-24 10:27:27)
Kaya84, I tried it with your script. I see the user is touched, but the active flag is not changed to false here.
We're using the most recent GLPI version.
Check in Setup -> Authentication -> Setup that "Action when a user is deleted from the LDAP directory" is set to "Disable".
After that, check the connection filter: (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Now I'm sure of what I say, because I tried (using the GUI, not the CLI, but it's the same code I guess) to disable an account, force a sync, and saw Disabled set to yes in the user configuration pane.
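The two filters quoted in this thread differ by one negation, and that difference is what makes the GUI approach work: when the connection filter excludes disabled accounts, the directory no longer returns them, so GLPI's "Action when a user is deleted from the LDAP directory" applies to them. The Python script below is an added example, not GLPI code and not something posted in the thread. It implements a small evaluator for the filter subset used here (&, |, !, equality, and the 1.2.840.113556.1.4.803 bit-AND matching rule), runs both filters against constructed AD-like entries, and lists which GLPI-known users would be treated as deleted. The sample entries, account names and the `deleted_from_directory` helper are constructed for illustration.

```python
"""Added example (not GLPI code): evaluate the thread's userAccountControl
filters against constructed AD-like entries, offline."""
import re

# userAccountControl bits (values as documented by Microsoft for the attribute)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000

# LDAP_MATCHING_RULE_BIT_AND: true when every bit of the asserted value is set
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# The two filters quoted in the thread
DISABLED_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=2)"
GLPI_CONNECTION_FILTER = (
    "(&(objectClass=user)(objectCategory=person)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# attr=value  or  attr:<matching rule OID>:=value
_ITEM = re.compile(r"([A-Za-z][\w\-]*)(?::([0-9.]+):)?=(.*)")


def parse_filter(text):
    """Parse an RFC 4515 filter (subset) into a tree:
    ('&'|'|'|'!', [children]) / ('=', attr, value) / ('bitand', attr, int)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            result = (op, children)
        else:
            end = text.index(")", pos)
            m = _ITEM.fullmatch(text[pos:end])
            if not m:
                raise ValueError(f"unsupported filter item {text[pos:end]!r}")
            attr, rule, value = m.group(1).lower(), m.group(2), m.group(3)
            if rule is None:
                result = ("=", attr, value)
            elif rule == BIT_AND_RULE:
                result = ("bitand", attr, int(value))
            else:
                raise ValueError(f"unsupported matching rule {rule}")
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry (lower-case attr -> list of str)."""
    kind = tree[0]
    if kind == "&":
        return all(matches(c, entry) for c in tree[1])
    if kind == "|":
        return any(matches(c, entry) for c in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, asserted = tree
    values = entry.get(attr, [])
    if kind == "=":
        return any(v.lower() == asserted.lower() for v in values)
    # bit-AND on an integer-valued attribute such as userAccountControl
    return any((int(v) & asserted) == asserted for v in values)


def ad_entry(sam, category, uac):
    """Constructed AD-like entry. Attribute names are lower-cased and values are
    strings, as an LDAP client sees them. objectCategory is kept in the short
    class-name form that AD accepts in filters (the real value is a schema DN)."""
    classes = ["top", "person", "organizationalPerson", "user"]
    if category == "computer":
        classes.append("computer")
    return {"samaccountname": [sam], "objectclass": classes,
            "objectcategory": [category], "useraccountcontrol": [str(uac)]}


# Constructed sample directory (not real data)
SAMPLE_ENTRIES = [
    ad_entry("alice", "person", NORMAL_ACCOUNT),
    ad_entry("bob", "person", NORMAL_ACCOUNT | ACCOUNTDISABLE),
    ad_entry("carol", "person", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
    ad_entry("dave", "person", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE),
    ad_entry("printer01", "computer", WORKSTATION_TRUST_ACCOUNT),
]


def select(filter_text, entries):
    """sAMAccountNames the directory would return for the filter."""
    tree = parse_filter(filter_text)
    return sorted(e["samaccountname"][0] for e in entries if matches(tree, e))


def deleted_from_directory(glpi_ldap_users, filter_text, entries):
    """Hypothetical helper: LDAP-synced users GLPI knows that the connection
    filter no longer returns. These get the 'deleted from LDAP directory' action."""
    present = set(select(filter_text, entries))
    return sorted(u for u in glpi_ldap_users if u not in present)


if __name__ == "__main__":
    print("matched by the cron filter  :", select(DISABLED_FILTER, SAMPLE_ENTRIES))
    print("returned by the GLPI filter :", select(GLPI_CONNECTION_FILTER, SAMPLE_ENTRIES))
    print("treated as deleted by GLPI  :", deleted_from_directory(
        ["alice", "bob", "carol", "dave"], GLPI_CONNECTION_FILTER, SAMPLE_ENTRIES))
```

Run it with python3; no directory connection is needed. The cron filter selects exactly the disabled accounts, which is why `synchronize_users -u` touches them without changing their state, while the negated connection filter drops them from the result set, which is the condition GLPI's deletion action keys on. The bit-AND comparison is also why a plain `(userAccountControl=514)` filter would be wrong: an account with other flags set (here `dave`, 66050) is still disabled but has a different integer value.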
Hi,
did you ever find a solution to set AD users that are inactive to inactive in GLPI automatically?
I currently face the same challenge as you did.
Best regards