LDAP Synchrone

silvvmh · 2023-08-29 18:07:42

Hello,

I encounter this message when synchronizing my users: glpiphplog. WARNING: *** PHP User Warning (512): Missing field samaccountname for LDAP entry objectguid f208bd75-c196-4441-9d42-0bc4a81c92a7 in C:\glpi\src\AuthLDAP.php at line 1979

And this error message prevents the synchronization of all my users.

Do you know how to help me?

PS: GLPI 10.0.9.

Thank you

cconard96 · 2023-08-29 20:43:24

Which LDAP server are you using? Active Directory?

silvvmh · 2023-08-29 21:26:51

Hello, Thank you for your feedback.
I'm on Active Directory on Windows Server 2019.

My BaseDN is unchanged and since the switch to GLPI 10.0.9 my users no longer synchronize.

silvvmh · 2023-08-30 10:51:36

Hello @cconard96,

Here is my baseDN: (&(objectClass=user)(objectCategory = person)(!( userAccountControl:1.2.840.113556.1.4.803:=2))) and here is the result obtained in cmd.bat:

C:\glpi>echo Yes | php bin/console glpi:ldap:sync
+---------------+---------------+
| Serveurs LDAP | LDAP-DC02 (3) |
| Filtre LDAP | |
| Date de début | |
| Date de fin | |
+---------------+---------------+
Voulez-vous continuer ? [Yes/no]Serveur LDAP "3" en cours de traitement ...
Importation des utilisateurs du serveur "3" ...
Aucun utilisateur trouvé.
Synchronisation des utilisateurs avec le serveur "3" ...
1/1 [============================] 100%
+--------------+---------+-------------+--------------------------+----------------------------------+
| Serveur LDAP | Importé | Synchronisé | Supprimé du serveur LDAP | Restauré depuis un annuaire LDAP |
+--------------+---------+-------------+--------------------------+----------------------------------+
| 3 | 0 | 1 | 0 | 43 |
+--------------+---------+-------------+--------------------------+----------------------------------+

C:\glpi>echo Yes | php bin/console glpi:ldap:sync

As soon as I modify my DN database: (&(objectClass=user)(!( userAccountControl:1.2.840.113556.1.4.803:=2)))

C:\glpi>echo Yes | php bin/console glpi:ldap:sync
+---------------+---------------+
| Serveurs LDAP | LDAP-DC02 (3) |
| Filtre LDAP | |
| Date de début | |
| Date de fin | |
+---------------+---------------+
Voulez-vous continuer ? [Yes/no]Serveur LDAP "3" en cours de traitement ...
Importation des utilisateurs du serveur "3" ...
323/323 [============================] 100%
Synchronisation des utilisateurs avec le serveur "3" ...
1/1 [============================] 100%
+--------------+---------+-------------+--------------------------+----------------------------------+
| Serveur LDAP | Importé | Synchronisé | Supprimé du serveur LDAP | Restauré depuis un annuaire LDAP |
+--------------+---------+-------------+--------------------------+----------------------------------+
| 3 | 0 | 1 | 0 | 43 |
+--------------+---------+-------------+--------------------------+----------------------------------+

And this is the PHP-Error :

[2023-08-29 17:38:32] glpiphplog.WARNING: *** PHP User Warning (512): Missing field samaccountname for LDAP entry objectguid f208bd75-c196-4441-9d42-0bc4a81c92a7 in C:\glpi\src\AuthLDAP.php at line 1979
Backtrace :
src\AuthLDAP.php:1979 trigger_error()
src\AuthLDAP.php:2109 AuthLDAP::searchForUsers()
src\Console\Ldap\SynchronizeUsersCommand.php:297 AuthLDAP::getAllUsers()
vendor\symfony\console\Command\Command.php:298 Glpi\Console\Ldap\SynchronizeUsersCommand->execute()
vendor\symfony\console\Application.php:1040 Symfony\Component\Console\Command\Command->run()
src\Console\Application.php:272 Symfony\Component\Console\Application->doRunCommand()
vendor\symfony\console\Application.php:301 Glpi\Console\Application->doRunCommand()
vendor\symfony\console\Application.php:171 Symfony\Component\Console\Application->doRun()
bin\console:122 Symfony\Component\Console\Application->run()

Thank you for your help,

cconard96 · 2023-08-30 12:50:06

The objectCategory part in the connection filter seems like it would be mandatory unless you absolutely know for sure you wouldn't have any computer objects in the Base DN. Both users and computers are considered "users" in AD and technically both have a password to authenticate against the domain.

Although, that shouldn't be the cause of the warning in general since all objects with the "user" objectClass should have the samaccountname attribute.
It is only a warning, and all other users should be synced properly though.

Please try to identify the object that GLPI is trying to import using PowerShell:
Get-ADObject -ID f208bd75-c196-4441-9d42-0bc4a81c92a7

Piping the output to "Format-List" may make it more readable.

silvvmh · 2023-08-30 13:44:52

Thank you for your reply.

In fact there is something that I have trouble understanding, the launches my synchronization and it always synchronizes 1 single account and always the same. And yet this account is placed in the same OR as other accounts already synchronized. This is the synchronization field f208bd75-c196-4441-9d42-0bc4a81c92a7, it does not exist in the GLPI database.

I left the DN database like this: (&(objectClass=user)(objectCategory = person)(!( userAccountControl:1.2.840.113556.1.4.803:=2)))

Here's the message:
>php bin/console glpi:ldap:synchronize_users
+---------------+----------+
| Serveurs LDAP | LDAP (5) |
| Filtre LDAP | |
| Date de début | |
| Date de fin | |
+---------------+----------+
Voulez-vous continuer ? [Yes/no]y
Serveur LDAP "5" en cours de traitement ...
Importation des utilisateurs du serveur "5" ...
Aucun utilisateur trouvé.
Synchronisation des utilisateurs avec le serveur "5" ...
Aucun utilisateur trouvé.
+--------------+---------+-------------+--------------------------+----------------------------------+
| Serveur LDAP | Importé | Synchronisé | Supprimé du serveur LDAP | Restauré depuis un annuaire LDAP |
+--------------+---------+-------------+--------------------------+----------------------------------+
| 5 | 0 | 0 | 0 | 0 |
+--------------+---------+-------------+--------------------------+----------------------------------+

Without php-error error message. But it doesn't sync my accounts. Kind regards

silvvmh · 2023-08-30 13:55:15

Re,

I just found out why, because the synchronization field that blocks (f208bd75-c196-4441-9d42-0bc4a81c92a7) is a "contact" type and not a "user".

Now, I have to figure out how to restart the synchronization without necessarily the account in the synchronization.

Cdt

cconard96 · 2023-08-31 01:11:39

silvvmh wrote:

I left the DN database like this: (&(objectClass=user)(objectCategory = person)(!( userAccountControl:1.2.840.113556.1.4.803:=2)))

silvvmh wrote:

I just found out why, because the synchronization field that blocks (f208bd75-c196-4441-9d42-0bc4a81c92a7) is a "contact" type and not a "user"

That is a connection filter, not a DN. The Base DN is the location that GLPI will search in. It should look something like:
CN=Users,DC=ad,DC=example,DC=com
In that example, it tells GLPI to search the Users container in the ad.example.com domain.

The connection filter then describes what to look for. The default filter GLPI sets for AD connections specifies to look for only users that are "persons". That filter should not return any contacts because they have an objectCategory of "contact". It also ensures that computer objects aren't returned as they have an objectClass of "user", but an objectCategory of "computer".

Forum GLPI-Project

Announcement

#1 2023-08-29 18:07:42

LDAP Synchrone

#2 2023-08-29 20:43:24

Re: LDAP Synchrone

#3 2023-08-29 21:26:51

Re: LDAP Synchrone

#4 2023-08-30 10:51:36

Re: LDAP Synchrone

#5 2023-08-30 12:50:06

Re: LDAP Synchrone

#6 2023-08-30 13:44:52

Re: LDAP Synchrone

#7 2023-08-30 13:55:15

Re: LDAP Synchrone

#8 2023-08-31 01:11:39

Re: LDAP Synchrone

Board footer