#1 2024-10-14 11:02:28

InfiniteByteCo
Member
Registered: 2024-04-11
Posts: 6

LDAP Directories - Best practice?

Hi,

We are using Microsoft AD for our users. Right now we have added every OU (one for each location) in GLPI as a separate LDAP Directory.
This is so we don't import shared mailboxes etc. If we change settings, we have to do that for every LDAP Directory, which is a massive time consumer.

The idea is to create a single LDAP Directory whose BaseDN is the root of our AD, but with that we lose the "filtering" for users only.

Is there a best practice or recommendation to filter the users, so that only everything under the sub-OU "Users" is imported?
For example

CN=Testuser,OU=Users,OU=XX,OU=YY,DC=example,DC=com

but not

CN=ExternalUser,OU=external,OU=Users,OU=XX,OU=YY,DC=example,DC=com

Another question: how can I move everyone to the new LDAP Directory without producing problems for the end users?

Thanks and best regards.


#2 2024-10-14 12:22:36

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,806
Website

Re: LDAP Directories - Best practice?

AFAIK you cannot exclude OUs directly in the LDAP filter. However, you can create a new Authorization Assignment rule in Administration > Rules that checks the OU for the criteria and uses the "To be unaware of import" action to avoid importing users from that OU.

In the upcoming GLPI 11 version, if you want those users in GLPI for some reason like assigning assets to them but don't want them to be able to actually log in, you can use the "Deny login" action instead of "To be unaware of import".


GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.


#3 2024-10-14 12:27:07

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,806
Website

Re: LDAP Directories - Best practice?

For changing LDAP directories (as defined in GLPI and not actual new domains), you can add the new LDAP entry in GLPI and then do bulk changes from the user search results choosing the "Change the authentication method" action. You can try this with a single user just as a test. Once everyone is no longer associated with the old LDAP entries, you can make them inactive or delete them. You can search users by the LDAP directory they are associated with.

Since it is the same domain, the object ID and OU information are all the same so it shouldn't cause issues.



#4 2024-10-16 11:11:31

joseluis.teixeira
Member
From: PT - GMR
Registered: 2013-05-07
Posts: 51

Re: LDAP Directories - Best practice?

Hello, I think that you are mixing concepts.

You can import users based on OUs; if so, you need to create different LDAP directories (in GLPI).

I have two LDAP directories:
MY_ENTITY-NAME ["normal" users] <- users, managers, technicians will be here
MY_ENTITY-NAME_ADMIN [super-admins only, users on a different AD OU] <- this is used only to make SYSTEM changes

This will lead to a list box on the GLPI authentication page that needs to be switched.

In each LDAP directory you have a connection filter; in the connection filter you can INCLUDE or EXCLUDE based on attributes.
You can read a little here: https://confluence.atlassian.com/kb/how … 96933.html


#5 2024-10-16 11:44:06

cconard96
Moderator
Registered: 2018-07-31
Posts: 2,806
Website

Re: LDAP Directories - Best practice?

"You can import users based on OUs, if so you need to create different LDAP directories (in GLPI)"

You really don't.

1. Create one LDAP directory that can see all of the users.
2. Create Authorization Assignment rules for your "normal" and "admin" users to automatically give them access to entities/profiles based on Distinguished Name (which the OU is part of), group membership, or any other required LDAP criteria.

There is a default rule that automatically grants the "Self-Service" profile on the Root Entity, but you can disable or modify the rule if all of your users are covered by other rules or have profiles manually assigned.



#6 2024-10-23 13:21:03

NoxWorld
Member
Registered: 2022-03-21
Posts: 3

Re: LDAP Directories - Best practice?

For the record, I did also create two LDAP directories in my GLPI, but not for this issue.

Our root LDAP contains around 10K users. We provide support for 3 different "big" departments. These 3 departments have nothing in common in the LDAP structure, so we had to filter on the DN to get a filter on the OU.

Note that this is also (mainly) due to our LDAP structure, but we found no other solution.
The structure is as follows:

A
-- B100
--- B101
--- B102
--- B103
-- B200
-- B300
-- BB400
-- BB500
-- BB600

We have to allow user connections and manage requests for B200, BB500 and B101 only.
If we created only one "main" LDAP, it would also work, but I would have something like 8K users I don't need in my database.

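The point the thread keeps circling (post #2's "To be unaware of import" rule, post #5's DN-based profile assignment, post #6's filtering on the DN to select a few OUs out of a large tree) comes down to how a criterion on the distinguished name is matched. A plain "contains" test is a substring match, so "OU=Users" also hits everything in sub-OUs such as OU=external,OU=Users, which is exactly the case from the first post. Anchoring a regular expression on the RDN immediately after the CN is what pins the rule to the direct parent OU. The script below is an added example, not GLPI's own code: it is a hypothetical rule evaluator whose criterion and action names only mimic the shape of GLPI's Authorization Assignment rules (first matching rule with "stop" set wins), it assumes the DN criterion can be tested as a regular expression as well as a substring, and every DN in it is constructed from the examples in the thread.

```python
"""Hypothetical DN-based rule evaluator (added example, not GLPI code).

Mimics the shape of GLPI Authorization Assignment rules: each rule has a
criterion on the LDAP distinguished name, an action (ignore the import,
deny login, assign a profile) and a stop flag. Criterion and action names
are illustrative; GLPI's real rule engine is not reimplemented here.
"""
import re
from dataclasses import dataclass

OU_USERS = "OU=Users,OU=XX,OU=YY,DC=example,DC=com"  # container from the first post


def dn_rdns(dn: str) -> list[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def parent_dn(dn: str) -> str:
    """Container holding the object: everything after the first RDN."""
    return ",".join(dn_rdns(dn)[1:])


def in_ou(dn: str, ou_dn: str, direct_only: bool = True) -> bool:
    """True if dn sits directly in ou_dn (default) or anywhere below it."""
    if direct_only:
        return parent_dn(dn).lower() == ou_dn.lower()
    return dn.lower().endswith("," + ou_dn.lower())


@dataclass
class Rule:
    name: str
    criterion: str     # "contains" | "regex", both applied to the full DN
    pattern: str
    action: str        # "ignore_import" | "deny_login" | "assign_profile"
    value: str = ""    # profile name for assign_profile
    stop: bool = True  # stop processing further rules once matched


def evaluate(dn: str, rules: list[Rule]) -> dict:
    """Run the ordered rule list against one DN; first match with stop wins."""
    result = {"import": True, "login": True, "profiles": []}
    for rule in rules:
        if rule.criterion == "contains":
            hit = rule.pattern.lower() in dn.lower()
        elif rule.criterion == "regex":
            hit = re.search(rule.pattern, dn, re.IGNORECASE) is not None
        else:
            raise ValueError(f"unknown criterion {rule.criterion!r}")
        if not hit:
            continue
        if rule.action == "ignore_import":
            result["import"] = False
        elif rule.action == "deny_login":
            result["login"] = False
        elif rule.action == "assign_profile":
            result["profiles"].append(rule.value)
        if rule.stop:
            break
    return result


def imported(dns: list[str], rules: list[Rule]) -> list[str]:
    """DNs a rule set would let through to import."""
    return [dn for dn in dns if evaluate(dn, rules)["import"]]


# Constructed sample DNs: the two from the first post plus an approximation
# of the A / B100 / B101 ... tree from the last post.
SAMPLE_DNS = [
    "CN=Testuser,OU=Users,OU=XX,OU=YY,DC=example,DC=com",
    "CN=ExternalUser,OU=external,OU=Users,OU=XX,OU=YY,DC=example,DC=com",
    "CN=Alice,OU=B101,OU=B100,OU=A,DC=example,DC=com",
    "CN=Bob,OU=B102,OU=B100,OU=A,DC=example,DC=com",
    "CN=Carol,OU=BB500,OU=A,DC=example,DC=com",
]

# Naive: "DN contains OU=Users" grants Self-Service. It also matches the
# external sub-OU, the case the first post wants to keep out.
NAIVE_RULES = [
    Rule("users", "contains", "OU=Users,", "assign_profile", "Self-Service"),
]

# Anchored: OU=Users must be the immediate parent, so the external user falls
# through to a catch-all that ignores the import (standing in for the default
# root Self-Service rule once it is disabled, as post #5 suggests).
ANCHORED_RULES = [
    Rule("users", "regex", r"^CN=[^,]+," + re.escape(OU_USERS) + r"$",
         "assign_profile", "Self-Service"),
    Rule("everything else", "regex", r".", "ignore_import"),
]

# Post #6's selection: only B200, BB500 and B101. "contains OU=B100" would
# also pull in B102 and B103, since B100 is their parent container.
LOCATION_RULES = [
    Rule("supported", "regex", r"^CN=[^,]+,OU=(B200|BB500|B101),",
         "assign_profile", "Self-Service"),
    Rule("everything else", "regex", r".", "ignore_import"),
]

if __name__ == "__main__":
    for label, rules in (("naive", NAIVE_RULES), ("anchored", ANCHORED_RULES),
                         ("locations", LOCATION_RULES)):
        print(label, imported(SAMPLE_DNS, rules))
```

Running it shows the naive rule importing both users from the first post, the anchored rule importing only Testuser, and the location rule importing only Alice (B101) and Carol (BB500) while Bob in B102 is left out. `in_ou` is the same distinction expressed as a function: direct membership compares the parent DN exactly, subtree membership checks the DN suffix, and neither is a substring search over the whole string. When translating this into real GLPI rules, test the criterion against one user at a time before importing in bulk, as post #3 recommends for the authentication-method change.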
