
#1 2009-03-19 12:15:08

hadez16
Member
From: Germany
Registered: 2009-03-13
Posts: 9

Setting filter for LDAP Users - OU??

Hello

I'm trying to set a search filter for my LDAP authentication.

(&(objectClass=user)(objectCategory=person))

works fine.

Now I want to restrict the search so that only users of a special OU can authenticate to GLPI.

I tried

(&(objectClass=user)(objectCategory=person)(ou=Users,ou=Office1,dc=domain,dc=local))

and I tried

(&(objectClass=user)(objectCategory=person)(cn=*,ou=Users,ou=Office1,dc=domain,dc=local))

and I tried

(&(&(objectClass=user)(objectCategory=person))(distinguishedName=CN=*,OU=Users,OU=Office1,DC=domain,DC=local))


Nothing works.

How do I do that right? Can anybody help me please?

Thanks

Last edited by hadez16 (2009-03-19 12:25:39)

Offline

#2 2009-03-20 19:48:27

dinamax
Member
Registered: 2009-03-20
Posts: 2

Re: Setting filter for LDAP Users - OU??

Hi,
You must be careful how the name of the OU is written, because the LDAP search filter is key sensitive ... I had the same problem and I solved it ... I hope it is the same problem.

Bye

Offline

#3 2009-03-23 10:50:11

hadez16
Member
From: Germany
Registered: 2009-03-13
Posts: 9

Re: Setting filter for LDAP Users - OU??

No matter if I care about key sensitivity... it doesn't work.

No one else has a solution for this??

EDIT: it seems that the LDAP search filter in GLPI does not support wildcards either

Last edited by hadez16 (2009-03-23 10:50:56)

Offline

#4 2009-03-30 09:32:21

hadez16
Member
From: Germany
Registered: 2009-03-13
Posts: 9

Re: Setting filter for LDAP Users - OU??

push

Offline

#5 2010-04-28 10:55:49

behd
Member
Registered: 2010-04-23
Posts: 6

Re: Setting filter for LDAP Users - OU??

hadez16 wrote:

push

Having the same problem... AD is on Win Srv 2003 and can't get it right...

I used ADSIEdit.msc to see the correct case in AD, and additionally tried the following syntax (also w/o success):

(&(objectClass=user)(objectCategory=person)(memberof:1.2.840.113556.1.4.1941:=(CN=MyGroup,OU=MyOU1,OU=MyOU2,DC=MyDomName,DC=MyDomExt)))

(&(objectClass=user)(objectCategory=person)(canonicalName=MyDomName.MyDomExt\2fOU\2f*))

(&(objectClass=user)(objectCategory=person)(canonicalName=MyDomName.MyDomExt/OU/*))

Trying all cases, replacing special characters...
http://msdn.microsoft.com/en-us/library … S.85).aspx

Isn't there any trick, just like samaccountname that MUST be all in lowercase (even if the name has a different case in AD)?

[EDIT] Thinking that it could be a bug due to the fact that \2f is escaped on submit -> meaning change on query.
Additionally, pre-escaping \\2f doesn't change anything, as any single backslash is then escaped and results in a \\\\2f

[EDIT2] As a temporary workaround - Search for all active users belonging to group:
(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=MyGroup,OU=MyOU2,OU=MyOU1,DC=MyDomName,DC=MyDomExt))

Last edited by behd (2010-04-28 11:29:14)

Offline

#6 2010-04-28 11:50:08

yllen
GLPI-DEV
From: Sillery (51)
Registered: 2008-01-14
Posts: 15,278

Re: Setting filter for LDAP Users - OU??

hadez16: have you tried to put your OU restriction in the basedn field? (ou=Office1,dc=MyDomain,dc=de) if your domain is MyDomain.de


CentOS 6.5 - CentOS 7.x
PHP 5.6 - PHP 7.x - MySQL 5.6  - MariaDB 10.2 + APC + oOPcache
GLPI from 0.72 to dev version
ITIL certified (ITV2F, ITILF, ITILOSA)

Offline

#7 2010-04-28 12:02:16

behd
Member
Registered: 2010-04-23
Posts: 6

Re: Setting filter for LDAP Users - OU??

yllen wrote:

hadez16: have you tried to put your OU restriction in the basedn field? (ou=Office1,dc=MyDomain,dc=de) if your domain is MyDomain.de

This is sadly not an option for me, as I need to define an "OR" at next level after basedn...

(|(OU=BE)(OU=NL)(OU=LU))

But thanks for reply...

Offline

#8 2010-04-29 12:06:06

Chad_Gray
Member
Registered: 2010-03-10
Posts: 7

Re: Setting filter for LDAP Users - OU??

I don't think it's possible to specify an OU within the search filter (when using Active Directory), I tried to do this for ages without success. Apparently AD does not support extensible search filters which are required for this to work.

I ended up putting my users in a group and adding a "memberof" section to the filter. Bit of a workaround, but it works...

I don't know about non-AD LDAP authentication, but the syntax I saw when reading up went along the lines of ou:dn:=OUName to match on "OUName" in the path.

Last edited by Chad_Gray (2010-04-29 13:17:13)

Offline
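An added illustration, not part of any post in this thread: an entry's OU is a component of its DN rather than an attribute that a filter can match with wildcards, so an "OU=BE or OU=NL or OU=LU" restriction amounts to a DN-suffix test against several base DNs. The Python below performs that test on constructed sample DNs (the `example.local` domain, the user names and the function names are assumptions), parsing escaped commas so that an OU whose name merely contains `,OU=BE` is not accepted.

```python
def normalize_rdn(rdn):
    """Lower-case one RDN and trim spaces; DN comparison here is case-insensitive."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()

def split_dn(dn):
    """Split a DN into normalized RDNs, keeping backslash-escaped commas intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # escape pair stays inside the RDN
            i += 2
            continue
        if ch == ",":                    # unescaped comma ends the RDN
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [normalize_rdn(p) for p in parts]

def is_under(dn, base_dn):
    """True if dn lies strictly below base_dn (base RDNs are a proper suffix)."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) > len(b) and d[-len(b):] == b

def filter_by_ous(dns, allowed_bases):
    """Keep only the DNs located under at least one allowed base DN."""
    return [dn for dn in dns if any(is_under(dn, b) for b in allowed_bases)]

# Constructed sample data (not taken from the thread).
ALLOWED = [
    "OU=BE,DC=example,DC=local",
    "OU=NL,DC=example,DC=local",
    "OU=LU,DC=example,DC=local",
]
ENTRIES = [
    "CN=Alice,OU=Users,OU=BE,DC=example,DC=local",
    "CN=Bob,OU=Users,OU=FR,DC=example,DC=local",
    r"CN=Smith\, Carol,OU=NL,DC=example,DC=local",
    # An OU literally named "Temp,OU=BE": a plain string endswith() would accept it.
    r"CN=Eve,OU=Temp\,OU=BE,DC=example,DC=local",
    "cn=dave,ou=lu,dc=EXAMPLE,dc=local",
]

if __name__ == "__main__":
    for dn in filter_by_ous(ENTRIES, ALLOWED):
        print(dn)
```
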

#9 2022-06-09 17:11:54

frederic.garcia
Member
Registered: 2021-07-02
Posts: 4

Re: Setting filter for LDAP Users - OU??

Hello, it's an old question, but you cannot find any answer on the Internet, or I didn't find one yet.
So here is a solution to work around it.

The problem here is that you cannot change the BaseDn with the LDAP filter from GLPI; you don't have this option.
The BaseDn is configured in the GLPI database, in glpi_authldaps.

So you can update it in a bash script:
UPDATE glpi_authldaps SET basedn='OU=xxx,DC=contoso,DC=lcom' WHERE id=X

Then
send your ldap_mass_filter.php with your action option.

Then send again an
UPDATE glpi_authldaps SET basedn='your configured originally basedn' WHERE id=X

You program this in cron if you have GLPI on Linux, and it works like a charm.

1/ positive: it works
2/ negative: be wary of where you put your script, because when you update GLPI the original code is rewritten.

Offline
