NTLM Logins

bwm367 · 2010-01-18 23:00:16

I've been using NTLM with GLPI for a while now without many issues.
We are about to finish moving users over from using our old helpdesk system to the GLPI helpdesk, but we've ran into this problem a couple times:
We have a generic windows user that is used by quite a few computers in our company, because the users all log into an application and don't really use anything else all day. The problem is is that when someone using the generic user goes onto GLPI to submit a ticket, the IT department has no way of telling who or where that user is, and no way to contact them.

Is there a way to disable NTLM for one user? Is there something that can be done in GLPI where if they were to auto-login, it would kick them back to a login screen where they could use their own credentials?

We tried at one point to do this through group policy by disabling it in the user's Internet Explorer, but there is actually another application we use that depends on this type of authentication, and without it enabled it prompts for logins every time a page is loaded.

Anyone have any thoughts on this?

Last edited by bwm367 (2010-01-18 23:00:28)

bwm367 · 2010-01-20 19:34:54

Bumping, I'd like to get people's thoughts or experiences with this...

steffens · 2010-01-21 11:52:41

In my configuration you can use "Logout" from GLPI and login with a different user even while SSO enabled. In my former Windows 2003 server version it was not working, but on this where running lower versions of GLPI ( < 0.72.2).

Best regards, Steffens.

bwm367 · 2010-02-01 19:21:51

Thanks Steffens, In my testing using the logout button actually causes it to log out and immediately log back in. Even if it did work, I need to find a way to automate it so the user's don't have to click logout.

I'd like it to be that this particular user just gets a login screen, and all others are automatically logged in. Is there a way to deny a user access to GLPI? If I delete the user from GLPI, they are just re-added when they try to login, because of LDAP and NTLM. Anyone have any ideas?

dmartine1 · 2010-02-02 13:38:29

Here is an idea which I unfortunately can not test.

In the Administration of users, there is a tab for synchronisation of user with LDAP. In this tab, you can change the user authentication method to be either local or LDAP (or other).

If you force that specific user to authenticate in local mode and chenge the password, would that then force users to enter a valid network login to get into GLPI?

We have pretty much the same situation on our end, lots of generic logins but did not address that yet as we are in the startup stage of implementing GLPI.

Good luck

maltyx · 2010-02-02 22:25:18

what about import users with LDAP and disable the generic account in GLPI?

bwm367 · 2010-02-08 19:06:10

Thank you both for the suggestions, I'm going to try them today and I'll post my results.

bwm367 · 2010-02-10 20:32:57

After playing around I've found that having the user deleted, in the Trashcan and not Purged, prompts a message when the user logs in that says the account has been disabled and a little link that sends them to the login screen. This will probably work for our uses, although its not as automatic as I'd like. Also, how long will the user stay in the trashcan before automatically purging itself?

For maltyx's suggestion, I could not find any option to "disable" a user in GLPI, am I missing it somewhere?

And Dmartine1, I tried your suggestion but it seems that it resets the Authentication type when NTLM tries to login the user using the domain credentials.

One thing I might try next is purging the user, and adding a user with the same name without LDAP, hoping this prevents the user from being automatically added when they login since the name already exists. I think the solution I already have might be better for the end users though.

maltyx · 2010-02-10 21:55:47

there is ACTIVE = YES/NO option in the user properties ...

bwm367 · 2010-02-11 16:34:35

Thanks Maltyx, I can't believe I didn't notice that. Doing that seems to have the same effect as having the user in the trash can, but now I don't have to worry about it being automatically purged and the error message they receive is better.

Thanks for everyone's help, this can be closed.

Forum GLPI-Project

Announcement

#1 2010-01-18 23:00:16

NTLM Logins

#2 2010-01-20 19:34:54

Re: NTLM Logins

#3 2010-01-21 11:52:41

Re: NTLM Logins

#4 2010-02-01 19:21:51

Re: NTLM Logins

#5 2010-02-02 13:38:29

Re: NTLM Logins

#6 2010-02-02 22:25:18

Re: NTLM Logins

#7 2010-02-08 19:06:10

Re: NTLM Logins

#8 2010-02-10 20:32:57

Re: NTLM Logins

#9 2010-02-10 21:55:47

Re: NTLM Logins

#10 2010-02-11 16:34:35

Re: NTLM Logins

Board footer