janeczku / calibre-web

:books: Web app for browsing, reading and downloading eBooks stored in a Calibre database
GNU General Public License v3.0
13.04k stars 1.39k forks

AD User import #2369

Open Mrothyr opened 2 years ago

Mrothyr commented 2 years ago

Hi,

The AD user import imports no users with the same CN but a different DN, account name, and so on.

LDAP group object: (& (objectclass=group)(cn=%s)) LDAP group name: Books LDAP group member: member LDAP member user filter: (&(objectclass=user)(CN=%s))

Import works, but users with the same CN are not imported. calibre-web.log says "Already in Database".

The ldapsearch with this:

ldapsearch -H ldap://server -x -D "cn=proxyuser,dc=domain,dc=tld" -W -b "dc=domain,dc=tld" '(& (objectclass=group)(cn=Books))' member

does not give you CNs; in member there are true DNs. So I changed

LDAP member user filter: (&(objectclass=user)(distinguishedName=%s))

But no users are imported. calibre-web.log says:

[2022-04-11 00:19:10,147] WARN {cps.admin:1875} Could Not Parse LDAP User: CN=user,dc=domain,dc=tld

for every single user. With ldapsearch:

ldapsearch -H ldap://server -x -D "cn=proxyuser,dc=domain,dc=tld" -W -b "dc=domain,dc=tld" '(& (objectclass=user)(distinguishedName=CN=user,DC=domain,DC=tld))' '*'

everything works ok.

Can you identify the problem?

OzzieIsaacs commented 2 years ago

I'm not good at this LDAP stuff (I have no idea what CN or DN is):


Setting the "LDAP Member User Filter Detection" to Custom filter could help. Member user field could be: distinguishedName=CN=%s,DC=domain,DC=tld in this case??

To really help you I would need an output like the following, with 2 users which are detected as the same and should be different (of course I don't need the passwords):

dn: uid=user122,ou=people, dc=calibreweb,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: user122
gn: John1
sn: Smith1
userPassword: eekretsay

# create the cps entry
dn: cn=cps,ou=groups,dc=calibreweb,dc=com
objectclass: groupofnames
cn: cps
member: uid=user122,ou=People,dc=calibreweb,dc=com
member: cn=user124,ou=People,dc=calibreweb,dc=com
member: uid=user13,ou=People,dc=calibreweb,dc=com

Ticking or unticking "LDAP Server is OpenLDAP?" is often a good idea

Mrothyr commented 2 years ago

I'm not good at this LDAP stuff (I have no idea what CN or DN is):

CN, aka Common Name, is a simple name for an LDAP object. It is only unique within the same unit of the LDAP tree.

DN, aka Distinguished Name, is the full name of an LDAP object including the complete LDAP tree path. You find the CN at the beginning of the DN as the first label, and DNs are unique in the complete directory.

An LDAP group does not contain the CNs of the objects (they are not unique); the group contains the DNs. You can search by the CN contained in the DN, but that makes things go wrong in special circumstances.

Setting the "LDAP Member User Filter Detection" to Custom filter could help. Member user field could be: distinguishedName=CN=%s,DC=domain,DC=tld in this case??

No. If it works, you only get the objects at the base of the tree. A DN can be CN=name,CN=unit,OU=label,DC=domain,DC=tld or similar.

To really help you I would need an output like the following, with 2 users which are detected as the same and should be different (of course I don't need the passwords):

I made the two users in my directory, but what output is needed?
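The two problems in this thread (the first report, where members sharing a CN collapse into one user, and the CN/DN explanation above) come down to how a group's member DNs are turned into user lookups. The script below is an added example written for this page; it is not calibre-web's code and does not describe how calibre-web parses members. Against constructed member DNs (made up for the example, not from the reporter's directory) it splits each DN into RDNs, shows that keying users on the CN alone produces collisions, shows why substituting an unescaped value into a `(CN=%s)` filter is unsafe when the CN contains `(`, `)`, `*` or `\`, and shows the unambiguous alternative: a base-scope search on the member DN itself, which is what `ldapsearch -b <member DN> -s base` does. It uses only the Python standard library and runs offline.

```python
import re

# Constructed sample data: 'member' values of a group as ldapsearch would
# return them. These DNs are made up for this example.
SAMPLE_MEMBERS = [
    "CN=user,OU=Sales,DC=domain,DC=tld",
    "CN=user,OU=Engineering,DC=domain,DC=tld",      # same CN, different DN
    "CN=Smith\\, John,OU=Sales,DC=domain,DC=tld",   # escaped comma inside the CN
    "CN=svc (backup)*,OU=Service,DC=domain,DC=tld", # filter metacharacters in the CN
]


def split_dn(dn):
    """Split a DN string into its RDN strings on unescaped commas (RFC 4514)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


_DN_ESCAPE = re.compile(r"\\(?:([0-9A-Fa-f]{2})|(.))")


def unescape_dn_value(value):
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\2C' -> ','."""
    return _DN_ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), value)


def first_rdn(dn):
    """Return (attribute, value) of the leftmost RDN, e.g. ('cn', 'user')."""
    attr, _, value = split_dn(dn)[0].partition("=")
    return attr.strip().lower(), unescape_dn_value(value.strip())


def group_by_cn(member_dns):
    """Map each CN to the member DNs carrying it; a list longer than 1 is a collision,
    i.e. two distinct directory objects that a CN-keyed import would treat as one user."""
    seen = {}
    for dn in member_dns:
        attr, value = first_rdn(dn)
        if attr == "cn":
            seen.setdefault(value, []).append(dn)
    return seen


def escape_filter_value(value):
    """Escape a value for use inside a search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def naive_cn_filter(cn):
    """What a '(&(objectclass=user)(CN=%s))' template yields with an unescaped value:
    parentheses and '*' from the CN become part of the filter grammar."""
    return "(&(objectclass=user)(CN=%s))" % cn


def safe_cn_filter(cn):
    """The same template with the value escaped, so it can only match literally."""
    return "(&(objectclass=user)(CN=%s))" % escape_filter_value(cn)


def member_lookup(member_dn):
    """Resolve a group member without any CN ambiguity: a base-scope search on the
    DN itself. Returns (base, scope, filter), the values for ldapsearch -b/-s."""
    return member_dn, "base", "(objectclass=user)"


if __name__ == "__main__":
    for cn, dns in group_by_cn(SAMPLE_MEMBERS).items():
        if len(dns) > 1:
            print("CN %r is shared by %d entries: %s" % (cn, len(dns), dns))
    cn = first_rdn(SAMPLE_MEMBERS[3])[1]
    print("naive filter:", naive_cn_filter(cn))
    print("safe filter: ", safe_cn_filter(cn))
    print("base-scope lookup:", member_lookup(SAMPLE_MEMBERS[0]))
```

The base-scope lookup is the one to prefer: the DN a group hands you is already the exact object, so searching the subtree for an attribute that happens to contain the CN (or the whole DN) adds nothing except the chance of matching the wrong entry or of breaking on characters the filter grammar reserves.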