snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

Unable to pull users from multiple OU's although two locations have been configured #9433

Open madkins-fareva opened 3 years ago

madkins-fareva commented 3 years ago

Expected Behavior (or desired behavior if a feature request)


Two locations have been setup to be pull users from two different OU's.

Actual Behavior


Only users for one OU are pulled when syncing LDAP on each location.


madkins-fareva commented 3 years ago

More details

Base Bind DN in Admin > LDAP/AD Settings: OU=USERS,OU=ACCOUNTS,OU=Site1,OU=Parent_OU1,DC=Domain_Name,DC=PRIV

Location 1 LDAP Search OU: OU=USERS,OU=ACCOUNTS,OU=Site1,OU=Parent_OU1,DC=Domain_Name,DC=PRIV

Location 2 LDAP Search OU: OU=MFG,OU=ACCOUNTS,OU=Site1,OU=Parent_OU2,DC=Domain_Name,DC=PRIV

madkins-fareva commented 3 years ago

Checking in to see if anyone has any insight on the issue.

uberbrady commented 3 years ago

Try running via the CLI with --json_summary to see if you get any interesting output. Definitely check out your storage/logs/laravel.log.

Most of the time it's someone typo'ing one of the elements of their OU - "dc=companyname,dc=cmo" instead of "dc=com", stuff like that. But it's always an adventure, this LDAP stuff...

madkins-fareva commented 3 years ago

Our OU path ends with "dc=companyname,dc-priv".

I have verified the spelling of the OU path for Location 2 and ran the following commands, but all of them displayed users in Location 1 only.

php artisan snipeit:ldap-sync --json_summary
php artisan snipeit:ldap-sync --location=[Location name] --summary
php artisan snipeit:ldap-sync --location_id=2 --summary

It seems as though the OU paths in the Locations settings are being ignored and the OU path in Admin > LDAP is being used. Note: the OU path in Location 1 is the same as the OU path in Admin > LDAP.

I also noticed "ldap_location_override:true" in the summary.

If I copy the OU path from Location 2, paste it into Admin > LDAP, and test it, it will pull a sample list of users from the OU.

The only log file in storage/logs is a blank file with the info below.
*
!.gitignore

madkins-fareva commented 3 years ago

I reviewed the article on https://snipe-it.readme.io/docs/ldap-sync, but I did not find what I needed until I reviewed the code in ldapsync.php. The article did not include the "--base_dn=" switch.

For those of you that are new to Snipe-IT and PHP, the full command and switches are below.
snipeit:ldap-sync {--location=} {--location_id=} {--base_dn=} {--summary} {--json_summary}

I ran the command below and it populated Location 2.
php artisan snipeit:ldap-sync --location="Location 2" --base_dn="OU=MFG,OU=ACCOUNTS,OU=site,OU=Org2,DC=domain,DC=PRIV"

The above is not ideal, but it works.

A script and scheduled task will be needed to run the commands below.
php artisan snipeit:ldap-sync --location="Location 1" --base_dn="OU=USERS,OU=ACCOUNTS,OU=site,OU=Org1,DC=domain,DC=PRIV"
php artisan snipeit:ldap-sync --location="Location 2" --base_dn="OU=MFG,OU=ACCOUNTS,OU=site,OU=Org2,DC=domain,DC=PRIV"

Will there be a feature in the future that will sync multiple OU's without writing a script?

madkins-fareva commented 3 years ago

Now that the LDAP sync issue is resolved, users that are not in the Base Bind DN, which are users in Location 2, cannot log into Snipe-IT. Is there a work around for this?

madkins-fareva commented 3 years ago

The only workaround that I found to allow users outside the Base Bind DN configured in Admin > LDAP/AD Settings (OU=USERS,OU=ACCOUNTS,OU=Site1,OU=Parent_OU1,DC=Domain_Name,DC=PRIV) to log in is to truncate the path to DC=Domain_Name,DC=PRIV.

A side effect of this change generates a " 500 Server Error. Please check your server logs for more information" when Test LDAP Synchronization is executed in Admin > LDAP/AD Settings. Also, Snipe-IT will crash generating a "HTTP 500 error" in any web browser when I attempt to run LDAP Sync via People > LDAP Sync and select any location in the list to sync.

I would like to note that even though I get the above errors, if I execute Test LDAP Login, it works fine.

Are the error and browser crash related to my LDAP filter? My current LDAP filter: &(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)). We are a large global organization, but I am only focusing on two sites in the US in our Snipe-IT implementation.

No logs were generated in X:\inetpub\wwwroot\snipe-it\storage\logs.

The following was generated in X:\inetpub\logs\LogFiles\W3SVC1.

2021-04-26 13:54:40 10.3.99.21 POST /snipe-it/public/users/ldap - 80 - 10.3.xx.24 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/89.0.4389.90+Safari/537.36 http://server.domain_name.priv/snipe-it/public/users/ldap 500 0 0 15364
2021-04-26 14:01:09 10.3.99.21 GET /snipe-it/public/admin - 80 - 10.3.xx.24 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/89.0.4389.90+Safari/537.36 http://server.domain_name.priv/snipe-it/public/users/ldap 200 0 0 249
2021-04-26 14:01:11 10.3.99.21 GET /snipe-it/public/admin/ldap - 80 - 10.3.xx.24 Mozilla/5.0+(Windows+NT+6.1;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/89.0.4389.90+Safari/537.36 http://server.domain_name.priv/snipe-it/public/admin 200 0 0 234

At this point, scripts in a scheduled task are my only option to sync with LDAP and I agree that this is the ideal way to import new users, but it seems that LDAP sync is using the Base Bind DN configured in Admin > LDAP/AD Settings as default and ignoring the LDAP Search OU settings in each location when trying to sync manually. Is it possible to add a feature where you can add multiple Base DN's to Admin > LDAP/AD Settings? For example, we use GLPI as well and it allows you to add multiple LDAP directories for authentication.

I look forward to any replies.
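Added example, not code from Snipe-IT or from anyone in this thread: a small Python helper that covers the two things the thread works through, the per-location sync workaround (one `snipeit:ldap-sync --location=... --base_dn=...` run per location from a cron job or scheduled task) and the later login problem (users synced from an OU that is not beneath the Base Bind DN could not log in until the Base Bind DN was widened to the domain root). It parses DNs, checks whether each location's LDAP Search OU sits inside the Base Bind DN, and builds the per-location sync command lines as argv lists. The DNs are the sample values posted above; `php` and `artisan` being on the PATH or in the working directory, and the `--json_summary` flag use, are assumptions. The DN parser handles backslash-escaped commas but not `+`-joined multi-valued RDNs.

```python
"""Check Snipe-IT location Search OUs against the Base Bind DN and build the
per-location ldap-sync commands. Added example, not Snipe-IT's own code."""
import shlex
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample settings, mirroring the ones posted in the thread.
BASE_BIND_DN = "OU=USERS,OU=ACCOUNTS,OU=Site1,OU=Parent_OU1,DC=Domain_Name,DC=PRIV"
DOMAIN_ROOT = "DC=Domain_Name,DC=PRIV"
LOCATIONS: Dict[str, str] = {
    "Location 1": "OU=USERS,OU=ACCOUNTS,OU=Site1,OU=Parent_OU1,DC=Domain_Name,DC=PRIV",
    "Location 2": "OU=MFG,OU=ACCOUNTS,OU=Site1,OU=Parent_OU2,DC=Domain_Name,DC=PRIV",
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, left to right.

    Names and values are lower-cased because Active Directory matches DNs
    case-insensitively. Backslash-escaped characters (the comma in
    'CN=Doe\\, John') are kept literally and do not split the DN.
    """
    components: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped char: keep literally, do not split
            i += 2
            continue
        if ch == ",":
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    components.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for rdn in components:
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        pairs.append((attr.lower(), value.lower()))
    return pairs


def is_under(base_dn: str, dn: str) -> bool:
    """True if dn equals base_dn or lies beneath it, i.e. the components of
    base_dn are a suffix of the components of dn. A typo in any component
    ('DC=PRVI' for 'DC=PRIV') makes this False, which is the first thing to
    look for when a sync returns nothing."""
    base, target = parse_dn(base_dn), parse_dn(dn)
    return len(target) >= len(base) and target[-len(base):] == base


def check_locations(base_dn: str, locations: Dict[str, str]) -> Dict[str, bool]:
    """Map each location to whether its Search OU is inside the Base Bind DN.
    In the thread, users synced from an OU outside the Base Bind DN could not
    log in until it was widened, so a False here is worth a warning."""
    return {name: is_under(base_dn, ou) for name, ou in locations.items()}


def sync_commands(locations: Dict[str, str], php: str = "php",
                  artisan: str = "artisan") -> List[List[str]]:
    """One argv list per location, passing that location's OU as --base_dn
    (the workaround from the thread). argv lists, not a shell string, so DNs
    containing spaces or commas are never re-parsed by a shell."""
    return [
        [php, artisan, "snipeit:ldap-sync",
         f"--location={name}", f"--base_dn={ou}", "--json_summary"]
        for name, ou in locations.items()
    ]


def run_all(commands: List[List[str]], dry_run: bool = True) -> Dict[str, Optional[int]]:
    """Run each sync in turn and return the exit code per location
    (None in dry_run mode, which only prints the commands)."""
    results: Dict[str, Optional[int]] = {}
    for cmd in commands:
        location = cmd[3].split("=", 1)[1]
        if dry_run:
            print("would run:", shlex.join(cmd))
            results[location] = None
        else:
            proc = subprocess.run(cmd, capture_output=True, text=True)
            results[location] = proc.returncode
            print(proc.stdout or proc.stderr)  # the JSON summary, or the error
    return results


if __name__ == "__main__":
    for name, ok in check_locations(BASE_BIND_DN, LOCATIONS).items():
        print(f"{name}: Search OU {'inside' if ok else 'OUTSIDE'} the Base Bind DN")
    run_all(sync_commands(LOCATIONS), dry_run=True)
```

Run it with `dry_run=False` from the scheduled task to perform the syncs. Note that widening the Base Bind DN to `DC=Domain_Name,DC=PRIV`, as done above to let Location 2 users log in, also widens the set of accounts the LDAP login search can match, so the LDAP filter is then the only thing limiting which directory accounts can authenticate; keep it as narrow as the user population allows.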