
Import users from AD in iTop with "Data collector for LDAP"

EdG
2020-06-11
2020-06-20
  • EdG

    EdG - 2020-06-11

    Dear iTop Users,

    Until now I was using a script to import Active Directory user profiles into my iTop users. My iTop version is 2.6.3.
    The script is AD_import_accounts, still available at https://www.combodo.com/documentation/AD_import_accounts.txt

    I want to upgrade to iTop 2.7, and this AD_import_accounts script is deprecated (it was designed for iTop 1.0.x).

    So I am trying to use the "Data collector for LDAP" extension as a replacement (https://www.itophub.io/wiki/page?id=extensions%3Aldap-data-collector).

    I am facing the following issue: I do not want to import all users from an OU of my AD.
    I only want to import users from a particular user group, "iTop_users", in my AD.

    Does someone know if "Data collector for LDAP" can accomplish this task?
    I did not succeed in making it work this way (e.g. by playing with the ldapdn parameter).
    The old AD_import_accounts script was working this way: it synchronizes only users from my "iTop_users" group in my AD; it is still working in iTop 2.6.3.

    Best Regards,
    Ed

     

    Last edit: EdG 2020-06-11
  • schirrms

    schirrms - 2020-06-11

    Hi Ed,

    I don't know the older script, but, as far as I understand the new one, you won't be able to do that this way.

    But I think that, by playing with the LDAP filter, you should be able to get your result, by using a filter like 'memberof={DN of your group}'.
    At least, it's a test to do.

    The limit of this solution is that it won't work for indirect groups; that means your account has to be directly in your filter group (not in a group that is a member of your group).

    Another point to notice, as far as I remember, is that you have to write 'memberof' and not 'memberOf' in the filter (not sure; at one point in the module, you have to put everything in lowercase).

    I'm not connected at work now (and, despite my huge personal computer world, I don't have an AD at home :)) so I cannot be more precise.

    HTH,

    Pascal

     
    • EdG

      EdG - 2020-06-13

      Hi Pascal,

      It is very kind of you to take time to answer me, thank you very much.

      1. You indicated to play with the LDAP filter, which one?
        <ldapdn>
        or
        <ldapuserfilter>
        or
        <itop_group_pattern>

      2. My "iTop_users" group, in LDAP syntax, is located at:
        CN=iTop_Users,OU=Groups-Role,OU=IPG,DC=IPGAD,DC=MYDC,DC=FR

      It is in OU "Groups-Role" (not in a group that is a member of your group), so it should work.
      The filter should be like 'memberof={DN of your group}'.
      Something like this: 'memberof={CN=iTop_Users,OU=Groups-Role,OU=IPG,DC=IPGAD,DC=MYDC,DC=FR}' ?

      Best Regards,
      Ed

       
      • schirrms

        schirrms - 2020-06-16

        Hi Ed,

        Sorry for the late answer.

        I just ran an LDAP search in Apache Directory Studio, and this is actually working:

        (&
            (objectClass=user)
            (objectClass=person)
            (memberOf=CN=ld-SI xxxx,OU=xxxxxx,OU=xxxxxxxxxxxx,OU=xxxxxxxxxx,OU=xxxxxxxxxxxx,DC=xxxxxxx,DC=fr)
        )
        

        Warning: no ', " or { } around the group name, and this works even with groups with a space in the name (at least here! AD servers are running Windows 2016).

        Then applying that same filter as <ldapuserfilter> and running php exec.php --collect_only gave me the expected results: I had only the members of the group in my iTopUserLDAPCollector-1.csv file.

        Selecting the 'person' or the 'user' filter is up to you.
        The person filter is for the list of persons who are members of your organization (in other words, people you want to 'see' for 'ticket requests' or whatever).
        The user filter is for the accounts allowed to log in to iTop.
        In our case, the two lists are basically the same, playing with the groups to give roles in iTop: by default, all members of the organization have 'Portal User' access, and we use specific AD groups to give more powerful access in iTop.

        And, rereading what I wrote: no case trouble; here is the exact syntax I used in the params.local.xml file:
        <ldapuserfilter>(&amp;(objectClass=person)(objectClass=user)(memberOf=CN=xxxxx xxxxx,OU=xxxxxxxx,OU=xxxxxxxx,OU=xxxxxxxxxx,OU=xxxxxxxxxx,DC=xxxxxx,DC=fr))</ldapuserfilter>

        I find it useful to use Apache Directory Studio to 'copy/paste' the exact group DN; it's too bad to lose hours and hours only because of a misspelled group name :)

        HTH,

        Pascal

         

        Last edit: schirrms 2020-06-16
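The two replies above (the memberOf idea with its "direct members only" limit, and the filter that was confirmed to work in Apache Directory Studio) can be exercised offline. The following Python is an added example and is not code from the "Data collector for LDAP" extension or from any post in this thread: it builds the <ldapuserfilter> value from a group DN, escapes the DN as RFC 4515 requires, shows the XML-escaped form that goes into the parameter file, and evaluates the filter against a small constructed directory to show that the plain memberOf form misses members of nested groups while Active Directory's chain rule (OID 1.2.840.113556.1.4.1941, an AD-only matching rule) catches them. Every DN, user and entry below is invented.

```python
"""
Added example, not code from the iTop "Data collector for LDAP" extension nor
from any post in this thread. It builds the <ldapuserfilter> value for the
"members of one AD group" case discussed above and shows, on constructed
directory entries, why a plain memberOf filter does not see members of nested
groups. Every DN, entry and user below is invented.
"""

# Active Directory's transitive membership matching rule
# (LDAP_MATCHING_RULE_IN_CHAIN). AD-specific: it does not exist on OpenLDAP.
IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP filter.

    A group DN containing '(' ')' '*' or '\\' would otherwise break the
    filter or turn it into a wildcard; '&' and spaces need no escaping.
    """
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(group_dn, nested=False):
    """Filter string in raw LDAP syntax, as typed into Apache Directory Studio.

    nested=True switches to AD's chain rule so that users who are in a group
    that is itself a member of group_dn match as well.
    """
    attr = "memberOf:%s:" % IN_CHAIN_RULE if nested else "memberOf"
    return "(&(objectClass=user)(objectClass=person)(%s=%s))" % (
        attr, escape_filter_value(group_dn))


def as_xml_text(filter_str):
    """The same filter as it must be written inside the XML parameter file:
    a raw '&' is not allowed in XML element content and becomes '&amp;'."""
    return filter_str.replace("&", "&amp;").replace("<", "&lt;")


# --- constructed directory (invented data) -------------------------------
GROUP_DN = "CN=iTop_Users,OU=Groups-Role,OU=IPG,DC=IPGAD,DC=MYDC,DC=FR"
SUB_GROUP_DN = "CN=iTop_Contractors,OU=Groups-Role,OU=IPG,DC=IPGAD,DC=MYDC,DC=FR"
ALICE = "CN=alice,OU=People,OU=IPG,DC=IPGAD,DC=MYDC,DC=FR"   # direct member
BOB = "CN=bob,OU=People,OU=IPG,DC=IPGAD,DC=MYDC,DC=FR"       # member via sub-group
CAROL = "CN=carol,OU=People,OU=IPG,DC=IPGAD,DC=MYDC,DC=FR"   # not a member

DIRECTORY = {
    GROUP_DN: {"objectClass": ["group"], "memberOf": []},
    SUB_GROUP_DN: {"objectClass": ["group"], "memberOf": [GROUP_DN]},
    ALICE: {"objectClass": ["person", "user"], "memberOf": [GROUP_DN]},
    BOB: {"objectClass": ["person", "user"], "memberOf": [SUB_GROUP_DN]},
    CAROL: {"objectClass": ["person", "user"], "memberOf": []},
}


def transitive_groups(dn, directory=DIRECTORY):
    """Follow memberOf upwards; this is what the chain rule computes server-side."""
    seen = set()
    stack = list(directory[dn]["memberOf"])
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(directory.get(group, {}).get("memberOf", []))
    return seen


def matching_users(group_dn, nested=False, directory=DIRECTORY):
    """Offline evaluation of user_filter(group_dn, nested) against DIRECTORY."""
    hits = []
    for dn, attrs in directory.items():
        if not {"user", "person"} <= set(attrs["objectClass"]):
            continue
        groups = transitive_groups(dn, directory) if nested else set(attrs["memberOf"])
        if group_dn in groups:
            hits.append(dn)
    return sorted(hits)


if __name__ == "__main__":
    print(user_filter(GROUP_DN))
    print(as_xml_text(user_filter(GROUP_DN, nested=True)))
    print("direct only :", matching_users(GROUP_DN))               # alice
    print("with nesting:", matching_users(GROUP_DN, nested=True))  # alice, bob
```

The raw form from user_filter() is what you paste into Apache Directory Studio to test; as_xml_text() is what goes between the <ldapuserfilter> tags, which is why the working configuration shown above starts with (&amp;( rather than (&(. Whether the nested form is appropriate depends on whether you want sub-group members to get iTop accounts at all; the direct-only form is the stricter choice.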
        • EdG

          EdG - 2020-06-16

          Hello Pascal,

          I really appreciate your help.

          I am sorry, because I am still facing my issue.
          I changed my conf files according to your advice:
          - conf/params.local.xml -
          <?xml version="1.0" encoding="UTF-8"?>
          <parameters>
          <itop_url>https://myitopserver.mydomain.fr/itop/</itop_url>
          <itop_login>admin</itop_login>
          <itop_password>xxxxxx</itop_password>
          <contact_to_notify>contact@mydomain.fr</contact_to_notify>
          <synchro_user>admin</synchro_user>
          <ldaphost>ldaps://myadserv1.mydomain.fr</ldaphost>
          <ldapport>636</ldapport>
          <ldapdn>OU=xxx,DC=xxxx,DC=xxxxxx,DC=xx</ldapdn>
          <ldaplogin>CN=xxxxx,OU=xxxx,DC=xxxx,DC=xxxxxx,DC=xx</ldaplogin>
          <ldappassword>xxxxxxxx</ldappassword>
          <prefix></prefix>
          <json_placeholders>
          <full_load_interval>604800</full_load_interval>
          <synchro_status>production</synchro_status>
          </json_placeholders>
          <CURLOPT_SSLVERSION>CURL_SSLVERSION_SSLv3</CURLOPT_SSLVERSION>
          <CURLOPT_SSL_VERIFYHOST>0</CURLOPT_SSL_VERIFYHOST>
          <CURLOPT_SSL_VERIFYPEER>1</CURLOPT_SSL_VERIFYPEER>
          </parameters>
          

          - collectors/params.local.xml -
            <?xml version="1.0" encoding="UTF-8"?>
            <parameters>
            <ldaphost>ldaps://myadserv1.mydomain.fr</ldaphost>
            <ldapport>636</ldapport>
            <ldapdn>OU=xxx,DC=xxxx,DC=xxxxxx,DC=xx</ldapdn>
            <ldaplogin>CN=xxxxx,OU=xxxx,DC=xxxx,DC=xxxxxx,DC=xx</ldaplogin>
            <ldappassword>xxxxxxxx</ldappassword>
            <ldappersonfilter>(objectClass=person)</ldappersonfilter>
            <collect_person_only>yes</collect_person_only>
            <ldapuserfilter>(&amp;(objectClass=user)(objectClass=person)(memberOf=CN=iTop_Users,OU=Groups-Role,OU=xxxx,DC=xxxx,DC=xxxxxx,DC=xx))</ldapuserfilter>
            <synchronize_profiles>yes</synchronize_profiles>
            <itop_group_pattern>/^CN=iTop_(.*),OU=.*/</itop_group_pattern>
            <person_fields>
            <primary_key>samaccountname</primary_key>
            <name>sn</name>
            <first_name>givenname</first_name>
            <email>mail</email>
            <phone>telephonenumber</phone>
            <mobile_phone>mobile</mobile_phone>
            <function>title</function>
            <employee_number>employeenumber</employee_number>
            </person_fields>
            <person_defaults>
            <org_id>IPG</org_id>
            <status>active</status>
            </person_defaults>
            <user_fields>
            <primary_key>samaccountname</primary_key>
            <login>samaccountname</login>
            <contactid>mail</contactid>
            </user_fields>
            <profile>Portal user</profile>
            <language>FR FR</language>
            </parameters>

          Then I run the command:
          php ../exec.php --console_log_level=9 --collect_only
          ...
          Info - iTopPersonLDAPCollector beginning of data collection...
          Info - (Persons) Number of entries found on LDAP: 192
          Info - Writing to file '/root/LDAPS/ldap-data-collector/data/iTopPersonLDAPCollector-1.csv'.
          Info - iTopPersonLDAPCollector end of data collection.
          Info - iTopUserLDAPCollector beginning of data collection...
          Info - (Users) Number of entries found in LDAP: 141
          Info - Writing to file '/root/LDAPS/ldap-data-collector/data/iTopUserLDAPCollector-1.csv'.
          Info - iTopUserLDAPCollector end of data collection.

          I get 141 entries, but my iTop_users group has only 103 members...

          What did I do wrong?

          Best Regards,
          Ed

           
        • EdG

          EdG - 2020-06-18

          Hello Pascal,

          I finally found what was wrong.
          I edited collectors/params.local.xml,
          but this file was never parsed, because the correct file to edit is collectors/params.distrib.xml.

          It is a bit weird, because in the conf/ directory it is conf/params.local.xml that must be edited (conf/params.distrib.xml should not be edited).

          So now, I get the 103 members of my iTop_users AD group.

          I have a last question... about the way the user password is retrieved.
          Maybe you have the answer:
          Does the Data collector for LDAP extension collect a hash of each AD user password at each synchronization?
          Or does the extension enable an LDAP connection within iTop to authenticate against the AD server?

          I ask this because when a user changes his password in Active Directory, I would like to be sure that he will still be able to log in to iTop (with his new password).

          Best regards,
          Ed

           
          • Mathis

            Mathis - 2020-06-18

            Hello,
            The connection is made thanks to this conf file: /var/www/html/conf/production/config-itop.php

            This part needs to be changed:
            $MyModuleSettings = array(
                'authent-ldap' => array(
                    'host' => 'test.com',
                    'port' => 389,
                    'default_user' => 'User-Admin',
                    'default_pwd' => 'PASSWORD',
                    'base_dn' => 'dc=TEST,dc=com',
                    'user_query' => '(samaccountname=%1$s)',
                    'options' => array(
                        17 => 3, // LDAP_OPT_PROTOCOL_VERSION: use LDAPv3
                        8 => 0,  // LDAP_OPT_REFERRALS: do not chase referrals (needed with AD)
                    ),
                    'start_tls' => false,
                    'debug' => false,
                ),
            );

            This creates the connection with LDAP (for passwords); it is enough that the user account (LDAP user) is created in iTop with the login linked to the LDAP account.

             
          • schirrms

            schirrms - 2020-06-18

            Ha !

            I made this mistake too at the beginning. But in fact, all 'local' information has to be put in conf/params.local.xml, regardless of which distrib file contains the original information.

            I don't remember how I found that, but I have the bad habit of opening the PHP file when I don't understand something ;)

            For the second point: my teammates did a very nice job integrating our Linux / Apache servers into Active Directory (through Kerberos). So, from iTop's point of view, all users (except 3 local technical accounts) are 'external users' and people don't need to 'sign on' when they connect to iTop. And iTop doesn't have to know anything about their credentials :))

            But as far as I know, there is no way to 'sync' passwords between iTop and AD (except to have a front app to change the password, which does the actual changes in iTop and AD. But that would be a serious challenge to do in a secure way).

             
            • EdG

              EdG - 2020-06-19

              Hello,

              The sync is working well now.
              I noticed just one thing: is it possible to sync LDAP users from different AD groups?
              For example,
              iTop_users AD group -> profile "portal users" in iTop
              iTop_managers AD group -> profile "admin" (or other) in iTop

              By default, all LDAP users get the "portal users" profile via the sync.
              Changes are removed at each sync.

               
              • schirrms

                schirrms - 2020-06-20

                Hi,

                That's exactly the use of the group section:
                First, you have to set up a filter on the group name. I don't exactly remember the default filter; I think the script searches for groups in the form
                CN=iTop-*
                and that was OK for me.
                So, by default, I put all accounts in Portal user (as this is the most common connection, at least for me!) but the default profile can be overridden.
                And then, depending on the iTop-* membership, people go to the Admin profile or to a 'read-only Back Office' profile I created.

                And I think that part works for me 'out of the box'.

                Pascal
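The group-to-profile step described in the two posts above (a group-name filter, a default "Portal user" profile, and more powerful profiles granted by membership of specific AD groups) can be modelled offline. The following Python is an added example, not code from the LDAP collector extension or from this thread's authors: it applies an <itop_group_pattern>-style regex to a user's memberOf values, maps the matching groups to iTop profiles, falls back to the default profile when nothing matches, and computes what a sync would add and remove against the profiles currently set in iTop. The pattern, the restriction to one OU, the group-to-profile table and every DN below are assumptions made for the example, not the extension's real logic.

```python
"""
Added example, not code from the LDAP collector extension or from this
thread's authors. It mimics the <itop_group_pattern> step: read a user's
memberOf values, keep the AD groups whose name follows the iTop_<something>
convention, turn them into iTop profiles, and fall back to the default
profile when nothing matches. The pattern, the OU restriction, the
group-to-profile table and every DN here are assumptions.
"""
import re

# Same shape as the pattern used in this thread; the capture is the part of
# the CN after "iTop_".
GROUP_PATTERN = re.compile(r"^CN=iTop_([^,]+),OU=.*", re.IGNORECASE)

# Assumption for this example: only groups under this OU may grant profiles.
# The bare pattern's "OU=.*" would accept an iTop_* group created in any OU,
# so anyone allowed to create groups elsewhere could grant themselves a profile.
ALLOWED_PARENT = "OU=Groups-Role,OU=IPG,DC=IPGAD,DC=MYDC,DC=FR"

DEFAULT_PROFILE = "Portal user"

# Assumed mapping from the captured group suffix (lower-cased) to iTop profiles.
PROFILE_BY_GROUP = {
    "users": "Portal user",
    "managers": "Administrator",
    "backoffice_ro": "Read-only Back Office",
}


def group_to_profile(group_dn, allowed_parent=ALLOWED_PARENT):
    """Return the profile granted by one group DN, or None if the group is ignored."""
    match = GROUP_PATTERN.match(group_dn)
    if not match:
        return None
    if not group_dn.lower().endswith("," + allowed_parent.lower()):
        return None  # right name, wrong OU: do not trust it
    return PROFILE_BY_GROUP.get(match.group(1).lower())


def profiles_for(member_of):
    """Profiles a synchronised user account should carry: sorted, never empty."""
    found = {p for p in (group_to_profile(dn) for dn in member_of) if p}
    return sorted(found) or [DEFAULT_PROFILE]


def plan_changes(current, member_of):
    """(to_add, to_remove) for a sync, given the profiles currently set in iTop.

    Anything granted by hand in iTop and not backed by an AD group is removed,
    which is the behaviour reported above ("changes are removed at each sync").
    """
    wanted = set(profiles_for(member_of))
    return sorted(wanted - set(current)), sorted(set(current) - wanted)


if __name__ == "__main__":
    groups = [
        "CN=iTop_Managers,OU=Groups-Role,OU=IPG,DC=IPGAD,DC=MYDC,DC=FR",
        "CN=Sales,OU=Groups-Role,OU=IPG,DC=IPGAD,DC=MYDC,DC=FR",
    ]
    print(profiles_for(groups))                   # ['Administrator']
    print(plan_changes(["Portal user"], groups))  # (['Administrator'], ['Portal user'])
```

The OU check is the part worth keeping in mind when you configure the real pattern: a regex ending in OU=.* treats a group named iTop_Administrator the same wherever it lives in the directory, so the pattern should be anchored to the OU where only directory administrators can create groups.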

                 
  • Mathis

    Mathis - 2020-06-16

    Good morning,

    I am also looking to be able to change the choice of an OU; I would like to be able to choose several OUs. I think it is at the place shown in my capture.

    Thanks

     

    Last edit: Mathis 2020-06-16
