I modified html/includes/authentication/ldap.inc.php

~ Line 260 I changed the user LDAP search filter to the following:
 $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" . $username . "))";

This will only work properly with AD (given the sAMAccountName property) but it correctly looks up the users.

This is what I get out of the login debug page now for my user:

LDAP[Filter][(&(objectCategory=person)(objectClass=user)(sAMAccountName=sryan))][OU=All Users,DC=arbor,DC=net]
LDAP[UserID][Converted objectSid S-1-5-21-1708537768-682003330-1417001333-18980 to user ID 18980]

I'm not sure if you need to add a flag in the config for which item to search for in the filter, but that filter should work fine for any AD installation.


Spencer Ryan
| Senior Systems Administrator | sryan@arbor.net
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)

On Thu, Feb 26, 2015 at 10:53 AM, Ryan, Spencer <sryan@arbor.net> wrote:
I'm having an issue with our OUs and how devices are assigned to users in Observium.

To keep the explanation simple, our users' OU structure basically looks like this:
arbor.net
---All Users
------Ann Arbor
------City 2
------City 3

I have the base set to the top "all users":
$config['auth_ldap_prefix'] = "CN=";
$config['auth_ldap_suffix'] = ",OU=All Users,DC=arbor,DC=net";

The issue is that the ldap module won't look down into the sub-OUs to find the users, so any device associations fail.

If I create a test user in the "All Users" OU directly it works properly.

Is there any way to make this work properly? I have users logging in from various sub-OUs, so I can't just point it at one of the city OUs directly.

Thanks!

Spencer Ryan
| Senior Systems Administrator | sryan@arbor.net
Arbor Networks
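
The filter change described in the reply above, as an added example that is not Observium's code or code from either message: it escapes the username before placing it in the AD filter and runs the lookup as a subtree search so users in sub-OUs are found. The function names are hypothetical, and the usernames at the bottom are constructed sample input.

```php
<?php
// Added example, not Observium's code. All function names are hypothetical.

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515).
 * Equivalent in effect to ldap_escape($v, '', LDAP_ESCAPE_FILTER) in PHP >= 5.6,
 * written out here so the example runs without the ldap extension loaded.
 */
function escape_filter_value(string $value): string
{
    // strtr() with an array does not rescan its own output, so the
    // backslash introduced by one replacement is never escaped twice.
    return strtr($value, [
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ]);
}

/** Build the AD user filter from the message, with the username escaped. */
function build_ad_user_filter(string $username): string
{
    return '(&(objectCategory=person)(objectClass=user)(sAMAccountName='
        . escape_filter_value($username) . '))';
}

/** Look the user up anywhere below $base_dn; returns the DN or null. */
function find_user_dn($ldap, string $base_dn, string $username): ?string
{
    // ldap_search() uses subtree scope (ldap_list() is one level only),
    // so a base of "OU=All Users,..." also covers the per-city sub-OUs.
    $result = ldap_search($ldap, $base_dn, build_ad_user_filter($username), ['sAMAccountName']);
    if ($result === false) {
        return null;
    }
    $entries = ldap_get_entries($ldap, $result);
    // Accept exactly one match; zero or several is treated as "not found".
    return ($entries !== false && $entries['count'] === 1) ? $entries[0]['dn'] : null;
}

// Constructed sample usernames: a plain one, and two containing characters
// that would change the meaning of the filter if left unescaped.
foreach (['sryan', 'sr*', 'smith (contractor)'] as $name) {
    echo build_ad_user_filter($name), PHP_EOL;
}
```

Without the escaping step, a username containing `*` would turn the equality match into a wildcard match and could return more than one account.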