I'm having an issue with our OU's and how devices are assigned to users in Observium.
To keep the explanation simple our users OU structure basically looks like this:

    arbor.net
    ---All Users
    ------Ann Arbor
    ------City 2
    ------City 3

I have the base set to the top "all users":

    $config['auth_ldap_prefix'] = "CN=";
    $config['auth_ldap_suffix'] = ",OU=All Users,DC=arbor,DC=net";
The issue is that the ldap module won't look down into the sub OU's to find the users, so any device associations fail.
If I create a test user in the "All Users" OU directly it works properly.
Is there any way to make this work properly? I have users logging in in various sub OU's so I can't just point it at one of the city OU's directly.
Thanks!
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
I've also tried enabling referrals and it didn't help. This is what I see at the end of the login page if I use /debug/
    LDAP[Filter][(CN=Ryan\2c Spencer,OU=Ann Arbor)][OU=All Users,DC=arbor,DC=net]
    LDAP[UserID][User not found through filter]
That is my correct CN. But the next line shows that it isn't grabbing a UserID for me:
SELECT * FROM `entity_permissions` WHERE `user_id` = '-1'
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
On Thu, Feb 26, 2015 at 10:53 AM, Ryan, Spencer sryan@arbor.net wrote:
I modified html/includes/authentication/ldap.inc.php

~ Line 260 I changed the user LDAP search filter to the following:

    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" . $username . "))";
This will only work properly with AD (given the sAMAccountName property) but it correctly looks up the users.
This is what I get out of the login debug page now for my user:
    LDAP[Filter][(&(objectCategory=person)(objectClass=user)(sAMAccountName=sryan))][OU=All Users,DC=arbor,DC=net]
    LDAP[UserID][Converted objectSid S-1-5-21-1708537768-682003330-1417001333-18980 to user ID 18980]
I'm not sure if you need to add a flag in the config for which item to search for in the filter, but that filter should work fine for any AD installation.
*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
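Added example, not part of the original message and not Observium's code: the AD filter from the message above with the login name escaped per RFC 4515 before it is concatenated into the filter, plus a subtree search that accepts only a single match. The function names are hypothetical, the sample login names are constructed, and `find_user_dn` assumes an already bound LDAP connection.

```php
<?php
// Added example, not Observium code; function names are hypothetical.

// Escape a value for use inside an LDAP search filter (RFC 4515).
function escape_filter_value(string $value): string
{
    if (function_exists('ldap_escape')) {          // PHP >= 5.6 with ext-ldap
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    // Fallback without ext-ldap: backslash first, then the other specials.
    return str_replace(
        ['\\', '*', '(', ')', "\x00"],
        ['\\5c', '\\2a', '\\28', '\\29', '\\00'],
        $value
    );
}

// The AD filter from the message, with the login name escaped.
function build_ad_user_filter(string $username): string
{
    return '(&(objectCategory=person)(objectClass=user)(sAMAccountName='
        . escape_filter_value($username) . '))';
}

// Subtree search under the base DN (ldap_search scope). Accept the result only
// if exactly one entry matches, so an ambiguous name never resolves to a user.
function find_user_dn($ldap, string $base_dn, string $username): ?string
{
    $result = ldap_search($ldap, $base_dn, build_ad_user_filter($username), ['objectSid']);
    if ($result === false || ldap_count_entries($ldap, $result) !== 1) {
        return null;
    }
    $dn = ldap_get_dn($ldap, ldap_first_entry($ldap, $result));
    return $dn === false ? null : $dn;
}

// Constructed login names: a plain one, and two carrying filter metacharacters.
foreach (['sryan', 'sr*', 'sryan)(objectClass=*'] as $login) {
    echo build_ad_user_filter($login), PHP_EOL;
}
```

With escaping in place, `*`, `(` and `)` in a submitted login name are matched as literal characters and cannot widen or restructure the filter.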