
User/Group Synchronization

Please create a complete backup before making any changes to an interface/import. If the result is not satisfactory, the backup can then be restored.

This article shows you how to import users and groups from Active Directory into i-doit in a targeted manner. The import is always performed via the console.php command ldap-sync. At the end of this article you will find a complete example of an extended configuration.

Prerequisites:

  • You have already set up the basic LDAP/AD configuration.
  • You have basic knowledge in the area of AD/LDAP.

In the following examples, objectClass = user is used for persons and objectClass = group for groups. If you do not want to synchronize all users or groups of the domain, enter the DN/CN of an OU or container under Search for users in (OU).


Configuring the filters

Import of all users

With this filter you synchronize only users; groups are not created in this process:

(objectClass=user)

Import of users with specific attributes

You can filter for a specific attribute. In the following example, only the user whose sAMAccountName has the value MichaelO is synchronized:

(&(objectClass=user)(sAMAccountName=MichaelO))

Import of all users and all groups

This filter creates both users and groups and assigns the users to the respective groups:

(|(objectClass=user)(objectClass=group))

Import of users who are members of the group idoit-read

With this filter you synchronize only users who are members of the group idoit-read:

(&(objectClass=user)(memberOf=CN=idoit-read,CN=Users,DC=synetics,DC=test))

Import of users who are members of both idoit-read and idoit-write

This filter synchronizes only users who are simultaneously members of the groups idoit-read and idoit-write:

(&(objectClass=user)(&(memberOf=CN=idoit-read,CN=Users,DC=synetics,DC=test)(memberOf=CN=idoit-write,CN=Users,DC=synetics,DC=test)))

Import of users and groups that are below a nested group

Assume you have a group idoit in which the groups idoit-read and idoit-write are members. With this filter, the subordinate groups and their users are automatically created.

The parent group idoit itself is not created in this process. Note that groups in i-doit cannot have other groups as members.

(memberOf:1.2.840.113556.1.4.1941:=CN=idoit,CN=Users,DC=synetics,DC=test)

How to filter users with more than one objectClass

If users are distinguished by having two objectClass attributes (e.g. person and user), build the filter as follows:

(&(objectClass=person)(objectClass=user))
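The filters in the sections above can also be assembled from parts. The following Python example is added here and is not i-doit's own code; it rebuilds each filter from this article with RFC 4515 value escaping, so a value that comes from user input (a sAMAccountName, a group DN) is always read as literal text and cannot change the structure of the filter. The matching-rule OID is the one used in the nested-group filter above.

```python
# LDAP_MATCHING_RULE_IN_CHAIN, the OID used in the nested-group filter above.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: these characters must be escaped as \XX inside a value,
# so they are read as literal text rather than as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Escape an assertion value before placing it in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eq(attribute, value):
    """Equality item, e.g. (objectClass=user)."""
    return f"({attribute}={escape_value(value)})"


def member_of_chain(group_dn):
    """Transitive group membership via the in-chain matching rule."""
    return f"(memberOf:{IN_CHAIN}:={escape_value(group_dn)})"


def and_(*items):
    return "(&" + "".join(items) + ")"


def or_(*items):
    return "(|" + "".join(items) + ")"


def is_balanced(flt):
    """After escaping, every raw parenthesis is structural, so they must balance."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# The filters from this article, rebuilt from parts.
ALL_USERS = eq("objectClass", "user")
ONE_USER = and_(ALL_USERS, eq("sAMAccountName", "MichaelO"))
USERS_AND_GROUPS = or_(ALL_USERS, eq("objectClass", "group"))
READERS = and_(ALL_USERS, eq("memberOf", "CN=idoit-read,CN=Users,DC=synetics,DC=test"))
NESTED = member_of_chain("CN=idoit,CN=Users,DC=synetics,DC=test")
```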

Which additional attributes can be imported via the ldap.ini

Make sure you are familiar with the ldap.ini configuration and have already configured the attribute extensions. The following settings use the [additional] section of the .ini file.

Configuring the attribute extensions


The configuration as a table:

Field name      Attribute    Mapping with
Field name 1    objectSid    Key: custom_1
Field name 2    objectGUID   Key: custom_2
Field name 3    -            Key: custom_3
Field name 4    -            Key: custom_4
Field name 5    -            Key: custom_5
Field name 6    -            Key: custom_6
Field name 7    -            Key: custom_7
Field name 8    -            Key: custom_8

Statically assign users to rooms

In the ldap.ini you can enter fixed assignments of users to rooms. The users are then assigned to the respective room as a contact. The rooms must already exist in i-doit.

;Attach users to Rooms statically
rooms["Room"]=["Username1","Username2"]

Assign users as contacts to rooms

It is possible to assign persons as contacts to rooms via the import_rooms function. To do so, the import_rooms option must be set to true. Rooms are created automatically, but without a location.

;Import rooms from ldap
import_rooms=true
attributes[office]=physicalDeliveryOfficeName

Setting the salutation

To automatically set the salutation during import, configure the option attributes[salutation]= in the .ini file. In the following example, the AD attribute displayNamePrintable is used. You can also use other attributes, as long as they are present in the AD.

The value of the attribute displayNamePrintable could be e.g. "Herr", "Mr", "Mr." or "Frau", "Mrs.", "Mrs", "Ms.", "Ms", "Miss". These values can be configured in the Administration under [tenant-name] Administration > Settings for [tenant-name] > LDAP.

attributes[salutation]=displayNamePrintable

This setting has been included in the example of the complete .ini file at the end of this article.


How to import attributes from LDAP

If you have already configured the attribute extensions, you must next adjust the configuration file of the LDAP sync (ldap.ini).

The available attributes can be found in your AD configuration. An overview of which attributes belong to which field can be found e.g. at SelfADSI.

The following example shows a typical attribute mapping:

;Default fields that are already present in the master data of persons
attributes[department]=department
attributes[phone_company]=telephonenumber
attributes[phone_home]=homephone
attributes[phone_mobile]=mobile
attributes[fax]=facsimileTelephoneNumber
attributes[description]=info
attributes[personnel_number]=employeeid
attributes[organization]=company
attributes[street]=streetAddress
attributes[city]=l
attributes[zip_code]=postalCode
attributes[function]=title
attributes[service_designation]=title
attributes[pager]=pager

;Attribute extension for persons only
attributes[custom_1]=objectSid
attributes[custom_2]=objectGUID
;attributes[custom_3]=
;attributes[custom_4]=
;attributes[custom_5]=
;attributes[custom_6]=
;attributes[custom_7]=
;attributes[custom_8]=

In this example, the master data attribute department is mapped to the LDAP attribute of the same name. Additionally, the attribute extension is used. An entry such as

attributes[custom_1]=objectSid

works as follows: attributes instructs the handler to synchronize the i-doit attribute [custom_1] with the LDAP attribute objectSid. After synchronization, the imported value appears in the person's master data:



Additional options

autoReactivateUsers

This setting automatically sets all users to "normal" status before synchronization. This is helpful if users have been accidentally archived or deleted.

Info

Be aware that with NDS or OpenLDAP it is currently not possible to identify deleted users in order to archive them later. Users are then always enabled!

autoReactivateUsers=false

ignoreUsersWithAttributes

With this option you prevent the synchronization of unwanted directory objects. A user is not synchronized when ignoreFunction fails for ALL selected attributes.

By default ignoreUsersWithAttributes=[] is set, so nothing is ignored.

In the following example, only users are imported whose attributes samaccountname, sn, givenname, and mail are not empty:

ignoreUsersWithAttributes[] = "samaccountname"
ignoreUsersWithAttributes[] = "sn"
ignoreUsersWithAttributes[] = "givenname"
ignoreUsersWithAttributes[] = "mail"

ignoreFunction

The check function for ignoring users (see ignoreUsersWithAttributes). This can be any function name callable via call_user_func or the following defined functions:

empty
!empty
isset
!isset

Example: empty is executed as empty($value).

To check for empty attributes:

ignoreFunction=empty

Synchronize empty attributes

This option decides whether emptied attributes from AD should be synchronized with i-doit or not.

syncEmptyAttributes=true

The complete ldap.ini

Here you will find a complete, customizable .ini file. The first part is based on the configuration file for console commands.

[commandArguments]
[commandOptions]
user=admin
password=admin
tenantId=1
[additional]
;Import rooms from ldap
import_rooms=false
attributes[office]=physicalDeliveryOfficeName

;Automatically assign this company to every ldap user
defaultCompany=''

;What to do with deleted users - archive, delete, purge
deletedUsersBehaviour=archive

;What to do with disabled users - archive, delete, disable_login
disabledUsersBehaviour=disable_login

;Attach users to Rooms statically
;rooms["Room"]=["Username1","Username2"]

;LDAP Attributes are individual. This default configuration is prepared for Active Directory:
attributes[department]=department
attributes[phone_company]=telephonenumber
attributes[phone_home]=homephone
attributes[phone_mobile]=mobile
attributes[fax]=facsimileTelephoneNumber
attributes[description]=info
attributes[personnel_number]=employeeid
attributes[organization]=company
attributes[street]=streetAddress
attributes[city]=l
attributes[zip_code]=postalCode
attributes[function]=title
attributes[service_designation]=title
attributes[pager]=pager
attributes[salutation]=displayNamePrintable

;Category extension for persons. Only has an effect when activated
attributes[custom_1]=objectSid
attributes[custom_2]=objectGUID
;attributes[custom_3]=
;attributes[custom_4]=
;attributes[custom_5]=
;attributes[custom_6]=
;attributes[custom_7]=
;attributes[custom_8]=

;Automatically sets all users to status normal (NDS and OpenLDAP)
autoReactivateUsers=false

;Disable sync for users with Attributes checked against 'ignoreFunction'
ignoreUsersWithAttributes[]="sn"

;The check function used for ignoring users (see 'ignoreUsersWithAttributes') empty - !empty - isset - !isset
ignoreFunction=empty

;This option decides whether empty or emptied attributes from AD should be synchronized with i-doit or not.
syncEmptyAttributes=true

For the .ini file to be used, it must be specified with the -c parameter.

sudo -u www-data php console.php ldap-sync -c /var/www/html/src/handler/config/ldap-sync.ini
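Because the sync changes user objects in bulk, it pays to check the .ini before running it. The following Python pre-flight lint is added here and is not part of i-doit; it reads the [additional] section in the PHP-style syntax shown above (key[]= lists, key[sub]= mappings) and checks the option values against the ranges documented in the comments of the complete ldap.ini and the custom_1..custom_8 fields of the attribute-extension table. The sample .ini is constructed for this example, and treating an empty LDAP attribute name as a mistake is the lint's own assumption.

```python
import re

# Constructed sample in the ldap.ini format shown above (not a real configuration).
SAMPLE_INI = """[additional]
deletedUsersBehaviour=archive
disabledUsersBehaviour=disable_login
attributes[custom_1]=objectSid
ignoreUsersWithAttributes[]="sn"
ignoreUsersWithAttributes[]="mail"
ignoreFunction=empty
"""
# Allowed values, taken from the comments in the complete ldap.ini above.
ALLOWED = {"deletedUsersBehaviour": {"archive", "delete", "purge"},
           "disabledUsersBehaviour": {"archive", "delete", "disable_login"},
           "ignoreFunction": {"empty", "!empty", "isset", "!isset"}}
CUSTOM_FIELDS = {f"custom_{i}" for i in range(1, 9)}  # Field name 1..8 in the table
LINE = re.compile(r"^([A-Za-z_]\w*)(?:\[([^\]]*)\])?\s*=\s*(.*?)$")


def parse_additional(text):
    """Read the [additional] section; key[]= collects a list, key[sub]= a mapping."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        match = LINE.match(line)
        if section != "additional" or not match:
            continue  # [commandOptions] etc. belong to the console command itself
        key, sub, value = match.group(1), match.group(2), match.group(3).strip("\"'")
        if sub is None:
            cfg[key] = value
        elif sub == "":
            cfg.setdefault(key, []).append(value)
        else:
            cfg.setdefault(key, {})[sub] = value
    return cfg


def lint(cfg):
    """Return problems found; an empty list means the documented constraints hold."""
    problems = [f"{k}={cfg[k]!r} not one of {sorted(v)}"
                for k, v in ALLOWED.items() if k in cfg and cfg[k] not in v]
    for target, source in cfg.get("attributes", {}).items():
        if target.startswith("custom_") and target not in CUSTOM_FIELDS:
            problems.append(f"attributes[{target}]: only custom_1..custom_8 exist")
        if not source:  # assumption: an empty LDAP attribute name is a mistake
            problems.append(f"attributes[{target}] maps to no LDAP attribute")
    return problems
```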
