LDAP: impossible to import the same login user from multiple AD
Version
10.0.18
Bug description
I am not able to import the same login user from different domains.
Relevant log output
Page URL
No response
Steps To reproduce
1. Administration
2. Users
3. LDAP directory link
4. Import new user
5. Select "LDAP directory choice"
6. "Select the desired entity"
7. Push "search"
8. The same for the other domain
9. Import the user from the first domain (for example CMSR)
10. Try to import the same user from another domain (for example VillaBerica); this is the result
Your GLPI setup information
Information about system installation and configuration
GLPI 10.0.18 ( => /data/www/html/glpi-10.0.18) Installation mode: TARBALL Current language:en_GB
Server
Operating system: Linux xxxxxx 6.8.0-60-generic #63-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 15 19:04:15 UTC 2025 x86_64 PHP 8.3.6 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, apcu, bcmath, bz2, calendar, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, imagick, imap, intl, json, ldap, libxml, mbstring, mysqli, mysqlnd, openssl, pcre, pdo_mysql, posix, random, readline, session, shmop, soap, sockets, sodium, standard, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib) Setup: max_execution_time="30" memory_limit="128M" post_max_size="8M" safe_mode="" session.save_handler="files" upload_max_filesize="2M" disable_functions="" Software: Apache/2.4.58 (Ubuntu) (Apache/2.4.58 (Ubuntu) Server at xxxxxxx Port 443 ) Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Server Software: Ubuntu 24.04 Server Version: 10.11.11-MariaDB-0ubuntu0.24.04.2-log Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION Parameters: xxxxxx@xxxxxxxxglpi Host info: xxxxxxxx via TCP/IPPHP version (8.3.6) is supported. Sessions configuration is OK. Allocated memory is sufficient. mysqli extension is installed. Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter. curl extension is installed. gd extension is installed. intl extension is installed. zlib extension is installed. The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present. Database engine version (10.11.11) is supported. No files from previous GLPI version detected. The log file has been created successfully. Write access to /data/www/html/glpi-10.0.18/files/_cache has been validated. Write access to /data/www/html/glpi-10.0.18/files/_cron has been validated. Write access to /data/www/html/glpi-10.0.18/files has been validated. 
Write access to /data/www/html/glpi-10.0.18/files/_dumps has been validated. Write access to /data/www/html/glpi-10.0.18/files/_graphs has been validated. Write access to /data/www/html/glpi-10.0.18/files/_lock has been validated. Write access to /data/www/html/glpi-10.0.18/files/_pictures has been validated. Write access to /data/www/html/glpi-10.0.18/files/_plugins has been validated. Write access to /data/www/html/glpi-10.0.18/files/_rss has been validated. Write access to /data/www/html/glpi-10.0.18/files/_sessions has been validated. Write access to /data/www/html/glpi-10.0.18/files/_tmp has been validated. Write access to /data/www/html/glpi-10.0.18/files/_uploads has been validated.
Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details. The following directories should be placed outside "/data/www/html/glpi-10.0.18": ‣ "/data/www/html/glpi-10.0.18/files" ("GLPI_VAR_DIR") You can ignore this suggestion if your web server root directory is "/data/www/html/glpi-10.0.18/public". PHP directive "session.cookie_secure" should be set to "on" when GLPI can be accessed on HTTPS protocol. OS and PHP are relying on 64 bits integers. exif extension is installed. ldap extension is installed. openssl extension is installed. Following extensions are installed: bz2, Phar, zip. Zend OPcache extension is installed. Following extensions are installed: ctype, iconv, mbstring, sodium. Write access to /data/www/html/glpi-10.0.18/marketplace has been validated. Timezones seems loaded in database.
GLPI constants
GLPI_ROOT: "/data/www/html/glpi-10.0.18" GLPI_CONFIG_DIR: "/data/www/html/glpi-10.0.18/config" GLPI_VAR_DIR: "/data/www/html/glpi-10.0.18/files" GLPI_MARKETPLACE_DIR: "/data/www/html/glpi-10.0.18/marketplace" GLPI_USE_CSRF_CHECK: "1" GLPI_CSRF_EXPIRES: "7200" GLPI_CSRF_MAX_TOKENS: "100" GLPI_USE_IDOR_CHECK: "1" GLPI_IDOR_EXPIRES: "7200" GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false GLPI_SERVERSIDE_URL_ALLOWLIST: ["#^http://[^@:]+(:80)?(/.)?$#","#^https://[^@:]+(:443)?(/.)?$#","#^feed://[^@:]+(/.)?$#"] GLPI_DISALLOWED_UPLOADS_PATTERN: "/\.(php\d|phar)$/i" GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org" GLPI_INSTALL_MODE: "TARBALL" GLPI_NETWORK_MAIL: "[email protected]" GLPI_NETWORK_SERVICES: "https://services.glpi-network.com" GLPI_MARKETPLACE_ALLOW_OVERRIDE: true GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true GLPI_USER_AGENT_EXTRA_COMMENTS: "" GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1" GLPI_AJAX_DASHBOARD: "1" GLPI_CALDAV_IMPORT_STATE: 0 GLPI_DEMO_MODE: "0" GLPI_CENTRAL_WARNINGS: "1" GLPI_TEXT_MAXSIZE: "4000" GLPI_DOC_DIR: "/data/www/html/glpi-10.0.18/files" GLPI_CACHE_DIR: "/data/www/html/glpi-10.0.18/files/_cache" GLPI_CRON_DIR: "/data/www/html/glpi-10.0.18/files/_cron" GLPI_DUMP_DIR: "/data/www/html/glpi-10.0.18/files/_dumps" GLPI_GRAPH_DIR: "/data/www/html/glpi-10.0.18/files/_graphs" GLPI_LOCAL_I18N_DIR: "/data/www/html/glpi-10.0.18/files/_locales" GLPI_LOCK_DIR: "/data/www/html/glpi-10.0.18/files/_lock" GLPI_LOG_DIR: "/data/www/html/glpi-10.0.18/files/_log" GLPI_PICTURE_DIR: "/data/www/html/glpi-10.0.18/files/_pictures" GLPI_PLUGIN_DOC_DIR: "/data/www/html/glpi-10.0.18/files/_plugins" GLPI_RSS_DIR: "/data/www/html/glpi-10.0.18/files/_rss" GLPI_SESSION_DIR: "/data/www/html/glpi-10.0.18/files/_sessions" GLPI_TMP_DIR: "/data/www/html/glpi-10.0.18/files/_tmp" GLPI_UPLOAD_DIR: "/data/www/html/glpi-10.0.18/files/_uploads" GLPI_INVENTORY_DIR: "/data/www/html/glpi-10.0.18/files/_inventories" GLPI_NETWORK_REGISTRATION_API_URL: 
"https://services.glpi-network.com/api/registration/" GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/" GLPI_I18N_DIR: "/data/www/html/glpi-10.0.18/locales" GLPI_VERSION: "10.0.18" GLPI_SCHEMA_VERSION: "10.0.18@d64066799f068b16ee973b377bdd13f984fe062a" GLPI_MARKETPLACE_PRERELEASES: false GLPI_MIN_PHP: "7.4.0" GLPI_MAX_PHP: "8.4.0" GLPI_YEAR: "2025"
Libraries
htmlawed/htmlawed version 1.2.14 in (/data/www/html/glpi-10.0.18/vendor/htmlawed/htmlawed) phpmailer/phpmailer version 6.8.0 in (/data/www/html/glpi-10.0.18/vendor/phpmailer/phpmailer/src) simplepie/simplepie version 1.5.8 in (/data/www/html/glpi-10.0.18/vendor/simplepie/simplepie/library) tecnickcom/tcpdf version 6.8.0 in (/data/www/html/glpi-10.0.18/vendor/tecnickcom/tcpdf) michelf/php-markdown in (/data/www/html/glpi-10.0.18/vendor/michelf/php-markdown/Michelf) true/punycode in (/data/www/html/glpi-10.0.18/vendor/true/punycode/src) iamcal/lib_autolink in (/data/www/html/glpi-10.0.18/vendor/iamcal/lib_autolink) sabre/dav in (/data/www/html/glpi-10.0.18/vendor/sabre/dav/lib/DAV) sabre/http in (/data/www/html/glpi-10.0.18/vendor/sabre/http/lib) sabre/uri in (/data/www/html/glpi-10.0.18/vendor/sabre/uri/lib) sabre/vobject in (/data/www/html/glpi-10.0.18/vendor/sabre/vobject/lib) laminas/laminas-i18n in (/data/www/html/glpi-10.0.18/vendor/laminas/laminas-i18n/src) laminas/laminas-servicemanager in (/data/www/html/glpi-10.0.18/vendor/laminas/laminas-servicemanager/src) monolog/monolog in (/data/www/html/glpi-10.0.18/vendor/monolog/monolog/src/Monolog) sebastian/diff in (/data/www/html/glpi-10.0.18/vendor/sebastian/diff/src) donatj/phpuseragentparser in (/data/www/html/glpi-10.0.18/vendor/donatj/phpuseragentparser/src/UserAgent) elvanto/litemoji in (/data/www/html/glpi-10.0.18/vendor/elvanto/litemoji/src) symfony/console in (/data/www/html/glpi-10.0.18/vendor/symfony/console) scssphp/scssphp in (/data/www/html/glpi-10.0.18/vendor/scssphp/scssphp/src) laminas/laminas-mail in (/data/www/html/glpi-10.0.18/vendor/laminas/laminas-mail/src/Protocol) laminas/laminas-mime in (/data/www/html/glpi-10.0.18/vendor/laminas/laminas-mime/src) rlanvin/php-rrule in (/data/www/html/glpi-10.0.18/vendor/rlanvin/php-rrule/src) ramsey/uuid in (/data/www/html/glpi-10.0.18/vendor/ramsey/uuid/src) psr/log in (/data/www/html/glpi-10.0.18/vendor/psr/log/Psr/Log) psr/simple-cache in 
(/data/www/html/glpi-10.0.18/vendor/psr/simple-cache/src) psr/cache in (/data/www/html/glpi-10.0.18/vendor/psr/cache/src) league/csv in (/data/www/html/glpi-10.0.18/vendor/league/csv/src) mexitek/phpcolors in (/data/www/html/glpi-10.0.18/vendor/mexitek/phpcolors/src/Mexitek/PHPColors) guzzlehttp/guzzle in (/data/www/html/glpi-10.0.18/vendor/guzzlehttp/guzzle/src) guzzlehttp/psr7 in (/data/www/html/glpi-10.0.18/vendor/guzzlehttp/psr7/src) glpi-project/inventory_format in (/data/www/html/glpi-10.0.18/vendor/glpi-project/inventory_format/lib/php) wapmorgan/unified-archive in (/data/www/html/glpi-10.0.18/vendor/wapmorgan/unified-archive/src) paragonie/sodium_compat in (/data/www/html/glpi-10.0.18/vendor/paragonie/sodium_compat/src) symfony/cache in (/data/www/html/glpi-10.0.18/vendor/symfony/cache) html2text/html2text in (/data/www/html/glpi-10.0.18/vendor/html2text/html2text/src) symfony/css-selector in (/data/www/html/glpi-10.0.18/vendor/symfony/css-selector) symfony/dom-crawler in (/data/www/html/glpi-10.0.18/vendor/symfony/dom-crawler) twig/twig in (/data/www/html/glpi-10.0.18/vendor/twig/twig/src) twig/string-extra in (/data/www/html/glpi-10.0.18/vendor/twig/string-extra) symfony/polyfill-ctype not found symfony/polyfill-iconv not found symfony/polyfill-mbstring not found symfony/polyfill-php80 not found symfony/polyfill-php81 not found symfony/polyfill-php82 in (/data/www/html/glpi-10.0.18/vendor/symfony/polyfill-php82) league/oauth2-client in (/data/www/html/glpi-10.0.18/vendor/league/oauth2-client/src/Provider) league/oauth2-google in (/data/www/html/glpi-10.0.18/vendor/league/oauth2-google/src/Provider) thenetworg/oauth2-azure in (/data/www/html/glpi-10.0.18/vendor/thenetworg/oauth2-azure/src/Provider) phpCas version 1.6.0 in (/usr/share/php/CAS/source)
LDAP directories
- Server: 'xxxxxx', Port: '389', BaseDN: 'OU=xxxxxxx,DC=xxxxxxx,DC=local', Connection filter: '(&(objectClass=user)(objectCategory=person))', RootDN: 'CN=xxxxxx,OU=xxxxxxxxx xxxxxxx,DC=xxxxxxxx,DC=local', Use TLS: none
- Server: 'xxxxxxxx', Port: '389', BaseDN: 'DC=xxxxxxxx,DC=local', Connection filter: '(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))', RootDN: 'CN=xxxxxxxxx,OU=xxxxxxxxx,DC=xxxxxxx,DC=local', Use TLS: none
- Server: 'xxxxxxx', Port: '389', BaseDN: 'DC=xxxxxxxxx,DC=local', Connection filter: '(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))', RootDN: 'CN=xxxxxxxx,OU=xxxxxxxx,DC=xxxxxxxx,DC=local', Use TLS: none
SQL replicas
Not active
Notifications
Way of sending emails: PHP
Plugins list
- fields Name: Campi aggiuntivi Version: 1.21.22 State: Enabled Install Method: Marketplace
- formcreator Name: Form Creator Version: 2.13.10 State: Enabled Install Method: Marketplace
- glpiinventory Name: GLPI Inventory Version: 1.5.3 State: Enabled Install Method: Marketplace
- mreporting Name: More Reporting Version: 1.8.7 State: Enabled Install Method: Marketplace
- oauthimap Name: Oauth IMAP Version: 1.4.3 State: Enabled Install Method: Marketplace
- tasklists Name: Tasks list Version: 2.0.4 State: Not installed Install Method: Marketplace
Anything else?
No response
What Synchronization field is configured for these Authentication servers in GLPI?
Thank you for the reply. If I have understood correctly, the synchronization fields are:
- Last Name --> sn
- First Name --> givenname
- Email --> mail
- Phone --> telephonenumber

The data of the LDAP directories are:
- Connection Filter --> (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
- BaseDN --> DC=domain,DC=local

I think that the issue is only in this page: https://domain/front/ldap.import.php. I tried to connect with the same user (Test) in every domain. The login was good and I see three users "test" in the users list.
As it happens, we've had this problem for a few years. In 2018 we made a fresh instance with 11 domains, using objectguid as sync_field and syncing the ADs with bin/console glpi:ldap:synchronize_users.
The console call correctly imports colliding names (at last check, which was admittedly a while ago).
But there's a caveat: if you use SSO (with auth_gssapi or auth_kerb), GLPI takes your Kerberos principal and jettisons the realm part, keeping only the username part to do its user search.
So if A.ORG\username and B.ORG\username both exist in GLPI, both having the same login "username", SSO will log them both as the first user created in the base.
And if username exists in C.ORG but not in GLPI, SSO will also happily log them in as the first match for "username" in the base.
I've had to patch src/Auth.php and src/AuthLDAP.php to add realm-checking, though it's rather rough and probably misses some edge cases. I haven't had the time to test with v11 yet, maybe that's been corrected?
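The realm collision described in the comment above, as an added example that is not GLPI code and not the commenter's patch: a lookup that discards the realm next to one that requires the realm to map to the directory the account was imported from. Every function name, the realm-to-directory map and the user rows are hypothetical and constructed for illustration; realms are assumed to be upper-cased AD domain names.

```php
<?php
declare(strict_types=1);

/** Split "user@REALM" or "REALM\user" into [login, realm]; realm is null when absent. */
function splitPrincipal(string $principal): array
{
    $principal = trim($principal);
    if (preg_match('/^([^@\\\\]+)@([^@\\\\]+)$/', $principal, $m)) {
        return [$m[1], strtoupper($m[2])];
    }
    if (preg_match('/^([^@\\\\]+)\\\\([^@\\\\]+)$/', $principal, $m)) {
        return [$m[2], strtoupper($m[1])];
    }
    return [$principal, null];
}

/** Behaviour described in the thread: realm dropped, first login match wins. */
function resolveByLoginOnly(string $principal, array $users): ?int
{
    [$login] = splitPrincipal($principal);
    foreach ($users as $u) {
        if (strcasecmp($u['login'], $login) === 0) {
            return $u['id'];
        }
    }
    return null;
}

/** Realm-aware lookup: unknown realm, missing realm or ambiguous match is denied. */
function resolveWithRealm(string $principal, array $realmToDirectory, array $users): ?int
{
    [$login, $realm] = splitPrincipal($principal);
    if ($realm === null || !isset($realmToDirectory[$realm])) {
        return null; // refuse rather than guess a directory
    }
    $dir = $realmToDirectory[$realm];
    $hits = array_values(array_filter(
        $users,
        fn(array $u): bool => strcasecmp($u['login'], $login) === 0 && $u['directory_id'] === $dir
    ));
    return count($hits) === 1 ? $hits[0]['id'] : null;
}

// Constructed sample data: two directories, same login imported from each.
$realmToDirectory = ['A.ORG' => 1, 'B.ORG' => 2];
$users = [
    ['id' => 10, 'login' => 'username', 'directory_id' => 1],
    ['id' => 11, 'login' => 'username', 'directory_id' => 2],
];
foreach (['username@A.ORG', 'username@B.ORG', 'username@C.ORG'] as $p) {
    $loose  = resolveByLoginOnly($p, $users) ?? 'denied';
    $strict = resolveWithRealm($p, $realmToDirectory, $users) ?? 'denied';
    printf("%-16s login-only: %-6s realm-aware: %s\n", $p, $loose, $strict);
}
```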
> I've had to patch src/Auth.php and src/AuthLDAP.php to add realm-checking, though it's rather rough and probably misses some edge cases. I haven't had the time to test with v11 yet, maybe that's been corrected?

Not sure it has been corrected. Could you provide your patch or open a pull request with the proposed changes?
I can do that; although the patch is against 10.0.19, not master. Should I make the PR against 10.0/bugfixes or some other branch?
I can in theory rebase on master, but I wouldn't be able to test it right now.
> I can do that; although the patch is against 10.0.19, not master. Should I make the PR against 10.0/bugfixes or some other branch?
> I can in theory rebase on master, but I wouldn't be able to test it right now.

As long as it fixes a bug, if it does not introduce too much code change, then you can open a PR against the 10.0/bugfixes branch.
Unless the patch is really huge or may affect stability/current behavior, it's OK to open the PR on 10.0/bugfixes branch.
Thank you!
PR #20825 has been made.
~~Just to note, the initial question was: “What Synchronization field is configured for these Authentication servers in GLPI?”~~ ~~I'm not sure if this has been correctly answered. You may find this information in the LDAP directory:~~
~~This field is here for having a way to deduplicate users while keeping the imported login on another field.~~
Forget about it, I need to read better