
[user rules] Users are losing their profile on synchronisation after update #15819

Closed
2 tasks done
keguira opened this issue Oct 18, 2023 · 7 comments

@keguira

keguira commented Oct 18, 2023

Code of Conduct

  • I agree to follow this project's Code of Conduct

Is there an existing issue for this?

  • I have searched the existing issues

Version

10.0.9

Bug description

Currently, we have assignment rules for users during LDAP import.

Rule 1 :
if the user comes from one of our LDAPs, we assign

  • an entity (the same for all LDAP)
  • a default entity (same as previous specified one)
  • a "default profile" we created (named Self Service for this explanation)
  • 'active' to 'yes' to reactivate users deactivated in LDAP

Rule 2 (with multiple iterations for different profiles, but they have the same purpose and the same kind of criteria):
If user contains a specific keyword in '(LDAP) MemberOf', we assign :

  • a dedicated profile we created as profile (name it Technician for this explanation)
  • a dedicated profile we created as default profile

Until now, and this behavior is still the same in production:

  • users without the specific keyword in memberOf have the profile Self Service for the entity and Self Service as default profile
  • Users with it have Technician as profile for the entity and Technician as default profile

I understood it was the correct behavior as the profile would be deduced from default profile and applied in list of profiles automatically.

Now, the issue: on my REC, I had to do some tests for a user that is not allowed to log in due to a non-resolution of profile during connection, even though it has one for the entity (error message: You don't have right to connect).

I tried to play with rules and at some point added an action to rule 1 (a thing I tested some months ago):
new action: "add profile Self-Service".

Previously, this kind of action would have the following result :

  • users without the specific keyword in memberOf have the profile Self Service for the entity and Self Service as default profile.
  • Users with it have two profiles for the entity Technician and Self Service ; default profile is Technician

Now, I see this :

  • users without the specific keyword in memberOf have the profile Self Service for the entity and Self Service as default profile. --> OK
  • users with keyword have only Self-Service for the entity and Self Service as default profile, no more Technician Profile --> KO

Weirder:

I removed the "new" action so that I was in the same state as before and as in production, but now the result of the sync is this:

  • users without the specific keyword in memberOf have no profile for any entity and no default profile --> KO
  • Users with it have Technician for the entity and Technician as default profile --> OK

Edit: precisions and rewording

Relevant log output

No relevant log found

Page URL

No response

Steps To reproduce

No response

Your GLPI setup information

Informations sur le système, l'installation et la configuration
GLPI 10.0.9 ( => /home/glpi/public_html/glpi-10.0.9)
Installation mode: TARBALL
Current language:fr_FR

Server
 
Operating system: Linux REXEX 5.10.0-19-amd64 #1 SMP Debian 5.10.149-1 (2022-10-17) x86_64
PHP 8.1.18 fpm-fcgi (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, bz2, calendar, cgi-fcgi, ctype, curl, date,
dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring, mysqli, mysqlnd, openssl, pcre,
pdo_mysql, posix, readline, session, shmop, sockets, sodium, standard, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlreader,
xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="600" memory_limit="64M" post_max_size="8M" safe_mode="" session.save_handler="files"
upload_max_filesize="2M"
Software: nginx/1.18.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.46
Server Software: MySQL Community Server - GPL
Server Version: 8.0.31
Server SQL Mode: STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION
Parameters: glpiusr@127.0.0.1/glpi
Host info: 127.0.0.1 via TCP/IP

PHP version (8.1.18) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter.
curl extension is installed.
gd extension is installed.
intl extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (8.0.31) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/lib/glpi/_cache has been validated.
Write access to /home/glpi/etc has been validated.
Write access to /var/lib/glpi/_cron has been validated.
Write access to /var/lib/glpi has been validated.
Write access to /var/lib/glpi/_dumps has been validated.
Write access to /var/lib/glpi/_graphs has been validated.
Write access to /var/lib/glpi/_lock has been validated.
Write access to /var/lib/glpi/_pictures has been validated.
Write access to /var/lib/glpi/_plugins has been validated.
Write access to /var/lib/glpi/_rss has been validated.
Write access to /var/lib/glpi/_sessions has been validated.
Write access to /var/lib/glpi/_tmp has been validated.
Write access to /var/lib/glpi/_uploads has been validated.

Web server root directory configuration seems safe.
Sessions configuration is secured.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /home/glpi/public_html/glpi-10.0.9/marketplace has been validated.
Timezones seems loaded in database.

GLPI constants
 
GLPI_ROOT: "/home/glpi/public_html/glpi-10.0.9"
GLPI_CONFIG_DIR: "/home/glpi/etc"
GLPI_VAR_DIR: "/var/lib/glpi"
GLPI_LOG_DIR: "/var/log/glpi"
GLPI_SYSTEM_CRON: true
GLPI_MARKETPLACE_DIR: "/home/glpi/public_html/glpi-10.0.9/marketplace"
GLPI_USE_CSRF_CHECK: "1"
GLPI_CSRF_EXPIRES: "7200"
GLPI_CSRF_MAX_TOKENS: "100"
GLPI_USE_IDOR_CHECK: "1"
GLPI_IDOR_EXPIRES: "7200"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?|feed):\/\/[^@:]+(\/.*)?$/"]
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_INSTALL_MODE: "TARBALL"
GLPI_NETWORK_MAIL: "glpi@teclib.com"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_ALLOW_OVERRIDE: true
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: "0"
GLPI_CENTRAL_WARNINGS: "1"
GLPI_DOC_DIR: "/var/lib/glpi"
GLPI_CACHE_DIR: "/var/lib/glpi/_cache"
GLPI_CRON_DIR: "/var/lib/glpi/_cron"
GLPI_DUMP_DIR: "/var/lib/glpi/_dumps"
GLPI_GRAPH_DIR: "/var/lib/glpi/_graphs"
GLPI_LOCAL_I18N_DIR: "/var/lib/glpi/_locales"
GLPI_LOCK_DIR: "/var/lib/glpi/_lock"
GLPI_PICTURE_DIR: "/var/lib/glpi/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/lib/glpi/_plugins"
GLPI_RSS_DIR: "/var/lib/glpi/_rss"
GLPI_SESSION_DIR: "/var/lib/glpi/_sessions"
GLPI_TMP_DIR: "/var/lib/glpi/_tmp"
GLPI_UPLOAD_DIR: "/var/lib/glpi/_uploads"
GLPI_INVENTORY_DIR: "/var/lib/glpi/_inventories"
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/"
GLPI_I18N_DIR: "/home/glpi/public_html/glpi-10.0.9/locales"
GLPI_VERSION: "10.0.9"
GLPI_SCHEMA_VERSION: "10.0.9@77fc44668eaae89b61d95fe606d20d93d66110cd"
GLPI_MARKETPLACE_PRERELEASES: false
GLPI_MIN_PHP: "7.4.0"
GLPI_MAX_PHP: "8.3.0"
GLPI_YEAR: "2023"

Libraries
 

LDAP directories
 
Server: 'domaine.example.one', Port: '389', BaseDN: 'DC=domaine', Connection filter: '(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=))', RootDN: 'svc_example', Use TLS: none
Server: 'domaine.example.two', Port: '389', BaseDN: 'DC=domaine', Connection filter: '(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=))', RootDN: 'svc_example', Use TLS: none

Locales overrides

Anything else?

Both REC and PROD have same system configuration, GLPI version, plugins, rules, LDAP connectors and profiles.

@cedric-anne
Member

Hi,

Are you using the same GLPI version on both servers, or is there a difference in GLPI versions, plugins, ...?

@keguira
Author

keguira commented Oct 18, 2023

Yes, I added this to "anything else": both REC and PROD have the same system configuration, GLPI version, plugins, rules, LDAP connectors and profiles.

If I summarize, the behavior on REC is that the default profile is not applied by my rule, or not resolved to create the profile entry on the user.
If I delete a user now and try to reimport it, it won't be created, as I forbid user creation without accreditation ("Add a user without accreditation from a LDAP directory" set to "No").

First thought is that it looks like the behavior of my new user on production during login: no profile is deduced during the login sync and he is kicked out of GLPI.

@cedric-anne
Member

What is the specific keyword in '(LDAP) MemberOf'?

@keguira
Author

keguira commented Oct 18, 2023

Rule 1:

Criteria: LDAP directory is domaine.example.one OR LDAP directory is domaine.example.two

Action:

  • Entity Assign Entité racine > Example
  • Default entity Assign Entité racine > Example
  • Active Assign Yes
  • Default profile Assign Self-Service

Rule 2:

Criteria: (LDAP) MemberOf contains CN=GG-GLPI_Technicians_R

Action:

  • Profiles Assign Technician
  • Default profile Assign Technician

Ordered like that.

Simplest rule added by administrators to identify a specific group on multiple LDAPs to assign a profile.


After modification:

Rule 1:

  • Entity Assign Entité racine > Example
  • Default entity Assign Entité racine > Example
  • Active Assign Yes
  • Default profile Assign Self-Service
  • Profiles Self-Service

Then I rolled back and explained the change of behavior.

@keguira
Author

keguira commented Oct 18, 2023

Just tried another simpler rule:

With all other rules for users disabled, the new rule is :

Criteria:

  • Authentication type is LDAP directory:

Action:

  • Default entity Assign Entité racine > Example
  • Active Assign Yes
  • Default profile Assign Self-Service

My users do not gain any dynamic authorization.

Did I miss some other conf somewhere? I see nothing on entity, Authentication conf or general conf that could impact it.

"Test Rule" shows a correct result.
Sync / clean and force sync do not modify the user correctly.

@keguira
Author

keguira commented Oct 18, 2023

@cedric-anne ok, I've found a difference between REC and PROD: the profile Self-Service was not the "default profile" in the list of profiles. More: no profile had this checkbox checked.
After checking it, users gained this profile.

As I see it, this is not the intended behavior: the default profile should have been applied from my rules and take precedence, unless the "default profile" in the rule's action is only for the case of a user with multiple profiles and is not to be used for profile deduction, being set on the user only in this case (which is disturbing).

I also tried to define another "default profile": this is the one assigned to users and authorizations if I do not set any "profile" by rule.

To summarize, what I understood of the mechanism of assigning an authorization to a user by rules:

  1. if a profile is set by rule: add an authorization with the entity specified by rule ("entity" has precedence over "default entity" computed until now)
  2. or else if a default profile is set by rule: add an authorization with the entity specified by rule ("entity" has precedence over "default entity" computed until now)
  3. or else if the default profile is taken from the profile list: add an authorization with the entity specified by rule ("entity" has precedence over "default entity" computed until now)

If no entity is specified by rule or any other configuration -> no authorization is automatically added.

From what I see, 2. is either not real and just a confusion on my part, or a real bug. If not a bug, I have to edit my rules to comply and be less confusing for future admins.
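As an added illustration written for this page (not GLPI's code and not the reporter's), the model below encodes Rule 1 and Rule 2 as listed in this thread together with the resolution order summarized in the comment above, and flags imported users who would end up with no authorization at all, which is the REC symptom. The `rule_default_grants` switch (step 2 of the summary on or off), the data types and the sample users are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

TECH_GROUP = "CN=GG-GLPI_Technicians_R"  # keyword from Rule 2's MemberOf criterion

@dataclass
class LdapUser:
    login: str
    directory: str
    member_of: Tuple[str, ...] = ()

@dataclass
class RuleResult:
    entity: Optional[str] = None
    default_profile: Optional[str] = None
    profiles: Set[str] = field(default_factory=set)

def apply_rules(user: LdapUser) -> RuleResult:
    """Rule 1 then Rule 2 as listed in the thread; both may match one user."""
    r = RuleResult()
    # Rule 1: LDAP directory is domaine.example.one OR domaine.example.two
    if user.directory in ("domaine.example.one", "domaine.example.two"):
        r.entity = "Entité racine > Example"  # Entity and Default entity
        r.default_profile = "Self-Service"
    # Rule 2: (LDAP) MemberOf contains CN=GG-GLPI_Technicians_R
    if any(TECH_GROUP in dn for dn in user.member_of):
        r.profiles.add("Technician")
        r.default_profile = "Technician"
    return r

def authorizations(r: RuleResult, profile_list_default: Optional[str],
                   rule_default_grants: bool) -> Set[Tuple[str, str]]:
    """(profile, entity) pairs after sync. rule_default_grants=True models step 2
    of the reporter's summary; False models what they saw on REC (assumption:
    only an explicit 'Profiles' action or the profile list's default grants)."""
    if r.entity is None:
        return set()
    if r.profiles:
        return {(p, r.entity) for p in r.profiles}
    if rule_default_grants and r.default_profile:
        return {(r.default_profile, r.entity)}
    if profile_list_default:
        return {(profile_list_default, r.entity)}
    return set()

def locked_out(users, profile_list_default, rule_default_grants=False):
    """Logins left with no authorization at all: the condition to alert on."""
    return sorted(u.login for u in users if not authorizations(
        apply_rules(u), profile_list_default, rule_default_grants))

# Constructed sample export, not real directory data.
SAMPLE = [
    LdapUser("alice", "domaine.example.one"),
    LdapUser("bob", "domaine.example.two", ("CN=GG-GLPI_Technicians_R,OU=Groups,DC=domaine",)),
]
```

Running `locked_out(SAMPLE, None)` reproduces the REC state (alice has no access, bob keeps Technician), while `locked_out(SAMPLE, "Self-Service")` is empty, matching what happened once the "default profile" checkbox was set.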

@github-actions bot (Contributor)

There has been no activity on this issue for some time and therefore it is considered stale and will be closed automatically in 10 days.

If this issue is related to a bug, please try to reproduce on the latest release. If the problem persists, feel free to add a comment to revive this issue.
If it is related to a new feature, please open a topic to discuss this enhancement with the community on the suggestion website.

You may also consider taking a subscription to get professional support or contact the GLPI editor team directly.

@github-actions github-actions bot added the Stale label Dec 23, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jan 2, 2024