GLPI behavior differs when user login and user is synchronized #17492

Open
2 tasks done
CHRPAR opened this issue Jul 11, 2024 · 0 comments

CHRPAR commented Jul 11, 2024

Code of Conduct

  • I agree to follow this project's Code of Conduct

Is there an existing issue for this?

  • I have searched the existing issues

Version

10.0.16

Bug description

Problem with dynamic groups from LDAP when a user logs in.
When syncing a user, all groups (and rulerights) are present.
When this user logs in to GLPI, the groups have disappeared (and also the profiles he could have had with the rules).

Relevant log output

There is nothing in the logs when both actions (synchronization / login) are completed

Page URL

No response

Steps To reproduce

1 : synchronize user
2 : see the groups with the user in
3 : user login
4 : observation : the user is no longer in the groups

Your GLPI setup information

Informations sur le système, l'installation et la configuration
GLPI 10.0.16 ( => /var/www/glpi_val)
Installation mode: TARBALL
Current language:fr_FR

Server
 
Operating system: Linux xxxxxxxxxx.xxxxxx.xxxx 5.14.0-362.18.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Wed
Jan 3 15:54:45 EST 2024 x86_64
PHP 8.3.8 fpm-fcgi (Core, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, bz2, calendar, cgi-fcgi, ctype, curl, date, dom,
exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring, mysqli, mysqlnd, openssl, pcre,
pdo_mysql, pdo_sqlite, pdo_sqlsrv, random, session, soap, sockets, sodium, sqlite3, sqlsrv, standard, tokenizer, xml, xmlreader,
xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="30" memory_limit="128M" post_max_size="8M" safe_mode="" session.save_handler="files"
upload_max_filesize="2M" disable_functions=""
Software: Apache/2.4.57 (Red Hat Enterprise Linux) ()
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Iron Safari/537.36
Server Software: MariaDB Server
Server Version: 10.11.8-MariaDB
Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
Parameters: remoteAcces@10.206.83.248/glpivalidation
Host info: 10.206.83.248 via TCP/IP

PHP version (8.3.8) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter.
curl extension is installed.
gd extension is installed.
intl extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.11.8) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/lib/glpi_val/_cache has been validated.
Write access to /var/lib/glpi_val/_cron has been validated.
Write access to /var/lib/glpi_val has been validated.
Write access to /var/lib/glpi_val/_dumps has been validated.
Write access to /var/lib/glpi_val/_graphs has been validated.
Write access to /var/lib/glpi_val/_lock has been validated.
Write access to /var/lib/glpi_val/_pictures has been validated.
Write access to /var/lib/glpi_val/_plugins has been validated.
Write access to /var/lib/glpi_val/_rss has been validated.
Write access to /var/lib/glpi_val/_sessions has been validated.
Write access to /var/lib/glpi_val/_tmp has been validated.
Write access to /var/lib/glpi_val/_uploads has been validated.
For security reasons, SELinux mode should be Enforcing.

Web server root directory configuration seems safe.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/glpi_val/marketplace has been validated.
Timezones seems loaded in database.

GLPI constants
 
GLPI_ROOT: "/var/www/glpi_val"
GLPI_CONFIG_DIR: "/etc/glpi_val"
GLPI_VAR_DIR: "/var/lib/glpi_val"
GLPI_LOG_DIR: "/var/log/glpi_val"
GLPI_MARKETPLACE_DIR: "/var/www/glpi_val/marketplace"
GLPI_USE_CSRF_CHECK: "1"
GLPI_CSRF_EXPIRES: "7200"
GLPI_CSRF_MAX_TOKENS: "100"
GLPI_USE_IDOR_CHECK: "1"
GLPI_IDOR_EXPIRES: "7200"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?|feed):\/\/[^@:]+(\/.*)?$/"]
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_INSTALL_MODE: "TARBALL"
GLPI_NETWORK_MAIL: "glpi@teclib.com"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_ALLOW_OVERRIDE: true
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: "0"
GLPI_CENTRAL_WARNINGS: "1"
GLPI_TEXT_MAXSIZE: "4000"
GLPI_DOC_DIR: "/var/lib/glpi_val"
GLPI_CACHE_DIR: "/var/lib/glpi_val/_cache"
GLPI_CRON_DIR: "/var/lib/glpi_val/_cron"
GLPI_DUMP_DIR: "/var/lib/glpi_val/_dumps"
GLPI_GRAPH_DIR: "/var/lib/glpi_val/_graphs"
GLPI_LOCAL_I18N_DIR: "/var/lib/glpi_val/_locales"
GLPI_LOCK_DIR: "/var/lib/glpi_val/_lock"
GLPI_PICTURE_DIR: "/var/lib/glpi_val/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/lib/glpi_val/_plugins"
GLPI_RSS_DIR: "/var/lib/glpi_val/_rss"
GLPI_SESSION_DIR: "/var/lib/glpi_val/_sessions"
GLPI_TMP_DIR: "/var/lib/glpi_val/_tmp"
GLPI_UPLOAD_DIR: "/var/lib/glpi_val/_uploads"
GLPI_INVENTORY_DIR: "/var/lib/glpi_val/_inventories"
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/"
GLPI_I18N_DIR: "/var/www/glpi_val/locales"
GLPI_VERSION: "10.0.16"
GLPI_SCHEMA_VERSION: "10.0.16@b13256c443dd4fdb27b4a0d3b8fea8caba4dfaa9"
GLPI_MARKETPLACE_PRERELEASES: false
GLPI_MIN_PHP: "7.4.0"
GLPI_MAX_PHP: "8.4.0"
GLPI_YEAR: "2024"

Libraries
 
htmlawed/htmlawed version 1.2.14 in (/var/www/glpi_val/vendor/htmlawed/htmlawed)
phpmailer/phpmailer version 6.8.0 in (/var/www/glpi_val/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.8 in (/var/www/glpi_val/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.4.4 in (/var/www/glpi_val/plugins/pdf/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/var/www/glpi_val/vendor/michelf/php-markdown/Michelf)
true/punycode in (/var/www/glpi_val/vendor/true/punycode/src)
iamcal/lib_autolink in (/var/www/glpi_val/vendor/iamcal/lib_autolink)
sabre/dav in (/var/www/glpi_val/vendor/sabre/dav/lib/DAV)
sabre/http in (/var/www/glpi_val/vendor/sabre/http/lib)
sabre/uri in (/var/www/glpi_val/vendor/sabre/uri/lib)
sabre/vobject in (/var/www/glpi_val/vendor/sabre/vobject/lib)
laminas/laminas-i18n in (/var/www/glpi_val/vendor/laminas/laminas-i18n/src)
laminas/laminas-servicemanager in (/var/www/glpi_val/vendor/laminas/laminas-servicemanager/src)
monolog/monolog in (/var/www/glpi_val/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/var/www/glpi_val/vendor/sebastian/diff/src)
donatj/phpuseragentparser in (/var/www/glpi_val/vendor/donatj/phpuseragentparser/src/UserAgent)
elvanto/litemoji in (/var/www/glpi_val/vendor/elvanto/litemoji/src)
symfony/console in (/var/www/glpi_val/vendor/symfony/console)
scssphp/scssphp in (/var/www/glpi_val/vendor/scssphp/scssphp/src)
laminas/laminas-mail in (/var/www/glpi_val/vendor/laminas/laminas-mail/src/Protocol)
laminas/laminas-mime in (/var/www/glpi_val/vendor/laminas/laminas-mime/src)
rlanvin/php-rrule in (/var/www/glpi_val/vendor/rlanvin/php-rrule/src)
ramsey/uuid in (/var/www/glpi_val/vendor/ramsey/uuid/src)
psr/log in (/var/www/glpi_val/vendor/psr/log/Psr/Log)
psr/simple-cache in (/var/www/glpi_val/vendor/psr/simple-cache/src)
psr/cache in (/var/www/glpi_val/vendor/psr/cache/src)
league/csv in (/var/www/glpi_val/vendor/league/csv/src)
mexitek/phpcolors in (/var/www/glpi_val/vendor/mexitek/phpcolors/src/Mexitek/PHPColors)
guzzlehttp/guzzle in (/var/www/glpi_val/vendor/guzzlehttp/guzzle/src)
guzzlehttp/psr7 in (/var/www/glpi_val/vendor/guzzlehttp/psr7/src)
glpi-project/inventory_format in (/var/www/glpi_val/vendor/glpi-project/inventory_format/lib/php)
wapmorgan/unified-archive in (/var/www/glpi_val/vendor/wapmorgan/unified-archive/src)
paragonie/sodium_compat in (/var/www/glpi_val/vendor/paragonie/sodium_compat/src)
symfony/cache in (/var/www/glpi_val/vendor/symfony/cache)
html2text/html2text in (/var/www/glpi_val/vendor/html2text/html2text/src)
symfony/css-selector in (/var/www/glpi_val/vendor/symfony/css-selector)
symfony/dom-crawler in (/var/www/glpi_val/vendor/symfony/dom-crawler)
twig/twig in (/var/www/glpi_val/vendor/twig/twig/src)
twig/string-extra in (/var/www/glpi_val/vendor/twig/string-extra)
symfony/polyfill-ctype not found
symfony/polyfill-iconv not found
symfony/polyfill-mbstring not found
symfony/polyfill-php80 not found
symfony/polyfill-php81 not found
symfony/polyfill-php82 in (/var/www/glpi_val/vendor/symfony/polyfill-php82)
league/oauth2-client in (/var/www/glpi_val/vendor/league/oauth2-client/src/Provider)
league/oauth2-google in (/var/www/glpi_val/vendor/league/oauth2-google/src/Provider)
thenetworg/oauth2-azure in (/var/www/glpi_val/vendor/thenetworg/oauth2-azure/src/Provider)

LDAP directories
 
Server: 'ldaps://XXXXXXXXX.XXXX.XXXX', Port: '636', BaseDN: 'ou=XXXXXX,dc=XXXXX', Connection filter:
'(&(objectClass=XXXXXX)(uid=*)(nsAccountLock=FALSE))', RootDN: 'ou=XXXX,ou=XXXXXX,ou=XXXXX,dc=XXXX',
Use TLS: none
Server: 'ldap://XXXXXXX.XXX.XXXXX', Port: '389', BaseDN: 'DC=XXXX,DC=XXX,DC=XXXXXX', Connection filter:
'(&(objectClass=user)(objectCategory=person)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))', RootDN:
'XXXXX\XXXXXXX', Use TLS: none
Server: 'ldap://XXXXXXX.XXX.XXXXX', Port: '389', BaseDN: 'ou=XXXXXXX,dc=XXXXXX', Connection filter:
'(&(objectClass=XXXXX)(uid=*)(nsAccountLock=FALSE))', RootDN:
'cn=XXXXXI,ou=XXXX,ou=XXXXX,OU=XXXX,dc=XXXX', Use TLS: none

SQL replicas
 
Not active

Notifications
 
Way of sending emails: SMTP (anonymous@XXX.XX.XXXXX)

Plugins list
 
addressing Name: Adressage IP Version: 3.0.1 State: To update
Install Method: Manual
treeview Name: Arborescence Version: 1.10.2 State: Enabled
Install Method: Manual
behaviors Name: Comportements Version: 2.7.2 State: Installed / not activated
Install Method: Manual
datainjection Name: Data Injection Version: 2.13.5 State: Installed / not activated
Install Method: Manual
sundry Name: Divers Version: 4.0.0 State: Enabled
Install Method: Manual
tag Name: Gestion des tags Version: 2.11.7 State: Not installed
Install Method: Manual
pdf Name: Impression pdf Version: 3.0.0 State: Enabled
Install Method: Manual
interface Name: Interface Version: 4.0.0 State: Enabled
Install Method: Manual
igx Name: IVANTI Version: 3.1.0 State: Not installed
Install Method: Manual
reports Name: Rapports Version: 1.16.0 State: Enabled
Install Method: Manual

Anything else?

First of all, the LDAP server is 389 Directory Server (first in the list and intended to be the only one in the future), and the thing to observe is that the user has very few rights on the LDAP server (due to our security service), as opposed to the rootdn, which can view more things.
We noticed that there's an ldap_bind (in the Auth class, function connection_ldap) with the ID and password of the user, and the next functions (like getFromLdap) use the same ID.
$bind_result = $this->user_found ? @ldap_bind($this->ldap_connection, $dn, $password) : false;
To return to the rootdn link, we add just after:
@ldap_bind($this->ldap_connection, $ldap_method['rootdn'],(new GLPIKey())->decrypt($ldap_method['rootdn_passwd']));
With this line, everything returns to normal behavior.

CHRPAR changed the title from "GLPI behavior differs when user login and user synchronization" to "GLPI behavior differs when user login and user is synchronized" on Jul 11, 2024
cconard96 self-assigned this on Jul 18, 2024
cconard96 added the bug label on Jul 18, 2024
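
The behavior described in the report, as an added example that is not part of the original issue and is not GLPI code: a constructed in-memory model (no real directory) in which a group lookup is authorized by the connection's most recent bind. The DNs, passwords, ACL rule, initial service bind and the names `FakeLdapConnection` and `login` are assumptions made up for the illustration.

```php
<?php
// Constructed in-memory model, not a real directory: every DN, password and
// the ACL rule are sample values made up for this example.
const SVC_DN = 'cn=glpi-svc,dc=example';   // stands in for the configured rootdn
const SVC_PW = 'svc-secret';
const USER_DN = 'uid=alice,dc=example';    // end user with restricted read rights

final class FakeLdapConnection
{
    private const PASSWORDS = [SVC_DN => SVC_PW, USER_DN => 'alice-secret'];
    private const GROUPS = [USER_DN => ['cn=helpdesk', 'cn=admins']];
    private ?string $boundAs = null;

    public function bind(string $dn, string $password): bool
    {
        $known = self::PASSWORDS[$dn] ?? null;
        $ok = $known !== null && $password !== '' && hash_equals($known, $password);
        // As in LDAP, a failed bind leaves the session anonymous.
        $this->boundAs = $ok ? $dn : null;
        return $ok;
    }

    public function groupsOf(string $userDn): array
    {
        // Assumed ACL: only the service account may read group membership.
        return $this->boundAs === SVC_DN ? (self::GROUPS[$userDn] ?? []) : [];
    }
}

// One shared connection is used for the password check and for the lookup that
// follows it; $rebindAsService models the workaround from the report.
function login(string $dn, string $password, bool $rebindAsService): ?array
{
    $conn = new FakeLdapConnection();
    $conn->bind(SVC_DN, SVC_PW);               // assumed initial service bind
    if (!$conn->bind($dn, $password)) {
        return null;                           // authentication failed
    }
    // From here the shared connection carries the end user's identity.
    if ($rebindAsService && !$conn->bind(SVC_DN, SVC_PW)) {
        throw new RuntimeException('service account re-bind failed');
    }
    return $conn->groupsOf($dn);
}

echo json_encode(login(USER_DN, 'alice-secret', false)), PHP_EOL; // no re-bind
echo json_encode(login(USER_DN, 'alice-secret', true)), PHP_EOL;  // with re-bind
echo json_encode(login(USER_DN, 'wrong', true)), PHP_EOL;         // bad password
```

Checking the result of the re-bind matters because a silent failure would leave the session anonymous, and the empty lookup that follows would be indistinguishable from a user who really has no groups.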