
Some users missing group membership from ldap/ad



I’m trying to hunt down an issue where some (but not all) of my AD synced users are missing all of their group memberships. For example, my own personal user account is part of the “VOIP Users” and “Office Users” groups, which most of the other user accounts are as well; however, mine shows no group membership in User Manager.

The (slightly redacted) ldapsearch string PBXact is using for groups is
ldapsearch -w redacted -H "ldap://ad.redacted.com:389" -D "voip@redacted" -b "cn=users,dc=ad,dc=redacted,dc=com" -s sub "(&(&(objectcategory=group)(memberof=cn=voip groups,cn=users,dc=ad,dc=redacted,dc=com))(objectclass=group))"

Running the fwconsole userman sync with the verbose flag shows what I expect: all users are a part of at least one group.
fwconsole userman --sync 2 --force --verbose

Running the OpenLDAP search on another Linux host also shows what I expect.

But in User Manager my account, along with several others, is not a part of any groups.
Right now I’m assigning permissions and settings to individual users, but even with only 25 users it’s becoming painful to manage; I really need to sort out group membership.

Does this look like a bug, or am I missing something?