Support ms-DS-ConsistencyGuid as LDAP sync_field #24367
Merged
cedric-anne merged 1 commit on Jun 1, 2026
Conversation
AuthLDAP only handled the attribute named objectGUID when reading and searching binary GUID values. Any other binary GUID attribute used as sync_field was stored and shown as raw bytes, and user lookups against it returned no results because the LDAP filter was not hex-escaped. ms-DS-ConsistencyGuid has the same binary layout as objectGUID and is the immutable anchor used in Entra ID Connect hybrid setups, where it survives inter-forest migrations that objectGUID does not. The conversion now applies to a small list of binary GUID attribute names in both places: when building the LDAP search filter and when reading the value back from the directory. Signed-off-by: Daniel <daniel@ticgal.com>
cconard96
approved these changes
May 28, 2026
cconard96
left a comment
Contributor
I don't have the type of environment needed to fully test this, but it seems OK.
cedric-anne
approved these changes
Jun 1, 2026
Checklist before requesting a review
Description
Closes #24332
`AuthLDAP` only handled the attribute named `objectGUID` when reading and searching binary GUID values. Any other binary GUID attribute used as `sync_field` was stored and shown as raw bytes, and user lookups against it returned no results because the LDAP filter was not hex-escaped. `ms-DS-ConsistencyGuid` has the same binary layout as `objectGUID` and is the immutable anchor used in Entra ID Connect hybrid setups, where it survives inter-forest migrations that `objectGUID` does not.
Changes
The conversion now applies to a small case-insensitive list of binary GUID attribute names (`objectguid`, `ms-ds-consistencyguid`) in two places:
- `searchUserDn()` — the value is hex-escaped before building the LDAP filter, so the directory search actually matches. Without this, user import and synchronization by `ms-DS-ConsistencyGuid` return no results.
- `getFieldValue()` — the value read back from the directory is converted to the canonical GUID string for display and storage.
Attribute names are matched case-insensitively per RFC 4512.
Tests
Added to `tests/LDAP/AuthLdapTest.php`, alongside the existing `testGetFieldValue()` and `testGuidToHex()` (both kept untouched as non-regression checks):
- `testGetFieldValueConvertsObjectGuidBinary` — existing `objectGUID` conversion still works on binary input.
- `testGetFieldValueConvertsMsDsConsistencyGuid` — the new attribute.
- `testGetFieldValueIsCaseInsensitiveForGuidAttributes` — mixed-case name, as it appears in Microsoft documentation.
- `testGetFieldValueDoesNotDoubleConvertGuidString` — values already in GUID string form are returned unchanged.
- `testGuidToHexForBinaryGuidSearch` — the hex-escaped form `searchUserDn()` builds for the LDAP filter.
Verified against a real directory
Tested on a GLPI 11.0.7 instance against an Active Directory with `ms-DS-ConsistencyGuid` populated on user objects, with the LDAP `sync_field` set to that attribute.
Before — the value is stored and shown as raw bytes in the LDAP information tab:
After — the same value is rendered as a canonical GUID string:
User synchronization — users are correctly imported and synchronized using `ms-DS-ConsistencyGuid` as `sync_field`:
Out of scope
`objectSid` uses a different binary layout (SID → SDDL) and would need its own decoder. Happy to address in a follow-up if there is interest.
Local checks
- `php -l` clean on both files.
- `php-cs-fixer fix --dry-run` clean against the project config.
- `phpstan analyze src/AuthLDAP.php` clean.
AI-assisted: used an LLM to verify code references and draft the wording; all logic reviewed and authored by me.
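Worked example, added here and not code from the PR or from GLPI: a Python sketch of the two conversions the Changes and Tests sections describe (canonical GUID string on read-back, RFC 4515 hex escaping when the search filter is built), with the case-insensitive attribute check and a toy in-memory equality matcher standing in for the directory so the reader can see why an unescaped raw value finds nothing. The function names, the sample GUID, the sample entry and the matcher are constructed for this illustration; only the attribute list and the described behaviour come from the PR description.

```python
import re
import uuid

# Attribute names whose values are 16-byte binary GUIDs. The list mirrors the
# one in the PR description; lookups are case-insensitive because LDAP
# attribute names are (RFC 4512).
BINARY_GUID_ATTRIBUTES = frozenset(("objectguid", "ms-ds-consistencyguid"))

# Canonical 8-4-4-4-12 hex form, matched case-insensitively.
GUID_STRING_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)

# Constructed sample: one directory entry holding the GUID in AD's binary
# (mixed-endian) layout. The GUID itself is the RFC 4122 DNS namespace UUID.
SAMPLE_GUID = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"
SAMPLE_RAW = bytes.fromhex("10b8a76bad9dd11180b400c04fd430c8")
SAMPLE_ENTRY = {"ms-DS-ConsistencyGuid": SAMPLE_RAW, "sAMAccountName": b"jdoe"}


def is_binary_guid_attribute(name: str) -> bool:
    return name.lower() in BINARY_GUID_ATTRIBUTES


def guid_bytes_to_string(raw: bytes) -> str:
    """Binary AD GUID -> canonical string. AD stores the first three fields
    little-endian, which uuid.UUID(bytes_le=...) decodes correctly."""
    if len(raw) != 16:
        raise ValueError("binary GUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def guid_string_to_hex_filter(guid: str) -> str:
    """Canonical GUID string -> RFC 4515 escaped value (\\xx per byte) that
    can be placed in an LDAP search filter against a binary attribute."""
    return "".join(f"\\{b:02x}" for b in uuid.UUID(guid).bytes_le)


def get_field_value(attribute: str, value):
    """Read-back conversion (hypothetical counterpart of getFieldValue()):
    binary GUID attributes are rendered as canonical strings; values already
    in string form, and non-GUID attributes, pass through unchanged."""
    if not is_binary_guid_attribute(attribute):
        return value
    if isinstance(value, str):
        if GUID_STRING_RE.match(value):
            return value  # already canonical: never double-convert
        value = value.encode("latin-1")  # raw bytes that arrived as a str
    return guid_bytes_to_string(value)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for ordinary string values (blocks filter injection)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def build_user_filter(sync_field: str, value: str) -> str:
    """Filter used to look a user up by sync_field (hypothetical counterpart
    of searchUserDn()): GUID attributes get the hex-escaped binary form,
    everything else gets normal RFC 4515 escaping."""
    if is_binary_guid_attribute(sync_field):
        return f"({sync_field}={guid_string_to_hex_filter(value)})"
    return f"({sync_field}={escape_filter_value(value)})"


# --- toy equality matcher standing in for the directory server -------------
_FILTER_RE = re.compile(r"^\((?P<attr>[^=]+)=(?P<val>.*)\)$", re.DOTALL)
_HEX = "0123456789abcdefABCDEF"


def _filter_value_to_bytes(val: str) -> bytes:
    """Decode RFC 4515 \\xx escapes; any other character is UTF-8 encoded,
    which is what a server does with an unescaped raw value."""
    out, i = bytearray(), 0
    while i < len(val):
        pair = val[i + 1:i + 3]
        if val[i] == "\\" and len(pair) == 2 and all(c in _HEX for c in pair):
            out.append(int(pair, 16))
            i += 3
        else:
            out.extend(val[i].encode("utf-8"))
            i += 1
    return bytes(out)


def filter_matches(filter_str: str, entry: dict) -> bool:
    m = _FILTER_RE.match(filter_str)
    if not m:
        raise ValueError("only simple (attr=value) filters are supported here")
    attr = m.group("attr").lower()
    wanted = _filter_value_to_bytes(m.group("val"))
    return any(k.lower() == attr and v == wanted for k, v in entry.items())


if __name__ == "__main__":
    print("display:", get_field_value("ms-DS-ConsistencyGuid", SAMPLE_RAW))
    good = build_user_filter("ms-DS-ConsistencyGuid", SAMPLE_GUID)
    print("escaped filter:", good, "->", filter_matches(good, SAMPLE_ENTRY))
    bad = "(ms-DS-ConsistencyGuid=" + SAMPLE_RAW.decode("latin-1") + ")"
    print("unescaped raw value matches:", filter_matches(bad, SAMPLE_ENTRY))
```

The byte order is the detail that bites in practice: `uuid.UUID(bytes_le=...)` reverses the first three fields, so the same 16 bytes read with big-endian assumptions produce a different, wrong canonical string. The toy matcher only models equality on a single attribute; a real server additionally rejects non-UTF-8 filter strings, which is the other reason the unescaped raw value never matched.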