kakwa
commented
5 years ago It's unfortunately not possible.
LdapCherry by itself doesn't store roles allocation, it only deduces them on the fly, one user at a time, from the groups of this user.
Basically, to do that it would most likely require a permanent storage (aka a DB) to store role allocation which is a significant architecture change, and add deployment complexity.
As a side note, temporary role allocation is also something I have in the back of my mind as a limitation for LdapCherry.
Here is a full list of LdapCherry limitations (at least the ones I could think of):
- The groups/roles are statically defined in a yaml file, so it's not really dynamic
- There is no real tooling to audit/normalize the backends content (for example after a role definition change)
- There is no mechanism to temporary delegate a role to a person
- There is only one "big" admin group, no notion of "this role can be set by this group, and this other role by this other group"
- There is no request/notification mechanism when a user requests approval for being member of a role
- I'm not completely sure how I could handle forgotten password for users more cleanly
- I'm not sure how the UI would look with hundreds of roles (probably not great since all roles will be displayed...)
To solve all these would most likely require a DB, which I'm a little reluctant to do at least in the base product. However, maybe as external modules, this could be done cleanly (provided that an API for such complex module is actually implemented...).
We are using LdapCherry to manage user roles, we need to assign user to some roles temporary, so we need to review the users in particular roles, is it possible to make the role clickable, so that we can list the users in each AD group.