Open ruben-herold opened 3 years ago
Hi,
I am also a new user to sysPass, I set this up yesterday and have not had any issues with login speeds as yet.
From what I can see though, the bind user is used to run the test and to import the users from LDAP (AD); it does not save.
I have imported a number of groups with spaces, and almost all of those are in an OU containing a space, so I don't think that is an issue. I have seen a suggestion to try the LDAP setting as "standard" even if you use AD, so perhaps give that a go?
Once imported, the users have a little building symbol next to them; existing users which were also in AD do not have a building, so I assume they do not get linked (i.e. delete local users before importing from AD).
In my case the users which were imported need the master password the first time they log in (not a wonderfully handy thing), but once they enter it, it works without it.
I have also set up the google authenticator which works fine in my installation.
Perhaps try to simplify your LDAP settings as much as possible? Make sure the server name is a server, not a grouped CNAME; make the search base as close to your users and groups as possible (in my case it is one level down); and make sure the group the users are in doesn't contain nested groups (especially recursively nested ones).
I don't know how big your AD is; mine is only a few hundred users, but I know there are a number of issues with other systems which bind to ADs with over a thousand users.
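The advice above (narrow search base, watch out for nested groups, groups and OUs with spaces, a bind account that only reads) can be checked by hand before touching the sysPass settings. The following is an added example and not sysPass code: it builds the searches a directory-backed login performs (service-account lookup of the user, reverse lookup of the groups, then a bind with the user's own credentials) with proper RFC 4515/4514 escaping, and emits the equivalent `ldapsearch`/`ldapwhoami` commands. The attribute names assume Active Directory (`sAMAccountName`, `member`), the nested-group matching rule is AD-only, and the host, DNs and logins are constructed for illustration.

```python
"""Added example (not sysPass code): build the lookups a directory-backed login
performs, and check the bind account can perform them before blaming the app.

Assumptions (not from the thread): attribute names follow Active Directory
(sAMAccountName, member, memberOf); the host, DNs and logins are constructed.
"""
import shlex

# LDAP_MATCHING_RULE_IN_CHAIN: AD-only extensible match that resolves nested
# group membership server-side, so recursively nested groups need no client recursion.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515: characters that change the meaning of a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before interpolating it into a filter.

    The login typed at the form is interpolated into the service-account search,
    so it must be escaped or the filter can be rewritten by the caller.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for one RDN value (e.g. a group CN containing spaces).

    Interior spaces are legal and left alone; only leading/trailing spaces,
    a leading '#', and the special characters get a backslash.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def group_dn(cn: str, base: str) -> str:
    """DN of a group from its CN and the container it lives in."""
    return f"CN={escape_dn_value(cn)},{base}"


def user_filter(login: str, attr: str = "sAMAccountName") -> str:
    """Step 1 (service bind): find the user's DN from the typed login."""
    return f"(&(objectClass=user)({attr}={escape_filter_value(login)}))"


def direct_group_filter(user_dn: str) -> str:
    """Reverse lookup: groups whose 'member' lists this user DN (one level only)."""
    return f"(&(objectClass=group)(member={escape_filter_value(user_dn)}))"


def nested_group_filter(user_dn: str) -> str:
    """Same reverse lookup, resolved through nested groups by the server (AD only)."""
    return f"(&(objectClass=group)(member:{AD_IN_CHAIN}:={escape_filter_value(user_dn)}))"


def ldapsearch_checks(host: str, bind_dn: str, base: str, login: str, user_dn: str) -> list:
    """OpenLDAP client commands reproducing the login sequence by hand:
    1. the service account finds the user, 2. it finds the user's groups,
    3. the user's own credentials bind (what a login actually proves).
    Each command prompts for the relevant password (-W)."""
    q = shlex.quote
    common = f"ldapsearch -H ldaps://{host} -D {q(bind_dn)} -W -b {q(base)}"
    return [
        f"{common} {q(user_filter(login))} dn memberOf",
        f"{common} {q(nested_group_filter(user_dn))} dn",
        f"ldapwhoami -H ldaps://{host} -D {q(user_dn)} -W",
    ]


if __name__ == "__main__":
    base = "OU=Security Groups,DC=corp,DC=example"       # constructed
    user = "CN=Jane Doe,OU=Users,DC=corp,DC=example"     # constructed
    svc = "CN=svc-syspass,OU=Service Accounts,DC=corp,DC=example"  # constructed
    print(group_dn("sysPass Users", base))
    print(user_filter("j.doe"))
    print(user_filter("*)(objectClass=*"))  # injection attempt is neutralised
    for cmd in ldapsearch_checks("dc01.corp.example", svc, base, "j.doe", user):
        print(cmd)
```

If command 1 returns nothing, the search base or bind account is the problem, not sysPass; if command 2 returns fewer groups than expected, nested membership is the problem; if command 3 fails, the user's own credentials are wrong. The bind account only needs read access to the user and group subtrees, and since the application stores its password, it should be a dedicated account with nothing else granted.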
Hello @ruben-herold
regarding your questions:
Login is very slow since activating ldap even for mysql users
It shouldn't be, but it would add some delay because of the LDAP server connection.
The Group configuration in ldap can't work with groups which contains spaces
Sorry, I don't understand this point.
Why must I define a bind user and bind password? Each user can read his own object to check which groups he is in. So why do you not use the username/password from the login to bind to LDAP? Self-auth is not a new concept ...
Yes, the user bind is used during login, but in the first steps of the login sysPass needs to be able to look up the groups the user belongs to (direct and reverse lookups); after that the user's credentials are used to log in.
Each new user is asked for the master password on first login. This makes no sense at all from my point of view, because what if an employee leaves the company? I must change the master password every time... why? Why not read the user's email out of LDAP and send an email with a temporary master password to this user to validate?
Every user must "have" a copy of the master password in the database (encrypted), so they can decrypt the accounts' data with it. It's up to the sysPass administrator to send the temporary master password to the users by email. If the user leaves the company, the temporary master password will be useless if it has been used and renewed (you can set the expiration date and usage count). Please note that the temporary master password is not meant to be set without any expiration, so it should be renewed every time a user needs it.
Regards
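The expiration date and usage count the maintainer mentions are what make a temporary master password safe to send by email: the secret is short-lived, single- or few-use, and is worthless once redeemed. The following is an added example, not sysPass code, that models only that gate: issue a random temporary password, store a salted PBKDF2 hash of it rather than the plaintext, and redeem it only while it is unexpired and has uses left. It does not model how sysPass wraps the real master password for each user. The function names, the `max_uses` field and the PBKDF2 parameters are this example's own choices.

```python
"""Added example (not sysPass code): a temporary master password that is
delivered out of band, expires, and is valid for a bounded number of uses.
The stored record holds a salted PBKDF2 hash, so a database read alone does
not yield a usable temporary password. Names are this example's own."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumed; tune to the deployment's hardware


@dataclass
class TempMasterPass:
    salt: bytes
    digest: bytes
    expires_at: float  # epoch seconds
    max_uses: int
    uses: int = 0


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def issue_temp_pass(ttl_seconds: int = 3600, max_uses: int = 1,
                    now: Optional[float] = None) -> Tuple[str, TempMasterPass]:
    """Create a fresh temporary password; return (plaintext to send, record to store).

    The plaintext exists only in the return value: it is shown to the
    administrator once and must reach the user over a channel the
    administrator trusts (email in the thread above, or something better).
    """
    now = time.time() if now is None else now
    secret = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    return secret, TempMasterPass(salt, _derive(secret, salt), now + ttl_seconds, max_uses)


def redeem_temp_pass(rec: TempMasterPass, candidate: str,
                     now: Optional[float] = None) -> bool:
    """Accept the candidate only while the record is unexpired and has uses left.

    Expiry and usage count are checked before the hash, so an exhausted record
    cannot be guessed against, and the digest comparison is constant-time.
    """
    now = time.time() if now is None else now
    if now >= rec.expires_at or rec.uses >= rec.max_uses:
        return False
    if not hmac.compare_digest(_derive(candidate, rec.salt), rec.digest):
        return False
    rec.uses += 1
    return True


def revoke_temp_pass(rec: TempMasterPass) -> None:
    """Leaver case: an unredeemed temporary password is killed without
    touching the real master password."""
    rec.max_uses = 0


if __name__ == "__main__":
    plaintext, record = issue_temp_pass(ttl_seconds=3600, max_uses=1)
    print("send to user:", plaintext)
    print("first use accepted:", redeem_temp_pass(record, plaintext))
    print("second use accepted:", redeem_temp_pass(record, plaintext))
```

The usage count is what lets the administrator answer the "employee leaves" concern without rotating the real master password: a temporary password that was already redeemed is rejected, and one that was never redeemed is revoked or simply expires.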
Good morning. I'm new to using sysPass and I would like to configure LDAP with Windows Server; could anyone help me configure it step by step?
sysPass Version
3.2 docker install
Describe the question
I tried to install sysPass at our company and connect it to the Active Directory, but I'm not clear whether it works as planned:
Do I see something wrong here?