snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

Enable Login SnipeIT AD users based on AD Department Attribute #15821

Open FabioD79 opened 2 weeks ago

FabioD79 commented 2 weeks ago

Is your feature request related to a problem? Please describe.

Hello, I need to enable SnipeIT login for users pulled from AD, but only for those users that have the Department attribute set to a specific value, for example "dep1". Right now all users are already pulled from AD based on group membership, and that is OK, but only some of them must have login to SnipeIT enabled; managing this through the attribute could be a solution. What must be modified to configure this correctly?

For the other AD user states (locked, disabled, expired), SnipeIT must follow Active Directory. Thanks in advance.

Describe the solution you'd like

Should I probably modify Ldap.php in this way?

'ldap_user_active_attribute' => 'department',       // Attribute to check in AD
'ldap_user_active_value' => 'Dep1',                 // Value that enables login (only 'Dep1' allows login)
'ldap_user_inactive_value' => ' ',                   // Empty value disables login

Describe alternatives you've considered

In the future, other AD users will probably have SnipeIT login enabled but with a different attribute value, "dep2". Will it be possible to have something like this:

'ldap_filter' => '(&(objectClass=user)(|(department=Dep1)(department=Dep2)(department=Dep3)))',
'ldap_user_active_attribute' => 'department',
'ldap_user_active_value' => '*',         // Match any department value allowed by the filter
'ldap_user_inactive_value' => '',        // Users not in Dep1, Dep2, or Dep3 will be inactive

In every case, if the department attribute is empty, the AD user must be in SnipeIT but with login disabled.

Additional context

No response

FabioD79 commented 3 days ago

Could anyone provide a suggestion or PHP code? It would be appreciated. Thanks
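An added example, not Snipe-IT code and not written by the issue author: the login decision the request describes, as standalone PHP that keeps every synced user but enables login only for allow-listed departments and only while AD itself does not block the account. The function names, the `LOGIN_DEPARTMENTS` constant and the flattened entry shape (lower-cased attribute name => string) are hypothetical; `userAccountControl`, `lockoutTime` and `accountExpires` are the standard AD attributes.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list built from the department values named in the issue.
const LOGIN_DEPARTMENTS  = ['dep1', 'dep2', 'dep3'];
const UAC_ACCOUNTDISABLE = 0x0002;       // userAccountControl bit: account disabled
const FILETIME_UNIX_DIFF = 11644473600;  // seconds between 1601-01-01 and 1970-01-01

/** Value of one attribute from a flattened entry; a missing attribute reads as ''. */
function attr(array $entry, string $name): string
{
    return trim((string) ($entry[$name] ?? ''));
}

/** True when AD says the account must not be used (disabled, locked or expired). */
function blockedByDirectory(array $entry, int $now): bool
{
    // lockoutTime can stay non-zero after the lockout window ends; treated as locked here (assumption).
    if (((int) attr($entry, 'useraccountcontrol') & UAC_ACCOUNTDISABLE) !== 0
        || (int) attr($entry, 'lockouttime') > 0) {
        return true;
    }
    $expires = attr($entry, 'accountexpires');
    if ($expires === '' || $expires === '0' || $expires === (string) PHP_INT_MAX) {
        return false; // 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires"
    }
    // accountExpires is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
    return intdiv((int) $expires, 10000000) - FILETIME_UNIX_DIFF <= $now;
}

/** Login flag for a synced user; an empty or unlisted department means login disabled. */
function loginEnabled(array $entry, int $now): bool
{
    $department = strtolower(attr($entry, 'department'));
    return $department !== ''
        && in_array($department, LOGIN_DEPARTMENTS, true)
        && !blockedByDirectory($entry, $now);
}

// Constructed sample entries (not real directory data).
$users = [
    'alice' => ['department' => 'Dep1', 'useraccountcontrol' => '512'], // enabled
    'bob'   => ['department' => '',     'useraccountcontrol' => '512'], // empty department
    'carol' => ['department' => 'Dep2', 'useraccountcontrol' => '514'], // disabled in AD
    'dave'  => ['department' => 'Dep9', 'useraccountcontrol' => '512'], // not allow-listed
];
foreach ($users as $name => $entry) {
    printf("%-6s login %s\n", $name, loginEnabled($entry, time()) ? 'enabled' : 'disabled');
}
```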