Open R4MPi opened 6 years ago
Open an edit-location page and you'll see the LDAP sync field to choose the filter for that location.
Hmm... I'm trying to automatically give the users our added permission group after the sync. So where can I define the default permission group? :)
Oh groups, I’m sorry, I thought you meant the users location field. I’m not sure that that’s possible, but I’ll defer to the others for that one.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions!
Any news on this?
Yes I would like to see this feature as well! This really is the last feature that is missing for my install!
I came to this thread after Googling around trying to see if this was possible or not.
Our use case: We would like users in the "Domain Admins" group to have admin access without having to manually add them to an "Admin" group inside Snipe-IT.
Bump. Is this doable?
Yet another bump... can we reopen this issue?
Hi,
if there is a chance to bring this new feature online: yes, we can! 😉
We'll stay in touch.
Is there a chance to reopen this? Would be great!
Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!
I'd like to also let it be known that it'd be an awesome feature.
Would very much like to have this feature.
This also needs to un-assign group permissions when a user leaves an LDAP group.
Would also be handy to be able to assign permissions for
Is there any updates on being able to do this? I see this was opened a few years ago.
Nope. Has unfortunately still not been included. This would be such a helpful function
@snipe could you please comment? There are multiple requests (#6508, #8356, #10430), but it seems unclear whether you find this feature feasible and/or worthy of consideration. Thanks.
There is already a PR in progress for this #11736
@snipe I've read through that PR. What I was hoping for is something on the Group Management page that would allow you to sync users to groups based on the LDAP group they are in. Perhaps something that would run alongside an LDAP sync that would view members of defined x, y, z groups and update their Snipe-IT group accordingly. This would also help with removal of users from these groups.
I'm not sure if I am misunderstanding: is that PR for one singular default group when someone gets added to Snipe-IT, or will it allow the functionality I have outlined above?
Thanks,
@snipe That PR is not what people are asking for, we are asking for the ability to sync group membership from AD to keep our installs secure and to make sure people have the correct level of access when they are onboarded. So I'd argue that PR does not satisfy or solve this feature request.
The problem with the default group approach is that you end up with everyone in that group and it becomes very onerous to go through and update them all manually. Catch-all things like that should be a last resort, not a first attempt.
@jarrodCoombes that's why this issue is still open and not marked as resolved.
@jarrodCoombes the issue that’s been there the whole time - and remains - is that there may not be parity between manually created groups in Snipe-IT and ones in AD/LDAP/Google Workspace - and even if they exist, since our permissions and AD permissions might not match up, there is always the danger of elevating permissions because of name collisions, etc. And I’d argue that the default group should handle most cases, since you don’t want that many admins and superadmins on any system, imho.
When we find a reasonable solve for this, we’ll execute on it, but right now, there are still a lot of limitations and footguns.
Glad you are taking a cautious approach to this.
there may not be parity between manually created groups in Snipe-IT and ones in AD/LDAP/Google Workspace
The manual mapping is what creates the parity. Unless I am missing some sort of fundamental point about how the sync actually works.
To be clear, I am not suggesting Snipe automatically creates new groups based on what is synced from the directory, I am suggesting you simply allow group mapping between Snipe and the directory. In other words, I create group in Snipe and manually tell it which AD group it maps to (similarly to how you can map a location to an OU currently). As a side note, this is actually how a ton of other platforms do this exact thing.
our permissions and AD permissions might not match up
This sort of confuses me, as you don't sync any AD permissions as far as I can tell. So the only thing that would matter to Snipe is what group the user is in and if that group is actually mapped to an existing Snipe group. All of this is on the admin who sets this up and not you as devs.
Running through that workflow in my mind, I cannot see where the danger of privilege elevation comes in, unless I, as the super admin, map the wrong group, or add the AD user to the wrong group in AD.
You’re assuming a world where 1) admins will remember to map those at all and 2) admins will continue to remember to map over time as new groups get added to their directory. This project is a decade old. While I’d love to believe that everyone’s install is perfect, pristine, and up to date, a decade of xp tells me that’s not true. While one could argue that’s not really on us, we also try hard to not provide opportunities where “the asset management initiative” was started by someone who doesn’t even work there anymore, has been inherited by someone who doesn’t know what needs to be done, and falls into disrepair. Because permissions are important here, we want to make sure we minimize the places where things can get wonky when regimes change, people change roles, etc.
(I’m not arguing with you btw - just explaining that this, like so many other parts of this project, is more complicated than it seems if we want to do it right in the long term)
Yep, no argument here, just debate (thanks for engaging).
1) admins will remember to map those at all and 2) admins will continue to remember to map over time as new groups get added to their directory.
If they don't, then the user falls into the default group as per the settings, or no group with no permissions if that's not setup (basically how it does it now). If it's a new group, not mapped, then nothing changes with the current setup. So it "fails" into a safe state, or at least a status quo state.
I think we are missing each other on something here. I believe you are assuming that people would want all new directory groups to be automatically added to Snipe and have their permissions mapped accordingly? If so, this is not the case at all. Most people will simply want to pick or create a Snipe group and then tell it to put people in it from the directory who are in this particular directory group, and ignore all other groups.
A working example would be what we need. I have staff members and I have students. I would like any AD user in the "Snipe-Staff" AD group to be placed in the "Staff" group in Snipe, and anyone in the "Snipe-Student" AD group to be placed in the "Student" group in Snipe. All other directory groups should be completely ignored, and if a user is in neither of those groups, then what happens now should continue to happen.
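The reconciliation logic behind the explicit-mapping proposal above, written out as an added example (this is not Snipe-IT code and not from the snipe-it-ldap-group-sync script linked later in the thread). It assumes an admin-maintained table mapping directory group DNs to Snipe-IT group names; the DNs, group names and users below are constructed for the example. It implements the two safety properties debated here: only explicitly mapped directory groups are considered, so a directory group that merely shares a name with a Snipe-IT group grants nothing, and only the mapped Snipe-IT groups (plus an optional default group) are ever added or removed, so manually assigned groups outside the mapping are left alone. A user who matches no mapped group either falls into the configured default group or, if none is set, is left exactly as they are.

```python
"""
Added example (not Snipe-IT code): plan a user's Snipe-IT group changes from an
explicit directory-group -> Snipe-IT-group mapping. Pure logic, no network;
applying the plan via the Snipe-IT API is out of scope here.
All DNs and group names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional, Set


@dataclass(frozen=True)
class SyncPlan:
    add: frozenset     # Snipe-IT groups to add the user to
    remove: frozenset  # managed Snipe-IT groups to remove the user from
    keep: frozenset    # unmanaged Snipe-IT groups deliberately left untouched


def normalize_dn(dn: str) -> str:
    """AD compares DNs case-insensitively; normalise case and RDN spacing so that
    'cn=Snipe-Staff, OU=Groups,...' and 'CN=snipe-staff,OU=Groups,...' match."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def plan_groups(
    current_groups: Iterable[str],
    member_of: Iterable[str],
    mapping: Mapping[str, str],
    default_group: Optional[str] = None,
) -> SyncPlan:
    """Compute add/remove/keep sets for one user.

    current_groups : Snipe-IT group names the user holds right now
    member_of      : directory group DNs (e.g. the user's memberOf attribute)
    mapping        : directory group DN -> Snipe-IT group name (admin-maintained)
    default_group  : optional Snipe-IT group for users matching no mapped group
    """
    norm_mapping = {normalize_dn(dn): grp for dn, grp in mapping.items()}

    # "Managed" groups are the only ones this sync may add or remove.
    managed: Set[str] = set(norm_mapping.values())
    if default_group is not None:
        managed.add(default_group)

    # Unmapped directory groups are ignored entirely, whatever they are called.
    desired = {norm_mapping[dn] for dn in map(normalize_dn, member_of) if dn in norm_mapping}
    if not desired and default_group is not None:
        desired = {default_group}  # fallback; with no default, nothing changes

    current = set(current_groups)
    return SyncPlan(
        add=frozenset(desired - current),
        remove=frozenset((current & managed) - desired),
        keep=frozenset(current - managed),
    )


# Constructed mapping for the Staff/Student scenario from the thread.
MAPPING = {
    "CN=Snipe-Staff,OU=Groups,DC=example,DC=com": "Staff",
    "CN=Snipe-Student,OU=Groups,DC=example,DC=com": "Student",
}


if __name__ == "__main__":
    # Staff member previously hand-placed in Student and in an unrelated,
    # unmanaged "Asset Viewers" group: Staff added, Student removed, viewers kept.
    print(plan_groups(
        {"Student", "Asset Viewers"},
        ["cn=snipe-staff,ou=groups,dc=example,dc=com",
         "CN=Domain Users,CN=Users,DC=example,DC=com"],
        MAPPING,
    ))
    # An unmapped directory group that happens to be called "Staff" grants nothing.
    print(plan_groups(set(), ["CN=Staff,OU=Groups,DC=example,DC=com"], MAPPING))
```

The default group is treated as managed on purpose: a user who first lands in it and is later added to a mapped directory group is moved up and the default is removed, which avoids the "everyone ends up in the catch-all group" problem raised above. Dropping `default_group` reproduces the status-quo behaviour for users in neither mapped group.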
Late 2023, and it seems this is still not possible? Even the LDAP Permissions Group setting doesn't seem to be at all functional.
Is this still not possible? When I onboard new users, I need to manually set their correct group in Snipe-IT!
I've run into the same problem. I wrote a quick and dirty Node script to synchronize my Active Directory users to Snipe.
Check it out at https://github.com/droid-sheep/snipe-it-ldap-group-sync
Expected Behavior (or desired behavior if a feature request)
Looking for a function to auto-assign groups for the new Windows AD sync users.
Actual Behavior
After a sync with LDAP (Windows AD) we need an auto-assign for the new users, so we don't need to manually assign the right group.
Or is there an attribute in AD for it?
Thx :)