snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0
11.11k stars 3.18k forks

Snipe-IT Group memberships based on AD Groups and/or AD OUs #8356

Closed sjackson0109 closed 1 year ago

sjackson0109 commented 4 years ago

Server (please complete the following information):

FEATURE REQUEST

Looking for the capability to LDAP Sync users, and automatically map them into Snipe-IT Group memberships based on one of two conditions:

Condition 1) The user is located inside a given OU (THIS FEATURE ALREADY EXISTS)
(ADuser.distinguishedname = ","+ SnipeITgroup.baseDN)

Condition 2) The user is a member of an AD Security/Distribution Group (LOOKING TO IMPLEMENT THIS FEATURE)
A = LdapSearch ( ldap:///base-DN: ) 1x record should be returned
B = LdapSearch ( ldap:///base-DN:(&(objectCategory=Person)(sAMAccountName=)(memberOf:1.2.840.113556.1.4.1941:=<distinguishedName of A))
(SnipeITgroup.members = results of B -> get CN

Note the LDAP bitmask identifier... it's the way to include NESTED AD Group membership searches. So users don't necessarily have to be a direct member of the given AD Group - extremely handy. It can be annoying if other users modify the OU Structure, so hard-coding the Group DN is a bad idea (hence doing 2x searches as suggested above).

https://confluence.atlassian.com/crowdkb/active-directory-user-filter-does-not-search-nested-groups-715130424.html

A toggle option to switch between using the OU or Group membership to automatically sync members.

Looking for:

Cannot think of an alternative feature like this.

sjackson0109 commented 4 years ago

Any thoughts/comments from developers? This is a heavily desired feature...

snipe commented 4 years ago

We are aware it's a sought-after feature. We cannot do anything until v5 is out. Once we ship that, we can do a lot more here (and everywhere else.)

sjackson0109 commented 4 years ago

hey @snipe appreciate the 'change free period on v4'... but am also aware that v5 release is still not in the calendar. any way of giving us a rough ballpark figure... month/quarter/year.. just to manage my expectations on when to re-raise this.. am aware your bot is going to close this after replies go stale.

snipe commented 4 years ago

v5 will be out within the next week or so.

sjackson0109 commented 4 years ago

i just realised v5 rc is out already.. #win

i'll get my lab back online and download it over the next couple of days.

stale[bot] commented 3 years ago

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail. This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

ryanmerolle commented 3 years ago

This would be super helpful with managing users.

stale[bot] commented 3 years ago

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

nickfury0711 commented 3 years ago

any update on this? Also, requesting that nested groups are supported as well.

snipe commented 3 years ago

No update at this time.

VaultVanderHuge commented 3 years ago

> any update on this? Also, requesting that nested groups are supported as well.

You can use LDAP rules in conjunction with your groups to enable nested groups. I import just one group into my users via Active Directory. The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN which will enable nested groups. My string for importing general users is the following under "LDAP Filter". Full rules are at https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=GROUP,OU=OU2 ,OU=OU1,DC=domain,DC=com)

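What the filter in the comment above selects, shown as an added example that is not part of the original thread or Snipe-IT's code: it builds the same three-clause filter with the group DN escaped per RFC 4515, then emulates the clauses (user object, not disabled, nested membership) over an in-memory directory. All DNs, accounts and function names here are constructed for illustration.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (nested groups)
BIT_AND = "1.2.840.113556.1.4.803"    # bitwise-AND matching rule
SAM_USER = 805306368                  # sAMAccountType of a user account
DISABLED = 2                          # userAccountControl bit tested by ":=2"

def escape_filter_value(value):
    """RFC 4515 escaping, so a DN containing ( ) * or \\ cannot reshape the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(group_dn):
    """Same three clauses as the filter in the comment, with the DN escaped."""
    return "&(sAMAccountType=%d)(!(userAccountControl:%s:=%d))(memberOf:%s:=%s)" % (
        SAM_USER, BIT_AND, DISABLED, IN_CHAIN, escape_filter_value(group_dn))

def in_chain(entry_dn, target_dn, directory):
    """True if entry_dn reaches target_dn through memberOf links (cycle-safe)."""
    seen, stack = set(), [entry_dn]
    while stack:
        for parent in directory[stack.pop()].get("memberOf", []):
            if parent == target_dn:
                return True
            if parent not in seen and parent in directory:
                seen.add(parent)
                stack.append(parent)
    return False

def matching_users(target_dn, directory):
    """Emulate the filter: user object AND not disabled AND nested member."""
    return sorted(
        attrs["sAMAccountName"] for dn, attrs in directory.items()
        if attrs.get("sAMAccountType") == SAM_USER
        and not attrs.get("userAccountControl", 0) & DISABLED
        and in_chain(dn, target_dn, directory))

def user(name, uac, groups, kind=SAM_USER):  # helper for the sample entries
    return {"sAMAccountName": name, "sAMAccountType": kind,
            "userAccountControl": uac, "memberOf": groups}

# Constructed sample directory; TOP and SUB contain each other on purpose.
TOP = "CN=SnipeUsers,OU=Groups,DC=example,DC=com"
SUB = "CN=Helpdesk,OU=Groups,DC=example,DC=com"
DIRECTORY = {
    TOP: {"memberOf": [SUB]},
    SUB: {"memberOf": [TOP]},
    "CN=alice,DC=example,DC=com": user("alice", 512, [TOP]),  # direct member
    "CN=bob,DC=example,DC=com": user("bob", 512, [SUB]),      # nested only
    "CN=carol,DC=example,DC=com": user("carol", 514, [TOP]),  # disabled (512 | 2)
    "CN=PC01,DC=example,DC=com": user("PC01$", 4096, [TOP], 805306369),  # computer
}
```

Calling matching_users(TOP, DIRECTORY) keeps alice and bob and drops the disabled account and the computer object, which is the population the filter would hand to the sync.
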
craftyshaun commented 3 years ago

> I import just one group into my users via Active Directory.

Hi @VaultVanderHuge can you please point me in the direction to where you can configure AD Group to Snipe Group mapping. I'm running 5.2 but can't see where to enable this?

Any tips would be awesome! Thanks!

ikcalB commented 2 years ago

@snipe any updates on ldap in v6?

benwa commented 2 years ago

This looks to be a duplicate of #4877