Snipe-IT Group memberships based on AD Groups and/or AD OUs

[sjackson0109]

Server (please complete the following information):

• Snipe-IT Version: 4.9.4+
• OS: [CentOS]
• Web Server: <docker app - assumed nginx>
• PHP Version: unknown

FEATURE REQUEST Looking for the capability to LDAP Sync users, and automatically map then into Snipe-IT Group memberships based on one of two conditions: Condition 1) The user is located inside a given OU (THIS FEATURE ALREADY EXISTS) (ADuser.distringuishedname = ","+ SnipeITgroup.baseDN) Condition 2) The user is a member of an AD Security/Distribution Group (LOOKING TO IMPLEMENT THIS FEATURE) A = LdapSearch ( ldap:///base-DN: ) 1x record should be returned B = LdapSearch ( ldap:///base-DN:(&(objectCategory=Person)(sAMAccountName=)(memberOf:1.2.840.113556.1.4.1941:=<distinguishedName of A)) (SnipeITgroup.members = results of B -> get CN

Note the LDAP bitmask identifier... it's the way to include NESTED AD Group membership searches. So users don't necessarily have to be a direct member of the given AD Group - extremely handy. It can be annoying if other users modify the OU Structure, so hard-coding the Group DN is a bad idea (hence doing 2x searches as suggested above). https://confluence.atlassian.com/crowdkb/active-directory-user-filter-does-not-search-nested-groups-715130424.html A toggle option to switch between using the OU or Group membership to automatically sync members.

Looking for:

• A DB field to store the 'LDAP FILTER' inside the group; along side the existing group.baseDN
• A GUI options to add the LDAP FILTER along side the BASE DN.
• A GUI option to choose LDAP Filter or Base DN as the automatic identification selection criteria.
• A Checkbox in the Global LDAP settings, to automatically sync members ON/OFF. Based on SnipeIT group ldap search critera.

Cannot think of an alternative feature like this.

[sjackson0109]

Any thoughts/comments from developers? This is a heavily desired feature...

[snipe]

We are aware it's a sought-after feature. We cannot do anything until v5 is out. Once we ship that, we can do a lot more here (and everywhere else.)

[sjackson0109]

hey @snipe appreciate the 'change free period on v4'... but am also aware that v5 release is still not in the calendar. any way of giving us a rough ballpark figure... month/quater/year.. just to manage my expectations on when to re-raise this.. am aware your bot is going to close this after replies go stale.

[snipe]

v5 will be out within the next week or so.

[sjackson0109]

i just realised v5 rc is out already.. #win

i'll get my lab back online and download it over the next couple of days.

[stale[bot]]

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail. This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

[ryanmerolle]

This would be super helpful with managing users.

[stale[bot]]

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

[nickfury0711]

any update on this? Also, requesting that nested groups are supported as well.

[snipe]

No update at this time.

[VaultVanderHuge]

any update on this? Also, requesting that nested groups are supported as well.

You can use LDAP rules in conjunction with your groups to enable nested groups. I import just one group into my users via Active Directory. The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN which will enable nested groups. My string for importing general users is the following under "LDAP Filter". Full rules are at https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=GROUP,OU=OU2 ,OU=OU1,DC=domain,DC=com)

Active Directory: LDAP Syntax Filters - TechNet Articles - United States (English) - TechNet Wiki

Technical articles, content and resources for IT Professionals working in Microsoft technologies

[craftyshaun]

I import just one group into my users via Active Directory.

Hi @VaultVanderHuge can you please point me in the direction to where you can configure AD Group to Snipe Group mapping. I'm running 5.2 but can't see where to enable this?

Any tips would be awesome! Thanks!

[ikcalB]

@snipe any updates on ldap in v6?

[benwa]

This looks to be a duplicate of #4877