snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

SAML AzureAD help on username mapping #8838

Closed MrMontesa closed 3 years ago

MrMontesa commented 3 years ago

Hey, not quite a bug report, but I need some help on setting up SAML with AzureAD. The help pages got me going real good. I have my app in Azure and exchanged all the needed fields. Clicking on "login using SAML" I get redirected, authenticate in AzureAD and will be returned to Snipe install. But there I get a login rejected error. As per debug info on the docu page I ran chrome network analysis and found ACS data containing the NameID as per documentation.

<Subject>
        <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">first.last@domain.com</NameID>
        <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="ONELOGIN_dcacc873235477f0bfc3a0ebbe64a6a7661806a4" NotOnOrAfter="2020-11-30T16:00:49.504Z" Recipient="https://assets.domain.com/saml/acs"/>
        </SubjectConfirmation>
</Subject>

But I can't get my head around the docu sentence: ...If you have existing users configured in Snipe-IT, make sure that their usernames match the value of the NameID element!...

My users are LDAP synced and username in the database is first.last and not email address. So I suspect my problem is here. But what do I have to do now?

Some details about my system: OS: Debian 10; Webserver: nginx/1.14.2; PHP: 7.3.19-1~deb10u1; Snipe: v5.0.9

Thanks much for your help!

welcome[bot] commented 3 years ago

👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can.

MrMontesa commented 3 years ago

Hey, was reading more documentation on the LDAP sync. One of the early recommendations was to use email address as username and how to update database using SQL command. So this looks like the way to go. On the other hand, down in the docu you still suggest to set the LDAP attribute samaccountname as "Username Field" which will then use the username instead of email again. I guess we should change that value from samaccountname to mail, right?

So my action plan would look like this:

Small additional question: Since LDAP docu page also contains a word for AzureAD, would you suggest to pull users out of the cloud instead of local AD? Currently we sync users from local LDAP before they log in to Snipe so that we can assign users hardware independent of they logged in already or not. Many thanks for your help

snipe commented 3 years ago

I think that really depends on what your AD expects as a username. We suggest email address as username because a lot of hosted directory services (Okta, JumpCloud, etc) want you to use email as a username, and we want to avoid a sync creating duplicates. The real key here is just to be consistent across your locally (CSV/manually created) and your hosted directory. Username in our system is what we treat as the unique identifier, since theoretically not all users would have email addresses.

I'm not 100% sure how Azure wants/demands you do it, but as long as the conventions in Snipe-IT and in Azure are the same, you should be alright. (Typically in self-hosted AD, it would be samaccountname, which is usually just a username, not email address.)

MrMontesa commented 3 years ago

Thanks for your reply. I plucked up courage and aligned the Snipe Database to what AzureAD SAML needs (email as username) and adjusted the LDAP import from samaccountname to mail attribute. After cleaning some duplicate entries and a few LDAP syncs later, all is fine now, and I can login using SAML. Thanks
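The mismatch this thread turns on (LDAP-synced `first.last` usernames versus an `emailAddress` NameID) and the duplicate risk snipe raises can be checked before touching the database. The following is an added Python example, not Snipe-IT code; the SAML `<Subject>` and the user rows are constructed to mirror the issue, and exact username comparison is an assumption about Snipe-IT's matching.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed SAML <Subject> modelled on the one in the issue (namespaced as
# Azure AD emits it); not a captured assertion.
SAML_SUBJECT = """<Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">first.last@domain.com</NameID>
</Subject>"""

# Constructed Snipe-IT user rows as an LDAP sync with "Username Field" =
# samaccountname would create them (hypothetical data).
USERS = [
    {"username": "first.last", "email": "first.last@domain.com"},
    {"username": "jdoe", "email": "John.Doe@domain.com"},
    {"username": "jdoe2", "email": "john.doe@domain.com"},  # same mailbox twice
    {"username": "svc-backup", "email": ""},                # no mail attribute
]


def name_id(subject_xml):
    """Return the NameID text from a SAML <Subject> (any or no namespace)."""
    root = ET.fromstring(subject_xml)
    el = root if root.tag.endswith("NameID") else root.find(".//{*}NameID")
    if el is None or not (el.text or "").strip():
        raise ValueError("assertion carries no NameID")
    return el.text.strip()


def saml_login_would_succeed(name_id_value, users):
    """Snipe-IT compares NameID with the username column (exact match assumed
    here): first.last != first.last@domain.com is the rejection in the issue."""
    return any(u["username"] == name_id_value for u in users)


def plan_username_switch(users):
    """Preview re-keying usernames on the mail attribute before the SQL update
    the LDAP docs describe. Returns (old->new mapping, problems); rows that
    would collide or have no mail are reported and left unmapped."""
    by_mail = Counter(u["email"].lower() for u in users if u["email"])
    mapping, problems = {}, []
    for u in users:
        mail = u["email"].lower()
        if not mail:
            problems.append(f"{u['username']}: no mail attribute, SAML login impossible")
        elif by_mail[mail] > 1:
            problems.append(f"{u['username']}: mail {mail} shared by {by_mail[mail]} rows")
        else:
            mapping[u["username"]] = mail
    return mapping, problems
```

Running `plan_username_switch` against a real export first shows which accounts would collide once the username becomes the mail attribute, which is the duplicate clean-up step the thread ends up doing by hand.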

rj2382244 commented 3 years ago

@MrMontesa how did you get this to work, I just get an error each time no matter which IDP I use.

rj2382244 commented 3 years ago

@MrMontesa I missed a key element you mentioned in the process...it is all synced and working now. Thanks for posting your success.

rasari03 commented 11 months ago

I did this under LDAP/AD Settings in SNIPE-IT

And Deleted all users (except the Super Admin Account I was logged in with) and once all users were deleted, I did an LDAP Sync from the People Tab in Snipe-IT. This created all users with email address as their username.