xperseguers / t3ext-ig_ldap_sso_auth

TYPO3 Extension ig_ldap_sso_auth. This extension provides LDAP and SSO support for TYPO3.
https://extensions.typo3.org/extension/ig_ldap_sso_auth

Best way to add multiple Groups to single Users #95

Closed chrosey closed 2 years ago

chrosey commented 4 years ago

We have a TYPO3, in which several domains are maintained. Now we have the following case:

Four users: UserA, UserB, UserC, UserD
Two groups: Group1, Group2
Two LDAP configurations: LDAP1, LDAP2

LDAP1 (Group1)
LDAP2 (Group2)

UserA (LDAP1)
UserB (LDAP2)
UserC (LDAP1 and also Group2)
UserD (LDAP2)

Do I now only have to create a new LDAP configuration for UserC (LDAP3 (Group1, Group2)) to be a member of both groups? Is there any way to manually assign UserC to a group or both LDAP configurations without resetting it the next time he logs in?

I would assume something like "disable synchronization for users", as there is for groups.

xperseguers commented 2 years ago

Very long time without any answer but better late than never... this extension does not support multiple LDAP connections with the purpose of "merging" info together but allows (independent) users to be found in multiple LDAP backends. Unsure just like that how complex it would be to merge info together but for sure not that easy since the various connections are checked in turn while authenticating until one succeeds, rationale being to be as quick as possible and we don't expect the "same" user to be present in multiple configurations.

Quite unsure about your actual use case which sounds (by reading) really exotic. Maybe you could describe a bit more or think whether having some aggregation of information in the middle wouldn't be just more logical (and easy to handle).
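To make the difference between the two behaviours described above concrete, here is an added simulation (not code from ig_ldap_sso_auth or TYPO3): two in-memory "LDAP configurations" with constructed users and passwords, a first-match login loop that stops at the first successful bind (the behaviour the maintainer describes), and, for comparison, a merge loop that binds against every configuration and unions the group mappings. The `LdapConfig` class, the `try_bind` helper and the sample accounts are all assumptions made for the illustration; a real backend would bind over the network.

```python
"""Added illustration: first-match vs. merged group resolution across
several LDAP configurations. Not the extension's own code."""
from dataclasses import dataclass, field


@dataclass
class LdapConfig:
    """One LDAP configuration (hypothetical stand-in for a real directory)."""
    name: str
    users: dict          # username -> password; constructed sample data only
    groups: dict         # username -> set of group names this config maps to
    bind_attempts: int = field(default=0)

    def try_bind(self, username, password):
        """Simulated bind: counts attempts so the cost of each strategy is visible."""
        self.bind_attempts += 1
        return self.users.get(username) == password


# Constructed sample data mirroring the issue: UserC has an account in both trees.
CONFIGS = [
    LdapConfig("LDAP1", {"UserA": "pw-a", "UserC": "pw-c"},
               {"UserA": {"Group1"}, "UserC": {"Group1"}}),
    LdapConfig("LDAP2", {"UserB": "pw-b", "UserC": "pw-c", "UserD": "pw-d"},
               {"UserB": {"Group2"}, "UserC": {"Group2"}, "UserD": {"Group2"}}),
]


def authenticate_first_match(configs, username, password):
    """Check configurations in turn and stop at the first successful bind.

    Returns (config name, groups) or None. Only the matching configuration's
    group mapping is applied, so a user present in a second configuration
    never receives that configuration's groups.
    """
    for cfg in configs:
        if cfg.try_bind(username, password):
            return cfg.name, set(cfg.groups.get(username, ()))
    return None


def authenticate_merged(configs, username, password):
    """Bind against every configuration and union the resulting groups.

    Returns (list of matching config names, merged groups) or None. Every
    configuration is contacted on every login, which is the cost the
    maintainer's rationale avoids.
    """
    matched, groups = [], set()
    for cfg in configs:
        if cfg.try_bind(username, password):
            matched.append(cfg.name)
            groups |= set(cfg.groups.get(username, ()))
    return (matched, groups) if matched else None


def sync_user_record(store, username, groups):
    """Simulated synchronisation on login: group memberships are replaced,
    not merged, which is why a manual assignment would not survive a relogin."""
    store[username] = set(groups)
    return store[username]


def reset_attempts(configs):
    for cfg in configs:
        cfg.bind_attempts = 0


if __name__ == "__main__":
    store = {}
    sync_user_record(store, "UserC", {"Group1", "Group2"})  # manual assignment
    name, groups = authenticate_first_match(CONFIGS, "UserC", "pw-c")
    sync_user_record(store, "UserC", groups)
    print("first match:", name, sorted(groups), "-> stored", sorted(store["UserC"]))
    print("merged:", authenticate_merged(CONFIGS, "UserC", "pw-c"))
```

Running the block shows UserC logging in through LDAP1 and being synchronised to Group1 only, overwriting a manual Group1+Group2 assignment, while the merged variant returns both groups at the price of binding against every configuration on each login.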

chrosey commented 2 years ago

That's a long time. I can barely remember the situation... It was most likely that there is no possibility for that scenario.

We had a large LDAP forest with many subtrees. Basically there was a user who worked part time for two of these subtrees, and so he had one account in each of them. To work in the TYPO3 backend, he had to relog every time he wanted to work on a different access area.

Basically the same problem existed for many users in the frontend (but was not disturbing because of SSO). The reason I asked for a solution was that all users were readable all the time by everyone in the LDAP forest, but they had no possibility to manage groups across the borders of a single LDAP tree where I could have said: allow users in Group A or Group B to this area.

I needed separate extension configurations for each tree in the forest to allow the same user.

I can try to explain this better, but since I am no longer in that company, I have no further intent to do so.