Sync LDAP without adding a group

cpayan

24 Mar, 2015 06:41 PM

I don't need to add a group to a user, everyone's got the groups they need, and I don't want all current Managers to be able to get to everyone by having them all in one group.

Our LDAP is set up with one large pool, so I'd be syncing everyone's info at once.

In Cascade 7.12.4, the LDAP config requires me to have a group specified, and errors out. Previous Cascade versions didn't require me to add anyone to a group.

Please let me know how to have an LDAP sync without adding anyone to a group.

  1. Support Staff 1 Posted by Tim on 24 Mar, 2015 08:04 PM

    Hi,

    Unfortunately I can't think of a great way to do this with your current setup. Back around version 7.2 we released the LDAP configuration UI which also had more strict validation for LDAP policies. Prior to the UI, the XML LDAP configuration would allow for admins to submit a policy without specifying Groups or Roles. This was actually a bug that was fixed with the more strict validation. The reason for this is that you can't create a User without assigning at least one Group and one Role (this can be seen in the UI for creating a new User within the application).

    Approximately how many users in total are you attempting to sync? Of those, do you know how many are managers?

  2. 2 Posted by cpayan on 24 Mar, 2015 08:08 PM

    So previously when we were using LDAP, it would basically just sync with
    the users we have in Cascade already. Our flow was to add a user to
    Cascade, then when LDAP was synced again, their password would be added.
    For the last few years, we were using CAS authentication exclusively and
    leaving LDAP behind, but since mod_auth_cas doesn't work with Apache 2.4+
    we're moving back to LDAP.

    So this is about 200 users we need synced from LDAP, where our LDAP has a
    few thousand staff members. The groups aren't really reliable, so the
    previous flow worked best.

  3. Support Staff 3 Posted by Tim on 25 Mar, 2015 09:00 PM

    Gotcha. That makes sense. I don't see any way to make Cascade allow for you to create a User without specifying a minimum of 1 Group and 1 Role moving forward, so I'm trying to think of the least painful way for you all to accomplish this.

    Would it be possible to place the folks that you know are going to be managers into a specific group in your LDAP implementation and then filter on those in an LDAP user policy? Then, perhaps you can use a different filter (and another user policy) to bring in everybody else. Each user policy would be assigning different Cascade Groups to the subsets of users from your LDAP server. For example, maybe 'all users' can be assigned to 'GroupA' in Cascade (which is a Group with basically no access to anything) and managers can be assigned to 'GroupB'? I'm hoping this would prevent your managers from seeing others that belong to their Group.

    Keep in mind that both user policies would be configured so as not to remove the users from existing Groups/Roles.

    Let me know if that helps at all. I realize it can be a bit confusing.

  4. 4 Posted by cpayan on 06 Apr, 2015 06:15 PM

    I'm working with IT to set something like that up.

    I have a question about something that's unclear to me from the knowledge
    base. When we run an LDAP sync, if there are no filtering attributes *just
    for Cascade* then it'll add everyone in the organizational unit to Cascade?

  5. Support Staff 5 Posted by Tim on 06 Apr, 2015 06:23 PM

    When we run an LDAP sync, if there are no filtering attributes just for Cascade then it'll add everyone in the organizational unit to Cascade?

    Correct. It will basically bring in every user under your container identifier.

  6. 6 Posted by cpayan on 06 Apr, 2015 06:35 PM

    Would all those people be able to log into Cascade?

    Also, was it always like this?

    As I recall, we would add someone to Cascade, then sync with LDAP and only
    those users who were in Cascade and had a username that matched with LDAP
    were synced.

  7. Support Staff 7 Posted by Tim on 06 Apr, 2015 06:55 PM

    Would all those people be able to log into Cascade? Also, was it always like this? As I recall, we would add someone to Cascade, then sync with LDAP and only those users who were in Cascade and had a username that matched with LDAP were synced.

    Yes. All of those users would then have the ability to log into Cascade Server using their standard LDAP credentials. This behavior hasn't changed. Perhaps you are thinking about custom authentication? In the case of someone using Shibboleth or CAS, for example, a user would first have to exist in Cascade Server in order to be able to log in. Otherwise, they would simply receive an error upon attempting to log in.

    Let me know if you have any additional questions and I'll be happy to answer them.

    Thanks

  8. 8 Posted by cpayan on 06 Apr, 2015 07:01 PM

    Yeah, I'm mostly catching up on LDAP. Our previous experience with LDAP was
    (I believe) the 6.x Cascade series, so apparently it's changed pretty
    significantly since then.

    Thank you very much, I think you've answered everything.

  9. Support Staff 9 Posted by Tim on 06 Apr, 2015 07:05 PM

    No problem! I'll go ahead and close out the discussion for now, but don't hesitate to comment back if something else comes up related to this. We'll be happy to help out further.

    Have a good one!

  10. Tim closed this discussion on 06 Apr, 2015 07:05 PM.
