<p>Sync LDAP without adding a group (Cascade CMS: Discussion, help-archives.hannonhill.com, last updated 2015-04-06T19:05:49Z)</p>
<div><p><em>Posted 2015-03-24T20:04:54Z</em></p>
<p>Hi,</p>
<p>Unfortunately I can't think of a great way to do this with your
current setup. Back around version 7.2 we released the LDAP
configuration UI which also had more strict validation for LDAP
policies. Prior to the UI, the XML LDAP configuration would allow
for admins to submit a policy without specifying Groups or Roles.
This was actually a bug that was fixed with the more strict
validation. The reason for this is that you can't create a User
without assigning at least one Group and one Role (this can be seen
in the UI for creating a new User within the application).</p>
<p>Approximately how many users in total are you attempting to
sync? Of those, do you know how many are managers?</p>
<p><em>Tim</em></p></div>
<div><p><em>Posted 2015-03-24T20:08:45Z</em></p>
<p>So previously when we were using LDAP, it would basically just
sync with the users we have in Cascade already. Our flow was to add a user
to Cascade, then when LDAP was synced again, their password would be
added. For the last few years, we were using CAS authentication
exclusively and leaving LDAP behind, but since mod_auth_cas doesn't work with
Apache 2.4+ we're moving back to LDAP.</p>
<p>So this is about 200 users we need synced from LDAP, where our
LDAP has a few thousand staff members. The groups aren't really reliable, so
the previous flow worked best.</p>
<p><em>cpayan</em></p></div>
<div><p><em>Posted 2015-03-25T21:00:27Z</em></p>
<p>Gotcha. That makes sense. I don't see any way to make Cascade
allow for you to create a User without specifying a minimum of 1
Group and 1 Role moving forward, so I'm trying to think of the
least painful way for you all to accomplish this.</p>
<p>Would it be possible to place the folks that you know are going
to be managers into a specific group in your LDAP implementation
and then filter on those in an LDAP user policy? Then, perhaps you
can use a different filter (and another user policy) to bring in
everybody else. Each user policy would be assigning different
Cascade Groups to the subsets of users from your LDAP server. For
example, maybe 'all users' can be assigned to 'GroupA' in Cascade
(which is a Group with basically no access to anything) and
managers can be assigned to 'GroupB'? I'm hoping this would prevent
your managers from seeing others that belong to their Group.</p>
<p>Keep in mind that both user policies would be configured so as
<em>not</em> to remove the users from existing Groups/Roles.</p>
<p>Let me know if that helps at all. I realize it can be a bit
confusing.</p>
<p><em>Tim</em></p></div>
<div><p><em>Posted 2015-04-06T18:15:46Z</em></p>
<p>I'm working with IT to set something like that up.</p>
<p>I have a question about something that's unclear to me from the
knowledge base. When we run an LDAP sync, if there are no filtering
attributes <em>just for Cascade</em> then it'll add everyone in the organizational unit
to Cascade?</p>
<p><em>cpayan</em></p></div>
<div><p><em>Posted 2015-04-06T18:23:30Z</em></p>
<blockquote>
<p>When we run an LDAP sync, if there are no filtering attributes
<em>just for Cascade</em> then it'll add everyone in the
organizational unit to Cascade?</p>
</blockquote>
<p>Correct. It will basically bring in every user under your
container identifier.</p>
<p><em>Tim</em></p></div>
<div><p><em>Posted 2015-04-06T18:35:26Z</em></p>
<p>Would all those people be able to log into Cascade?</p>
<p>Also, was it always like this?</p>
<p>As I recall, we would add someone to Cascade, then sync with
LDAP and only those users who were in Cascade and had a username that matched
with LDAP were synced.</p>
<p><em>cpayan</em></p></div>
<div><p><em>Posted 2015-04-06T18:55:59Z</em></p>
<blockquote>
<p>Would all those people be able to log into Cascade? Also, was it
always like this? As I recall, we would add someone to Cascade,
then sync with LDAP and only those users who were in Cascade and
had a username that matched with LDAP were synced.</p>
</blockquote>
<p>Yes. All of those users would then have the ability to log into
Cascade Server using their standard LDAP credentials. This behavior
hasn't changed. Perhaps you are thinking about custom
authentication? In the case of someone using Shibboleth or CAS, for
example, a user would first have to exist in Cascade Server in
order to be able to log in. Otherwise, they would simply receive an
error upon attempting to log in.</p>
<p>Let me know if you have any additional questions and I'll be
happy to answer them.</p>
<p>Thanks</p>
<p><em>Tim</em></p></div>
<div><p><em>Posted 2015-04-06T19:01:30Z</em></p>
<p>Yea, I'm mostly catching up on LDAP. Our previous experience
with LDAP was (I believe) the 6.x Cascade series, so apparently it's changed
pretty significantly since then.</p>
<p>Thank you very much, I think you've answered everything.</p>
<p><em>cpayan</em></p></div>
<div><p><em>Posted 2015-04-06T19:05:45Z</em></p>
<p>No problem! I'll go ahead and close out the discussion for now,
but don't hesitate to comment back if something else comes up
related to this. We'll be happy to help out further.</p>
<p>Have a good one!</p>
<p><em>Tim</em></p></div>
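<p>The two-policy approach Tim describes above, together with his answer that an unfiltered policy brings in every user under the container identifier (all of whom can then log in), modelled as an added example. This is not Cascade's own code: the directory entries, uids and group DNs are constructed, GroupA/GroupB are the Cascade Group names from Tim's example, and a small RFC 4515 filter evaluator stands in for the directory search.</p>

```python
GROUPS = "ou=groups,dc=example,dc=edu"          # constructed group base DN
CMS_USERS = f"cn=cms-users,{GROUPS}"
CMS_MANAGERS = f"cn=cms-managers,{GROUPS}"

# Constructed sample container: uid -> LDAP attributes (multi-valued lists).
DIRECTORY = {
    "alice": {"objectClass": ["person"], "memberOf": [CMS_USERS]},
    "bob": {"objectClass": ["person"], "memberOf": [CMS_USERS, CMS_MANAGERS]},
    "carol": {"objectClass": ["person"], "memberOf": []},  # staff, not a CMS user
    "dave": {"objectClass": ["person"], "memberOf": [CMS_MANAGERS]},
}

# One (filter, Cascade Groups) pair per user policy. As Tim notes, each policy
# only adds Groups; it never removes a user from Groups they already have.
POLICIES = [
    (f"(memberOf={CMS_USERS})", {"GroupA"}),                              # all CMS users
    (f"(&(memberOf={CMS_USERS})(memberOf={CMS_MANAGERS}))", {"GroupB"}),  # managers
]

def parse(flt, i=0):
    """Parse an RFC 4515 subset (=, &, |, !) starting at flt[i]; return (node, next_i)."""
    assert flt[i] == "(", "each filter item must be parenthesised"
    i += 1
    if flt[i] in "&|!":
        op, kids, i = flt[i], [], i + 1
        while flt[i] == "(":
            node, i = parse(flt, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    j = flt.index(")", i)
    attr, val = flt[i:j].split("=", 1)  # value may itself contain '=' (a DN)
    return ("=", attr, val), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op = node[0]
    if op == "&": return all(matches(k, entry) for k in node[1])
    if op == "|": return any(matches(k, entry) for k in node[1])
    if op == "!": return not matches(node[1][0], entry)
    return node[2].lower() in (v.lower() for v in entry.get(node[1], []))

def apply_policies(directory, policies):
    """Return {uid: Cascade Groups} that running every policy would provision."""
    users = {}
    for flt, groups in policies:
        node, _ = parse(flt)
        for uid, entry in directory.items():
            if matches(node, entry):
                users.setdefault(uid, set()).update(groups)
    return users
```

Running a candidate policy through apply_policies against an export of the container is a quick way to see how many accounts (and therefore logins) a sync would create before enabling it; an unfiltered `(objectClass=person)` policy provisions every entry.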