Sync LDAP without adding a group
I don't need to add a group to a user, everyone's got the groups they need, and I don't want all current Managers to be able to get to everyone by having them all in one group.
Our LDAP is set up with one large pool, so I'd be syncing everyone's info at once.
In Cascade 7.12.4, the LDAP config requires me to have a group specified, and errors out. Previous Cascade versions didn't require me to add anyone to a group.
Please let me know how to have an LDAP sync without adding anyone to a group.
Support Staff 1 Posted by Tim on 24 Mar, 2015 08:04 PM
Hi,
Unfortunately I can't think of a great way to do this with your current setup. Back around version 7.2 we released the LDAP configuration UI which also had more strict validation for LDAP policies. Prior to the UI, the XML LDAP configuration would allow for admins to submit a policy without specifying Groups or Roles. This was actually a bug that was fixed with the more strict validation. The reason for this is that you can't create a User without assigning at least one Group and one Role (this can be seen in the UI for creating a new User within the application).
Approximately how many users in total are you attempting to sync? Of those, do you know how many are managers?
2 Posted by cpayan on 24 Mar, 2015 08:08 PM
So previously when we were using LDAP, it would basically just sync with the users we have in Cascade already. Our flow was to add a user to Cascade, then when LDAP was synced again, their password would be added.
For the last few years, we were using CAS authentication exclusively and leaving LDAP behind, but since mod_auth_cas doesn't work with Apache 2.4+ we're moving back to LDAP.
So this is about 200 users we need synced from LDAP, where our LDAP has a few thousand staff members. The groups aren't really reliable, so the previous flow worked best.
Support Staff 3 Posted by Tim on 25 Mar, 2015 09:00 PM
Gotcha. That makes sense. I don't see any way to make Cascade allow for you to create a User without specifying a minimum of 1 Group and 1 Role moving forward, so I'm trying to think of the least painful way for you all to accomplish this.
Would it be possible to place the folks that you know are going to be managers into a specific group in your LDAP implementation and then filter on those in an LDAP user policy? Then, perhaps you can use a different filter (and another user policy) to bring in everybody else. Each user policy would be assigning different Cascade Groups to the subsets of users from your LDAP server. For example, maybe 'all users' can be assigned to 'GroupA' in Cascade (which is a Group with basically no access to anything) and managers can be assigned to 'GroupB'? I'm hoping this would prevent your managers from seeing others that belong to their Group.
Keep in mind that both user policies would be configured so as not to remove the users from existing Groups/Roles.
Let me know if that helps at all. I realize it can be a bit confusing.
4 Posted by cpayan on 06 Apr, 2015 06:15 PM
I'm working with IT to set something like that up.
I have a question about something that's unclear to me from the knowledge base. When we run an LDAP sync, if there are no filtering attributes *just for Cascade* then it'll add everyone in the organizational unit to Cascade?
Support Staff 5 Posted by Tim on 06 Apr, 2015 06:23 PM
Correct. It will basically bring in every user under your container identifier.
6 Posted by cpayan on 06 Apr, 2015 06:35 PM
Would all those people be able to log into Cascade?
Also, was it always like this?
As I recall, we would add someone to Cascade, then sync with LDAP and only those users who were in Cascade and had a username that matched with LDAP were synced.
Support Staff 7 Posted by Tim on 06 Apr, 2015 06:55 PM
Yes. All of those users would then have the ability to log into Cascade Server using their standard LDAP credentials. This behavior hasn't changed. Perhaps you are thinking about custom authentication? In the case of someone using Shibboleth or CAS, for example, a user would first have to exist in Cascade Server in order to be able to log in. Otherwise, they would simply receive an error upon attempting to log in.
Let me know if you have any additional questions and I'll be happy to answer them.
Thanks
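As an added illustration (not Cascade's code and not part of this thread), the following Python model captures the two points made above: Tim's suggestion of two LDAP user policies (an unfiltered "all users" policy assigning a low-access Cascade group, plus a manager policy filtered on an LDAP group and assigning a second Cascade group), and the caveat that a policy with no filter brings in every entry under the container identifier as a login-capable user. The directory entries, group names (`cms-managers`, `GroupA`, `GroupB`) and the role names are constructed sample values; the policy fields and the "must assign at least one Group and one Role" validation are modelled on the behaviour described in the thread, not on Cascade's real configuration schema.

```python
"""Constructed model of LDAP user policies as described in the thread (not Cascade's own code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class LdapEntry:
    uid: str
    container: str                      # e.g. the OU the entry lives under
    member_of: FrozenSet[str] = frozenset()


@dataclass
class CascadeUser:
    username: str
    groups: Set[str] = field(default_factory=set)
    roles: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class UserPolicy:
    container: str                      # container identifier the sync reads from
    ldap_group: Optional[str]           # None = no filter: every entry under the container matches
    assign_groups: FrozenSet[str]
    assign_roles: FrozenSet[str]
    remove_from_existing: bool = False  # False keeps the user's current Groups/Roles (as Tim advises)


def matches(policy: UserPolicy, entry: LdapEntry) -> bool:
    """An entry matches when it sits under the policy's container and passes the group filter, if any."""
    if entry.container != policy.container:
        return False
    return policy.ldap_group is None or policy.ldap_group in entry.member_of


def run_sync(directory: List[LdapEntry], existing: List[CascadeUser],
             policies: List[UserPolicy]) -> Dict[str, CascadeUser]:
    """Apply each policy in order; matching entries become (or update) Cascade users."""
    users = {u.username: CascadeUser(u.username, set(u.groups), set(u.roles)) for u in existing}
    for policy in policies:
        # Mirrors the stricter validation the thread describes: no Group/Role-less policies.
        if not policy.assign_groups or not policy.assign_roles:
            raise ValueError("a user policy must assign at least one Group and one Role")
        for entry in directory:
            if not matches(policy, entry):
                continue
            user = users.setdefault(entry.uid, CascadeUser(entry.uid))
            if policy.remove_from_existing:
                user.groups, user.roles = set(policy.assign_groups), set(policy.assign_roles)
            else:
                user.groups |= policy.assign_groups
                user.roles |= policy.assign_roles
    return users


def visible_to(users: Dict[str, CascadeUser], group: str) -> Set[str]:
    """Members of a Cascade group can see each other: return that membership set."""
    return {name for name, u in users.items() if group in u.groups}


# Constructed sample directory: a staff OU plus one entry elsewhere that the sync must not touch.
MANAGERS = frozenset({"alice", "dave"})
DIRECTORY = [
    LdapEntry("alice", "ou=staff", frozenset({"cms-managers"})),
    LdapEntry("bob", "ou=staff"),
    LdapEntry("carol", "ou=staff"),
    LdapEntry("dave", "ou=staff", frozenset({"cms-managers"})),
    LdapEntry("erin", "ou=alumni"),
]
# alice already exists in Cascade with a hand-assigned group; the sync must not strip it.
EXISTING = [CascadeUser("alice", {"Web Editors"}, {"Contributor"})]

POLICY_ALL = UserPolicy("ou=staff", None, frozenset({"GroupA"}), frozenset({"Default"}))
POLICY_MANAGERS = UserPolicy("ou=staff", "cms-managers", frozenset({"GroupB"}), frozenset({"Manager"}))


def sync_with_two_policies() -> Dict[str, CascadeUser]:
    return run_sync(DIRECTORY, EXISTING, [POLICY_ALL, POLICY_MANAGERS])


if __name__ == "__main__":
    for name, u in sorted(sync_with_two_policies().items()):
        print(f"{name}: groups={sorted(u.groups)} roles={sorted(u.roles)}")
    print("visible within GroupB:", sorted(visible_to(sync_with_two_policies(), "GroupB")))
```

Running the model shows the trade-off in the thread: the unfiltered policy imports every `ou=staff` entry (all of whom could then log in), while only the filtered policy places managers in `GroupB`, so the membership visible within that group is limited to the managers themselves and pre-existing group assignments survive because neither policy removes existing Groups/Roles.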
8 Posted by cpayan on 06 Apr, 2015 07:01 PM
Yea, I'm mostly catching up on LDAP. Our previous experience with LDAP was (I believe) the 6.x Cascade series, so apparently it's changed pretty significantly since then.
Thank you very much, I think you've answered everything.
Support Staff 9 Posted by Tim on 06 Apr, 2015 07:05 PM
No problem! I'll go ahead and close out the discussion for now, but don't hesitate to comment back if something else comes up related to this. We'll be happy to help out further.
Have a good one!
Tim closed this discussion on 06 Apr, 2015 07:05 PM.