[Feature Request]: LDAP Sync improvements #14696
Comments
|
👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
At this moment LDAP Sync has some limitations. It can easily import any user account that matches criteria (like baseDN and LDAP Filter), but when account is changed in a way that it fails to satisfy search requirements - SnipeIT will not update it anymore.
Let's imagine simple scenario:
In that case import filter cuts off account visibility and user will never be deactivated.
Another scenario:
In that case SnipeIT will create another user account. This also occurs, when user changes name (due to some life decissions)
Describe the solution you'd like
For LDAP users create field with uniqueID, defaulting to ObjectSID in case of AD. Then make it possible to sync all LDAP-enabled users with option like --sync-existing
Describe alternatives you've considered
Alternatively, to avoid changing user model at all - make it possible to exclude disabled accounts from being imported by making use of already present logic related to Activated flag of user account. This would require one checkbox ("exclude disabled user accounts from import") and one more condition around line 250 of LdapSync.php, which in turn would make it possible to drop part of import filter.
This approach would not make it possible to track username changes tho.
Additional context
It is mostly question "what would be better" as I could just think around both scenarios and probably write both solutions myself
The text was updated successfully, but these errors were encountered: