Is your feature request related to a problem? Please describe.
At this moment LDAP Sync has some limitations. It can easily import any user account that matches the criteria (like baseDN and LDAP Filter), but when an account is changed in a way that it fails to satisfy the search requirements, SnipeIT will not update it anymore.
Let's imagine simple scenario:
We have existing LDAP directory with some former users not enabled
Filter is placed to exclude them from import/sync
Sync is performed
Imported user account is disabled in LDAP
In that case the import filter cuts off account visibility and the user will never be deactivated.
Another scenario:
User account is created with typo in its username
Sync creates user
Mistake in LDAP is spotted and fixed
In that case SnipeIT will create another user account. This also occurs when a user changes name (due to some life decisions).
Describe the solution you'd like
For LDAP users, create a field with a uniqueID, defaulting to ObjectSID in the case of AD. Then make it possible to sync all LDAP-enabled users with an option like --sync-existing.
Describe alternatives you've considered
Alternatively, to avoid changing the user model at all, make it possible to exclude disabled accounts from being imported by making use of the already present logic related to the Activated flag of the user account. This would require one checkbox ("exclude disabled user accounts from import") and one more condition around line 250 of LdapSync.php, which in turn would make it possible to drop part of the import filter.
This approach would not make it possible to track username changes, though.
Additional context
It is mostly a question of "what would be better", as I could just think around both scenarios and probably write both solutions myself.
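Added example (not part of the issue and not Snipe-IT code): a plain-PHP model of the requested sync, matching users on an immutable directory ID so that a rename updates the existing record and an account disabled in AD is deactivated even though the import filter no longer returns it. The function name, array shapes and sample SIDs are assumptions, and deactivating users whose ID has vanished from the directory goes beyond what the issue asks for.

```php
<?php
// Added illustration, not Snipe-IT code; reconcile() and the array shapes are hypothetical.
const UAC_ACCOUNTDISABLE = 0x0002; // AD userAccountControl bit: account disabled

/**
 * $local     existing users keyed by immutable directory ID (objectSID for AD)
 * $directory entries fetched without the "enabled only" clause, same keys
 * $mayImport decides whether an entry not yet known locally may be created
 */
function reconcile(array $local, array $directory, callable $mayImport): array
{
    foreach ($directory as $sid => $entry) {
        $enabled = ($entry['uac'] & UAC_ACCOUNTDISABLE) === 0;
        if (isset($local[$sid])) {
            // Known account: refresh it even if it no longer passes the import filter.
            $local[$sid]['username']  = $entry['username']; // a rename follows the ID
            $local[$sid]['activated'] = $enabled;
        } elseif ($mayImport($entry)) {
            $local[$sid] = ['username' => $entry['username'], 'activated' => $enabled];
        }
    }
    // Assumption beyond the issue: a user whose ID is gone from the directory
    // is deactivated, never deleted, so asset history stays attached.
    foreach (array_keys(array_diff_key($local, $directory)) as $sid) {
        $local[$sid]['activated'] = false;
    }
    return $local;
}

// Constructed sample data; the SIDs are made up.
$local = [
    'S-1-5-21-1-2-3-1101' => ['username' => 'jsmiht', 'activated' => true], // typo at import
    'S-1-5-21-1-2-3-1102' => ['username' => 'adoe',   'activated' => true],
    'S-1-5-21-1-2-3-1103' => ['username' => 'gone',   'activated' => true],
];
$directory = [
    'S-1-5-21-1-2-3-1101' => ['username' => 'jsmith', 'uac' => 0x0200], // typo fixed
    'S-1-5-21-1-2-3-1102' => ['username' => 'adoe',   'uac' => 0x0202], // disabled later
    'S-1-5-21-1-2-3-1104' => ['username' => 'former', 'uac' => 0x0202], // never imported
    'S-1-5-21-1-2-3-1105' => ['username' => 'newbie', 'uac' => 0x0200],
];
$enabledOnly = fn(array $e): bool => ($e['uac'] & UAC_ACCOUNTDISABLE) === 0;

foreach (reconcile($local, $directory, $enabledOnly) as $sid => $user) {
    printf("%s %-7s %s\n", $sid, $user['username'], $user['activated'] ? 'active' : 'deactivated');
}
```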
👋 Thanks for opening your first issue here! If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. We get a lot of issues on this repo, so please be patient and we will get back to you as soon as we can.