Is there anything I can do to smooth future LDAP Integration?

loomi · November 24, 2017, 11:35am

Heyhey,

I know the LDAP Integration is on the Road-Map. Unfortunately it was pushed a Q in the back. But as everywhere we understand there is only such amount of time available.

Anyhow, we like to start using passbolt at our University.

We like to know if you can give already some tips, which would make a later switch to a LDAP based accounting smoothly possible?

Cheers,
Michael

remy · November 27, 2017, 10:19am

Hi @loomi,

There are a few things you can do, which is basically in a nutshell “keep the two in sync” manually:

Make sure the name of people in LDAP and passbolt are the same
Make sure the name of groups in LDAP and passbolt are the same
Make sure you delete the groups/people that are not in LDAP anymore.

Feel free also to comment on the thread discussing the LDAP integration feature. The more detailed the requirements and the clearer the user worflow the easier it is for us to define and implement a solution.

Thank you for your patience,

loomi · November 27, 2017, 12:17pm

Great, we will try to do this.

Not easy to push through as the users will subscribe them selfs. Is it already possible to restrict to a domain name for the email addresses or similar?

We are happy to help with requiring engineering and similar tasks.

remy · November 27, 2017, 12:30pm

Not easy to push through as the users will subscribe them selfs.

You should consider turning public registration off and adding them manually yourself in the user workspace.
Otherwise if you have scripting skills you can use the ‘RegisterUser’ console task to import all your users. For example:

 ./app/Console/cake passbolt register_user --username=ada@passbolt.com --first-name=ada --last-name=lovelace --role=user

Is it already possible to restrict to a domain name for the email addresses or similar?

Not at the moment, that’s been on the back of our mind. I created an issue there:

loomi · November 27, 2017, 12:55pm

Thank you for the pointers!

Importing all users is not a good idea in our case, we have +6000 users in our organisation, from which only a small part will use the service.

Okay voted for the issue (-:

Another way to do this properly is if the user can actually himself switch the user to “ldap” finally. The idea would be that the user has a possibility to add a “authentication method” which would be LDAP of the institution. (Others might be SAML/Oauth of lets say GitHub, Twitter, …)