[Pro] [Ldap] How to configure the LDAP connector to add users to groups without the group manager's manual intervention?

Hi there.

My organization uses a specific LDAP branch to feed Passbolt groups and users. This works fine :sunny:

But…

Users and groups are finely synched in Passbolt when there are no secrets shared, but when one shares a secret with a group, the sync script sends an email to the group manager asking for a manual operation. It says:

A request to add user laurence[xxxx].fr in group equipe-xxx was sent to the group manager.

Is it possible to allow group filling without this? I browsed the ldap.php file but didn't find an option for it.

Thanks for the help

Hi @audebraf86r,

Welcome to the community.

The reason why the LDAP connector behaves this way is the end-to-end nature of Passbolt. The connector doesn't have a private key, nor can it access the secrets stored in the database. Consequently, since it cannot decrypt the secrets, it cannot re-encrypt them for users that are added to a group that has passwords shared with it, and it needs to send a notification to the group manager to do it manually.

We have plans to improve this in the near future by managing user access to the secrets in a more asynchronous way.

Hope this answers your question.
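To make the key-separation argument in the reply above concrete, here is an added toy model (not Passbolt's code, and not its real OpenPGP implementation): the server and the directory sync hold only public keys and per-user ciphertexts, so adding a member to a group that has a shared secret can only produce a pending request, and only a key holder such as the group manager can decrypt and re-encrypt for the new member. The RSA-on-single-bytes cipher, the `Server` class, the `ldap_sync_add` / `manager_reshares` functions and the user, group and secret names are all constructed for this illustration.

```python
from dataclasses import dataclass, field

# Toy textbook RSA applied to single bytes. This is a deliberately simple
# stand-in for the OpenPGP keys Passbolt really uses; it is NOT secure and only
# exists so the public/private key separation can be exercised offline.
def keygen(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)          # (public key, private key)

def encrypt(pub, plaintext):
    e, n = pub
    return [pow(b, e, n) for b in plaintext.encode()]

def decrypt(priv, ciphertext):
    d, n = priv
    return bytes(pow(c, d, n) for c in ciphertext).decode()

@dataclass
class Server:
    """What the server-side components (including the LDAP connector) hold:
    public keys, group membership and ciphertexts. No private key anywhere."""
    public_keys: dict = field(default_factory=dict)   # user -> public key
    groups: dict = field(default_factory=dict)        # group -> set of users
    secrets: dict = field(default_factory=dict)       # secret id -> {"groups": set, "ct": {user: ciphertext}}
    pending: list = field(default_factory=list)       # (manager, secret id, user) notifications

    def ldap_sync_add(self, group, user, manager):
        """The directory sync may change membership, but cannot mint ciphertexts."""
        self.groups.setdefault(group, set()).add(user)
        for sid, s in self.secrets.items():
            if group in s["groups"] and user not in s["ct"]:
                # Without a private key the server cannot re-encrypt the secret,
                # so the only option is to ask the group manager to do it.
                self.pending.append((manager, sid, user))

    def users_without_access(self, sid):
        """Group members who have no ciphertext for this secret yet."""
        s = self.secrets[sid]
        members = set().union(*(self.groups[g] for g in s["groups"]))
        return members - set(s["ct"])

def manager_reshares(server, manager, manager_priv):
    """A user holding a private key decrypts the secret and re-encrypts it
    for every user in a pending request addressed to them."""
    for mgr, sid, user in list(server.pending):
        if mgr != manager:
            continue
        plaintext = decrypt(manager_priv, server.secrets[sid]["ct"][manager])
        server.secrets[sid]["ct"][user] = encrypt(server.public_keys[user], plaintext)
        server.pending.remove((mgr, sid, user))

def demo():
    """Walk through the flow described in the thread with constructed data."""
    mgr_pub, mgr_priv = keygen(61, 53)   # hypothetical group manager key pair
    new_pub, new_priv = keygen(47, 71)   # hypothetical newly synced user key pair
    srv = Server(public_keys={"manager": mgr_pub, "laurence": new_pub},
                 groups={"equipe-xxx": {"manager"}})
    # One secret shared with the group, encrypted only for its current member.
    srv.secrets["s1"] = {"groups": {"equipe-xxx"},
                         "ct": {"manager": encrypt(mgr_pub, "db-pass")}}
    # Directory sync adds a user: membership changes, a request is queued.
    srv.ldap_sync_add("equipe-xxx", "laurence", manager="manager")
    before = (len(srv.pending), srv.users_without_access("s1"))
    # Only the key holder can close the gap.
    manager_reshares(srv, "manager", mgr_priv)
    recovered = decrypt(new_priv, srv.secrets["s1"]["ct"]["laurence"])
    return before, recovered, len(srv.pending)

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows one pending request and `laurence` listed as a member without access right after the sync, and only after the manager-side re-encryption does the new member hold a ciphertext they can decrypt. Swapping the toy cipher for real OpenPGP keys does not change the shape of the problem: whatever has no private key can at best record that a re-share is needed.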

Hi @kevin,

Thank you for this clear explanation.

I'll notify users that they should ensure the maximum number of users are synched before starting to populate Passbolt.

This topic can be closed :slight_smile:

Best regards