My organization uses a specific LDAP branch to feed Passbolt groups and users. This works fine.
But…
Users and groups are finely synched in Passbolt when there are no secrets shared, but when someone shares a secret with a group, the sync script sends an email to the group manager asking for a manual operation. It says:
A request to add user laurence[xxxx].fr in group equipe-xxx was sent to the group manager.
Is it possible to allow group filling without this? I browsed the ldap.php file but didn't find an option for it.
The reason the LDAP connector behaves this way is the end-to-end nature of Passbolt. The connector doesn't have a private key, nor can it access the secrets stored in the database. Consequently, since it cannot decrypt the secrets, it cannot re-encrypt them for users that are added to a group with passwords shared with it, and it needs to send a notification to the group manager to do it manually.
We have plans to improve this in the near future by managing user access to the secrets in a more asynchronous way.
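The constraint described in the answer, as an added example that is not part of the original thread or of Passbolt's code: a toy model in which the server and sync job hold only public keys and ciphertexts (textbook ElGamal with toy parameters stands in for OpenPGP, and one secret per group is assumed), so the sync can only queue a notification while a private-key holder completes the share.

```python
# Constructed model of an end-to-end-encrypted group share. Textbook ElGamal over a
# toy prime replaces OpenPGP; nothing here is Passbolt's real code or parameters.
import secrets

P = 2**127 - 1   # Mersenne prime, toy group only
G = 5

def keygen():
    """Return (private, public). The private key never leaves the user's client."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def encrypt(pub, msg):
    """Encrypt a short string to a recipient's public key (toy: must fit in 15 bytes)."""
    m = int.from_bytes(msg.encode(), "big")
    assert m < P, "toy scheme: secret must fit in 15 bytes"
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), m * pow(pub, k, P) % P

def decrypt(priv, ct):
    c1, c2 = ct
    m = c2 * pow(pow(c1, priv, P), P - 2, P) % P   # c2 / c1^x, inverse via Fermat
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()

class Server:
    """What the server / LDAP connector sees: public keys, memberships and ciphertexts."""
    def __init__(self):
        self.pubkeys = {}        # user -> public key
        self.members = {}        # group -> set of users
        self.shares = {}         # (group, user) -> ciphertext of the group's secret
        self.notifications = []  # mails queued to group managers

def ldap_sync_add(server, group, user, manager):
    """Connector view: membership is added directly only if nothing needs re-encrypting."""
    if not any(g == group for g, _ in server.shares):
        server.members.setdefault(group, set()).add(user)
        return "added"
    # No private key here, so the connector cannot produce a ciphertext for `user`.
    server.notifications.append(
        f"A request to add user {user} in group {group} was sent to the group manager {manager}.")
    return "pending"

def manager_completes(server, group, user, manager, manager_priv):
    """Manager's client: decrypt its own copy and re-encrypt for the newcomer."""
    plaintext = decrypt(manager_priv, server.shares[(group, manager)])
    server.shares[(group, user)] = encrypt(server.pubkeys[user], plaintext)
    server.members.setdefault(group, set()).add(user)
    return "added"
```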