I have a larger user base which I trust with adding/managing IPs themselves. But it is a huge pain to constantly keep the two sides (local user list & AD) in sync.
While it may be a lot of work to implement user sync, maybe a step in between could be to assign permissions based on AD group membership. Like this:
- Local users are empty except for local admin.
- I create a local group in phpIPAM and assign permissions
- I configure the group to have an LDAP search string that points to an AD group and returns its users
- When a user tries to log in, his/her credentials are matched against group definitions if no local users are found.
- If a group returns a match through its LDAP search string, the user is permitted login/given permissions.
Granted, there could be design flaws in this (missing user attributes like email, unless those are pulled from AD, too).
Anonymous
Until something gets put into a release, here's the solution I found to this problem:
For any successful AD login, this will create a local user if none exists, and add them to the Guests group. Tested on v0.9
1) Replace functions/functions-install.php with the one from this repo (credits to them):
https://github.com/enovance/phpipam/
2) Change line 437 from $email = $username."@enovance.com"; to $email = $username."@".$settings['siteDomain'];
3) I also changed the role to User and made the default group Guest -- change this to suit
Replace line 439 (the $query line) with:
//default group. # = groupId.
$defaultGroup = '{"3":"3"}';
$query = "INSERT INTO users (username, role, real_name, email, domainUser, lang, groups) VALUES ('$username', 'User', '$real_name', '$email', 1, 1, '$defaultGroup');";
Hope this helps
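The INSERT in the workaround above puts $username and $real_name straight into the SQL string, so unless they are escaped earlier, a directory display name containing a quote breaks or alters the query. An added example (not from the post and not phpIPAM code) of the same provisioning step with bound parameters; the function name, the PDO handle and the SQLite demo table are assumptions, while the column names come from the post.

```php
<?php
// Added example, not phpIPAM code. Column names are taken from the INSERT in the post;
// provisionDomainUser(), the PDO handle and the SQLite demo table are assumptions.
function provisionDomainUser(PDO $db, string $username, string $realName,
                             string $siteDomain, int $defaultGroupId): bool
{
    // Reject anything that is not a plain account name before it reaches SQL or the email field.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        throw new InvalidArgumentException('unexpected characters in username');
    }

    // Only create the local record when none exists yet.
    $check = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $check->execute([$username]);
    if ($check->fetchColumn() !== false) {
        return false;
    }

    // Same {"<groupId>":"<groupId>"} shape as $defaultGroup in the post.
    $groups = json_encode([(string)$defaultGroupId => (string)$defaultGroupId], JSON_FORCE_OBJECT);

    // Values from the directory are bound, never concatenated into the statement.
    $insert = $db->prepare(
        'INSERT INTO users (username, role, real_name, email, domainUser, lang, `groups`)
         VALUES (?, ?, ?, ?, 1, 1, ?)'
    );
    $insert->execute([$username, 'User', $realName, $username . '@' . $siteDomain, $groups]);
    return true;
}

// Constructed demo: in-memory table holding only the columns named in the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT, real_name TEXT,
           email TEXT, domainUser INT, lang INT, `groups` TEXT)');

// Constructed sample values; the apostrophe in the display name is stored as data.
var_dump(provisionDomainUser($db, 'jdoe', "Pat O'Neil", 'example.com', 3));
var_dump(provisionDomainUser($db, 'jdoe', "Pat O'Neil", 'example.com', 3));
```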
Any improvements here?
I vote for this feature.
Can this be added on the next release?
There is a great emptiness in my heart that only this feature can fill.
I vote for this. This is the only feature that is preventing my company from using this software. Adding individual users from domain isn't scalable for a large company with lots of Engineers consuming IPs.