LDAP Data synchronisation problem #58
Comments
|
Do you have ideas about this? |
|
for the whitelist problem: is it possible to add the fields (invitedBoards,language, initials and starredBoards) in the whitelist? |
This option i think is a relict from the origin of this module. Because in wekan there are no roles that you can sync with any ldap groups the usage of this option causes a server side error. |
No, its not that easy, then you have successfully synced information from ldap to MongoDB and no other part of wekan is able to use this information. Maybe the customField option in addition to the Accounts_CustomFields option do what you want but i have not really understand yet how this is exactly working. |
|
Wekan will have Teams/Groups etc so it would be good to have option to assign LDAP group to Team/Department/other group wekan/wekan#802 (comment) |
|
if we synchronize these fields to add in mongodb, why can not we use? these fields are well used
|
|
Re, The PR (Add support for admin status sync #40) is it included in the SNAP package of version 2.38 of wekan? that would correct my problem : the admin role is also not applied to the new user |
|
Yes it's included in snap: I don't currently have LDAP server, so I'm unable to test it. Actually snap is already at v2.40. |
|
Hello, For the differents points:
|
|
Well depends what all custom fields you need. Profile is just table that is visible at Admin Panel / People. Currently there is Full Name, Email Address, etc. Those are mapped in LDAP and OIDC OAuth2 mapping like any other field currently. So adding new ones would be to just add new column to that table for telephone number, location, services etc. For example, I will add new column for HTTP header to implement wekan/wekan#2019. I have not added yet to be editable columns initials and verified. Can you write list about what fields you need? |
|
What fields you need visible somewhere else than at Admin Panel? For example, do you need them in viewable or editable user profile, or visible when clicking board member avatar? |
|
I can confirm that ldap-sync-admin-groups (#40) is NOT working in 2.48 too. |
|
Has it worked in any Wekan version? For any Wekan user? |
|
In general, if it's known in what Wekan version some feature works and in what Wekan version it does not work, it's easier to fix. |
|
Never tried before. |
|
Can you fix this? |
|
i can't reproduce the problem. |
|
@JulianJacobi I'm using following config: The LDAP is Microsoft Active Directory. Questions: |
I also vote for having the possibility to sync "initials" from LDAP. They are often used in enterprises to identify employees and currently this is the only field of a wekan user profile that can't be synced. |
|
Now I understand your problems I think. The admin status sync is based on the groups found by group search of the group filter. So you neet to configure the Group filter options to. UPDATE: I'm not shure if you need to enable the group filter but I think so. |
|
Hm, I though the group filter is used to limit the people that are allowed to login within the given basedn? I did not find any useful documentation or examples (?) regarding group filters, therefore I tried following: When I set "snap set wekan ldap-group-filter-enable=true", I can no longer login via LDAP. But: Even after adding the goup filter still no luck with assigning admin rights! It would really be very helpfull if someone could share a working configuration for LDAP with MS AD including assignment of admin rights and may aslo answer the questiins above (nested groups, member vs. memberof, group format), This is my current setup: Thanks! |
|
It looks like #40 (which adds the admin sync feature) was closed instead of merged, so the code never made it into the repository. |
|
Hi,
Config: br, |
|
Just for additional info, if all users are admin now, see this new setting: |
|
Doh, I think I'll need to make that default setting in next Wekan release. |
|
Hi, The current configuration: This config works sofar, that all found AD Users are able to login. The Problem is, that all Users are getting ADMIN Privileges in cause of > ldap-sync-admin-groups ='grp.app.admin.wekan' <;; even they are not part of the group in the LDAP; What i can see in the logfiles is, that all users will be queried, the all groups will als be queried but it seams to be that they are not get stick togehter. To see at the login which user has which role assigned.. for example in jasperreports it is a similar case. I'vh combined it by the group search filter: br, |
|
Can you look at this? |
|
According to one Wekan user, if you set LDAP_SYNC_ADMIN_STATUS to "true" then you also need to specify LDAP_SYNC_ADMIN_GROUPS for which groups are admin. That way it should work as expected, also the mapping of mail/fullname/username etc. Please test. Thanks! |
|
Hi xet7!
The behavior is, that the function ldap-sync-admin-groups will work well. So on login the user will get the admin rights. This has also been reduced by "ldap-sync-admin-groups". If i read the debug logs correctly the login will check up the groups are available unter the basedn. Thats ok for me sofar. The problem seams to be, that ALL groups will also be passed to the admin filter, without checkup if the login user is part of the group. Logsnip: In the LDAP the user IS NOT part of the grp.app.admin.wekan group... I dont know how to match the groups which are the user is memberof, for the admin group. This results in: All Users get admin, because in the matching all users have all groups ... br |
|
Ivh also checked, that the group filter will also not work . The group is total empty. May 25 11:12:04 vsvwekan01 wekan.wekan[19357]: [DEBUG] Group filter LDAP: "(&(objectclass=group)(cn=dbc.app.wekan))" But i dont think that the group is matched to the user in any way. |
|
Hi, Kind Rgds, |
|
Group filter issue is at wekan/wekan#2356 Please someone add to Wekan GitHub wiki docs how I could install some LDAP server to some cloud or bare metal server, so that I could test Wekan with it. Problem is, I have never figured out how to install LDAP server, what all the options are, where are docs, how they work, etc. LDAP has been developed by other Wekan contributors, not me. So I'm at the mercy of those Wekan LDAP contributors. |
Running on Univention LDAP No longer works, can only login with password option., Just when I got a dept to start using it, they cant login. Can you fix this. It was working now it isnt. No new LDAP members can login even though they are authorized in USERS in Univention. Nothing changed. New users showing in Univention USERS and Active Directory but they still cant use this program. Even listed in admin panel under People, LDAP as authentication method can only login with password option. |
|
At Wekan Admin Panel / Setting / Layout / Default Authentication Method, is there LDAP selected? In Wekan v3.56 for Univention, that will be released in near future, I have made all Wekan LDAP etc settings configurable in Univention App settings, so that it is possible to change those if something is not configured correctly. |
|
Do it mean that email won't never be updated ? with this whitelist
In my case i've entered a wrong email, it's impossible to update it
And even after deletion from ldap the user, wekan re import the user, because it still the collection in mongo then the email is wrong. I had to setup mongo sock available in the host to delete the collection, but it's not simple and to recover a wekan fully fonctionnal it tooks me times... |
|
What steps you did to recover Wekan fully? I'll think how to make it easier. |
|
I have added some tasks from this issue to first comment of Teams/Organizations feature. If there is something missing, please comment at Teams/Organizations issue. |
Server Setup Information:
Problem description:
I have the following configuration:
snap set wekan ldap-sync-user-data='true'
snap set wekan ldap-sync-user-data-fieldmap='{"cn":"name", "mail":"email", "initials":"initials"}'
snap set wekan ldap-sync-admin-status='true'
snap set wekan ldap-sync-admin-groups='SG_ACCES_WEKAN_ADMIN'
but the field "initials" is not updated with AD info. Error Message :
[DEBUG] user attribute not whitelisted: initials
the admin role is also not applied to the new user
best regards
The text was updated successfully, but these errors were encountered: