Migrate local Cloudron User to AD
-
Hi,
we implemented a test installation of Cloudron and were so excited that we are already using it with a bunch of users as a live environment. Unfortunately we neglected to activate the AD sync in the beginning. Now we are looking for a way to migrate the local Cloudron users and connect them with their AD counterparts. Is there any chance of doing so?
Best,
Sven
PS: Do you have plans for the near future to automate the AD/LDAP sync?
-
@manngobaum currently there is no script or feature available to map those users in hindsight. Depending on how many you have there, it might be possible to fix those up in the database manually. But that is a bit involved and I guess should be done by us; I don't really know off the top of my head what all is required even.
Maybe if there is more interest around that feature, we can just add it properly?
-
@manngobaum ok, I can look into this. Please send us a mail to support@cloudron.io with your dashboard domain and enable remote SSH for us, so I can take a direct look at the situation and can start working on a script which we may then be able to include in a later release to perform such tasks.
-
I have played with this scenario a while ago and came to the conclusion that as long as the usernames are the same only a single value in the Cloudron database needs to be updated. I documented this at https://forum.cloudron.io/topic/2189/ldap-ad-server/49?_=1630386173323
-
@fbartels thanks for sharing this, I must have overlooked your post there. I am just checking any side-effects, but it very much looks like what your investigation revealed about setting the `source` only and ignoring the previously set password and such in the database. From that point on any display name and email changes should be synced as well. Since you invested some time on this already, do you think it is worth it to build some tool for such an initial migration sync, which may allow selective changes, just so users don't have to tinker with the db itself?
-
@nebulon no problem at all. The topic itself is quite large so individual bits are easy to miss.
A script could be a nice idea as most users will probably not be comfortable with doing SQL updates manually. But such a script can probably turn into something complicated quite easily. The flow that immediately comes to mind would be doing a query on the LDAP backend and comparing it with the users that Cloudron already knows, followed by the possibility to switch auth for any users that are primarily managed on Cloudron but exist on the LDAP side as well. Probably easier to do it in JavaScript than it would be in e.g. bash.
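The comparison flow sketched in the last reply, written out as an added example (this is not Cloudron's code and not a script from anyone in the thread). It assumes the two user lists have already been fetched: Cloudron users as objects with `id`, `username` and `source`, and directory accounts with `sAMAccountName`. The table name `users`, the column `source` and the value `ldap` are assumptions for illustration only; the actual schema should be taken from the forum post linked above. The script classifies users into "switch", "already LDAP", "local only" and "LDAP only", flags ambiguous name collisions, and emits parameterized update statements for a selected subset rather than touching the database itself, so the operator can review the plan first.

```javascript
// Added example, not Cloudron's own code. Inputs are constructed sample data.
// Assumed field names: Cloudron { id, username, source }, AD { sAMAccountName, mail }.
// Assumed schema for the generated statements: table "users", column "source", value "ldap".

const CONSTRUCTED_CLOUDRON_USERS = [
  { id: 'uid-1', username: 'alice', source: '' },
  { id: 'uid-2', username: 'bob',   source: '' },
  { id: 'uid-3', username: 'carol', source: 'ldap' }, // already switched to the directory
  { id: 'uid-4', username: 'dave',  source: '' },     // no directory counterpart
];

const CONSTRUCTED_LDAP_USERS = [
  { sAMAccountName: 'Alice', mail: 'alice@example.test' }, // case differs from Cloudron
  { sAMAccountName: 'bob',   mail: 'bob@example.test' },
  { sAMAccountName: 'carol', mail: 'carol@example.test' },
  { sAMAccountName: 'erin',  mail: 'erin@example.test' },  // exists only in the directory
];

// Usernames are compared case-insensitively, since AD logins are case-insensitive.
function normalize(name) {
  return String(name).trim().toLowerCase();
}

// Build the migration plan without modifying anything.
function planMigration(cloudronUsers, ldapUsers, ldapSource = 'ldap') {
  const plan = { toSwitch: [], alreadyLdap: [], localOnly: [], ldapOnly: [], ambiguous: [] };
  const ldapByName = new Map();
  for (const u of ldapUsers) {
    const key = normalize(u.sAMAccountName);
    if (ldapByName.has(key)) plan.ambiguous.push(u.sAMAccountName); // two AD names collide after normalizing
    else ldapByName.set(key, u);
  }
  const matched = new Set();
  for (const u of cloudronUsers) {
    const key = normalize(u.username);
    const match = ldapByName.get(key);
    if (!match || plan.ambiguous.some(a => normalize(a) === key)) {
      plan.localOnly.push(u.username);
      continue;
    }
    matched.add(key);
    if (u.source === ldapSource) plan.alreadyLdap.push(u.username);
    else plan.toSwitch.push({ id: u.id, username: u.username, ldapName: match.sAMAccountName });
  }
  for (const [key, u] of ldapByName) {
    if (!matched.has(key)) plan.ldapOnly.push(u.sAMAccountName);
  }
  return plan;
}

// Turn the plan into parameterized statements; `only` restricts the change to chosen usernames.
function buildUpdates(plan, { only = null, ldapSource = 'ldap' } = {}) {
  const selected = only ? plan.toSwitch.filter(e => only.includes(e.username)) : plan.toSwitch;
  return selected.map(e => ({
    sql: 'UPDATE users SET source = ? WHERE id = ? AND username = ?', // assumed table/column names
    params: [ldapSource, e.id, e.username],
  }));
}

// Dry run over the constructed data: print the plan and the statements for one chosen user.
const demoPlan = planMigration(CONSTRUCTED_CLOUDRON_USERS, CONSTRUCTED_LDAP_USERS);
console.log(JSON.stringify(demoPlan, null, 2));
for (const stmt of buildUpdates(demoPlan, { only: ['alice'] })) {
  console.log(stmt.sql, JSON.stringify(stmt.params));
}
```

The plan is printed before any statement is generated, and `buildUpdates` never executes anything, so a reviewer can confirm that only intended users are switched; the `only` option is what gives the selective behaviour asked about above. Names that collide after case folding are reported under `ambiguous` and deliberately left as local users rather than guessed.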