LDAP Integration: Limit sync to groups selected in cloudron
-
Hi,
the auto provisioning of the LDAP sync of Freescout works like a charm. Nevertheless I would suggest that LDAP sync is limited to the eligible groups which are selected within Cloudron.
This would require the field DNs and Filters within Freescout to be set to a value like the following instead of the default:
ou=users,dc=cloudron(memberof=cn=GROUPNAME,ou=groups,dc=cloudron)
At this point it comes in handy that Freescout accepts multiple lines of filters, so there can be one line for each group selected within the Cloudron backend.
This change is needed for the following reasons:
- Cloudron overwrites this setting from time to time – so it can't be changed manually.
- Reduction of attack surface – if only a small part of an organization needs the ticket system not everybody should have an account. Mind authenticated exploits.
- Order: Many unneeded Users within Freescout make it confusing.
I would be happy if someone feels like implementing this.
-
@im-fabian said in LDAP Integration: Limit sync to groups selected in cloudron:
Nevertheless I would suggest that LDAP sync is limited to the eligible groups which are selected within Cloudron.
This should already be the case.
instead of the default:
ou=users,dc=cloudron(memberof=cn=GROUPNAME,ou=groups,dc=cloudron)
Cloudron doesn't configure group sync in any package. Could this be something that you set up on your own?
-
@girish said in LDAP Integration: Limit sync to groups selected in cloudron:
@im-fabian said in LDAP Integration: Limit sync to groups selected in cloudron:
Nevertheless I would suggest that LDAP sync is limited to the eligible groups which are selected within Cloudron.
This should already be the case.
Thanks, I can confirm this behaviour!
I see that this is not a Cloudron issue but a Freescout one: users who have been deleted within LDAP are not locked or deleted within Freescout but just remain in the status of their latest sync.
-
@im-fabian I think that behavior is fairly common in all apps. When users get removed from a directory, they don't get removed in the app itself on a sync. This is because there may be data specific to the user and (for the app) it's not clear what needs to be done. For example, maybe Freescout has some tickets assigned to a deleted user. What should it do? Assign them to someone else, orphan them, etc.
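Two points from this thread can be made concrete in code: the first post's proposal of one `(memberof=cn=GROUPNAME,ou=groups,dc=cloudron)` filter line per selected group, and the last posts' observation that users removed from LDAP stay behind in Freescout. The script below is an added example, not code from the thread, Cloudron or Freescout; the directory entries, group names and app account list are constructed, and it only simulates filter evaluation in memory rather than querying a real LDAP server.

```python
# Added example (not from the forum thread or Cloudron/Freescout): simulates what the
# proposed per-group memberof filters would sync, then reconciles the app's user list
# against the directory so accounts that vanished from LDAP are flagged for review.
# All directory entries, group names and app accounts below are constructed.

from dataclasses import dataclass, field

BASE_DN = "ou=users,dc=cloudron"
GROUPS_DN = "ou=groups,dc=cloudron"


@dataclass
class LdapUser:
    dn: str
    mail: str
    member_of: list = field(default_factory=list)


# Constructed directory snapshot (stands in for the LDAP server).
DIRECTORY = [
    LdapUser("cn=alice,ou=users,dc=cloudron", "alice@example.test",
             ["cn=support,ou=groups,dc=cloudron"]),
    LdapUser("cn=bob,ou=users,dc=cloudron", "bob@example.test",
             ["cn=sales,ou=groups,dc=cloudron"]),
    LdapUser("cn=carol,ou=users,dc=cloudron", "carol@example.test",
             ["cn=support,ou=groups,dc=cloudron", "cn=admins,ou=groups,dc=cloudron"]),
]


def group_filters(selected_groups):
    """One filter line per group selected in Cloudron, as proposed in the thread."""
    return [f"(memberof=cn={g},{GROUPS_DN})" for g in selected_groups]


def matches(user, ldap_filter):
    """Evaluate a single (memberof=<dn>) equality filter against a user entry."""
    assert ldap_filter.startswith("(memberof=") and ldap_filter.endswith(")")
    wanted = ldap_filter[len("(memberof="):-1].lower()
    return user.dn.endswith(BASE_DN) and wanted in [m.lower() for m in user.member_of]


def eligible_users(directory, selected_groups):
    """Users matching any filter line, i.e. the set a group-limited sync would create."""
    filters = group_filters(selected_groups)
    return sorted({u.mail for u in directory if any(matches(u, f) for f in filters)})


def stale_app_accounts(app_accounts, directory):
    """App accounts whose mail no longer exists in the directory (sync leaves them behind)."""
    present = {u.mail.lower() for u in directory}
    return sorted(mail for mail in app_accounts if mail.lower() not in present)


if __name__ == "__main__":
    print(eligible_users(DIRECTORY, ["support"]))  # ['alice@example.test', 'carol@example.test']
    app = ["alice@example.test", "carol@example.test", "dave@example.test"]
    print(stale_app_accounts(app, DIRECTORY))  # ['dave@example.test']
```

The stale-account report is the piece a sync alone does not give you: it lists accounts an admin should lock or reassign tickets from, which is the attack-surface concern raised in the first post.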