Active Directory Synchronisation
-
Hallo,
we would like to use the Group&User Synchronisations Feature over LDAP/Active Directory.
But it looks like it is not allowed to Synchronise Groups where some Charakters are not allowed for Example
AD_GROUP_NAME -> Underline
Looks like "_" is not allowed is there a reason or can we have a quick fix for that? since we only have Groups witch containes in there names several underlines. -
Since we have to deal with a large variety of apps with their own LDAP quirks, we try to follow https://ldapwiki.com/wiki/Best Practices For LDAP Naming Attributes to be most compliant. This goes to the point where we even only allow lowercase usernames for example as we have to stay compliant with apps as well.
-
Since we have to deal with a large variety of apps with their own LDAP quirks, we try to follow https://ldapwiki.com/wiki/Best Practices For LDAP Naming Attributes to be most compliant. This goes to the point where we even only allow lowercase usernames for example as we have to stay compliant with apps as well.
@nebulon Ok i mean i understand thers a RFC Standard but lets say i sync the Groups without underscore, witch works.
But what does not work is the users beeing added to Cloudron.Aug 10 14:20:49 box:externalldap ldapGetByDN: Get object at USER
Aug 10 14:20:49 box:externalldap syncGroupUsers: Found member object at USER adding to group rgappcloudronlogin
Aug 10 14:20:49 box:externalldap syncGroupUsers: Failed to get user by username USERNAME User not found -
@nebulon Yeah so i get the Groups Synchronised but not the member of the Groups to Cloudron may i provide you this directly? the LDAP Configuration?
-
@savity for a start can you validate the username and other attributes matching your user directory? It sounds a bit like maybe some usernames do not match?
@nebulon What do you mean by Matching, i did not understand that.
My LDAP Filter provides me the Groups that i need and for my understanding the AD Synchronisation, is Adding the users from the Groups that i defined to Cloudron.So this is happening.
But i do not get the users witch are memeber of those groups.
In the Logs the sAMAccountName is visible but not added with the "error"Aug 10 14:33:15 box:externalldap syncGroupUsers: Failed to get user by username "MYSAMACCOUNTNAMEUSER" User not found
-
@nebulon What do you mean by Matching, i did not understand that.
My LDAP Filter provides me the Groups that i need and for my understanding the AD Synchronisation, is Adding the users from the Groups that i defined to Cloudron.So this is happening.
But i do not get the users witch are memeber of those groups.
In the Logs the sAMAccountName is visible but not added with the "error"Aug 10 14:33:15 box:externalldap syncGroupUsers: Failed to get user by username "MYSAMACCOUNTNAMEUSER" User not found
@savity hm is it possible that the username as such is not lowercase and thus the mapping fails? As mentioned earlier for compat reasons with some apps, we also can only allow lowercase usernames. Also just to confirm, the user in question is correctly synced as a user to the userdirectory?
-
@savity hm is it possible that the username as such is not lowercase and thus the mapping fails? As mentioned earlier for compat reasons with some apps, we also can only allow lowercase usernames. Also just to confirm, the user in question is correctly synced as a user to the userdirectory?
@nebulon So do i understand this correctly
When i have in my Active directory users with following namings in the samaccountname following scenario happens.
cloudronuser -> Can be synced
cloudronuser1 -> Can be synced
Cloudronuser -> not possible
CloudronUser -> not possible
cloudron-user -> not possible -
@nebulon So do i understand this correctly
When i have in my Active directory users with following namings in the samaccountname following scenario happens.
cloudronuser -> Can be synced
cloudronuser1 -> Can be synced
Cloudronuser -> not possible
CloudronUser -> not possible
cloudron-user -> not possible -
@savity this is correct, while we of course could enable the support of such usernames, since our code could easily deal even with utf-8, various apps can't which is why we have to put that limitation to not run into issues in the long run.
@nebulon Well this is an issue in the Enterprise enviroment.
When we are talking about 45.000 users and around 12.000 groups
Is it not possible to parse or convert for example atleast
Cloudronuser to cloudronuser since in the windows world it dosent matter Uppercase lower etc....So i have to find an attribute that i can sync witch mets the criteria, i have to take a look because if this dosent work witch is a key feature idk if we can use the Product.
Nobody wannts to add tausends of groups and users by hand even the Groups issue with underscore
-
@nebulon Well this is an issue in the Enterprise enviroment.
When we are talking about 45.000 users and around 12.000 groups
Is it not possible to parse or convert for example atleast
Cloudronuser to cloudronuser since in the windows world it dosent matter Uppercase lower etc....So i have to find an attribute that i can sync witch mets the criteria, i have to take a look because if this dosent work witch is a key feature idk if we can use the Product.
Nobody wannts to add tausends of groups and users by hand even the Groups issue with underscore
-
So given that I cannot reproduce the syncing failure as you describe on my test Cloudron, this is very hard to guess what goes wrong or debug this. Not sure if this helps, but the corresponding code section is https://git.cloudron.io/cloudron/box/-/blob/master/src/externalldap.js#L464 with the following few lines. So for some reason the user is not found by that username (which is lowercased here in code). But you mentioned that the user is indeed created in your Cloudron, so I would really need to be able to see this failing for debugging.
If you want you can enable remote SSH support for us and send us a mail with your Cloudron ID and dashboard domain to support@cloudron.io to get this sorted faster.
-
N nebulon marked this topic as a question on
-
So given that I cannot reproduce the syncing failure as you describe on my test Cloudron, this is very hard to guess what goes wrong or debug this. Not sure if this helps, but the corresponding code section is https://git.cloudron.io/cloudron/box/-/blob/master/src/externalldap.js#L464 with the following few lines. So for some reason the user is not found by that username (which is lowercased here in code). But you mentioned that the user is indeed created in your Cloudron, so I would really need to be able to see this failing for debugging.
If you want you can enable remote SSH support for us and send us a mail with your Cloudron ID and dashboard domain to support@cloudron.io to get this sorted faster.
@nebulon said in Active Directory Synchronisation:
So given that I cannot reproduce the syncing failure as you describe on my test Cloudron, this is very hard to guess what goes wrong or debug this. Not sure if this helps, but the corresponding code section is https://git.cloudron.io/cloudron/box/-/blob/master/src/externalldap.js#L464 with the following few lines. So for some reason the user is not found by that username (which is lowercased here in code). But you mentioned that the user is indeed created in your Cloudron, so I would really need to be able to see this failing for debugging.
If you want you can enable remote SSH support for us and send us a mail with your Cloudron ID and dashboard domain to support@cloudron.io to get this sorted faster.I have sent an E-Mail
-
So given that I cannot reproduce the syncing failure as you describe on my test Cloudron, this is very hard to guess what goes wrong or debug this. Not sure if this helps, but the corresponding code section is https://git.cloudron.io/cloudron/box/-/blob/master/src/externalldap.js#L464 with the following few lines. So for some reason the user is not found by that username (which is lowercased here in code). But you mentioned that the user is indeed created in your Cloudron, so I would really need to be able to see this failing for debugging.
If you want you can enable remote SSH support for us and send us a mail with your Cloudron ID and dashboard domain to support@cloudron.io to get this sorted faster.
-
N nebulon has marked this topic as solved on
