groups sync'd from LDAP - membership exceptions

#1 Miles O'Neal

Posted 19 April 2018 - 07:36 PM

Is there any way to sync Helix groups to LDAP but with exceptions? Ideally I'd like to be able to designate users that are not allowed from the LDAP group *and* designate users as members of the Helix group even though they are not in the LDAP group.
I am guessing the answer is no, but this would be really useful for us. I'm open to convolutions in the LDAP query. (I'm not an LDAP expert, so have no idea what is possible there.)

#2 Miles O'Neal

Posted 19 April 2018 - 09:03 PM

I'm sure we could do this with a trigger or a broker filter, but am hoping for something more elegant.

#3 P4Nick

Posted 20 April 2018 - 03:33 PM

Hi Miles,

I'm not totally sure I understand what you mean by "designate users that are not allowed from the LDAP group".

My normal recommendation for mixing LDAP sync'ed groups with additional users is to use 2 groups and make one a subgroup of the other: this should solve the users from 2 sources issue.

Excluding particular LDAP users is probably best achieved in the LDAP query, or in the LDAP server itself depending on the scale of the problem.
If you're excluding half the users in an LDAP group, should there be a separate LDAP group?
If there's just a couple of specific users you need to exclude, then modifying the query might be better.

This IBM documentation for LDAP filtering has an example of a similar search exclusion:
https://www.ibm.com/...pfltrxprns.html
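Nick's two-part approach (exclusions in the LDAP query, extra users via a parent group) as an added example that is not from this thread or from Perforce: it builds the exclusion filter with RFC 4515 escaping, so a user id containing "(" or "*" cannot change the filter's structure, and computes the membership the combined Helix group ends up with. It assumes users are matched on `uid` and group membership via `memberOf`; where the filter is placed depends on your Helix LDAP configuration.

```python
"""Build an LDAP search filter that selects a group's members minus named users.

Added example, not Perforce code. Assumed attributes: uid for users,
memberOf for group membership.
"""
from __future__ import annotations

# RFC 4515 escaping for values placed inside a filter assertion.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def exclusion_filter(group_dn: str, excluded_uids: list[str]) -> str:
    """Filter matching members of group_dn, except the listed uids."""
    member = f"(memberOf={escape_filter_value(group_dn)})"
    if not excluded_uids:
        return member
    negated = "".join(f"(uid={escape_filter_value(u)})" for u in excluded_uids)
    if len(excluded_uids) > 1:
        negated = f"(|{negated})"          # OR the uids, then negate the lot
    return f"(&{member}(!{negated}))"


def effective_members(ldap_members: set[str], excluded: set[str], extra: set[str]) -> set[str]:
    """Membership of the parent Helix group: synced subgroup plus extra users.

    Refuses contradictory input (a user both excluded and added), which is
    the kind of drift that is hard to spot across hundreds of groups.
    """
    overlap = excluded & extra
    if overlap:
        raise ValueError(f"users both excluded and added: {sorted(overlap)}")
    return (ldap_members - excluded) | extra


if __name__ == "__main__":
    # Constructed sample data.
    dn = "cn=devs,ou=groups,dc=example,dc=com"
    print(exclusion_filter(dn, ["alice", "bob"]))
    print(sorted(effective_members({"alice", "bob", "carol"}, {"bob"}, {"svc-build"})))
```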

#4 Matt Janulewicz

Posted 23 April 2018 - 06:29 PM

I'm not sure if this answers your question either, as 'not allowed' can be interpreted in a few ways. If it means 'not allowed to log in', then you want to look at the GroupSearchFilter setting on the LDAP configuration. Setting this to an LDAP group would disallow login by anyone not in that group. Then, the actual LDAP groups you put in the protections table won't be affected by any extra users that are not in the GroupSearchFilter group, they'll just be benign entries of users that can't log in in the first place.

We're not quite yet switched to LDAP, because reasons, but this is how we plan on managing the master user list. Adding and deleting users would then be an LDAP function and we won't have to do that manually within Perforce. Beyond that we can import any LDAP groups we want and not have to worry about people in, say, an 'all' group suddenly gaining access to Perforce.
-Matt Janulewicz
Staff SCM Engineer, Perforce Administrator
Dolby Laboratories, Inc.
1275 Market St.
San Francisco, CA 94103, USA
majanu@dolby.com

#5 Miles O'Neal

Posted 24 April 2018 - 08:51 PM

In many of the groups we would be syncing from LDAP, there are one or two users we do not want in the Perforce group, and there is a user that does not exist in LDAP we need to add. That IBM doc should handle the exclusions. I'll test that shortly.

Now I just need a way to add the missing user. The subgroup could work but we would need one per group (hundreds). Ugh.

This only refers to group authorization. Authentication (login) is a separate issue, and we have that covered.
Thanks!

#6 Miles O'Neal

Posted 24 April 2018 - 10:17 PM

The exclusion portion is managed per Nick's suggestion. It's not pretty, but it works.

Matt, thanks for your ideas as well. We only set up Helix accounts for those who can access it (no automatic account creation), so we're covered there. We determine depot path access in most cases by group, and that's what I'm looking at.

Now looking into adding the extra Helix user...
