LDAP Import - Associating Multiple Group to Hornbill User Accounts

[Steve Giller]

As in the wiki, we can Associate a group to Hornbill user accounts, but can we associate multiple groups?
For example, if we want to assign a service to IT Services, but another specifically to IT Infrastructure could we look at [department] for their department (IT Services) and [extensionAttribute11] for the team (IT Infrastructure) and have both assigned at import time?
If so, is it as simple as:

"OrgLookup":{
       "Action":"Both",
       "Enabled":false,
       "Attribute":"[department]",
       "Type":2,
       "Membership":"member",
       "TasksView":true,
       "TasksAction":true,
       "OnlyOneGroupAssignment":false

       "Action":"Both",
       "Enabled":false,
       "Attribute":"[extensionAttribute11]",
       "Type":1,
       "Membership":"member",
       "TasksView":true,
       "TasksAction":true,
       "OnlyOneGroupAssignment":false
   }

 

[TrevorKillick]

@DeadMeatGF

The import tool does not currently support multiple organisations, we are currently in the process of a large update to the tool, we will see if we can provide this functionality as part of the next major update (3.0).

Kind Regards

Trevor Killick

[Steve Giller]

Thanks @TrevorKillick, 

Is there (or are there plans to implement) a way to add to organisations based on AD group membership at all?
For example, all delivery staff have access to ProMonitor, but only some of them have access to ProGeneral - internally this is controlled by AD groups. It would be useful to have the ability to use the existing groups to add staff to Hornbill Organisations and be able to control access to Services that are specific to these groups.

[samwoo]

14 minutes ago, DeadMeatGF said:

Is there (or are there plans to implement) a way to add to organisations based on AD group membership at all?

+1 - would be great as we using AD Groups and Policies.

[TrevorKillick]

@DeadMeatGF

So would this be some form of additional filter on the Group Assignment so it would only assign if a user was in a particular AD Group? 

So something like 
 

"Condition":"[extensionAttribute11] == 'Some Group Name'"

Kind Regards

Trevor Killick

[Steve Giller]

Unfortunately it's probably not quite that easy - group memberships are in the memberOf attribute, which is a multi-value and a backlink attribute. I'm sure there's a way of pushing groups into other attribute for ease or reading, but we'd quickly run out of extensionAttribute## options (most of which we already use!) as a single member of staff could be in Delivery, Personal Coach, Health & Safety, Fire Marshall, and Budget Holder groups - and that's just off the top of my head. If we applied this technique to Facilities requirements as well we could easily run out of extensionAttributes even if we weren't already using some.

[TrevorKillick]

@DeadMeatGF

Got it, just looked up the memberOf Ad Attribute will have a look and see if there is anything we can come up with as a solution here. 

Something we could do is:

"MemberOf":"cn=IT Administrators,ou=groups,dc=example,dc=com",

And try and do a direct match to one of the Ad Groups like this.

Kind Regards

Trevor Killick

[Steve Giller]

Brilliant, I'll keep my fingers crossed.

[TrevorKillick]

@DeadMeatGF @samwoo

Just to confirm the ability to define multiple Group Assignments against a LDAP User Import will be part of the 3.0 release due in the next few weeks, along with the ability to set Member Of where a user must be a Member of the dfined group in AD before the Group Assignment Is made.



You may also notice from the screenshot that there will soon be a UI for configuing the Import...

Kind Regards

Trevor Killick

[Steve Giller]

Very nice, thank you.

I was thrown by the "3.0 release" at first - I thought I was back reading about Elite: Dangerous again! Their 3.0 release is out tomorrow

 

[Victor]

@DeadMeatGF if you like Elite Dangerous you should try Stellaris as well... although completely different genres, this one is a 4x strategy ... spent countless hours building my galactic empire... *sigh... and the missus does not seem to understand becoming the ruler of the universe takes time and patience...

[Dan Munns]

15 hours ago, Victor said:

adMeatGF if you like Elite Dangerous you should try Stellaris as well... although completely different genres, this one is a 4x strategy ... spent countless hours building my galactic empire... *sigh... and the missus does not seem to understand becoming the ruler of the universe takes time and patience...

This. Definitely this. 

[Steve Giller]

It has been recommended - but with approaching 5,000 hours in Elite I may struggle to give ruling the Universe the level of commitment it deserves!

[samwoo]

On ‎26‎/‎02‎/‎2018 at 3:28 PM, TrevorKillick said:

@DeadMeatGF @samwoo

Just to confirm the ability to define multiple Group Assignments against a LDAP User Import will be part of the 3.0 release due in the next few weeks, along with the ability to set Member Of where a user must be a Member of the dfined group in AD before the Group Assignment Is made.



You may also notice from the screenshot that there will soon be a UI for configuing the Import...

Kind Regards

Trevor Killick

Hi @TrevorKillick,

How's the progress with the 3.0 release and the Server Build?

Is there a way to assign multiple groups via the configs for the LDAP_Import we use currently? (i cannot find any details about this on Github or the Wiki)

Many thanks,

Samuel

[TrevorKillick]

@samwoo

So the Server Build that enables the UI "should" go out Thursday evening although that is as always subject to change if we find any issues during the testing phase. 

The LDAP User Import version 3.0 is already released to GitHub but required the new Admin UI so from Friday you should all be good to go. I am planning on pining a post detailing the migration from 2.* to 3.0 and there is a Harry Hornbill notice that will show in Admin once everything is released.

Kind Regards

Trevor Killick