groups from active directory

By: mj mer user 29 Apr 2020 at 3:50 a.m. CDT

2 Responses
mj mer gravatar
Hi, We have just discovered gluu, and are evaluating it. Seems very nice so far! We have sucessfully connected it to our AD, following the instructions here https://gluu.org/docs/gluu-server/user-management/ldap-sync/ and https://support.gluu.org/single-sign-on/2953/configuring-gluu-with-active-directory/ The thing: Users are imported, but groups are not. Is this by design? We would like to administrate everything in one place: our ldap, and understand from staff posts here that gluu is really a 'pull' method only. Therefore we would like it to also pull groups from AD, rather than creating local groups in gluu. Are we missing something? Can this be done, or not? Or is Cache Refresh not the right path for this? And a second question: is authentication always done directly on the AD LDAPs, or are passwords also 'cached' in gluu? Can we configure that somewhere, and preferably turn password caching off?
Debian 10.0
closed

Answers

By mj mer user 29 Apr 2020 at 6:18 a.m. CDT

Copy
mj mer gravatar
I have seen a response from gluu staff here on the support pages, where they say that gluu does not save the password in it's own ldap, so the second question is answered. However, it also seems that gluu does not enable an end-user to change his/her ldap password. In MSAD this should be possible, without requiring special permissions. (the first method on https://support.microsoft.com/en-us/help/269190/how-to-change-a-windows-active-directory-and-lds-user-password-through)

By Michael Schwartz Account Admin 29 Apr 2020 at 10:19 a.m. CDT

Copy
Michael Schwartz gravatar
Yes, we don't sync groups--very much by design. I'd recommend syncing the `memberOf` user attribute. In the Cache Refresh interceptions script, I would replace the DN of the group with the CN of the group (or something more meaningful). In federated identity protocols like SAML and OpenID, the only way you can pass info is as a user claim. If you really want to sync groups, perhaps write a cron job to do it. The Gluu SCIM interface support Group operations. Closing this issue. Comment if you have any add'l questions.

Post an answer