Hi,
We are trying out Stash, and we'd love to use our OpenLDAP (posix schema) for managing accounts. Connecting to LDAP and importing / syncing accounts works, but now we want to limit the imported users to those that are members of a certain posixGroup.
We have tried changing the "Group Object Filter" to limit importing to one group. This imports only the selected group, but unfortunately, still imports all the users from LDAP.
The current hypothesis is that we need to do something with the "User Object Filter". However, since there is no "memberOf" property, we need to select users on the basis of the group's "memberUid" property. As far as we know, that is currently not possible.
The LDAP schema is "rfc2307" (storing member names in the memberUid attribute); we specifically do not use "rfc2307bis".
Is there a way that we can limit the users Stash imports to a specific group?
Kind regards,
Jean-Paul van Oosten
Hi Charles,
Thank you for your answer. Indeed we found that only users with the "stash user" permission count towards the license limit. We wanted to limit the set of imported users for a better overview.
Thanks for the suggestion of adding the crowd-tag.
Regards,
Jean-Paul
Hi Jean-Paul,
My LDAP is a little rusty, but I think you're probably correct that you would really need the memberOf on your users to do the filter you want.
That said, I have to wonder if you're asking because you want to reduce the number of users counted towards your license? If that is your reason then my, slightly odd, suggestion is to just remove the stash-users group from the global permissions, and only assign permissions to the group you care about. Stash only calculates licenses for groups/users that at least have one permission.
If you want to remove the users completely from Stash, either for performance or for visibility reasons, then I'm afraid I don't know the answer. I might then suggest adding the 'crowd' tag to this question as we just defer to the embedded crowd library, and Stash has very little to do with the actual LDAP integration.
I hope that helps in some way.
Charles
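Added example, not part of the original thread and not Stash or Crowd code: with rfc2307, membership is stored only on the posixGroup entry (memberUid), so a per-user filter cannot reference it. This sketch reads a group's memberUid values and generates a static user filter with RFC 4515 escaping. The directory data, DNs and function names are constructed, and it assumes user entries are posixAccount objects keyed by `uid`.

```python
# Constructed sample data (assumption): one posixGroup entry as returned
# by an LDAP search. Under rfc2307 the membership lives on the group only.
GROUP_DN = "cn=stash-devs,ou=groups,dc=example,dc=org"
GROUPS = {
    GROUP_DN: {
        "objectClass": ["posixGroup"],
        "cn": ["stash-devs"],
        "memberUid": ["alice", "bob", "j*doe", "alice"],  # duplicate + odd char
    },
    "cn=empty,ou=groups,dc=example,dc=org": {
        "objectClass": ["posixGroup"],
        "cn": ["empty"],
    },
}


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515).

    Without this, a memberUid containing '*' or ')' would widen or break
    the filter instead of matching one literal uid.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def user_filter_for_group(group_entry,
                          base_filter="(objectClass=posixAccount)",
                          uid_attr="uid"):
    """Return a user filter matching only the group's memberUid values."""
    members = sorted(set(group_entry.get("memberUid", [])))
    if not members:
        # An empty OR is not portable; fail closed by matching no entry
        # rather than falling back to every user.
        return "(&%s(!(objectClass=*)))" % base_filter
    clauses = "".join(
        "(%s=%s)" % (uid_attr, escape_filter_value(m)) for m in members
    )
    return "(&%s(|%s))" % (base_filter, clauses)


if __name__ == "__main__":
    print(user_filter_for_group(GROUPS[GROUP_DN]))
```

The generated filter is a snapshot: it has to be regenerated whenever the group's memberUid list changes, and very large groups can exceed filter length limits on the server or client.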