ma1sd
LDAP Groups
Hi. Is it somehow possible to link LDAP Groups with ma1sd and Synapse? E.g.:
- to create Communities and their members based on LDAP Groups
- create Rooms with Members based on LDAP Groups.
- Using LDAP Groups as roles in ma1sd
Is it planned to implement such features?
kind regards, dennis
I would like to create Rooms with Members based on AD (Microsoft Active Directory) Groups:
- create room by AD group with all group users as room members;
- add/remove users to room by AD group member names.
the functionality in question:
- delete a room if the AD group has been deleted?
In my opinion, groups are the main Active Directory feature. In our company these groups have been used for almost all internal applications' access rights.
As with other organizations, we have regular staff changes. The AD Groups solution would ensure that employees are automatically added to specific Matrix rooms that are used to exchange information between projects, departments, etc. This functionality should not only add users to specific rooms, but also remove users from the room if they have changed departments or the like.
I assume the solution should be based on some major AD group, e.g. RIOT, and if we wanted the Matrix to create rooms based on AD groups then the AD groups would have to be associated with this main RIOT AD group. Because it is clear that we would not want all the AD groups in our Matrix as rooms.
For example, it might look like this: (&(objectclass=*)(|(memberof=CN=RIOT,OU=Groups,DC=somedomain,DC=eu)))
I think that'd be a great idea!
I think matrix-corporal can do that. I use both ma1sd and matrix-corporal together.
How? Could you elaborate a little further? Thanks @sents !
Matrix corporal uses a JSON (called policy) to determine the rights, room-, and group membership of users. You can generate such a policy from LDAP via a script. Because I needed it, I wrote such a script this weekend: https://github.com/sents/matrix-corporal-policy-ldap. If you have any suggestions to make it work for your case, feel free to open an issue. matrix-corporal cannot create rooms and communities, so the script takes care of that too.
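An added example of the group-to-room sync discussed in this thread, not code from ma1sd, matrix-corporal or the linked script: it turns a directory snapshot into per-room invite and kick lists, so that users who leave a group or whose account is disabled lose room access. The snapshot, the `uid` and `disabled` fields, the server name and the room alias naming are constructed assumptions; only the RIOT parent group DN comes from the thread.

```python
# Added example: constructed directory snapshot shaped like LDAP search results.
PARENT = "CN=RIOT,OU=Groups,DC=somedomain,DC=eu"  # parent group named in the thread
SERVER = "somedomain.eu"                           # assumption: Matrix server name
BASE = "DC=somedomain,DC=eu"

USERS = {  # keyed by lower-cased DN; AD compares DNs case-insensitively
    f"cn=alice,ou=users,{BASE}".lower(): {"uid": "alice", "disabled": False},
    f"cn=bob,ou=users,{BASE}".lower(): {"uid": "bob", "disabled": False},
    f"cn=carol,ou=users,{BASE}".lower(): {"uid": "carol", "disabled": True},
}
GROUPS = [
    {"cn": "ProjectX", "memberOf": [PARENT.lower()],  # case differs on purpose
     "member": [f"CN=Alice,OU=Users,{BASE}", f"CN=Bob,OU=Users,{BASE}",
                f"CN=Carol,OU=Users,{BASE}", f"CN=Contractors,OU=Groups,{BASE}"]},
    {"cn": "Payroll", "memberOf": [], "member": [f"CN=Alice,OU=Users,{BASE}"]},
]
CURRENT = {  # members of the rooms this sync manages (constructed)
    f"#projectx:{SERVER}": {f"@alice:{SERVER}", f"@dave:{SERVER}"},
    f"#oldteam:{SERVER}": {f"@bob:{SERVER}"},
}

def desired_rooms(groups, users, parent=PARENT):
    """Room alias -> Matrix IDs, only for groups that are direct members of `parent`."""
    rooms = {}
    for g in groups:
        if parent.lower() not in {p.lower() for p in g["memberOf"]}:
            continue  # group not opted in, so it never becomes a room
        members = set()
        for dn in g["member"]:
            user = users.get(dn.lower())
            if user is None or user["disabled"]:
                continue  # nested group, unknown DN or disabled account
            members.add(f"@{user['uid']}:{SERVER}")
        rooms[f"#{g['cn'].lower()}:{SERVER}"] = members
    return rooms

def reconcile(desired, current):
    """Per-room invites and kicks; a room with no group left is flagged as orphaned."""
    plan = {}
    for room in sorted(set(desired) | set(current)):
        want, have = desired.get(room, set()), current.get(room, set())
        plan[room] = {"invite": sorted(want - have), "kick": sorted(have - want),
                      "orphaned": room not in desired}
    return plan

if __name__ == "__main__":
    for room, actions in reconcile(desired_rooms(GROUPS, USERS), CURRENT).items():
        print(room, actions)
```

An orphaned room is only reported here with its remaining members listed for removal; whether to delete the room itself is left to the operator.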
Ok, thanks
I think matrix-corporal can do that.
Thanks for this useful hint! In general I am a bit confused how ma1sd handles the LDAP groups. Are they not mapped to roles? At least when I looked into the code it seems the getRoles() function is returning an empty list by default for LDAP.