NetXMS Support Forum


Author Topic: LDAP user groups?  (Read 631 times)

Millenium7

LDAP user groups?
« on: August 28, 2018, 11:14:30 am »

I've finally got LDAP (Active Directory) sync working.

The question I have now, which I can't find an answer to, is: can NetXMS also sync the user groups, or is there another way to give users permissions?
Right now it syncs the users but they have no permissions, so I have to go in later and assign them. I don't mind doing this once off, but if we add/remove staff I'll have to adjust permissions in NetXMS as well, and this I don't want to do.

I'd rather just assign them into a group in Active Directory that controls permissions, i.e. 'low clearance' or 'high clearance' user groups. And thus low clearance users can log into NetXMS, view information but not change it. High clearance become admins, etc.

Tatjana Dubrovica

Re: LDAP user groups?
« Reply #1 on: August 28, 2018, 01:31:53 pm »

Yes, you can also synchronize groups from LDAP (just use the correct LdapSearchFilter and LdapGroupClass). In the case of Windows AD, LdapGroupClass should be "group". You can also create groups in NetXMS and add LDAP users under NetXMS groups. If "objectGUID" is used as LdapUserUniqueId and LdapGroupUniqueId, then even if you move users or groups in LDAP they will be considered the same users even though they have a different DN.
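Why a stable unique ID matters for permissions, as an added example (not part of the original posts and not NetXMS code): a simplified Python model of a sync that matches records on a chosen unique attribute. The DN-keyed fallback, the record layout, the `view` right, the `Archive` OU and the sample entries are assumptions constructed for illustration.

```python
import uuid

def guid_key(raw: bytes) -> str:
    # AD returns objectGUID as 16 raw bytes; the first three fields are little-endian.
    return str(uuid.UUID(bytes_le=raw))

def entry_key(entry: dict, unique_attr: str) -> str:
    # Assumed model: match on objectGUID when configured, otherwise on the DN.
    if unique_attr == "objectGUID":
        return guid_key(entry["objectGUID"])
    return entry["dn"].lower()

def sync(local: dict, ldap_entries: list, unique_attr: str) -> dict:
    """Reconcile LDAP entries against local records keyed by the unique attribute.

    A known key keeps its rights; an unknown key becomes a new record with no
    rights; local records whose key no longer appears in LDAP are dropped.
    """
    synced = {}
    for entry in ldap_entries:
        key = entry_key(entry, unique_attr)
        known = local.get(key)
        rights = set(known["rights"]) if known else set()
        synced[key] = {"dn": entry["dn"], "rights": rights}
    return synced

# Constructed sample data: the same account before and after an OU move.
GUID = bytes.fromhex("00112233445566778899aabbccddeeff")
BEFORE = [{"dn": "CN=alice,OU=CompanyUsers,DC=example,DC=com", "objectGUID": GUID}]
AFTER = [{"dn": "CN=alice,OU=Archive,DC=example,DC=com", "objectGUID": GUID}]

def rights_after_move(unique_attr: str) -> set:
    local = sync({}, BEFORE, unique_attr)
    for record in local.values():
        record["rights"].add("view")  # right granted locally after the first sync
    local = sync(local, AFTER, unique_attr)
    return next(iter(local.values()))["rights"]

if __name__ == "__main__":
    for attr in ("dn", "objectGUID"):
        print(attr, sorted(rights_after_move(attr)))
```

In this model the DN-keyed run ends with a fresh account and no rights, while the objectGUID-keyed run keeps the same record and its rights under the new DN.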

Millenium7

Re: LDAP user groups?
« Reply #2 on: August 29, 2018, 05:16:09 am »

Ok, I'm still quite new to LDAP so can you provide a bit more information on getting the user groups to import?

The structure at the moment is quite simple. I created 2 other Organisational Groups just to clear the clutter and see only the users/groups I create and none of the built in ones

Domain
--CompanyUsers
--CompanyGroups

At the moment the config looks like this


I understand I would have to change the LdapSearchBase up 1 level (or maybe just move the groups OU into CompanyUsers) but just to try it out I simply moved all the user groups into the 'CompanyUsers' OU and they didn't show up when doing an ldapsync. So is there something else wrong with my syntax?
« Last Edit: August 29, 2018, 05:18:05 am by Millenium7 »

Tatjana Dubrovica

    • View Profile
Re: LDAP user groups?
« Reply #3 on: September 04, 2018, 05:28:33 pm »

Multiple search bases can be used, separated by the semicolon (;) symbol.
The configuration looks OK. You can check the server log at level 4.