Snipe-it: Request for LDAP Functionality

👍

+1

it would also be great to import "manager" field it's especially important when manager has huge team.. it would greatly lessen manual work in Snipe

@rozowykubek so the reason we haven't implemented manager import is because LDAP imports, depending on size, can be very slow and potentially memory intense. Adding managers basically doubles the amount of lifting the database has to do, while still processing all the LDAP stuff, since it has to check to see if the manager-user exists (if not, create them). What I can tell you is that in v4, we have a bulk user edit option now that lets you select lots of people and update their groups and managers, which may be a good stopgap for now.

How about location? We have a bunch of users who are hired and some people leave weekly, so in order to keep things up to date, I must import from LDAP frequently. Thus after doing so, it will modify the "Location" field back to the whatever you imported it as.

@snipe
thanks for explanation !
indeed, v4 bulk user edit looks promising ;)

I would agree with @dwestonjr. In multinational companies where people's roles are constantly changing (promotions, demotions, relocations, etc.) IT will typically rely on AD/LDAP as the authoritative database of information about employees. It would be a huge plus to have as much information from the directory be synchronized down.

Hello, is there any updates regarding this request? Fields like Location, Phone Number, Department, Title synced via the LDAP Sync function would be a fantastic option. Considering the fields exist in LDAP and you can not use a CSV file to update accounts that where created via LDAP Sync you end up having to manually edit. Even with bulk update this is tedious not scalable past a few dozen people.

Hi @kennethhadley when there is an update, this thread will be updated accordingly.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions!

Just adding my voice to the chorus of people who'd love to import more from LDAP

Department & Location would be a fantastic start, but really just department :)

Same as above. I don't want another database of users to maintain. If I can get Department to sync through, it would save a lot of work. Manager and Company would also be neat, but I'll take what I can get. Thanks for your efforts.

+1, plus phone if possible 😀.
Thanks for all of your hard work.

+1
But i think no solution in near future)!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions!

+1 to keep Department sync dream alive!

1+ would be amazing

This has the potential to be handy, but it would definitely need to be optional. Alternatively I have an idea below that should be more flexible to hopefully better match the wide variety of different users' needs. The way our AD OU is structured during an LDAP sync could break a lot of things if it started pulling from OUs and trying to match locations or departments. Simply put, our AD OU doesn't correlate with physical locations as we have Snipe organized.

Presently in the LDAP filter, we have &(objectCategory=person)(objectClass=user)(!(|(extensionAttribute2=option1)(extensionAttribute2=option2)) This allows us to control who gets imported basically, but not what we do with them after they are in.

Brainstorming:

I think it would be pretty neat if during, or at some stage, of the LDAP sync I could tick options that look for custom Attributes. Optionally, this could be done afterwards where I just target my LDAP synced users so that it doesn't over burden the process as @snipe mentioned in the Apr 7, 2017 comment. I have no idea if you're able to pull Attributes during the LDAP sync and store them Snipe-side so that you don't have to re-query LDAP to make changes. But if you can split the process (just grab attributes during LDAP sync as current process. Updating/manipulating user data in Snipe as a separate process) that would be great.

If it's a problem to pull over _all_ AD Attributes, then maybe if you want "Advanced LDAP features" in Snipe, you have to add custom attributes like "SnipeExt1, SnipeExt2, etc." in your Active Directory and only those are duplicated from LDAP onto the Snipe-IT user database.

If I could tell Snipe-IT to say: OK everyone of my LDAP users that have X Attribute with Value Y, do the following BULK ACTION.
X= whatever I type in. (or SnipeExt1, etc.)
Y= whatever I type in.
BULK ACTION= things like move to a new location or update department information. Basically things you might do on the /users page for People.

Anyone's who SnipeExt1 = "MiddleSchoolTeacher" then, pick two options (drop down) of Snipe-IT options such as "Department" then another dropdown of existing Departments that you want to update matching users to. Spits out a report saying "75 users were updated successfully" or "0 users were updated, no attributes for SnipeExt1 had the value "MiddleSchoolTeachers"

This would let me edit users in bulk at a near-automation level, but still allowing it to be completely customized and flexible for different environments.

Another addition why OU <-> Location syncing would destroy our setup. Right now I have 184 locations (and counting) entered into Snipe-IT. We have teachers in OU by campus and students in OU by graduation year. That's what, approx. 21~ OUs vs. 184 locations?

I believe the above suggestion of mine accommodates organizations like ours that do not have a 1:1 relationship between OU and Snipe locations/departments, and people that do. You could simply have your scripts add a custom attribute value that mirrors the OU (Floor 1, QA, Accounting, etc. Whatever you have your OU and locations set to) and then follow the process above to update all users that have "Attribute1 = Floor 1" to Snipe-IT location "Floor 1".

Accomplishes the same thing, yeah?

Also another option is to just export the active directory list of users, add and modify the departments in some bulk fashion on the CSV, and import with override existing to add to departments and/or locations.

Never mind, I should have checked first. Got active directory exporting, went to test and discovered you cannot update "Departments" during the import phase. Will make a separate feature request for it.

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

nostale!

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

+1 - Could these values be queried from AD in real-time? This might be a workable solution. Since it was commented that this would be very intensive on the database.

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

+1

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

I am currently spinning up a Snipe IT box and it would certainly be convenient to be able to import Department as opposed to typing it all in by hand.

Would be a great feature. +1
Most wanted fields: Title, Phone, Department as what could be easier to implement and Manager and Location for the harder ones.

The department import would be very useful.

The ability to sync attributes from LDAP would be extremely useful, especially for department and location.

Would love to be able to sync the Company field as well. We're working with different companies and admins do not have access to all companies. We can add people to the right company manually but these fields are already configured in AD so would be great to sync this along.

+1

@snipe is there an update on this? I read your comment above. I mean database size / memory is not really an issue for us right now, and enough power in the appropriate system is also available to import such information

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

Still relevant :)

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

Please don't mark this as stale as apparently there are still users (like myself) which like to see this being available.

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

Please don't mark this as stale as apparently there are still users (like myself) which like to see this being available.

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

Yep. Still relevant.

On Mon, Oct 7, 2019 at 3:53 AM stale[bot] notifications@github.com wrote:

Is this still relevant? We haven't heard from anyone in a bit. If so,
please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had
recent activity. It will be closed if no further activity occurs. Don't
take it personally, we just need to keep a handle on things. Thank you for
your contributions!

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/snipe/snipe-it/issues/3486?email_source=notifications&email_token=AD2SHAAA62O6KYYWQE6U2ELQNLTHLA5CNFSM4DGYJYC2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEAPKYQQ#issuecomment-538881090,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AD2SHADJPSZYYTR2EVG5J5DQNLTHLANCNFSM4DGYJYCQ
.

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

+1

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

+1 with all my fancy suggestions above (I'm not bias, you're bias. They _are_ fancy!)

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

The only updates for this are to ask if it's still relevant :)

It would have been very nice, but we've moved on at this point. Snipe-IT is
working great for us as it currently is but full LDAP sync would have been
great to have.

On Fri, Dec 13, 2019 at 11:15 PM stale[bot] notifications@github.com
wrote:

Is this still relevant? We haven't heard from anyone in a bit. If so,
please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had
recent activity. It will be closed if no further activity occurs. Don't
take it personally, we just need to keep a handle on things. Thank you for
your contributions!

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/snipe/snipe-it/issues/3486?email_source=notifications&email_token=AI4S5C3OSHXNH43EP2ZHLBTQYRMVVA5CNFSM4DGYJYC2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEG3ZVQI#issuecomment-565680833,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AI4S5CZSYI6Y45HGI76BYRDQYRMVVANCNFSM4DGYJYCQ
.

--

This e-mail, including attachments, is covered by the Electronic
Communications Privacy Act, 18 U.S.C. 2515 and may contain confidential
information that might include personally identifiable student information.
Such information is intended for the designated recipient(s) only. If you
are not the intended recipient(s), you are hereby notified that any
disclosure, copying, printing, distribution, or the taking of any action in
reliance on the contents of the information contained herein is strictly
prohibited. If you have received this email in error, please notify the
sender, via return e-mail, then immediately and permanently delete the
original. This email and any response to it may be archived for later
retrieval and may constitute a public record and therefore may be made
available upon request in accordance with Ohio Public Records law (ORC
149.43). Thank you.

+1

Any update on this? It would be great to sync the department attribute over from AD/LDAP.

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

still relevant.

Regards,

Guy Baxter BSc (Hons) PgDip MBA
Head of IT
Blackpool and The Fylde College
T 01253 504136
M 07475 652561
E guy.[email protected]guy.baxter@blackpool.ac.uk

From: stale[bot] notifications@github.com
Sent: 19 April 2020 11:29 AM
To: snipe/snipe-it snipe-it@noreply.github.com
Cc: Guy Baxter Guy.Baxter@blackpool.ac.uk; Comment comment@noreply.github.com
Subject: Re: [snipe/snipe-it] Request for LDAP Functionality (#3486)

EXTERNAL EMAIL

This email is not from B&FC.

There is a chance it could be a phishing email. If it is asking you to click on a link or open an attachment, it could be malicious.

To minimise the risk of your PC or the wider B&FC network being compromised, review the warning signs and how to report a suspect email, please visit blackpool.ac.uk/phishing

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHubhttps://github.com/snipe/snipe-it/issues/3486#issuecomment-616097868, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AIQUM2D4BFTW2JGMSTVLPYDRNLHBHANCNFSM4DGYJYCQ.

Please consider your environmental responsibility - think before you print.

This email and any attached files are confidential and may also be legally privileged. Every care has been taken to ensure that this email has been sent to the intended recipient. If you believe you are not the intended recipient please delete immediately.

Unless otherwise stated, any views expressed in this message are those of the author and do not necessarily reflect the views of Blackpool and The Fylde College. Nothing explicitly stated or implied in this email shall bind Blackpool and The Fylde College in any contract or obligation.

This email message has been scanned for the presence of computer viruses currently known to the Blackpool and The Fylde College however, the recipient is responsible for virus-checking this message and any attachment.

As a public body, the College may be required to disclose this email and/or any response under the Freedom of Information Act 2000 unless the information in the email and/or any response is covered by one of the exemptions in the Act. This email may be monitored by Blackpool and The Fylde College in accordance with current regulations.

We do not accept service of legal proceedings by email.

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

This is a much needed feature... glad it has been re-opened

I would like to sync at least Department name from AD.

Is this still relevant? We haven't heard from anyone in a bit. If so, please comment with any updates or additional detail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Don't take it personally, we just need to keep a handle on things. Thank you for your contributions!

I beleive it is especially if we have over 1000 users... no wan you can import and work easily withouth this

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

Hi, could be very useful to have Departments, Locations and Manager (at least) synchronized from LDAP.

+1

Thanks.

am actually a little shocked this feature-set doesn't exist yet.

LDAP user sync should include:

department
company (match/create the snipe-it company record)
physicaldeliveryofficelocation (match/create the snipe-it location record)
title
manager (match/create the snipe-it people record)

We could use these parameters as the basis for several reports:

Breakdown of all consumabled by company and or department - showing cost-centres?
Assets assigned/lost by company/department/location
People and Assets beneath each Manager

so the reason we haven't implemented manager import is because LDAP imports, depending on size, can be very slow and potentially memory intense. Adding managers basically doubles the amount of lifting the database has to do, while still processing all the LDAP stuff, since it has to check to see if the manager-user exists (if not, create them). What I can tell you is that in v4, we have a bulk user edit option now that lets you select lots of people and update their groups and managers, which may be a good stopgap for now

Does this tool use both the LDAP:// protocol and the GC:// protocol? GC:// returns data held in memory, not data on disk! MUUUUCH faster when the AD data-set is large.

Why not insert the 'missing line manager' into a dictionary object during the import routine. Record 1> 1000, we won't have anywhere near 1000 managers.. more like 100. The dictionary object cannot hold more than 1x of each distinct name. Then select those records from the original data-set and create them, assuming the second-pass hasn't been performed. Finally identify each user in the original data-set with these line managers and assign them in the DB.

We're using SnipePS Module for powershell to easily connect to snipe. Its just a few lines of Code to write a Script that populates additional data in snipe.

oooh i didn't know about that... now am a bigger fan 👍

We regularly do LDAP syncs for customers and users alike of up to several thousand LDAP users, and permit LDAP login.

If there's new functionality that somebody wants for LDAP, that belongs in a different ticket. Also, it would help if you already knew what we do and don't do - we do much of the stuff that even _recently_ people are asking for. Check out v5. Play with the LDAP config. Sync a few times. If you see something missing, or that you want - feel free to open up a ticket. If you have fundamental issues with how our LDAP sync _works_ - chime in on the "LDAP Improvements" ticket (#8741)

Some small things we might try to sneak through in our current LDAP setup, and fit into a patch-release, or maybe a minor-release. Some we might have to fit into a major release.

But this issue is just a big giant scrolling stale mess, so I'm going to close it.