Script for synchronizing/creating users with LDAP
LDAP is a good way to store data about users/company employees. LDAP can be synchronized with Metric Insights using the following script:
- New users are copied from LDAP: if a user has not previously been created in MI, that user's data is copied from LDAP.
- Default user settings for new users: a user created in MI while running mi-ldap-usersync is a regular user with no default settings (just email, first name and last name from Active Directory).
- User Group: the user is added to the corresponding MI group that was created as part of the sync. (For example, if you sync all users from the Active Directory group called 'MyADGroup', mi-ldap-usersync creates an MI group called 'MyADGroup' in Metric Insights; then, for each Active Directory user in the AD group, it creates or updates the corresponding MI user and makes sure that user is a member of the MI group 'MyADGroup'.)
Provision vs Deprovision
The 'mi-ldap-usersync' script is governed by two basic commands: provision and deprovision, which respectively create users from the directory, or disable / remove users that were created from it.
Add user accounts to the directory: 'Provision'
mi-ldap-usersync provision CN=ORG-TOP,OU=Exchange_Objects,DC=myorgnet,DC=global,DC=myorg,DC=com --verbose --ldap-host="ldaps://ldap.internal.myorg.com" --ldap-user="cn=miadmin,cn=users,dc=myorgnet,dc=global,dc=myorg,dc=com" --ldap-pass="secret-pass"
Here CN (Common Name), OU (Organizational Unit) and DC (Domain Component) are the naming attributes of LDAP distinguished names; the other parameters that may be used in the command are defined in the table below:
Disable / Delete user accounts from the directory: 'Deprovision'
By default, the deprovision command only disables user accounts rather than deleting them. To remove the user accounts from the database completely, add the --delete parameter to the command.
mi-ldap-usersync deprovision CN=ORG-TOP,OU=Exchange_Objects,DC=myorgnet,DC=global,DC=myorg,DC=com objectClass=person --verbose --ldap-host="ldaps://ldap.internal.myorg.com" --ldap-user="cn=miadmin,cn=users,dc=myorgnet,dc=global,dc=myorg,dc=com" --ldap-pass="secret-pass" --delete-orphan-groups --delete-empty-groups --delete
Filtering users / groups
If you want to exclude certain groups from being able to log in, you can define a special LDAP account filter that a user's directory entry must match in order for that user to log in.
- Default filter: (&(objectClass=user)(sAMAccountName=%s)), where %s is replaced with the username entered at login.
- Filter that verifies the user is NOT in a specific group: (&(objectClass=user)(sAMAccountName=%s)(!(memberOf=cn=ExcludeGroup,...))). Note that in LDAP filter syntax the NOT operator (!) must wrap a parenthesized filter of its own.
- To allow only members of certain groups to log in, use the same filter with the logical NOT operation removed, so that the memberOf clause must match.
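The filters above substitute a username into a %s placeholder at login time. Because the username is attacker-controlled input placed inside LDAP filter syntax, it must be escaped per RFC 4515 before substitution, or characters such as `*`, `(` and `)` can change the meaning of the filter (LDAP injection). The following is an added example, not code from Metric Insights or the mi-ldap-usersync script; the function names, the constructed group DN `cn=ExcludeGroup,dc=example,dc=com` and the sample usernames are assumptions for illustration. It builds the page's default filter and both group-restricted variants with proper escaping, and checks that the resulting filter has balanced parentheses:

```python
# Build Metric Insights-style LDAP login filters with RFC 4515 escaping.
# Added example; the helper names below are hypothetical, not part of the product.

# Default login filter quoted on the page; %s is replaced with the username.
DEFAULT_FILTER = "(&(objectClass=user)(sAMAccountName=%s))"

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is treated as data, not filter syntax."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def filter_is_balanced(ldap_filter: str) -> bool:
    """Return True if every '(' in the filter has a matching ')' (catches the
    common mistake of writing (!memberOf=...) instead of (!(memberOf=...)))."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_login_filter(username: str, template: str = DEFAULT_FILTER) -> str:
    """Substitute the escaped username into a template containing exactly one %s."""
    if template.count("%s") != 1:
        raise ValueError("template must contain exactly one %s placeholder")
    result = template.replace("%s", escape_filter_value(username))
    if not filter_is_balanced(result):
        raise ValueError("resulting filter has unbalanced parentheses")
    return result


def build_group_filter(username: str, group_dn: str, exclude: bool = True) -> str:
    """Return the page's group-restricted login filter.

    exclude=True  -> deny members of group_dn  (the NOT variant)
    exclude=False -> allow only members of group_dn (NOT removed)
    """
    member_clause = f"(memberOf={escape_filter_value(group_dn)})"
    if exclude:
        member_clause = f"(!{member_clause})"
    template = f"(&(objectClass=user)(sAMAccountName=%s){member_clause})"
    return build_login_filter(username, template)


if __name__ == "__main__":
    # Constructed sample inputs: a normal username and an injection attempt.
    print(build_login_filter("jdoe"))
    print(build_login_filter("*)(objectClass=*"))  # wildcard and parens are neutralised
    print(build_group_filter("jdoe", "cn=ExcludeGroup,dc=example,dc=com"))
    print(build_group_filter("jdoe", "cn=ExcludeGroup,dc=example,dc=com", exclude=False))
```

With escaping in place, a username such as `*)(objectClass=*` becomes a literal `sAMAccountName` value rather than a second assertion that would match every user; `filter_is_balanced` also rejects a hand-written template with a missing parenthesis before it reaches the directory.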
For more information, refer to the LDAP query basics.