Script for synchronizing/creating users with LDAP

LDAP is a common place to keep data about users and company employees. That data can be synchronized into Metric Insights with the following script:

mi-ldap-usersync

Script logic:

  • New users are copied from LDAP: if a user does not yet exist in Metric Insights (MI), the account is created from the user's LDAP record.
  • Default settings for new users: a user created by mi-ldap-usersync is a regular user with no other defaults; only the username, email, first name and last name are taken from the directory (for example, Active Directory).
  • User groups: the user is added to the MI group that corresponds to the synchronized LDAP group. For example, when syncing the Active Directory group 'MyADGroup', mi-ldap-usersync creates an MI group named 'MyADGroup' (with --auto-create, if it does not already exist), then creates or updates the MI user for each member of the AD group and makes sure that user is a member of the MI group 'MyADGroup'.

Provision vs Deprovision

The 'mi-ldap-usersync' script has two basic commands, provision and deprovision, which create (or update) Metric Insights user accounts from LDAP and disable or remove them, respectively. Both commands accept --dry-run (-n), which reports the changes without applying them; use it before any run that deletes. Note that a bind password passed with --ldap-pass on the command line is visible in the shell history and, while the script runs, in the process list of the host.

Add user accounts from the directory: 'Provision'

Example:

mi-ldap-usersync provision CN=ORG-TOP,OU=Exchange_Objects,DC=myorgnet,DC=global,DC=myorg,DC=com --verbose --ldap-host="ldaps://ldap.internal.myorg.com"  --ldap-user="cn=miadmin,cn=users,dc=myorgnet,dc=global,dc=myorg,dc=com" --ldap-pass="secret-pass"

Here CN (Common Name), OU (Organizational Unit) and DC (Domain Component) are the naming attributes that make up an LDAP distinguished name (DN). The positional and optional parameters that may be used with the command are defined in the table below:

Positional parameter (required)

  group_dns
        One or more distinguished names of the LDAP groups to synchronize.

Optional parameters

  --ldap-host LDAP_HOST, -H LDAP_HOST
        DNS name or IP address of the LDAP server to connect to. The example above passes an ldaps:// URL, so the bind credentials and directory data travel over TLS.
  --ldap-user LDAP_USER, -U LDAP_USER
        Distinguished name of the bind user, if your directory requires authentication.
  --ldap-pass [LDAP_PASS], -P [LDAP_PASS]
        Bind password for directories that require authentication.
  --verbose, -v
        Run in verbose mode, writing additional diagnostic output for each step.
  --dry-run, -n
        Perform a test run: report what would be created or changed without changing anything.
  --user-type {regular,administrator,power_user}, -t {regular,administrator,power_user}
        Type assigned to the users added to Metric Insights (regular, administrator or power_user).
  --member-attr MEMBER_ATTR
        LDAP attribute of the group that lists its members; it determines which users are added to the corresponding MI group.
  --username-attr USERNAME_ATTR
        User attribute to be used as the Username.
  --first-name-attr FIRST_NAME_ATTR
        User attribute to be used as the user's First Name.
  --last-name-attr LAST_NAME_ATTR
        User attribute to be used as the user's Last Name.
  --email-attr EMAIL_ATTR
        User attribute to be used as the user's email address.
  --email-domain EMAIL_DOMAIN
        If no email is stored in the user's LDAP record, build one as username@EMAIL_DOMAIN.
  --auto-create, -a
        Automatically create a Metric Insights group for each group DN if it does not already exist.

Disable / Delete user accounts removed from the directory: 'Deprovision'

By default, the deprovision command only disables user accounts rather than deleting them. To remove user accounts from the Metric Insights database completely, add the --delete parameter. The example below combines --delete with --delete-orphan-groups and --delete-empty-groups, which is the most destructive form of the command; run it with --dry-run (-n) first and check the reported actions.

Example:

mi-ldap-usersync deprovision CN=ORG-TOP,OU=Exchange_Objects,DC=myorgnet,DC=global,DC=myorg,DC=com objectClass=person --verbose --ldap-host="ldaps://ldap.internal.myorg.com" --ldap-user="cn=miadmin,cn=users,dc=myorgnet,dc=global,dc=myorg,dc=com" --ldap-pass="secret-pass" --delete-orphan-groups --delete-empty-groups --delete

Positional parameters (required)

  base_dn
        Base DN under which the directory is searched for the users that still exist.
  user_filter
        LDAP filter that the user entries must match; users not matching it are ignored (the example uses objectClass=person).

Optional parameters

  --ldap-host LDAP_HOST, -H LDAP_HOST
        DNS name or IP address of the LDAP server to connect to (an ldaps:// URL in the example above).
  --ldap-user LDAP_USER, -U LDAP_USER
        Distinguished name of the bind user, if your directory requires authentication.
  --ldap-pass [LDAP_PASS], -P [LDAP_PASS]
        Bind password for directories that require authentication.
  --verbose, -v
        Run in verbose mode, writing additional diagnostic output for each step.
  --dry-run, -n
        Perform a test run: report which accounts and groups would be disabled or removed without changing anything.
  --delete-orphan-groups
        Remove any MI group that corresponds to an LDAP group that no longer exists.
  --delete-empty-groups
        Remove any MI group that is bound to an LDAP group but no longer has any LDAP users associated with it.
  --delete DELETE
        Delete users instead of only disabling their accounts.
  --username-attr USERNAME_ATTR
        User attribute to be used as the Username.
  --email-attr EMAIL_ATTR
        User attribute to be used as the user's email address.
  --email-domain EMAIL_DOMAIN
        If no email is stored in the user's LDAP record, build one as username@EMAIL_DOMAIN.
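The following Python model, added here and not part of mi-ldap-usersync or Metric Insights, mirrors the provision and deprovision behaviour described on this page over a constructed in-memory directory: group creation, create-versus-update of users, the --email-domain fallback, disable-by-default versus --delete, orphan and empty group removal, and --dry-run. The attribute names (sAMAccountName, givenName, sn, mail, member), the sample DNs, the user record layout and the equality-only user filter are assumptions of the model, not facts about the real script.

```python
# Illustrative model of the provision/deprovision logic on this page; it is not
# the mi-ldap-usersync script and runs offline on a constructed directory.
import copy
from dataclasses import dataclass, field

# Constructed sample directory (not a real LDAP server); "member" lists member DNs.
_SAMPLE_LDAP = {
    "groups": {
        "CN=MyADGroup,OU=Groups,DC=example,DC=com": {"member": [
            "CN=alice,OU=Users,DC=example,DC=com", "CN=bob,OU=Users,DC=example,DC=com"]},
        "CN=EmptyGroup,OU=Groups,DC=example,DC=com": {"member": []},
    },
    "users": {
        "CN=alice,OU=Users,DC=example,DC=com": {"objectClass": "person", "sAMAccountName": "alice",
                                                 "givenName": "Alice", "sn": "Adams", "mail": "alice@example.com"},
        "CN=bob,OU=Users,DC=example,DC=com": {"objectClass": "person", "sAMAccountName": "bob",
                                               "givenName": "Bob", "sn": "Brown"},  # no mail attribute
    },
}

def sample_ldap():
    """Fresh mutable copy of the constructed directory."""
    return copy.deepcopy(_SAMPLE_LDAP)

@dataclass
class MIState:
    """Minimal stand-in for the Metric Insights user database."""
    users: dict = field(default_factory=dict)         # username -> user record dict
    groups: dict = field(default_factory=dict)        # MI group name -> set of usernames
    group_source: dict = field(default_factory=dict)  # MI group name -> LDAP group DN

def group_name(group_dn):
    return group_dn.split(",", 1)[0].split("=", 1)[1]   # MI group = LDAP group's CN

def provision(state, ldap, group_dns, *, member_attr="member", username_attr="sAMAccountName",
              first_name_attr="givenName", last_name_attr="sn", email_attr="mail",
              email_domain=None, user_type="regular", dry_run=False):
    """Create/update one MI user per LDAP group member and add it to the matching MI
    group (created if missing, as with --auto-create). Returns the planned actions."""
    actions = []
    for gdn in group_dns:
        gname = group_name(gdn)
        if gname not in state.groups:
            actions.append(f"create group {gname}")
            if not dry_run:
                state.groups[gname], state.group_source[gname] = set(), gdn
        for udn in ldap["groups"][gdn].get(member_attr, []):
            rec = ldap["users"][udn]
            uname = rec[username_attr]
            # --email-domain: synthesize username@EMAIL_DOMAIN only when mail is absent
            email = rec.get(email_attr) or (f"{uname}@{email_domain}" if email_domain else "")
            actions += [f"{'update' if uname in state.users else 'create'} user {uname}",
                        f"add {uname} to group {gname}"]
            if not dry_run:   # an existing account is refreshed from its LDAP record
                state.users[uname] = {"first": rec.get(first_name_attr, ""), "last": rec.get(last_name_attr, ""),
                                      "email": email, "type": user_type, "enabled": True}
                state.groups[gname].add(uname)
    return actions

def attr_filter(expr):
    """Equality-only stand-in for the user_filter positional, e.g. 'objectClass=person'."""
    attr, _, value = expr.partition("=")
    return lambda rec: rec.get(attr) == value

def deprovision(state, ldap, base_dn, user_filter, *, username_attr="sAMAccountName",
                delete=False, delete_orphan_groups=False, delete_empty_groups=False, dry_run=False):
    """Disable (default) or delete MI users no longer found under base_dn, then optionally
    drop MI groups whose LDAP group vanished (orphan) or has no members (empty)."""
    actions, keep = [], attr_filter(user_filter)
    present = {rec[username_attr] for dn, rec in ldap["users"].items()
               if dn.lower().endswith(base_dn.lower()) and keep(rec)}
    for uname, user in list(state.users.items()):
        if uname in present:
            continue
        if delete:
            actions.append(f"delete user {uname}")
            if not dry_run:
                del state.users[uname]
                for members in state.groups.values():
                    members.discard(uname)
        elif user["enabled"]:               # default: disable, keep the account
            actions.append(f"disable user {uname}")
            if not dry_run:
                user["enabled"] = False
    for gname in list(state.groups):
        src = state.group_source.get(gname)
        if delete_orphan_groups and src not in ldap["groups"]:
            actions.append(f"delete orphan group {gname}")
        elif delete_empty_groups and src in ldap["groups"] and not ldap["groups"][src].get("member"):
            actions.append(f"delete empty group {gname}")
        else:
            continue
        if not dry_run:
            del state.groups[gname]
            state.group_source.pop(gname, None)
    return actions
```

Calling provision() with dry_run=True returns the full action list while leaving the state untouched, which is the check worth making before a real deprovision run with delete=True: the returned list is exactly what would be removed.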

Filtering users / groups

If you want to exclude certain groups from being able to log in, you can define an LDAP account filter that a user's directory record must match for the login to succeed.

  • Default filter: (&(objectClass=user)(sAMAccountName=%s)), where %s is replaced with the username given at login. The substituted value must be escaped as an LDAP filter value (the characters * ( ) \ and NUL become \2a \28 \29 \5c \00, per RFC 4515); otherwise a crafted username can change the meaning of the filter, for example a username of * matches every account.
  • Filter that verifies the user is NOT in a specific group: (&(objectClass=user)(sAMAccountName=%s)(!(memberOf=cn=ExcludeGroup,...))). The NOT operator must wrap a complete parenthesized item; (!memberOf=...) is not a valid filter and is rejected by the server.
  • To allow only members of a specific group to log in, drop the ! and its parentheses so that the memberOf clause becomes a positive requirement, e.g. (&(objectClass=user)(sAMAccountName=%s)(memberOf=cn=AllowedGroup,...)). In Active Directory, memberOf reflects direct membership only; to match nested groups use the LDAP_MATCHING_RULE_IN_CHAIN form (memberOf:1.2.840.113556.1.4.1941:=cn=...).
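As an added example (not Metric Insights code), the following Python builds the login filters above with the username escaped per RFC 4515, and includes a minimal filter parser to show the structure the server receives for an unescaped versus an escaped login name. The helper names, the sample group DNs and the contrast function naive_filter() are assumptions introduced for illustration.

```python
# Added example: RFC 4515 escaping for the login filters above, plus a minimal
# parser that shows the filter structure the server sees. Not Metric Insights code;
# attribute names follow the page (objectClass, sAMAccountName, memberOf).

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    """Escape a value (username, DN, ...) before substituting it into a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def login_filter(username, exclude_group_dn=None, require_group_dn=None):
    """Return the account filter used at login: the page's default filter,
    optionally with a NOT-member-of and/or a member-of clause."""
    parts = ["(objectClass=user)", f"(sAMAccountName={escape_filter_value(username)})"]
    if exclude_group_dn:
        parts.append(f"(!(memberOf={escape_filter_value(exclude_group_dn)}))")
    if require_group_dn:
        parts.append(f"(memberOf={escape_filter_value(require_group_dn)})")
    return "(&" + "".join(parts) + ")"

def naive_filter(username):
    """Plain '%s' substitution without escaping (the bug, kept for contrast)."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"

def parse_filter(text):
    """Minimal RFC 4515 parser (and/or/not and equality items only) returning a nested
    tuple; raises ValueError for a malformed filter. Escaped values stay as written."""
    def item(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(text) and text[i] in "&|!":
            op, kids, i = text[i], [], i + 1
            while i < len(text) and text[i] == "(":
                node, i = item(i)
                kids.append(node)
            if i >= len(text) or text[i] != ")":
                raise ValueError(f"unterminated '{op}' at offset {i}")
            return (op, kids), i + 1
        j = text.find(")", i)          # a raw ')' cannot occur inside an escaped value
        if j < 0:
            raise ValueError("unterminated item")
        attr, _, value = text[i:j].partition("=")
        return ("=", attr, value), j + 1
    node, end = item(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node

def is_well_formed(text):
    """True if the filter parses, False otherwise."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False

def comparison(username):
    """Structure the server sees for the same login name: unescaped, then escaped."""
    return parse_filter(naive_filter(username)), parse_filter(login_filter(username))
```

comparison("x)(objectClass=*") shows the point of the escaping: unescaped, the login name adds a third clause to the AND filter; escaped, the filter keeps its two clauses and the whole string is compared literally against sAMAccountName.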

For more information, refer to the LDAP query basics.
