LDAP logon: allow manual assignment of LDAP - to local contact groups

Hi tribe29
atm i find it uncomfortable that the assignment of LDAP to local contact groups only allows this automatic assingment if both groups are the same.
This has 2 disadvantages:

  1. first logon syncs the user. logon works but user cannot see anything (2empty") & an additional activation (by hand) is needed, then user sees the hosts and services of his/her contact group
  2. it is not possible to assign an LDAP user to more than one contact group or switch it. We sync > 3000 users and since we have no handle how the AD groups are named (this comes from Identity center), the current situation is, that we have to have separate rules for separate contact groups which show the same hosts/services in the end. I hope i could explain it so it is understandable :slight_smile:

Please add a function to assign AD groups to local groups manually

I think it is more important to sync users to roles and not contact groups at the start.
One other thing is that i strongly not recommend to sync 3000 users to your CMK system. This brings big problems.

My LDAP setup looks most times like this.

Inside the User section of your LDAP connection define a good Search Filter.
Like

(&(objectclass=user)(objectcategory=person)(memberOf=CN=groupname,...))

or if you have nested groups

(&(objectclass=user)(objectcategory=person)(memberOf:1.2.840.113556.1.4.1941:=CN=groupname,...))

Inside this group are only users members who you want to have inside CMK.
Set a working Group Base DN
Next step is to setup the Attribute Sync Plugins - here I would use the Contactgroup Membership and Roles.

With the Roles plugin you can assign different roles to different groups. And if you have some modified roles you can also assign all users from one or more groups to a roles what can see all but cannot change anything like the “guest role”.

In all sync plugins you have to pay attention to the correct spelling for your groups. If this is ok then i works like a charm and you have not to modify anything regarding users and groups inside CMK.

1 Like