LDAP Active Flag

[MrCaspan]

The way we use Snipe-IT is only the IT staff use the site and all the other users are created so assets can be checked out to them. When I do an LDAP Sync the users that are synced are set to Login enabled. I don't want to allow them to login. I know they don't have access to really anything even if they knew the site address and then they logged in, but I want to make sure they have no access. I see that there is an option on the LDAP Sync setting page for:

LDAP Active Flag : This flag is used to determine whether a user can login to Snipe-IT and does not affect the ability to check items in or out to them.

So is this a value that I can set for each user that gets synced to the system through LDAP (For instance I set it to FALSE or 0 or No) or is this a value that I need to read form the user I am syncing in? For instance if a user is disabled in my LDAP it will disable them in Snipe-IT

I have tried to set this flag to many different values 0, NULL, No, False and imported users are still have the Login Enabled

I would love to have a way to import all my LDAP users and have then marked as "Login disabled" any ideas?

[MrCaspan]

So I am trying to debug the problem and I am finding the following:

If I open the 'snipe-it/app/Console/Commands/LdapSync.php' and I look at line 51

'$ldap_result_active_flag = Setting::getSettings()->ldap_active_flag_field;'

I am assuming "Setting::getSettings()->ldap_active_flag_field" should be returning the 'ldap_active_flag' value form the setting table right? All I am getting is NULL and when I look at the settings.php page there is no placeholder for 'ldap_active_flag_field'

Is this a bug?

[jelockwood]

@MrCaspan
The following may or may not help but I believe it is relevant.

First, the active field flag is an LDAP field stored in your LDAP server per user assuming your LDAP server supports and uses such a feature. As an example Active Directory does and so does FreeIPA. It possible in theory in Snipe-IT to define the name of the LDAP field and then this information in theory is imported when an LDAP sync is performed. Snipe-IT cannot change this value. The field in your LDAP server reflects whether on the LDAP server an administrator has marked a user has having been deactivated or not. Since this is done at the LDAP directory server, marking a user as deactivated disables ALL their access to ALL systems. It therefore cannot be used purely for Snipe-IT.

Secondly, there was in the past a bug in Snipe-IT with the implementation of this feature. I myself raised an issue regarding this but I have moved jobs since and from personal experience do not know if it was fully resolved. See the ticket below.

#5054