Kalin
Posted April 25, 2019

Going through the 2.2.2 Administrator manual, I've been thinking: Can Connect use LDAP/AD for authorization or only for authentication? In other words, is there a (sane) way to map some attributes in an external directory to the permissions used in Connect? Anybody doing that?

https://www.vound-software.com/docs/connect/2.2.2/admin/04_01_user_management.html#permission-types

I can probably see a helpful "one-liner" script that queries AD and nudges the Connect setup, although that will be a hack I wouldn't be proud of.

The use case I am thinking is a large organisation (say 100 departments), each manager can create cases and each user within the department can by default view cases only in their department. Can this be achieved so that when a user switches departments, s/he loses access to the cases in the old department and gains access to the ones in the new department automagically (without messing with Connect settings)?

BTW, is CLI in Connect or coming (saw it in recent Pro/Team)?

ŁukaszBachman
Posted April 27, 2019

Hi Kalin,

LDAP is currently only being used for Authentication, not Authorization. We decided to keep our Authorization configuration on the Connect side, so that the integration with AD/LDAP wouldn't be overly complicated. The level of automation you are seeking is not something that can be achieved in the current version of our software. I would love to hear from other users too if this is something they would like to see being added, though.

CLI/CMD support is currently a PRO/Team specific feature. We are planning to add more automation to Connect in the next few release cycles, but we are more leaning towards developing some sort of RESTful API. Again, any feedback from the community about this would be appreciated.

Kalin
Posted May 14, 2019

Some kind of API (RESTful is fine) would be great, to any "non-viewer" product of Vound!

BTW, it is getting a bit messy (marketing-wise so to say) on what is what, I am suspecting code-wise there are a few components that get packaged in various combinations. For my own sake I call them:

front-end (allows shared access to case): Connect/Connect+, TeamManager
back-end (processes/indexes new data and makes a case): Node, Pro/250/100/10, TeamManager
viewer (allows searching, tagging, comments, export when connected to a front-end or directly opening (single-user) a case on disk): Viewer, WebUI_for_conect

So, API for the front-/back-end may greatly simplify complex usage and repetitive (i.e. compliance-solid and auditable workflows). And I am sure there is already API, since viewers communicate with back-ends, it is just not exposed 😄

I thought a few times over the authorization with AD/LDAP and I think (maybe) it would not be that complicated to add it as it stands now. All that is needed is to define the LDAP query per case (and save that in case template). I am referring to https://www.vound-software.com/docs/connect/2.2.2/admin/04_03_02_ldap_guide.html#customized-ldap-queries

So, say for department_A cases, something along the lines of:

Query base DN: OU=ConnectUsers,OU=Users,OU=MyBusiness,DC=site,DC=local
Query filter: (&(&&USERNAME_ATTRIBUTE&&=&&USERNAME_VALUE&&)(memberOf=CN=department_A,CN=Builtin,DC=site,DC=local))

In a way, demoting some of the LDAP config (or all if it's easier) from global to per-case-local and using the default global, if not overridden.

I'd be interested to know how other users deal with this (mapping Connect users to OUs) currently.
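
Added example, not part of the thread and not Connect functionality: a sketch of the per-case filter override proposed in the post above, with the username escaped per RFC 4515 before it is substituted into the template. CASE_FILTERS, build_filter, entry_matches, can_open_case, the case ids and the sAMAccountName default are assumptions made for illustration; the directory entry is constructed.

```python
import re

# Added sketch of the per-case override proposed above; not Connect functionality.
# CASE_FILTERS, build_filter, entry_matches and can_open_case are hypothetical names.
GROUP_DN = "CN={},CN=Builtin,DC=site,DC=local"
USER_TERM = "(&&USERNAME_ATTRIBUTE&&=&&USERNAME_VALUE&&)"
GLOBAL_FILTER = USER_TERM  # global default: any user the directory knows
CASE_FILTERS = {  # per-case overrides, as would be saved in a case template
    "case_A": "(&" + USER_TERM + "(memberOf=" + GROUP_DN.format("department_A") + "))",
    "case_B": "(&" + USER_TERM + "(memberOf=" + GROUP_DN.format("department_B") + "))",
}

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so user input stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(case_id, username, username_attribute="sAMAccountName"):
    """Use the case's own filter if it has one, otherwise the global default."""
    template = CASE_FILTERS.get(case_id, GLOBAL_FILTER)
    # Attribute first, escaped value last, so the value is never re-substituted.
    return (template.replace("&&USERNAME_ATTRIBUTE&&", username_attribute)
                    .replace("&&USERNAME_VALUE&&", escape_filter_value(username)))

def entry_matches(ldap_filter, entry):
    """Stand-in for the directory search: handles only an AND of equality terms."""
    terms = re.findall(r"\(([^()=]+)=([^()]*)\)", ldap_filter)
    return bool(terms) and all(
        value in {escape_filter_value(v) for v in entry.get(attr, [])}
        for attr, value in terms)

def can_open_case(case_id, username, directory):
    ldap_filter = build_filter(case_id, username)
    return any(entry_matches(ldap_filter, e) for e in directory)

if __name__ == "__main__":
    # Constructed directory entry; only the group membership changes below.
    user = {"sAMAccountName": ["kalin"], "memberOf": [GROUP_DN.format("department_A")]}
    print(can_open_case("case_A", "kalin", [user]), can_open_case("case_B", "kalin", [user]))
    user["memberOf"] = [GROUP_DN.format("department_B")]  # user switches departments
    print(can_open_case("case_A", "kalin", [user]), can_open_case("case_B", "kalin", [user]))
    print(build_filter("case_A", "kal*"))  # wildcard arrives escaped as \2a
```

A real directory compares DNs and attribute values case-insensitively and also applies the query base DN; entry_matches skips both to keep the access decision visible.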