LDAP Sync disabled login by default

[FG-Lars]

Debug mode

• I have enabled debug mode
• I have read checked the Common Issues page

Describe the bug

If I understand the documentation at https://snipe-it.readme.io/docs/ldap-sync-login correctly, I should be able to import AD users without giving them the ability to login to Snipe-IT using the LDAP Active Flag.

The only example value given to this field in the documentation is "active".

I have tried "inactive" but this had no effect.

Reproduction steps

1. Set up LDAP sync with Microsoft Active Directory
2. Sync users
3. Go to People panel
4. Check imported users
5. Login Enabled = Yes (unwanted)

Expected behavior

LDAP imported users should be:
Login Enabled = No

Screenshots

No response

Snipe-IT Version

5.3.7 build 6587 (gcf14a0222)

Operating System

Debian 11

Web Server

Apache2

PHP Version

7.4.25

Operating System

No response

Browser

No response

Version

No response

Device

No response

Operating System

No response

Browser

No response

Version

No response

Error messages

No response

Additional context

No response

[snipe]

That sounds like a filter issue perhaps. active does mean "able to login"

[FG-Lars]

@snipe

No filter issue. I'm importing only the users I want to import, and they are all active in AD.

But even if they are active in AD, I still do not want them to be able to login to Snipe-IT as we only want the IT-dep to be able to login to Snipe-IT.

Please help me as to how I get the desired effect.

...

My only other option is to mass-edit users and disable login after each LDAP sync. Which one day (in the heat of things) will be forgotten, and the users will then be able to log in.

[snipe]

Again, the active flag in your Snipe-IT LDAP settings should do what you're asking for. Without introspection into your AD/LDAP settings, this normally just works as advertised.

That said, if login/not-login is an issue, uncheck the "sync LDAP passwords" settings and/or (un)check the option in settings to link back to the Snipe-IT install. The active flag should handle this already, but if accounts get made via sync and no one knows urls, it usually doesn't matter.

[FG-Lars]

@snipe

If I enter value "active" into the field LDAP Active Flag, all imported users are able to login (Login Enabled = Yes).
If I enter value "inactive" into the field LDAP Active Flag, all imported users are able to login (Login Enabled = Yes).

I do not know what I should put in the field LDAP Active Flag to disable Snipe-IT login for imported users, and I do not have the time to guess the right value.

Is there any values other than "active" which the field LDAP Active Flag accepts? It is the only value described in the documentation.

Unchecking the "sync LDAP passwords" will not solve anything, as LDAP will query AD directly if the passwords are not synced.

We are security aware, which means that not disclosing the URL will not be sufficient.

[FG-Lars]

@snipe

Do you have anything on the above? (other accepted values for the field)

Any and all help is much appreciated =)

[avielc]

Following up on this.
I'm exactly hitting that spot too.
Snipe IT is used for the IT, so basically all users shouldn't be able to login by default.
How can we do that? (seems like the flag doesn't work) - according to the documentation it simply syncs disabled users (and not disable login to the users synced. )

[snipe]

This is one for @uberbrady, since he was the last to meddle with that LDAP code. He's afk for now, but I'm sure he'll look into it soon.

[avielc]

@snipe - thanks mate
FYI, I did more testing now,
disabling a user doesn't remove them from snipe (upon ldap sync)
adding the flag and syncing will create a user and allow it to login.
ldap sync will turn all accounts active for login even though I specifically disabled login to all accounts.
So it's a becoming a major concern more than just mildly uncomfortable issue.
If there's a cron job for ldap sync it'll automatically allow access to all accounts.

[snipe]

@avielc thanks for the additional debugging info - we're looking into this

[avielc]

just for the meantime, are there any workaround you are aware of perhaps ? a way to permanently disable login to users?

Thanks again!

[uberbrady]

If you delete the active flag from your ldap settings, then manuall ydisable login for users, then sync again, do they still get toggled to “login enabled”?

…

On Wed, Feb 2, 2022 at 2:28 PM avielc ***@***.***> wrote: just for the meantime, are there any workaround you are aware of perhaps ? a way to permanently disable login to users? Thanks again! — Reply to this email directly, view it on GitHub <#10563 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAI333JFNIBIZHSDSXGR23UZGVXTANCNFSM5M2PPAQQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[avielc]

I'll repeat what you said, to make sure we are on the same page @uberbrady

• I've removed the "inactive" flag I added on the ldap settings.
• edited some users and disabled their login to snipeit (active directory users)
• pressed ldap sync
• All those users are marked that they are able to login.

[uberbrady]

Dammit :( Well another workaround is to set up SAML SSO, enable the app for your it staff only, and check “require SAML as primary login” and maybe even enable the `.env` var that forces no local login override.

…

On Wed, Feb 2, 2022 at 2:39 PM avielc ***@***.***> wrote: I'll repeat what you said, to make sure we are on the same page @uberbrady <https://github.com/uberbrady> - I've removed the "inactive" flag I added on the ldap settings. - edited some users and disabled their login to snipeit (active directory users) - pressed ldap sync - All those users are marked that they are able to login. — Reply to this email directly, view it on GitHub <#10563 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAI3325ZCB5W6YILI7GZR3UZGXB7ANCNFSM5M2PPAQQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[avielc]

I'll have to look into it, but it sounds good (didn't mess with SAML much, so it'll probably take some time for me to figure it out)
Thanks for the workaround, hoping this can be an easy fix for you guys!

[snipe]

I feel like this issue is always haunted. Every time we fix it for one set of users, it breaks something else for another set. It's always tricky to try to accommodate the differences in LDAP, AD, and all of the new cloud-hosted solutions out there.

We'll get to the bottom of it for once and for all though. I'd love to put this issue to bed forever.

[avielc]

I feel like this issue is always haunted. Every time we fix it for one set of users, it breaks something else for another set. It's always tricky to try to accommodate the differences in LDAP, AD, and all of the new cloud-hosted solutions out there.

We'll get to the bottom of it for once and for all though. I'd love to put this issue to bed forever.

or to the grave :)
I've seen the other post from 2019-2018 related to the person who wanted all users enabled by default instead.
I think that if the flag function will be working correctly (and well documented on the wiki - because it just doesn't make sense, nor can you figure out what are the flags available)
that would definitely end this issue for good.
anyone that wants ldap to login all users by defaults = enable\true
all others = disable\false
very straight forward :)
Thanks again for everything guys! this is a massive tool with so many functions
keep it up!

[snipe]

Where it gets tricky is that people are absolutely going to ask for some groups of people to be able to login, but others not.

Hm. Maybe we set that as a group permission instead of on the user itself.... I'd have to think through the implications of that, but that could be a nice "have your cake and eat it too" solution, on top of fixing the active flag issue.

🤔🧐

One doesn't depend on the other though - the flag fix needs to happen first, but the group thing could be something useful to add for v6.

[avielc]

Sounds awesome man! I see what you mean with implications here,
I think group permissions sounds like a really good alternative here and very simple to manage too.
Of course, @uberbrady's idea of using SAML SSO and managing it through the AD would be a better "all-in-one" management place for that.
But that's a different topic :)

[nghia-dang]

Just an alternative viewpoint here:

Fundamentally, if all users are allowed by default, wouldn't the simplest solution be to set the default permission as deny action for everything for standard users, and have a separate group for the IT admins with the relevant permissions needed to do their tasks ?

[snipe]

@nghia-dang Not everyone uses the system the same way though. Some people DO definitely want their users to be able to login and see what they have assigned to them, some definitely do not.

Users being able to login or not in some ways isn’t that important, since an unprivileged user would only be able to see what has been checked out to them and nothing else, but we certainly understand people not wanting them to login at all if that’s what’s require for their setup.

To further complicate things, some people don’t use permission groups at all, so this becomes tricky to make sure the solutions we come up with don’t change behavior in ways we’re not expecting for each different use case.

[snipe]

Okay, so @uberbrady and I have chatted a bit…

This is the current plan:

• In v5 and v6, if you have no active flag defined, LDAP syncs do not modify whether or not the user can login
• New users would still be able to login by default

In v6, we will find an LDAP filter or attribute that maps to a permission group (and/or set a default permission group in case users do not have any LDAP attributes for what group they should be in). This will hopefully handle the existing use cases, without breaking anything for v6 users.

Hopefully. :D

[snipe]

@avielc Can you confirm that you actually have an active attribute on your LDAP directory? The existing code is looking for an attribute called active With a truthy value (true, 1, etc). It should be defaulting to false if that condition isn’t met, so I’m still trying to figure out how you’re getting the result you’re getting. :-/

[snipe]

Actually, I'm a liar-faced liar. It is looking for whatever field you've set as ldap_active_flag_field in your LDAP settings.

snipe-it/app/Console/Commands/LdapSync.php

Line 52 in 8add477

$ldap_result_active_flag = Setting::getSettings()->ldap_active_flag_field;

But it looks like it's looking for a value specifically of TRUE in whatever field that is:

snipe-it/app/Console/Commands/LdapSync.php

Line 173 in 8add477

if (empty($ldap_result_active_flag) || $results[$i][$ldap_result_active_flag][0] == "TRUE") {

It also seems weird and maybe a bug. We're checking it out now.

[snipe]

I've got what might be a fix up in a PR right now, but @uberbrady and I are afk at the moment, so we can't test it against our LDAP-enabled test setup right this second. We'll make sure it gets tested first thing tomorrow though.

[FG-Lars]

Wow, this issue gained a lot of traction overnight (Europe time). This is great news!

I'll just pitch in and say that I can confirm the results @avielc is getting, for our environment as well.

Now this is not suprising if I understand you correctly and the LDAP Active Flag Field is actually looking for a value of TRUE on the AD user object, where you (we) are supposed to define what field on the AD user object Snipe-IT should look in to find said TRUE value.

While I beleive AD has fileds toggling TRUE and FALSE based on the user-state and even some fields called "extension attributes" that could be used to enter the value manually, I don't think either is the way to go. And as you said, the current situation may be a bug.

Might I suggest adding users based on AD User Group membership, instead of Base Bind DN? One group for users who should be disabled in Snipe-IT, and another for users who should be enabled in Snipe-IT. Users who are not member of either group will not be synced to Snipe-IT.

You could extend this even further in coming versions, by linking AD User Groups to Snipe-IT permission sets.

[avielc]

Yea
so just to reply back to Snipe - Thank you so much for dedicating yourselves to this, it's epic!

Actually, I'm a liar-faced liar. It is looking for whatever field you've set as ldap_active_flag_field in your LDAP settings.

snipe-it/app/Console/Commands/LdapSync.php

Line 52 in 8add477

$ldap_result_active_flag = Setting::getSettings()->ldap_active_flag_field;

But it looks like it's looking for a value specifically of TRUE in whatever field that is:

snipe-it/app/Console/Commands/LdapSync.php

Line 173 in 8add477

if (empty($ldap_result_active_flag) || $results[$i][$ldap_result_active_flag][0] == "TRUE") {

It also seems weird and maybe a bug. We're checking it out now.

Regarding this big of info, this looks like a great spot to be able and change that default flag from TRUE to FALSE - which if I understand logically means I can simply decide if the sync will disable login by default or enable it. (basically a solution if you can add the ability to choose that in the UI.
Also if possible to not update "user login function" on "ldap sync if the user already exists" - this would make it easier to manage too.

let me know what you think of this idea too :)
Also, I don't have any kind of field of that sort FG-Lars mentioned, so it wouldn't work well for me.
but maybe making a default "disable login", and then any member of certain group gains "enabled login" Might also work out.
(I'm just spit balling here)

[uberbrady]

Okay, now I'm testing the PR, and I had to make a few fixes (which I'll of course push up).

Our test AD Server is, obviously, Active Directory. So one seriously janky thing I had to do (and I apologize in advance for this) is jam in a condition to force the code to not take the AD branch - when it does that, the active flag is completely ignored. But this means that if someone did want to use a custom LDAP flag in AD to determine whether or not someone can log in, they can't. I will obviously pull my force condition out before pushing up my changes. We can discuss whether or not we want to do this going forward, of course (and I do do that below).

So now, I did my test again - and now all of my AD users can no longer log in, except for syncuser123, who can. So it works!

But there is a caveat (there's always a caveat) -

Every single customer instance or self-hosted instance I have seen that has this flag set, has it set wrong. If we push this fix out, as-is, it's going to suddenly start respecting that wrongly-set flag, and Github and Discord and every single other place on the planet is going to light up like a Christmas tree, because LDAP users suddently won't be able to log in.

So, there are a few proposed fixes to that problem I can think of:

1. Blank out the flag in a migration. We're not really 'destroying' data here, because the flag has never actually worked before, so it's not going to hurt anyone, I'd argue. Everything works as before and we get less of a nightmare for our community. Of course, plenty of our users forget to run migrations, so there will still be an uptick, but not as bad, hopefully.
2. Basically deprecate the flag entirely (pulling it out of settings), and just full-on flat-out ignore it everywhere. Build instead a better can-log-in-mapping system, maybe hooking it into group permissions? That would probably fit best in v6.

There's at least a slight bright spot here - if we do option 1, we can also make it so that AD people can get a better can-log-in mapping system. We can continue to do the useraccountcontrol thing (and we should!), and we can also make it so that AD people can further restrict log-in-ability with a flag of their choice (such as me using info/Notes), if they want. If they set no flag, they continue to get the UAC system they're used to. If they do set a flag, then we try and respect it (maybe skipping the UAC check entirely? Not sure).

[snipe]

My preference is for the first option. (I know we discussed it separately, but I just wanted to make it clear in public as well.)

[uberbrady]

And it sounds like you like the idea of letting AD people skip the UAC check by setting an active flag?

And another thing we can do here - we can make that flag a little more user-friendly by allowing it to be anything truth-ey? E.g. "true" "TRUE" "1" "active" "bblah blah" - (false-ey things being: blank, "", "0", "false", "0.0")

[snipe]

And another thing we can do here - we can make that flag a little more user-friendly by allowing it to be anything truth-ey? E.g. "true" "TRUE" "1" "active" "bblah blah" - (false-ey things being: blank, "", "0", "false", "0.0")

Perfect

[uberbrady]

One thing we haven't addressed here is 'leaving can-login flag alone' - e.g., if an administrator manually marks a Snipe-IT user account as "cannot-log-in", then does an LDAP sync, the flag will be toggled back. I think we prolly oughtta fix that too, eh @snipe ?

Unfortunately, that directly conflicts with our desire to leave the UAC control in-use for AD configs :(

[snipe]

Balls. Yeah, this is the tricksy part I mentioned earlier. Maybe an additional setting in the AD/LDAP settings page? "Override individual settings with Directory Settings" type of thing?

Ugh.

[avielc]

Not sure I completelyu followed up (read it over email)
Basically having to set a flag in AD , means going over all employees + remembering to set it up when a new user join.
Kinda hellish if you ask me.
I think being able to allow AD groups affect permissions + logins on snipeit to be best.
Maybe even mix up with locations where certain AD filter added to certain location will affect login or not.

OR.. or...(creativity strikes as you spit ball)
mix what you spoke about together:
add a simple flag where all synced accounts will automatically get login or not
add another flag where does sync affects existing users or not

(and then maybe adding similar flags to group permissions

[uberbrady]

@avielc I agree that this absolutely this needs an overhaul going forward, but I'm just trying to get this one little thing fixed for our current users right now.

[avielc]

Understood and completely agree with you here.
I see you also took into account this never worked for them at all, so if you change the field and start over, there would be no harm here, they (current users) will just need to bulk-edit it to the new field.

[uberbrady]

So here's my thinking - the only time I hear from AD users about user-login-ability is when we end up missing one of the UAC settings that we check to enable login. Other than that, I don't hear from them about this issue.

So my thinking is we do this:

1. For AD users, if you set no 'active' flag, you get the UAC check.
2. For AD users, if you set an 'active' flag, your custom active flag takes precedence.
3. For non-AD users, if you set no 'active' flag, new users are automatically marked as 'can-log-in', but we try to respect whatever log-in-able settings that administrators have toggled. So we don't re-enable login if the administrator disabled login.
4. For non-AD users, if you do set an 'active' flag, that flag will manage whether or not your users can log in. Any administrator changes to can-log-in will be overriden by the active flag.

This means that AD users who want to manually toggle can-log-in are left out in the cold. While this does suck, it's exactly the situation they are in, right now - so effectively, nothing changes for them.

@snipe how's that sound?

[avielc]

I'm missing out here on what UAC (UserAccessControl) relates here. Where and what UAC check do you have happening here?
Basically, (and sorry to barge in between your conversations, no disrespect is intended here)
I hope that as long as there's a way to disable by default any syncing
I would appreciate that (very selfish I know)
but on a broader set of view point - it would be great to have a more flexibility to the different workflow of different users.
if its not too much hassle and the logic isn't too complicated, I think it'll be worth it.
Add good documentation to it, and you're set!
Sorry to interrupt, I'll go back to be a fly on the wall now :)

[uberbrady]

@avielc It's totally fine, no disrespect taken! But to answer your question, for the solution that I'm proposing here, if you can find any LDAP attribute that you don't care about (I used 'Notes' which translates into LDAP as info), and set it to something 'truthy' for the users you want to be able to log in, you'll be good to go. Everyone else will be inactive. Would that work for you for now?

[snipe]

@snipe how's that sound?

I hate it, but I kinda can't think of a better solution :(

[uberbrady]

Yay! Another compromise solution that is terrible, except for every other way of doing the thing in the first place. Whee!

[avielc]

@avielc It's totally fine, no disrespect taken! But to answer your question, for the solution that I'm proposing here, if you can find any LDAP attribute that you don't care about (I used 'Notes' which translates into LDAP as info), and set it to something 'truthy' for the users you want to be able to log in, you'll be good to go. Everyone else will be inactive. Would that work for you for now?

Thanks for explaining (Though I'm not sure I follow UAC term here still...)
I tried looking into it, but I couldn't find any attribute of that sort. (the other day)
the only attribute that differs who should have access and is very straight forward is group permission.
Either a dedicated Snipe group or Domain Admins.
I just think it'll be really messy to do the antwork of going one user at the time to set certain attribute.

If i could just specify specific OU that will be where the users there can login
IF there are some users there I don't want to login, then by deactivating them in Snipe it will remain persistant and not change during sync - then its a win for me!

[snipe]

I think specifying the OU -> permission group connection would be for v6. Right now, we're just trying to make it unbroken.

[FG-Lars]

I'll have to agree with @avielc here. Setting, maintaining and keeping up with a true/false flag for each user object is a lot of work in large AD environments. Forget to set that flag on a new user, and you have yourself an issue. Copy a user where you forgot to take this flag into consideration, same issue.

"Right now, we're just trying to make it unbroken." Excellent, but might I suggest that you make it the way that I and presumably many others (mis)read the documentation (Wiki)?

In the Snipe-IT LDAP settings page, have a field/toggle-switch/dropdown-menu that decides the login ability for ALL synced users (Admin users should be local users in Snipe-IT, for now).

I really thought this was how the LDAP Active Flag Field in the settings page worked. That if I wrote "active" or left it blank then all synced users would be login enabled. And if I wrote "inactive" in that same field, all synced users would be login disabled.

If you have the time/means then yes, you should also create a flag to determine if the synced user login ability has been manually modified. If yes, then ignore whatever the next sync says. Or even better, give us 3 choices in the edit-user page 1:Login-enabled, 2:Login-disabled, 3:Respect LDAP.

[avielc]

Well said @FG-Lars .
You summerized my suggestions in the perfect way.
3 choices sounds aboslutely perfect! (in my opinion)
If it can be a checkbox it would be best, that way there's no room for misunderstanding.

[adagioajanes]

Everyone here has already stated what I have wanted to state. So, this isn't to throw another opinion in the ring or trying to change anyone's mind about anything. But, for the sake of everyone's best possible understanding...

Thanks for explaining (Though I'm not sure I follow UAC term here still...)

UAC does indeed stand for User Account Control. Microsoft, and the marketing geniuses that they are, have named this after multiple things...

There's UAC which most people are familiar with as the Control Panel setting, and that security popup for running things as administrator.

Then, there is the UserAccountControl flag in Active Directory. This is what controls account enabled or disabled, whether it is currently password locked out, whether the account requires a smart card, etc. If you change this flag in Active Directory to a certain hex value, it will disable the account. This is the 'modern' way of disabling an account.

It get's even more fun when you start to add the values together to set multiple flags. Microsoft does a better job of explaining this flag and how it works in their documentation.

UserAccountControl property flags - Windows Server

Describes information about using the UserAccountControl attribute to manipulate user account properties.

Don't feel bad for misunderstanding. Things like this are just Microsoft being Microsoft. :)

EDIT: Also, to comment on what I just wrote...

This is the 'modern' way of disabling an account.

Modern is in quotes because, if you were to ask Microsoft what a modern authentication system is, they would point to Azure AD. But in terms of pure Active Directory Domain Services, UserAccountControl is modern.

[jolegape]

I had this issue when I setup my SnipeIT instance at the school I work at several years ago. I only wanted all AD users in there for the purpose of assigning assets. Only myself and a select few would be able to login.

I ended up writing a quick and dirty python script to poll two AD groups. One for all users, and one for all users who should be able to login to snipe. This is then compared to existing snipe users via the API. Users that don't exist in snipe are created. Those that exist in snipe, but no longer in AD are moved to a different group with a note added to their account stating disabled on x date.

Any config changes IMHO should be on the snipeIT end. AD for me is locked down as it is shared as part of the larger school district. I do not have the ability to add/edit attributes for any users, whereas I can create groups galore. Having the ability in Snipe to select whether users are created with login enabled or not, and then a separate admin group setting that would always enable login regardless would be the perfect config options in my eyes.

[uberbrady]

Yeah, this solution that I've cobbled together (above) is probably not what we want going forward, and probably wouldn't have helped you much. LDAP is a major pain point for customers, so getting some fixes in there is a high priority for me.

Another option of course is if you have an 'unused' LDAP field that you can set only for your administrators (assuming there's a small enough handful of them), then you could at least set that - if you're allowed to simply update a user, which you might not have been.

[gproy96]

Glad to see this thread. Ideally I would just want LDAP to sync/merge users. Then I would go into snipeit to set who could login and assign them to a group with higher privileges' and enable login. If there is a LDAP value to set then great, but by default it should return false if not set.

I would also expect that any manually created user that matched a LDAP sync'd user to merge and not create a second user.

[snipe]

I would also expect that any manually created user that matched a LDAP sync'd user to merge and not create a second user.

That is already the case.

[joaopepe78]

I had the same problem. All my users where getting "LOGIN ENABLED" upon LDAP sync, except for 2 of them. I found that the diference on them to the rest was on the AD, in the "userAccountControl" field. Both had the value "524832" (0x80220=( PASSWD_NOTREQD | NORMAL_ACCOUNT... ) instead of the value "512" ( NORMAL_ACCOUNT ).

So it might also be a workaround for some people, changing that value on the AD.

ps: I also thing that a flag stating "disable login" upon LDAP SYNC would be heaven! :)

[AmandaGreen32]

Hello new here,

Is there any way to add new users without giving an email or password ?
When I did a LDAP sync is has synced all old users and I am sure has missed out other users from the AD.

Thanks

Amanda

[xyzzy-plugh]

My situation ... to throw this into the mix ... (I have it working but it isn't as clean as I would wish):

• LDAP sync is working fine, it pulls all the users into Snipe-IT.
• "Login is enabled" via LDAP for all users after the sync.
• on the LDAP server I have denied login authentication. I only want to pull the users into Snipe-IT so that the IT team can checkout/in assets to the users, plus also have the ability to send emails to the users (e.g. inventory) ... this part works too.
• login attempts using LDAP username/PW fail (which is what I want for the majority of users)

Ideally, "login enabled" wouldn't be shown as true in Snipe-IT, but it works out OK because the LDAP server denies all authentication attempts

"LDAP Password sync" is unchecked now, although it was initially set for the first sync.
Subsequent LDAP syncs fail, unless I go back to admin->LDAP and enter the bind PW again & save - doesn't seem to store that.

It would be nice to enable a few logins for IT people via LDAP ... but it seems the easiest way (given the way it works) is to set local passwords. These need to be separate accounts (e.g. username_local instead of [email protected]) in SnipeIT so that they don't get overwritten by future LDAP syncs and turned into LDAP users.

[FillmoreB0]

Man, I hate resurrecting old threads, but I cannot find this issue anywhere else...

We are new to Snipe-IT and have installed Version v6.3.0 - build 12490 on Windows Server 2019 with IIS.
Fussing with the LDAP sync (Windows on-prem AD servers) and scheduling thereof, and finally got everything working from bits and clues scattered about the internet. We too want only Admins to login to Snipe-IT but want all of our AD users in the system for equipment assignments and inventory only. Per the discussion above, it looked like the devs were going to revamp the LDAP sync and sign in-ability of users in V6, but we see the same behavior described in this discussion. Setting the "LDAP Active Flag" to anything but "false" sets all sync'd users to "Able to login". Setting it to "false" sets everyone to not be able to login, including our IT techs and admins. Having the login permission/toggle on the group would be a way better solution for on-prem AD LDAP sync, especially since the LDAP sync can assign new users to a default group.

Thanks!