LDAP synchronization logic

Hi there,

We’re trying to set up LDAP in Metabase and have had limited success so far. However, it’s also not completely clear to me how things are even supposed to work, so perhaps I’m just misunderstanding. Hopefully someone here can clarify some things :slight_smile:

We’ve set up an LDAP connection and enabled group mapping for three groups: default users, admins, and one group with access to a specific data source. After adding someone to the users group in LDAP, this user could log in with his LDAP credentials. However, after then removing said user from this group, he could still log in to Metabase.

Is this how LDAP ‘synchronization’ is supposed to work? So once the user is in metabase, it is not verified that he or she is still in the LDAP group?

Any help appreciated!


I’m using LDAP but not with sync of groups. I’d speculate it’s possible not many others use it like you do, so it might be a bug you’re the first to spot.

Ah, wait! Just remembered the group section in the :blue_book: Admin Guide states:

The All Users group is another special one. Every Metabase user is always a member of this group, though they can also be a member of as many other groups as you want

Maybe you can work around (or with) it by not just removing the user from users but disabling the user. The other option I see is to define your own group - not governed by the default thing - if you want to manage the group completely by LDAP.

Please share your findings! :slight_smile:

Actually, it looks like we’re running into this issue: https://github.com/metabase/metabase/issues/4936. Since that’s scheduled for milestone 0.30 we’ll probably wait with integration for now.

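The stale-access behaviour asked about in this thread, as an added example that is not part of the original posts and is not Metabase's code: a small model contrasting a login that reads LDAP group membership only when the local account is created with one that reconciles it on every login. The directory contents, group DNs, mapping and function names are all constructed, the password bind is assumed to have already succeeded, and denying login when no mapped group remains is a policy assumption.

```python
"""Model of login-time LDAP group reconciliation (constructed example)."""

# Constructed directory snapshot: LDAP group DN -> member usernames.
DIRECTORY = {
    "cn=mb-users,ou=groups,dc=example,dc=org": {"alice", "bob"},
    "cn=mb-admins,ou=groups,dc=example,dc=org": {"alice"},
}
# Hypothetical mapping: LDAP group DN -> local application group.
GROUP_MAP = {
    "cn=mb-users,ou=groups,dc=example,dc=org": "Users",
    "cn=mb-admins,ou=groups,dc=example,dc=org": "Admins",
}
LDAP_MANAGED = set(GROUP_MAP.values())
local_groups = {}  # username -> local groups, persisted between logins


def mapped_groups(username, directory):
    """Local groups the directory currently grants to this user."""
    return {GROUP_MAP[dn] for dn, members in directory.items()
            if dn in GROUP_MAP and username in members}


def login_first_time_only(username, directory):
    """Weak form: membership is read only when the local account is created."""
    if username not in local_groups:
        granted = mapped_groups(username, directory)
        if not granted:
            return False
        local_groups[username] = granted | {"All Users"}
    return True  # an existing local account is never re-checked


def login_with_sync(username, directory):
    """Hardened form: reconcile LDAP-managed groups on every login."""
    granted = mapped_groups(username, directory)
    if username in local_groups or granted:
        # Keep groups that are not LDAP-managed, replace the ones that are.
        kept = local_groups.get(username, set()) - LDAP_MANAGED
        local_groups[username] = kept | granted | {"All Users"}
    # Policy assumption: no mapped group left means the login is refused.
    return bool(granted)
```

Reconciling only at login still leaves an already-issued session valid until it expires, so a real deployment would also want a session lifetime or a periodic re-check.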