Use LDAP for User Provisioning Only

Hi guys,

I was wondering if it is possible to configure Metabase LDAP support to only sync and create users from an LDAP server it binds to, but those users would not be able to authenticate via LDAP (i.e. LDAP authentication would be disabled).

In this type of setup authentication would be via Google Sign in. I don’t know if such a setup is possible with Metabase.

Hi @bigbrovar
Not quite sure what you’re asking for, but if you’re already using Google Auth, then why not just use that in Metabase?
https://www.metabase.com/docs/latest/administration-guide/10-single-sign-on.html

@flamber Thanks for your response. Google Auth would not support automatic user provisioning (or does it?). From what I read, it would also authenticate users whose accounts have already been created (already exist) in Metabase.

Having LDAP handle provisioning while Google handles authentication seems a perfect fit for me.

@bigbrovar I still don’t understand what you mean about provisioning. The users are created in Metabase (in the table core_user) at login (if using SSO and that is enabled).
If you want all users to be pre-created before login, then you need to do the user sync manually - ideally through the API:
https://github.com/metabase/metabase/wiki/Using-the-REST-API
https://github.com/metabase/metabase/blob/master/docs/api-documentation.md
The best way to learn the API is to just use Metabase while having your browser developer network-tab open and looking at the request, and what data is being sent/received.
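
One way to plan the manual user sync described above, as an added example that is not part of the original post and not Metabase's own code. The field names, the group name `metabase-users` and the sample data are assumptions; confirm the `POST /api/user` and `DELETE /api/user/:id` calls against the API documentation linked above before sending anything.

```python
# Added example: plan a one-way user sync from a directory export into Metabase.
# Field names and the group name are assumptions; all sample data is constructed.

def _key(email):
    return email.strip().lower()  # compare addresses case-insensitively

def plan_sync(directory_users, metabase_users, allowed_group):
    """Return the accounts to create, reactivate and deactivate."""
    wanted = {_key(u["email"]): u for u in directory_users
              if allowed_group in u.get("groups", [])}
    existing = {_key(u["email"]): u for u in metabase_users}
    plan = {"create": [], "reactivate": [], "deactivate": []}
    for email in sorted(wanted):
        account = existing.get(email)
        if account is None:
            plan["create"].append(wanted[email])
        elif not account.get("is_active", True):
            plan["reactivate"].append(account)  # already exists: do not re-create
    for email in sorted(existing):
        account = existing[email]
        if email in wanted or not account.get("is_active", True):
            continue
        if account.get("is_superuser"):
            continue  # an automated job should never lock out an admin
        plan["deactivate"].append(account)
    return plan

def to_requests(plan):
    """Turn the plan into (method, path, body) tuples; reactivations are left for review."""
    reqs = [("POST", "/api/user", {"first_name": u["first_name"],
                                   "last_name": u["last_name"],
                                   "email": _key(u["email"])})
            for u in plan["create"]]
    reqs += [("DELETE", f"/api/user/{u['id']}", None) for u in plan["deactivate"]]
    return reqs

DIRECTORY = [  # constructed directory export
    {"email": "alice@example.com", "first_name": "Alice", "last_name": "Roe", "groups": ["metabase-users"]},
    {"email": "bob@example.com", "first_name": "Bob", "last_name": "Lee", "groups": ["finance"]},
    {"email": "carol@example.com", "first_name": "Carol", "last_name": "Ng", "groups": ["metabase-users"]},
    {"email": "Dave@Example.com", "first_name": "Dave", "last_name": "Kim", "groups": ["metabase-users"]},
]
METABASE = [  # constructed list of existing Metabase accounts
    {"id": 1, "email": "admin@example.com", "is_active": True, "is_superuser": True},
    {"id": 2, "email": "alice@example.com", "is_active": True, "is_superuser": False},
    {"id": 3, "email": "erin@example.com", "is_active": True, "is_superuser": False},
    {"id": 4, "email": "dave@example.com", "is_active": False, "is_superuser": False},
]

if __name__ == "__main__":
    for request in to_requests(plan_sync(DIRECTORY, METABASE, "metabase-users")):
        print(request)
```

Printing the planned requests first gives a dry run to review before any account is created or disabled.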

@flamber thanks a lot for this. Just to be clear (I am new at Metabase), a user account is created in Metabase when a user logs in through Google Auth for the first time… What I actually want is just users with Metabase access to be able to log in. If there is a way to restrict this to users in certain Google groups, that would be perfect… My understanding of OAuth (which is not much) is that you can restrict authentication to certain users.

It would have been possible to implement all this with LDAP but we use Okta with MFA. Their LDAP MFA implementation just does not work with us. And the company does not have the financial resources to go on Metabase Enterprise where we would have SAML support.

@bigbrovar Google sign-in groups - upvote by clicking :+1: on the first post of each issue:
https://github.com/metabase/metabase/issues/9028
https://github.com/metabase/metabase/issues/3288
