Add users to multiple groups via import/sync?

Dragonpark · January 15, 2021, 4:53pm

Is it possible to add a single user imported from AD to multiple groups? I currently have two import sources setup for two different AD groups. Both are setup as below, but the only change is the ‘LDAP Filter’:

The sync rule is setup to sync these users and merge the data:

Then I have the group membership field set via the sync properties:

When running the sync, it is completely overwriting the group membership instead of merging it. I would guess this is expected behavior, but is there a way to add users to two different groups via a sync or will I need to do something else to get this to work? I would like to avoid settings groups in two different places as much as possible.

Thanks

dgoetz · January 15, 2021, 5:20pm

The group attribute of the user is an array, so passing an array to it would be one option, the other is having assign rules at the group based on attributes of the user.

In most environments I take the attribute memberOf from the user, use a filter array modifier and a regex modifier to adjust the groups. Logic can change a bit based on the environment and the number of groups. The regex could be complicated so I post mine from one environment, but the other strings are to specific.

Regex pattern: /^CN=([^,]*),.*$/
Replacement: \1

This will take the cn of the group and remove everything else from the name.

Dragonpark · January 19, 2021, 4:26pm

I’ve got this figured out. My issue was that I was doing multiple Imports with multiple sync rules. This was causing the ‘group’ attribute to be overwritten completely instead of just merged. I was able to fix it with the help of this post, which I apparently couldn’t find before:

I had to modify the ldap filter used as we have a very large domain and only 1000 results were being returned.