User Permission Synchronization

Some IT shops prefer to manage permission & group membership in Active Directory instead of in the CloudBolt UI. This page explains how to set up and customize that synchronization.

How It Works

Whenever an “external user” (one who is authenticating with credentials in an external source), logs into CloudBolt, CloudBolt runs all enabled actions for the “External User Sync” trigger point. These actions can run arbitrary code to fetch that user’s permissions in an external system (like AD) and then add/remove the user to the appropriate groups and roles in CloudBolt. This happens synchronously, meaning that the user will not be logged in and be able to use the UI until these CB actions complete.

Using the “User Permission Sync From LDAP” Action

CloudBolt comes with a sync action enabled by default that can automatically grant CloudBolt permissions to a user based on their LDAP permissions. For each LDAP utility you create in CloudBolt, you will need to map its OUs and groups to their equivalent CloudBolt Groups and Roles.

To set up the user permission sync, you’ll need to create some mappings:

  1. Go to AdminLDAP Authentication Settings → your LDAP utility.
  2. Click the New LDAP Mapping button on the Mappings tab. The first dialog lets you select the LDAP OU and group that the user must match in order to receive CloudBolt roles. You’ll need the full LDAP distinguished name, which can be found in the object’s properties in AD.
  3. Next, click the Add Roles link on your newly created mapping. This dialog lets you select a CloudBolt group and the roles that should be granted in that group.
  4. Repeat step 3 as necessary if you want this mapping to grant roles in multiple groups.
  5. To test your mapping, click the play button in the Actions column. You’ll be able to select a user and see if they would be affected by this mapping. This test is a dry run and will not grant any permissions.

Roles granted by mappings are additive: if a user is be impacted by more than one mapping, they will receive all the roles in each mapping.

If using Active Directory, note that the user’s primary group is not used when applying mappings.

Creating Custom Actions

To manage the external user sync actions, navigate in the UI to AdminOrchestration ActionsOtherExternal Users Sync. You can use the default CloudBolt action as a sample when developing your own action. If you modify it, we recommend first duplicating it, and then modifying the new one you created.

You can also look in the CloudBolt Forge for additional examples.

Testing It

You could test your newly enabled external user sync action by logging out and logging in, but that takes some time, and, if your plugin has significant problems, it could prevent login.

A faster, safer way to test is to navigate to AdminUsers, click on an external user you can test with, and click the Sync External User button. We recommended using a user account that is not the one you are logged in as, because a problematic sync could remove your admin permissions and prevent you from testing further.