Chicken and egg problem - Scope and syncing

[acharseth]

I have set up syncing and mapping of groups to local roles and a scope including only the relevant access groups to only include users with access in syncing.
The challenge with this is that when all access groups are removed for a user then the scope makes the syncing ignore this user. This results in the user keeping the access rights prior to the removal. This happens when I run php artisan ldap:import ....
Potentially the --delete-missing options could have solved this be deleting these users but this does not happen.

Have I configured something wrong when --delete-missing is not working or is this a defcience in LdapRecord?
Potentially ldap:import should first do syncing of all users in the database, ignoring the scope, before running import with scope?

[stevebauman]

I have set up syncing and mapping of groups to local roles and a scope including only the relevant access groups to only include users with access in syncing.

I wouldn't set up a scope to prevent users from logging into your application that must have certain groups/roles. I would use an authentication rule for that:

https://ldaprecord.com/docs/laravel/v3/auth/database/configuration/#rules

This way you can keep users in sync, and when the relevant groups/roles are added, they can immediately be allowed to authenticate.

Potentially the --delete-missing options could have solved this be deleting these users but this does not happen.

The delete missing flag requires that your Eloquent user model has SoftDeletes enabled. Does your Eloquent model have the SoftDeletes trait on it?

[acharseth]

I wouldn't set up a scope to prevent users from logging into your application that must have certain groups/roles. I would use an authentication rule for that...
This way you can keep users in sync, and when the relevant groups/roles are added, they can immediately be allowed to authenticate.

I don't think I agree with this in general. For a widely available application, yes, it could make sense to have all (relevant) users synced in. For an application with restricted availability however I belive only users with correct group membership should be synced (reducing slightly the attack surface).

I have set up a rule for specific groups but I also want the synchronization to limit synchronizing to members of the same groups for this restricted application.

The delete missing flag requires that your Eloquent user model has SoftDeletes enabled. Does your Eloquent model have the SoftDeletes trait on it?

No, I had not. The reason for this is that soft deleting is bad practice in terms of privacy. It is not considered sufficient to have privacy information soft deleted, it must be physically deleted. In this case however, with user information being synchronize, for security reasons (reducing effect of mistakes) it makes sense. In this case I could use soft deletes and then have a job which physically deletes the user after a specific time. May be you could add an option for this?

I have now enables soft delete and it works fine with the --delete-missing option. However, as described, the roles are kept due to the scope. So I still think it would be nice if the syncing took place in 2 steps, the first step synchronizing the attributes for existing users (without using the scope) and the nest step performing the activities on the user object itself (adding new users and deleting deleted users in AD).

...

[stevebauman]

I don't think I agree with this in general. For a widely available application, yes, it could make sense to have all (relevant) users synced in. For an application with restricted availability however I belive only users with correct group membership should be synced (reducing slightly the attack surface).

Ok, then the --delete-missing option is what you're looking for.

In this case I could use soft deletes and then have a job which physically deletes the user after a specific time. May be you could add an option for this?

Use Laravel's model pruning feature to take care of this -- it doesn't need to be baked into LdapRecord-Laravel:

https://laravel.com/docs/10.x/eloquent#pruning-models

use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    public function prunable()
    {
        return static::onlyTrashed()->forceDelete();
    }
}

protected function schedule(Schedule $schedule): void
{
    $schedule->command('model:prune')->daily();
}