Integrate Snipe-IT with AzureAD

Snipe-IT is a fantastic, little, open source, asset management tool.

One of the pinpoints when you have new employees coming onboard is you have to manually provision their account. As such it’s helpful to have Snipe-IT integrated with a directory service. Ideally, this would be achieved via SAML but until that feature is available, the method below will help to get your user base into the system.

Requirements

This guide assumes your Snipe-IT instance has a public IP address but can easily be adapted to work with a private IP.

We’ll be setting up LDAP sync with Azure Active Directory Domain Services (AADDS). The project does provide documentation on LDAP configuration but I’ve found it requires some nuance in order to get it working with AzureAD. Before continuing ensure:

  • You have Azure AD Domain Services Configured.
  • You know your Snipe-IT instances public IP address. If using the hosted version, support can provide this to you.
  • You have configured the network security group used by ADDS to allow TCP port 636 (LDAP) traffic from your Snipe-IT IP address.
  • You have created a service account to handle the LDAP querying. ADDS can take some time to sync a new account. Allow time for a new account to be created.

Syncing Methods

The LDAP integration in Snipe-IT can work in two ways:
1. User syncing.
2. LDAP login.

With user syncing, Snipe-IT simply does an an import of users (without their password) from your directory.

With LDAP login, Snipe-IT users can log into the Snipe-IT dashboard using credentials that have been synchronized from the directory.

In my org, we don’t allow non-IT staff to login to the dashboard. Additionally, synchronizing passwords doesn’t sit well for me from a security perspective as I prefer Azure services to be the main authentication point. As such, I’ll be configuring LDAP in user syncing mode only. Note: this method requires IT staff to be manually provisioned with a username/password from the Snipe-IT dashboard.

Implementation

Start by going to https://COMPANY.snipe-it.io/ > Settings > LDAP

LDAP Integration: Enabled
Active Directory: This is an Active Directory server (Checked)
LDAP Password Sync: No (Unchecked) 
Active Directory domain: COMPANY.com
LDAP Serverldaps://sldap.COMPANY.com:636 (Note port 636 used for LDAPS over SSL)
Use TLS: No (Unchecked)
LDAP SSL certificate validation: No (Unchecked)
LDAP Bind Username: SERVICEACCOUNT@COMPANY.com
LDAP Bind Password: YOUR SERVICE ACCOUNT PASSWORD
Base Bind DN: DC=COMPANY,DC=com
LDAP Filter: &(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))
Username Field: samaccountname
Last Name: sn
LDAP First Name: givenname
LDAP Authentication query: samaccountname=
LDAP Version: 3
LDAP Active Flag: LEAVE BLANK
LDAP Employee Number: LEAVE BLANK
LDAP Email: userprincipalname
Custom Password Reset URL: ANY URL YOU WOULD LIKE

Once configured, go to your Snipe-IT users page and you’ll see a new option to import users.

Next setup a Cron job to frequently run LDAP sync e.g. every night. If you are used the hosted version, contact support and they’ll set this up for you.
For self-hosted instances, follow the instructions here.

Leave a Reply

Your email address will not be published.