
Importing LDAP Groups to CSS, Access After Removal from Group

anton_laurila
Advisor

At a customer we are working to determine if we should start using LDAP groups for granting user access instead of importing individual users.

A question came up: If a user is removed from the LDAP group, does the account still have access if the user has authenticated previously and the user account exists on CSS? This refers to this part on the page Importing LDAP Groups: "When a user from the group logs in with their network ID and password, a user account is created automatically. Once that user account is created, you can assign that user a role, local user group (that has a different role) or reports." Can anyone confirm this?

Edit: Additional question: Does the CSS check the group membership as well in the Active Directory? And what happens if the user is moved to another group after already having an account created on the CSS?

Kind regards

Anton

3 REPLIES

Hello @Anton Laurila,

If the user is removed from the LDAP group, the CSS reloads the cache of users, and will remove users that are no longer part of the LDAP group. Since CSS does not store passwords, and has to authenticate against the LDAP server, the user will not be able to authenticate.

Thank you @Jose Colella for confirming this!

Hello @Anton Laurila,

The CSS will check group membership in LDAP, so even if a user has moved, there should not be any problems with validating the user. Remember to import the group that the user has moved to in the CSS. The CSS will always use LDAP to verify the user, and the group membership.