Dynamic LDAP lookups to assign users to roles
Currently, when a user is created (either on import, or when they log in), the role they have at that time is assigned to their account, even if the underlying database (e.g. Active Directory) changes. For example, say you've set up the K1000 so that all members of a particular AD security group are admins of the K1000, and all members of another AD security group are K1000 users. If you change a user's AD security group so that they're not in the admin group any longer, that change won't ever take effect on the K1000 and thus the user will never be 'demoted'. You have to manually change the role for that user on the K1000, for as many users as that applies to.
This has security implications, especially if K1000 admins don't realise that an AD security group change doesn't change the role on the K1000. It also makes it unnecessarily difficult to change user roles en masse.
My suggestion is to implement dynamic lookups of the LDAP server on login to the K1000. So, if the user is no longer a member of the relevant security group, the K1000 database is updated to reflect this.
The LDAP implementation in the K1000 is not the simplest I've ever seen, but this seems to be a quite basic feature which is often taken for granted that is lacking.
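The drift the post describes, shown as an added example (not K1000 code): an ordered group-to-role rule list is evaluated against a current membership snapshot, mismatches against the roles stored at account creation are reported, and the proposed fix re-resolves the role at login. The group DNs, role names and sample users are all constructed.

```python
"""Added example (not K1000 code): detect role drift between directory
group membership and the role stored locally at account creation.
Group DNs, role names and the sample data below are constructed."""

# Ordered rules, first match wins: admin groups are checked before
# plain user groups, so a user in both gets the admin role.
ROLE_RULES = [
    ("CN=K1000-Admins,OU=Groups,DC=example,DC=com", "Administrator"),
    ("CN=K1000-Users,OU=Groups,DC=example,DC=com", "User"),
]
DEFAULT_ROLE = "No Access"  # assumed role for users in no mapped group

# Constructed snapshot of *current* directory group membership.
LDAP_GROUPS = {
    "alice": {"CN=K1000-Users,OU=Groups,DC=example,DC=com"},   # demoted in AD
    "bob":   {"CN=K1000-Admins,OU=Groups,DC=example,DC=com",
              "CN=K1000-Users,OU=Groups,DC=example,DC=com"},   # still admin
    "carol": set(),                                            # left all groups
    "dave":  {"CN=K1000-Admins,OU=Groups,DC=example,DC=com"},  # promoted in AD
}

# Constructed role table as stored at account creation (the stale side).
STORED_ROLES = {"alice": "Administrator", "bob": "Administrator",
                "carol": "User", "dave": "User"}

def resolve_role(groups):
    """Role the directory says a user should have right now."""
    for group_dn, role in ROLE_RULES:
        if group_dn in groups:
            return role
    return DEFAULT_ROLE

def role_drift(stored, ldap_groups):
    """Return {user: (stored_role, expected_role)} for every mismatch."""
    drift = {}
    for user, stored_role in stored.items():
        expected = resolve_role(ldap_groups.get(user, set()))
        if expected != stored_role:
            drift[user] = (stored_role, expected)
    return drift

def apply_on_login(user, stored, ldap_groups):
    """The behaviour the request asks for: re-resolve the role at login
    and update the local record. Returns the role now in effect."""
    new_role = resolve_role(ldap_groups.get(user, set()))
    stored[user] = new_role
    return new_role
```

Running `role_drift(STORED_ROLES, LDAP_GROUPS)` on the sample data flags alice (stale admin), carol (stale user with no remaining group) and dave (stale user who is now an admin), while bob is unchanged.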
Kim Cary commented
You enable authentication and authorization from LDAP. Authentication continues to consult the LDAP on login, but authorization does not. In fact the scheduled LDAP syncs update everything except the user role. REALLY? It's not like people change roles within an organization or anything.
This is not even a bug, it's just inexperience with enterprise directory use in the real world. It pains me that a product I really find useful and believe in has such a reprehensible design oversight (and that it hasn't been fixed since 2011). AT LEAST let the LDAP sync change the role! That's weak, but at least not horrible as it is now.
I fell in this boat. I thought that was what the Authentication Settings section had a sort order for, but it's not actually checking the access role on authentication at all. It's only setting access on account creation (first login or an import). After that it is up to you to manually change it in the user account.
This seems like a bug to me.
This is sorely needed as most customers will manage admins using LDAP groups, as that is how it's done with most other products.
Kind of sad that this request has been around since 2011; as Daniel said, the feature seems taken for granted. There should at least be a Note made in the documentation stating that roles are only set at the time of account creation in the system, and that in order to change it, this must be done manually.
Daniel Lengert commented
It would make management magnitudes of degrees easier if I could demote or promote users using AD and LDAP instead of manually doing it on the K1000!