In the "Administration Console Help" Document it states:
"You cannot invite user accounts that are mastered in an LDAP-based user directory; these accounts are created automatically when you synchronize the LDAP directory."
Does this mean that after configuring an LDAP Realm, the users specified by the filter should be automatically pulled into OnTrack? I do not see LDAP users when executing a blank search from the admin console. At this point, I also cannot log into OnTrack using a valid LDAP user. I was trying to see if OnTrack worked similar to UCM, where the OnTrack user account would be created once the user logs into the application.
What I can do is go to "Create User" and enter the email address for a valid LDAP user. Then I see that user in the full search. That user can also log in successfully.
I wanted to know what the expected behavior was: is there expected to be a required 'registry' of LDAP users in OnTrack before they can auth into the app? Is there some sync process that needs to be run to pull in the LDAP users?
Also, is there any current best practice of user deletion? I see in the admin console that there is a note that states: "Note: User deletion is not supported."
As always, thanks for the info!
Ryan Sullivan | ECMconsultant
Quick update... Found out that the users in my LDAP dir were all purged... After creating a valid test user, I was able to log in (after allowing self-sign-in) without any additional administration.
After the user's first log-in, that user was appearing in the user search results.
So... that sounds like the answer to that question... :)
Anyone have any best practices for retiring/disabling/deleting an account? Follow-up: Is the login (e.g., email) associated with that disabled user able to be re-used for a new user, or for a new user in a different realm? I saw issues when we had multiple users created directly in the OnTrack DB, then tried to sync with an LDAP dir with the same users. I saw that once I disabled a DB user, that user was not included within a user search, but when I created a new LDAP user, it showed as successful. But that user never showed again in the user search.
These might just be some growing/learning pains, but I wanted to kick the idea around :)
Ryan Sullivan | ECMconsultant
It sounds like you figured this out.
There is NOT an explicit sync of users from LDAP into On Track. The On Track user object is created when the LDAP user first logs in (or when added to a Conversation by another user). After that point, the user will be visible in the admin console. (Note, however, that from the client, you can search for an LDAP user and add them to a Conversation's membership even if that user has not yet logged in to On Track. It does this by searching for the user in the LDAP directory, as well as in On Track's known users. This is a great way to "invite" other people in the organization to participate in On Track.)
As for your other questions:
- The recommended way to "delete" a user is to mark the user "Disabled" in On Track. This will prevent that user from logging in and from showing up as a valid user in the client.
- Once a user "email@example.com" exists, it should not be possible to create another "email@example.com" user, even if the first one is disabled, and regardless of which realm those users are in.
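The provisioning and account-lifecycle rules described in this answer (no bulk LDAP sync, an application-side user record created on first successful login, disabled users blocked from logging in and hidden from search, and a login that stays reserved across all realms even after the account is disabled) are easy to get wrong when building or reviewing a directory-backed application. The following is an added illustrative model of those rules, not On Track's own code or API: the directory contents, the realm names, and the `UserStore` class are all constructed for the example, and directory authentication is stood in by a lookup against an in-memory table.

```python
"""Toy model of just-in-time user provisioning from an LDAP-style directory.

Rules modelled (from the thread above):
  * no bulk sync: a user record exists only after the first successful login
    (or after an admin creates it explicitly);
  * a disabled user stays in the store but cannot log in and is hidden
    from search results;
  * a login (email) is unique across every realm, disabled or not.
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field
import hmac

# Constructed stand-in for the LDAP directory: email -> (display name, password).
# A real deployment would bind against the directory instead of comparing here.
LDAP_DIRECTORY = {
    "alice@example.com": ("Alice Example", "pw-alice"),
    "bob@example.com": ("Bob Example", "pw-bob"),
}


@dataclass
class User:
    email: str
    realm: str
    display_name: str
    enabled: bool = True


@dataclass
class UserStore:
    # keyed by normalised (lower-cased) email so case variants cannot collide
    users: dict = field(default_factory=dict)

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def login_available(self, email: str) -> bool:
        """True only if no user in any realm, enabled or disabled, holds this login."""
        return self._key(email) not in self.users

    def create_user(self, email: str, realm: str, display_name: str) -> User:
        """Admin 'Create User': refuses a login that exists in any realm."""
        key = self._key(email)
        if not self.login_available(key):
            holder = self.users[key]
            raise ValueError(f"login {key!r} already exists in realm {holder.realm!r}")
        user = User(key, realm, display_name)
        self.users[key] = user
        return user

    def login(self, email: str, password: str, realm: str = "ldap"):
        """Authenticate against the directory; provision the record on first login.

        Returns the User on success, None when the credentials are wrong,
        the directory does not know the user, or the account is disabled.
        """
        key = self._key(email)
        entry = LDAP_DIRECTORY.get(key)
        if entry is None or not hmac.compare_digest(entry[1], password):
            return None                       # not a valid directory user
        existing = self.users.get(key)
        if existing is not None:
            return existing if existing.enabled else None
        # First successful login: create the application-side record now.
        return self.create_user(key, realm, entry[0])

    def disable(self, email: str) -> None:
        """The recommended 'delete': keep the record, block login and searches."""
        self.users[self._key(email)].enabled = False

    def search(self, text: str = "") -> list:
        """A blank search lists every enabled user; disabled users are hidden."""
        needle = text.lower()
        return sorted(u.email for u in self.users.values()
                      if u.enabled and needle in u.email)


if __name__ == "__main__":
    store = UserStore()
    print(store.search())                                  # [] before any login
    print(store.login("alice@example.com", "pw-alice"))    # provisioned on first login
    print(store.search())                                  # ['alice@example.com']
    store.disable("alice@example.com")
    print(store.login("alice@example.com", "pw-alice"))    # None: disabled
    print(store.login_available("Alice@Example.com"))      # False: login stays reserved
```

The two checks worth carrying into a real implementation are the normalised-email key (so `Alice@Example.com` cannot be created beside `alice@example.com`) and the fact that `login_available` ignores both realm and enabled state, which is exactly why a disabled user's email cannot be recycled for a new account in another realm.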