LDAP
-
Hi Guys,
We're looking at using LDAP to connect to an external customer system. Does FA remove users once they've been removed from LDAP? Is there anyway to sync this and sync the users without each user having to login?
Regards
David
-
Does FA remove users once they've been removed from LDAP?
If you use the LDAP as the source of truth, the users won't be able to login, but they won't be removed.
So, consider this scenario (no migration, just always going back to LDAP):
- User A logs in successfully through a tenant configured with an LDAP Connector. User A has an account in the LDAP server.
- FusionAuth checks with the LDAP connector, passing the credentials.
- The LDAP server says "yup, User A is okay."
- FusionAuth creates a user.
- Time passes.
- User A is removed from the LDAP server.
- User A tries to login.
- FusionAuth checks with the LDAP connector, passing the credentials.
- The LDAP server says "User A is not found"
- FusionAuth denies the login.
But the user still exists.
Is there anyway to sync this and sync the users without each user having to login?
You want to sync the users between LDAP and FusionAuth without the user having to login? Is this a one way sync?
You could do a bulk migration using the Import User API if you have access to the LDAP database and can provide the password hashes.
That is the only option that comes to mind.