Hi,
We have just purchased and installed Clearspace. We had a demo running 1.10 and upgraded to 2.0.1. We have Clearspace integrated with our Active Directory domain and a couple of things are not working as expected and a couple other things would be nice to have. I'm just going to throw everything in one thread here rather than open up six different threads, so sorry for the confusion.
Just to clarify a bit about our situation, we have licensed a specific number of staff (30), but not all our staff (70). After configuring the AD integration, I found that not only were all staff listed as "active users", but also staff that no longer work here as well as various computer accounts, groups, and other system accounts. So in order to get below our licensed number of accounts, I went through the list and just de-activated any accounts that weren't being used.
The first problem I have is that although that worked okay for me the first time, I can no longer page through all the users. The user summary page says "You have x users" where x is the number of Clearspace active accounts and far less than the total number of accounts, and then it shows me only enough pages to see x users even though many of the users are not active. So when x was 83 and I had results per page as 100, I was given 1 page and so I could only see 100 accounts ... Of which only 6 happened to be active users. Likewise, if I change results per page to 50, it showed me two pages with the exact same problem.
The other problem is that Clearspace is not expanding nested groups. So for example, we typically have the group of "Directors" nested in many other groups like "Software", "Sales", etc. So in Clearspace, the nested members are not counted as part of that group.
The first "feature request" would be for better management of users from the directory side. Disabled accounts in AD, like staff who don't work here any more, should be disabled in Clearspace and thus not count against the license limit. Or, more simply, it would be far easier to have a group in the directory like "Clearspace Users" which is taken to be the list of active Clearspace users. This would avoid the problem of having computer accounts showing up as Clearspace users (yes, I know, this is partially because AD is insane).
Actually, I think that's the only feature request on this topic I have.
Thanks in advance for any help on the above problems!
- JDL
After talking to Long.TonThat in support, we were able to resolve the issue with the users being displayed in the user summary. This is a bug and I was told it is scheduled to be fixed in 2.0.3.
Nested groups do not appear to be getting expanded. This appears to be a bug (though whether it is a defect or a feature request, I'm sure we could quibble).
As for managing which accounts are active through AD, I have seen others suggest that adjusting the ldap.searchFilter is the way to resolve this.
Hello Dominic,
Currently Clearspace doesn't support nested AD groups; however, there's a chance this will get added in 2.1. And I'm still looking into the propagation of disabled AD users to Clearspace.
---
For other users that are having issues with the User Summary display of users, there is an issue with the total number of users displayed only counting Enabled users... whereas the actual users displayed includes both Enabled and Disabled users. So if you have 150 users, with 75 disabled, Clearspace thinks you only have 75 total users... but the entire User Summary displays 150 users (capped at 100 per page).
This will be resolved in 2.0.3, but for the time being, changing Line 86 of /admin/users-main.jsp from ".getApplicationUserCount()" to ".getTotalUserCount()" should work for now.
Dominic,
I found a disable feature in the sync process: Admin Console -> People -> Settings -> User Data Synchronization -> Disable non-remote, non-administrative user accounts on synchronization.
I verified that this works disabling users, but I haven't been able to map it to the disabled user attribute in Active Directory yet. You might want to try playing around with this, perhaps you'll have better luck :-)
~Long
That partially helps. It would allow me to specify memberOf contains "clearspace users" and then users that are removed would be locked overnight. There should be a corresponding way to enable users based on an LDAP attribute. That would allow me to completely manage Clearspace accounts from the domain.
The account locking can happen several different ways. There's an accountExpires attribute which I think is a unix timestamp for when the account is expired. There's also some stuff with shadow attributes, but I'm not too sure of the specifics of those. I'm not too sure what, if any, easy way there is to check everything. There's account lockouts, the account can be disabled, they can be expired, there can be "business hours", lots of cases, probably too many to all be handled.
I have also discovered that if you use LDAP and you disable users, they still can log into Clearspace. Not good from a user control feature, also not good from a licensing perspective for Jive.
I was definitely able to reproduce this, and you bring up a good point about this being a loophole for licensing. I'll log this issue and make sure it gets resolved (CS-4928). Thanks for catching this, Chris,
~Long
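
The directory-side checks discussed in this thread, as an added example (not code from Clearspace or from any poster): it builds an LDAP filter of the kind suggested for ldap.searchFilter, limited to enabled person accounts in a "Clearspace Users" group including nested members, and classifies entries by the AD attributes that mark an account disabled, expired or locked out. Assumptions: the group DN and sample entries are constructed, Clearspace passing AD's extensible-match rules through unchanged is not confirmed by the thread, and accountExpires is decoded as AD stores it, in 100 ns ticks since 1601-01-01 UTC.

```python
from datetime import datetime, timedelta, timezone

UAC_ACCOUNTDISABLE = 0x0002           # userAccountControl bit: account disabled
BIT_AND = "1.2.840.113556.1.4.803"    # AD matching rule: bitwise AND
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD matching rule: follow nested groups
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_search_filter(group_dn):
    """Enabled person accounts that are direct or nested members of group_dn."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!(userAccountControl:%s:=%d))(memberOf:%s:=%s))"
            % (BIT_AND, UAC_ACCOUNTDISABLE, IN_CHAIN, escape_filter_value(group_dn)))

def filetime_to_datetime(ticks):
    """AD stores accountExpires as 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def account_state(entry, now):
    """Return 'disabled', 'expired', 'lockout-recorded' or 'active'."""
    if int(entry.get("userAccountControl", 0)) & UAC_ACCOUNTDISABLE:
        return "disabled"
    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return "expired"
    # A non-zero lockoutTime records a lockout; whether it is still in force
    # depends on the domain's lockout duration, which is not visible here.
    if int(entry.get("lockoutTime", 0)) != 0:
        return "lockout-recorded"
    return "active"

# Constructed sample entries (attribute values as strings, as LDAP returns them).
SAMPLE = {
    "alice": {"userAccountControl": "512", "accountExpires": "0"},
    "bob":   {"userAccountControl": "514", "accountExpires": "0"},
    "carol": {"userAccountControl": "512", "accountExpires": "128436192000000000"},
    "dave":  {"userAccountControl": "512", "accountExpires": "9223372036854775807",
              "lockoutTime": "128436192000000000"},
}

def licensable(entries, now):
    """Names of accounts that should count as active Clearspace users."""
    return sorted(n for n, e in entries.items() if account_state(e, now) == "active")

if __name__ == "__main__":
    print(build_search_filter("CN=Clearspace Users,OU=Groups,DC=example,DC=com"))
    print(licensable(SAMPLE, datetime.now(timezone.utc)))
```

The "business hours" case mentioned in the thread (AD's logonHours attribute) is not evaluated here.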