Enhance the LDAP / Active Directory Import tool

We feel the LDAP Import tool currently available needs some significant enhancements to be more useful.

For our implementation of CM1, we have thousands of users. Our organization uses Active Directory (LDAP) for users to log into computers in our network. As such, we need to have CM1 be able to import our users’ LDAP user accounts. Unfortunately, the CM1 LDAP import tool currently available is extremely lacking in terms of usability to import more than just single users. It does allow multiple selection of users to be imported, but this is only available if one happens to search for a username term (e.g. ASmith), in which case the search returns multiple users whose usernames start with “ASmith”. This is just not a very logical use case for needing to add multiple users at once.

Below is a list of requests I feel are extremely necessary for allowing a more robust LDAP import tool:

  1. Ability to import LDAP (Active Directory) Groups, and assign them to CM1 Roles (i.e. if we have an LDAP group named “Staff” then I could search for “Staff” within the CM1 Import tool, and assign it to a specific CM1 Role (e.g. Contributors)). Hopefully this would also make it possible to manage users within the LDAP Group outside of CM1, without having to re-import the LDAP Group to CM1. In other words, CM1 would simply be checking the user logging in to be sure 1) their username/password is authenticated with LDAP, and 2) that the user is in the imported LDAP Group.

  2. And/or similar to the above, be able to search for LDAP Groups, select one, and have it show me all users who are directly (and indirectly through nested groups) members of the selected LDAP Group. And then be able to select multiple and/or all users that are listed to import into CM1.

  3. Extend the Search capability in general, beyond simply the “Name starts with:” input entry box, e.g. allow search by LDAP groups, Active Directory Organizational Units (OUs), or by user first / last name, and other LDAP user attributes.

  4. Extend the LDAP attributes for the search results to more than just the single attribute (which is just username for us). Since our organization has so many users, many have similar usernames, so it makes it hard to be sure we have the right one or not when the results only show username. Additional attributes would better help distinguish one user from another in the results list.

Also, you may want to consider adding a paging system that allows one to view more than the 200 results it’s currently limited to, i.e. “next 200 results”, “prev 200 results”. I understand needing to limit the number of results returned for performance reasons, but if you’re going to do so, there needs to be a way for the user to see the rest of the results.

I am also aware of being able to configure the LDAP Configuration file to start at a specific Organizational Unit (OU); however, our organization has hundreds of OUs. Our users are placed in the appropriate OU based on their physical location / where they work. So the only way I could use this feature of the LDAP configuration file would be to manually go in and change the OU setting within the config file 80+ times, since we’ve got over 80 locations that we have users needing CM1 access under. Not to mention that any change to the config file requires a server reboot.

So using this method to pull our users in is just not feasible for our environment.

Whereas if we could just add LDAP Groups to CM1, it would mean we would only need to add a handful or less LDAP Groups and be done.
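The group-based import, nested-group membership, richer result attributes and paging that the request above describes, as an added example in Python that is not Percussion's or CM1's code: it builds the Active Directory filters such an import tool would send (the in-chain matching rule OID 1.2.840.113556.1.4.1941 for membership through nested groups, with RFC 4515 escaping so a "starts with" term typed into the search box cannot rewrite the filter), then resolves nested members over a constructed in-memory snapshot of a directory so it runs offline. The group names, DNs and user attributes are invented; nothing here talks to a real server.

```python
"""Added example, not Percussion/CM1 code: what an LDAP/AD import that works on
groups (including nested groups), shows several attributes and pages results
would send and receive.  The directory contents below are constructed."""
import re

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN: memberOf/member match transitively.
IN_CHAIN = "1.2.840.113556.1.4.1941"
DISPLAY_ATTRS = ("sAMAccountName", "displayName", "mail", "department")


def escape_filter(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter.  Without this a
    search box term such as '*' or 'a)(objectClass=*' rewrites the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def nested_member_filter(group_dn: str) -> str:
    """Users that are members of group_dn directly or through nested groups."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf:{IN_CHAIN}:={escape_filter(group_dn)}))")


def starts_with_filter(term: str, attrs=("sAMAccountName", "givenName", "sn")) -> str:
    """'Name starts with' extended to several attributes (prefix match on each)."""
    t = escape_filter(term)
    return "(|" + "".join(f"({a}={t}*)" for a in attrs) + ")"


# Constructed snapshot of a directory (DN -> attributes).  Staff contains Editors
# and Editors contains Staff again, a cycle that real directories do have.
STAFF_DN = "CN=Staff,OU=Groups,DC=example,DC=org"
EDITORS_DN = "CN=Editors,OU=Groups,DC=example,DC=org"
DIRECTORY = {
    STAFF_DN: {"objectClass": "group", "member": [
        EDITORS_DN, "CN=asmith,OU=Boston,DC=example,DC=org"]},
    EDITORS_DN: {"objectClass": "group", "member": [
        STAFF_DN, "CN=asmithson,OU=Denver,DC=example,DC=org",
        "CN=100234,OU=Denver,DC=example,DC=org"]},
    "CN=asmith,OU=Boston,DC=example,DC=org": {
        "objectClass": "user", "sAMAccountName": "asmith",
        "displayName": "Alice Smith", "mail": "asmith@example.org", "department": "Boston"},
    "CN=asmithson,OU=Denver,DC=example,DC=org": {
        "objectClass": "user", "sAMAccountName": "asmithson",
        "displayName": "Andrew Smithson", "mail": "asmithson@example.org", "department": "Denver"},
    "CN=100234,OU=Denver,DC=example,DC=org": {  # login is a numeric ID, as in the thread
        "objectClass": "user", "sAMAccountName": "100234",
        "displayName": "Bob Jones", "mail": "bjones@example.org", "department": "Denver"},
    "CN=guest,OU=External,DC=example,DC=org": {
        "objectClass": "user", "sAMAccountName": "guest",
        "displayName": "Guest Account", "mail": None, "department": "External"},
}


def nested_members(group_dn: str, directory: dict) -> dict:
    """What the in-chain rule evaluates server-side: follow `member` through
    nested groups, visiting each group once so cycles terminate."""
    users, seen, stack = {}, set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for member_dn in directory.get(dn, {}).get("member", []):
            entry = directory.get(member_dn)
            if entry is None:
                continue  # dangling reference; nothing to import
            if entry["objectClass"] == "group":
                stack.append(member_dn)
            else:
                users[member_dn] = entry
    return users


def page(results: dict, page_size: int = 200, page_no: int = 0) -> list:
    """One page of (dn, display attributes), sorted so paging is stable between
    requests instead of silently stopping at the first 200 hits."""
    rows = sorted(results.items())
    start = page_no * page_size
    return [(dn, {a: e.get(a) for a in DISPLAY_ATTRS})
            for dn, e in rows[start:start + page_size]]


if __name__ == "__main__":
    print(nested_member_filter(STAFF_DN))
    print(starts_with_filter("a)(objectClass=*"))  # injection attempt, neutralised
    for dn, attrs in page(nested_members(STAFF_DN, DIRECTORY), page_size=2):
        print(dn, attrs)
```

Against a live domain controller the string from `nested_member_filter` goes into an ordinary subtree search with the paged-results control (for instance OpenLDAP's `ldapsearch -E pr=200/noprompt`), and the server does the transitive walk itself; the in-memory `nested_members` only shows what that rule evaluates, including why a group that (indirectly) contains itself must not send the resolver into an infinite loop. The escaping is the part worth keeping even for a plain "starts with" box: an unescaped `*` matches every account, and an unescaped `)` lets the typed term add its own filter clauses.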

Paul,

These are all great suggestions coupled with really clear examples outlining how you (and other customers) would put such enhancements to use.

Thanks for sharing!

@NationaielW,

Thanks. Hopefully other CM1 users will chime in with support and/or comments.

Doesn’t Percussion have any “larger” organizations as clients? It’s just that I’m fairly surprised other customers have not made any requests previously to enhance your LDAP import tool.

It would also be nice if they added support for multiple LDAP/AD hosts. I’m in one of those “larger” organizations and we are essentially a holding company with a lot of sub companies, each with their own AD host.

With the current LDAP/AD support in CM1 we’re forced to at best have one sub company authenticate with their AD account while the remaining companies must use accounts locally defined in CM1.

I think it would be helpful when importing an LDAP account that it would at least display some other items so that I know who I imported. For instance, all our logins are by sAMAccountName, but the account names are an ID instead of a name. All you can see when importing is that ID, which makes it extremely hard to identify the person.

Not only would I like to see more controls in place but better user handling/display as well.

+1 here

Incidentally, CM System had support for multiple LDAP/AD hosts. It is very disappointing that CM1 does not support this.