Thanks @Lafriks, we’ve been discussing the priority of different ways to update the Mattermost auth tokens once a user has permissions removed via LDAP service.
Which do you feel is higher priority:
a) Check LDAP authorization during Mattermost login authentication
When a Mattermost user with a valid Mattermost token logs in, check for LDAP authorization before allowing the user to enter Mattermost?
Pro: Permissions always in sync with LDAP server
Con: Delays user login
Our thinking is to recommend this solution only if total roundtrip times from LDAP server are less than some performance benchmark.
b) Sync authorization with LDAP daily
Use the “Daily Sync Time” setting to efficiently synchronize account validity between LDAP server and Mattermost instance.
Pro: Permissions up to date within 24 hours of changes in LDAP
Con: Up to 24 hours lag in sync status
c) Check LDAP authorization after Mattermost authentication
Allow Mattermost users to log in with tokens before polling the LDAP server for confirmation of an active account; then, if the account is not active in the LDAP server, reject the Mattermost user and invalidate the Mattermost token.
Pro: No delay in user login (vs. option A), and user accounts would be disabled on next login rather than waiting for up to 24 hours for the server to sync (vs. option B).
Con: For a brief period of time (round trip of the LDAP auth request) a user with a deactivated account would have read and write access to the Mattermost team.
Early thinking is perhaps b) and c) together as a final solution.
These features would be implemented in phases. We’d highly appreciate feedback on these initial thoughts, other approaches and relative priorities.
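To make the b) + c) combination concrete, here is an added sketch (not Mattermost's code) of a token store with the three operations the comment describes: a fast token-only check at login, an LDAP revalidation immediately afterwards that invalidates the token, and a periodic sweep over all live sessions. `Directory`, `StubDirectory`, `SessionStore` and the method names are hypothetical; the stub map stands in for the LDAP server.

```go
package main

// Directory is the one LDAP capability this sketch needs: is an account still
// active? Hypothetical interface; a real one would run an LDAP search.
type Directory interface {
	IsActive(user string) bool
}

// StubDirectory is a constructed in-memory stand-in for the LDAP server.
type StubDirectory map[string]bool

func (d StubDirectory) IsActive(user string) bool { return d[user] }

// SessionStore maps auth tokens to usernames (unsynchronised sketch).
type SessionStore struct {
	Sessions map[string]string
	Dir      Directory
}

// Authenticate is the fast path of option c): the token alone decides
// admission, so login is not delayed by an LDAP round trip.
func (s *SessionStore) Authenticate(token string) (user string, ok bool) {
	user, ok = s.Sessions[token]
	return
}

// CheckAfterAuth is the slow path of option c), run right after a successful
// Authenticate (asynchronously in production). It asks the directory whether
// the account is still active and invalidates the token if not.
func (s *SessionStore) CheckAfterAuth(token string) (revoked bool) {
	user, ok := s.Sessions[token]
	if ok && !s.Dir.IsActive(user) {
		delete(s.Sessions, token)
		return true
	}
	return false
}

// DailySync is option b): sweep every live session and revoke those whose
// account the directory now reports inactive. Returns the number revoked.
func (s *SessionStore) DailySync() int {
	n := 0
	for token, user := range s.Sessions {
		if !s.Dir.IsActive(user) {
			delete(s.Sessions, token)
			n++
		}
	}
	return n
}
```

The gap between `Authenticate` returning and `CheckAfterAuth` completing is exactly the "brief period" of access named as option c)'s con; `DailySync` closes it for sessions that never log in again.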