Remove LDAP Users from TDV
Removing a user from a domain and group configured for use in TDV removes the user only locally, from TDV Server. The user can still exist in the LDAP server and hold the implicit rights and privileges given by membership in the LDAP domain and group. Removing a user who is derived from an LDAP domain or group therefore does not prevent the user from logging in to the system again.
To remove an LDAP user and prevent that user from accessing resources defined by TDV, do one of these three things:
- Redefine the LDAP group membership at the source directory to exclude the user.
- Restrict rights and privileges for the entire LDAP group, and then explicitly assign rights and privileges to other members of that LDAP group, or make them members of a TDV group that gives them the needed rights and privileges.
- Remove the entire LDAP group from those included in the TDV external groups list.
TDV services are not normally used as interfaces to manage LDAP users directly. Typically, users and group memberships are managed using Active Directory interfaces. For example, if an individual LDAP Active Directory user needs to be refused TDV access, a management task must be performed directly on the LDAP server to change the column values for memberOf.
TDV users can be removed in Manager, but LDAP users selected for removal are only removed temporarily, because LDAP group membership continues to give implicit rights and privileges. Removing an LDAP user resets rights and privileges to those inherited through group membership. The user’s Studio workspace is also deleted, but it is recreated when the user next logs into Studio.
Ways to work around this issue include:
- You can delete an LDAP group (see Working with Groups from an LDAP domain) to remove all group users, rights and privileges.
- You can initially grant no rights and privileges to the group, and then add selected members to other groups with the desired set of rights and privileges.
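Because a locally removed user regains access through LDAP group membership, a deprovisioning check has to be made against the directory rather than against TDV. The following is an added example, not part of the TDV product or its documentation: it parses an LDIF export of user entries (as produced by a tool such as ldapsearch) and reports removed users whose memberOf values still name a group in the TDV external groups list. The function names, the sample entries, the group DNs and the use of sAMAccountName as the user key are assumptions made for illustration.

```python
import base64
import re

def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} entries."""
    text = re.sub(r"\r?\n ", "", text)      # unfold: newline + one space continues a line
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if sep and not line.startswith("#"):
                b64 = rest.startswith(":")  # "attr:: ..." carries a base64 value
                value = base64.b64decode(rest[1:].strip()).decode() if b64 else rest.strip()
                entry.setdefault(attr.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def norm_dn(dn):  # simplified DN comparison: case-insensitive, spaces at commas ignored
    return ",".join(part.strip().lower() for part in dn.split(","))

def lingering_access(ldif_text, tdv_external_groups, removed_users):
    """Map each removed user to the TDV-listed groups they still belong to."""
    listed = {norm_dn(g) for g in tdv_external_groups}
    findings = {}
    for entry in parse_ldif(ldif_text):
        name = entry.get("samaccountname", [""])[0].lower()
        hits = sorted(g for g in entry.get("memberof", []) if norm_dn(g) in listed)
        if hits and name in {u.lower() for u in removed_users}:
            findings[name] = hits
    return findings

# Constructed sample data (hypothetical users and groups, not from a real directory).
_B64 = base64.b64encode(b"CN=TDV-Admins,DC=example,DC=com").decode()
SAMPLE_LDIF = f"""\
dn: CN=Jane Doe,DC=example,DC=com
sAMAccountName: jdoe
memberOf: CN=TDV-Analysts,
 DC=example,DC=com

dn: CN=Al Smith,DC=example,DC=com
sAMAccountName: asmith
memberOf: CN=VPN-Users,DC=example,DC=com

dn: CN=Bo Li,DC=example,DC=com
sAMAccountName: bli
memberOf:: {_B64}
"""
TDV_GROUPS = ["cn=tdv-analysts, dc=example, dc=com", "CN=TDV-Admins,DC=example,DC=com"]
```

Calling lingering_access(SAMPLE_LDIF, TDV_GROUPS, ["jdoe", "asmith", "bli"]) flags jdoe and bli, whose group memberships would let them log in to TDV again, and omits asmith.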