So we have an application where $vendor’s product hooks into LDAP for authentication and authorization. This is a good thing, as we can authorize people for different roles based on settings in LDAP. However, $vendor’s implementation leaves a bit to be desired: the first time a user logs into $application, it checks LDAP and assigns the user their role in $application. For all logins after the first one, it only checks for authentication and not for authorization (i.e. if you change the LDAP settings to change the person’s authorization, $application does not pick up the change, so a user you demote or remove from a group in LDAP keeps their old role in $application until someone edits it there). Ugh! So essentially, we have to manage all authorization in $application and not in LDAP like they advertise. Double Ugh!
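To make the failure mode concrete, here is an added example (my own code, not $vendor’s) that models the first-login-only role sync beside a version that re-reads LDAP on every login, plus a reconciliation check for finding users whose stored role has drifted from what LDAP would grant today. The `DIRECTORY` dict standing in for LDAP group membership, the group-to-role mapping and the two class names are assumptions for illustration, not taken from the post or from any real product.

```python
"""Added example, not $vendor's code: first-login-only role sync vs. a
refresh-on-every-login variant, with a drift check for the stored roles.

DIRECTORY stands in for LDAP group membership and GROUP_TO_ROLE is an assumed
mapping; both are constructed for this example."""

from dataclasses import dataclass, field

# Constructed stand-in for LDAP: uid -> set of group names the user is in.
DIRECTORY = {
    "alice": {"app-admins"},
    "bob": {"app-users"},
}

# Assumed mapping from LDAP group to application role; most privileged wins.
GROUP_TO_ROLE = {"app-admins": "admin", "app-users": "user"}
ROLE_RANK = {"admin": 2, "user": 1, "none": 0}


def role_from_ldap(uid, directory):
    """Derive the application role from *current* LDAP group membership."""
    roles = [GROUP_TO_ROLE[g] for g in directory.get(uid, set()) if g in GROUP_TO_ROLE]
    return max(roles, key=ROLE_RANK.__getitem__, default="none")


@dataclass
class FirstLoginOnlyApp:
    """Behaviour described in the post: the role is copied from LDAP on the
    first login and never refreshed, so later LDAP changes are ignored."""
    directory: dict
    users: dict = field(default_factory=dict)   # uid -> role stored by the app

    def login(self, uid):
        if uid not in self.users:                # first login: consult LDAP
            self.users[uid] = role_from_ldap(uid, self.directory)
        return self.users[uid]                   # later logins: stale copy


@dataclass
class RefreshOnLoginApp:
    """What one would want instead: authorization re-derived from LDAP on
    every login, so a group removal takes effect at the next login."""
    directory: dict
    users: dict = field(default_factory=dict)

    def login(self, uid):
        self.users[uid] = role_from_ldap(uid, self.directory)
        return self.users[uid]


def stale_roles(app, directory):
    """Reconciliation check: users whose stored application role differs from
    what LDAP would grant now. Useful as a periodic audit when the product
    itself will not re-sync authorization."""
    return {
        uid: (stored, role_from_ldap(uid, directory))
        for uid, stored in app.users.items()
        if stored != role_from_ldap(uid, directory)
    }


def demo():
    """Walk through the scenario from the post and return what each app saw."""
    directory = {u: set(g) for u, g in DIRECTORY.items()}  # mutable copy
    stale_app = FirstLoginOnlyApp(directory)
    fresh_app = RefreshOnLoginApp(directory)

    before = (stale_app.login("alice"), fresh_app.login("alice"))  # both "admin"

    # An admin demotes alice in LDAP: she is now only in app-users.
    directory["alice"] = {"app-users"}

    after = (stale_app.login("alice"), fresh_app.login("alice"))   # stale: still "admin"
    drift = stale_roles(stale_app, directory)                      # {"alice": ("admin", "user")}
    return before, after, drift


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point of the post: after alice is demoted in LDAP, `FirstLoginOnlyApp` still logs her in as `admin` while `RefreshOnLoginApp` drops her to `user`, and `stale_roles` flags exactly that mismatch. Until $vendor fixes the sync, a scheduled run of something like `stale_roles` against the real application user table is the cheapest way to catch privileges that should have been revoked in LDAP.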