Hi Graham,
We have a similar (ish) setup at City.
All our users (staff members for our intranet and staff who are also editors) are LDAP users (although in our case they're LDAP Backend User).
We have two main groups in our AD, one for staff members and one for editors. We import both in Matrix, and new link those groups under various native Matrix groups. These native groups are then used to set permissions.
We've also recently started new linking individual LDAP users under native Matrix group to create more targeted admin groups for various section of our intranet.
This seems to work well for us. We've been running this config for about 4 years. For info, we have around 2-3k staff users and about 250 editors.
1. never had that issue before I don't think. I'm not sure I understand exactly but it sounds like the issue could just how things are organised? Is the issue when users move AD groups? Sounds like organising (ie creating more groups...) in Matrix could help?
2. that we've run into a bit. If users are removed from AD for example (staff leaving etc.), Matrix doesn't know who they are anymore and displays a "LDAP user unknown" message in logs. It's never caused us that much headache though. Unless you need very detailed logs of who does what (which you can get using the general system logs, but that's another story)
3. that we have. We're about to set up single sign on as well, which means our editors will always see the "dev" version of the entire website, as soon as they have logged in elsewhere. We're solving this by making sure we tell our editors this will happen and reminding them frequently that that's how it works. We usually recommend using an incognito window or another browser they're not logged in to view the "non-dev" site. It does mean having a good relationship with your editors and communicate with them. But it's never really been an issue. Once in a while we get a panic call because the page they're working on is live and shouldn't be, but that's about it!
Regarding Dan's comment, I think he meant "in an ideal world scenario". I agree with him that if you use a AD as your single source of data, all your groups "should" be there, at the source. And creating further groups in Matrix is in principle not ideal (those groups will only exist there and not for your other systems for example). It's just not as elegant :)
In practice though, at least here, we'll have issues with this, as the dev team looking after the CMS doesn't have easy access to create groups and move users around in AD. So we go with moving around our LDAP users directly in Matrix.
We never apply permissions on LDAP users directly though, we always use native Matrix group as proxies.
I'm not sure if there are further technical issues with this but we've never come across any. Maybe a Squiz tech can comment on this.
Hope this helps!
Gilles
