Right, you will need to create the user before you can customize the role. If you do not create the user account, the first time the user logs in, they will get:
- their group memberships picked up automatically
- the default role
You would then need to follow up later to "correct" the role. If you want the "first time they login" to have the appropriate role, then you will need to be sure that you either (1) align that with the default or (2) pre-provision the user account on Connect.
It's worth noting that users do not take up a license seat on Connect (even if you create them) until they log in.
The user creation process for LDAP is spelled out here:
Further, it is shown explicitly in the Connect API cookbook:
However, I just realized that we do not support group member search for LDAP groups:
So that means in order to do the group lookup, you would need to run an
ldapsearch or call directly against LDAP. Is that something that you are familiar with?
ldapsearch is a command line utility that allows searching for group members, making arbitrary LDAP queries, etc.