LDAP Synchronization

From ELC

How LDAP sync results affect existing users (concurrent or named), groups and licenses

Users

  • Import

Adds the user to the concurrent/named user list. If the user belongs to one or more groups, those groups can also be imported (with their users) by selecting them in the 'LDAP Groups' tab.

  • Delete

Deletes the user from the concurrent/named users and removes them from any groups they are a member of. If the user doesn't exist in ELC, this action does nothing.

Groups

  • Import

Assigns a number of license seats to the group, and adds the group - along with its users - to the ELC groups. The group hierarchy in LDAP is ignored and is not replicated in ELC (i.e. parent groups on the LDAP server are not imported into ELC). If a group with the same name (CN) already exists in ELC, the license and users of the imported group are merged into the existing group. If license seats are added to an imported group that already exists in ELC with that license assigned, the seats are added to the existing group.

  • Delete

Deletes the group with the same name (CN) - along with its member users - from the ELC groups, and releases its license seats. Users with personally assigned licenses on the Concurrent/Named users page remain unaltered.

Filters

OpenLDAP

  • User ObjectClass: used by the OpenLDAP scheduler to verify that a deleted user retrieved from the accesslog has not been recreated
  • Group ObjectClass: used by the OpenLDAP scheduler to verify that a deleted group retrieved from the accesslog has not been recreated, and to retrieve group membership for users
  • Group Member attribute: used to retrieve the members of a group. The value is typically member (for groupOfNames) or uniqueMember (for groupOfUniqueNames)
  • User filter: used to retrieve users in a manual sync
  • Group filter: used to retrieve groups in a manual sync
  • Deleted user filter: used to retrieve deleted users in a manual sync
  • Deleted group filter: used to retrieve deleted groups in a manual sync
  • Account created since filter: used by the scheduler to retrieve users. The placeholder {0} must exist in the query; the scheduler replaces it with the schedule period start date.
  • Account deleted since filter: used by the scheduler to retrieve deleted users. The placeholder {0} must exist in the query; the scheduler replaces it with the schedule period start date.
  • Group deleted since filter: used by the scheduler to retrieve deleted groups. The placeholder {0} must exist in the query; the scheduler replaces it with the schedule period start date.
  • Group created since filter: used by the scheduler to retrieve groups. The placeholder {0} must exist in the query; the scheduler replaces it with the schedule period start date.

Active Directory

  • Group ObjectClass: used by the Active Directory scheduler to retrieve group membership for users
  • Group Member attribute: used to retrieve the members of a group.
  • User filter: used to retrieve users in a manual sync
  • Group filter: used to retrieve groups in a manual sync
  • Deleted user filter: used to retrieve deleted users in a manual sync
  • Deleted group filter: used to retrieve deleted groups in a manual sync
  • Account created since filter: used by the scheduler to retrieve users. The placeholder {0} must exist in the query; the scheduler replaces it with the schedule period start date.
  • Account deleted since filter: used by the scheduler to retrieve deleted users. The placeholder {0} must exist in the query; the scheduler replaces it with the schedule period start date.
  • Group deleted since filter: used by the scheduler to retrieve deleted groups. The placeholder {0} must exist in the query; the scheduler replaces it with the schedule period start date.
  • Group created since filter: used by the scheduler to retrieve groups. The placeholder {0} must exist in the query; the scheduler replaces it with the schedule period start date.
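The two configuration points above that most often go wrong are the {0} placeholder in the "since" filters and the Group Member attribute. The following is an added example, not ELC's own code, showing how a "created since" template is rendered safely (the date value is escaped per RFC 4515 so it cannot change the filter's structure) and how the configured member attribute selects group members. The filter strings, the createTimestamp attribute and the group entries are constructed for illustration; ELC's actual defaults live in ldap.properties.

```python
from datetime import datetime, timezone

# Placeholder syntax as described on the page: {0} is replaced by the
# schedule period start date before the filter is sent to the directory.
PLACEHOLDER = "{0}"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def generalized_time(dt: datetime) -> str:
    """LDAP GeneralizedTime in UTC; naive datetimes are assumed to be UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def validate_template(template: str) -> bool:
    """A 'since' filter is only usable by the scheduler if it carries {0}."""
    return PLACEHOLDER in template


def render_since_filter(template: str, period_start) -> str:
    """Substitute the period start (datetime or ISO 8601 string) into {0}."""
    if not validate_template(template):
        raise ValueError("filter template must contain the {0} placeholder")
    if isinstance(period_start, str):
        period_start = datetime.fromisoformat(period_start)
    return template.replace(
        PLACEHOLDER, escape_filter_value(generalized_time(period_start)))


def members_of(group_entry: dict, member_attr: str) -> list:
    """Return member DNs using the configured Group Member attribute.

    A mismatch (e.g. 'member' configured for a groupOfUniqueNames entry)
    silently yields no members, so no licenses would be assigned.
    """
    return list(group_entry.get(member_attr, []))
```

If the rendered filter returns nothing during a scheduler run, check the attribute your server actually stamps (createTimestamp on OpenLDAP, whenCreated on Active Directory) and that the member attribute matches the group objectClass.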

Notes

  • The LDAP import & scheduler facility currently only supports OpenLDAP (with the default schema configuration) & Active Directory
  • OpenLDAP users must have the Accesslog overlay enabled (cn=accesslog) in order to use the scheduler feature. The 'Sync now' feature works without the Accesslog enabled, but will only retrieve existing users/groups, not deleted ones.
  • The LDAP scheduler retrieves users & groups created/deleted in the specified period. If a full import of all modifications in the past is required, a manual 'Sync now' should be done before the first scheduler run.
  • The advanced properties (OpenLDAP & Active Directory filters) are saved in the file <ELC_HOME>\conf\ldap.properties. If the default values are modified in the LDAP Sync UI, they can be retrieved by deleting the file and restarting the ELC service - this restores the default values, which can then be persisted via the 'Save' button in the Sync LDAP UI.
