Configuring LDAP Sync Client Settings

By default, all clients share the same configuration (default configuration according to Configuring LDAP Sync). The default configuration is stored in the defaults.xml file (see configuration file defaults.xml) and is referenced from the LDAPSync.xml file.

You can configure optional client settings for each client used in the AE (see configuration file client_[client number].xml).

Important! Synchronization with client 0 is not supported.

Configuration Files

defaults.xml

The default configuration is stored in the ./clients/defaults.xml file. You can change the path and file name in the Clients element of the LDAPSync.xml file.

client_[client number].xml

You can define client-specific mappings between LDAP and AE/CDA user groups; these must be stored in a separate file per client, for example client_10.xml for client 10.

Note: If you do not use client setting configuration files, you must specify the clients when calling LDAP Sync. All settings are then retrieved from the defaults.xml file.

The structure is the same as for defaults.xml, but all settings are optional.

Configuration Elements and their Attributes

You can use all elements and their attributes in all configuration files (defaults.xml and client_[client number].xml).

Elements

Important! In the defaults.xml file all elements are required, whereas in the client configuration (client_[client number].xml), all elements are optional.

  • Schema

    Basic LDAP schema settings to restrict the LDAP tree

  • UserSchema

    User-specific LDAP schema settings

  • GroupSchema

    Group-specific LDAP schema settings

  • AE

    AE settings for the client synchronization (for example: client number)

  • GroupMappings

    Mappings between AE and LDAP groups

  • ARA

    ARA (CDA) settings, if required

Important! Elements are not merged. If you use client settings, an element in the client_[client number].xml file replaces the whole corresponding element from defaults.xml, including all of its attributes.

Example

Diverging Configuration of a Single Element

defaults.xml contains the following mapping:

<GroupMappings>
   <map AE="QA" ldap="g1" />
</GroupMappings>

client_10.xml contains the following mapping:

<GroupMappings>
   <map AE="DEV" ldap="g2" />
</GroupMappings>

As a result, only the GroupMappings setting from the client_10.xml file is used for synchronization; the QA mapping from defaults.xml is not applied to client 10.
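The whole-element replacement rule above, as an added Python example that is not part of the product or of this page: it parses constructed defaults.xml and client_10.xml contents, reports required elements missing from the defaults, and resolves the configuration one client sees. The client file also carries a partial Schema element to show that the attributes it omits (here userDN and groupDN) are dropped rather than inherited, which silently widens the search scope.

```python
import xml.etree.ElementTree as ET

# Elements defaults.xml must define; client_[client number].xml may omit any of them.
REQUIRED_ELEMENTS = ("Schema", "UserSchema", "GroupSchema", "AE", "GroupMappings", "ARA")

# Constructed sample contents, reduced to the elements this example discusses.
DEFAULTS_XML = """<Configuration>
    <Schema baseDN="DC=QA,DC=spoc,DC=global" userDN="ou=Users" groupDN="ou=Groups" />
    <GroupMappings>
        <map AE="QA" ldap="g1" />
    </GroupMappings>
</Configuration>"""

CLIENT_10_XML = """<Configuration>
    <Schema baseDN="DC=DEV,DC=spoc,DC=global" />
    <GroupMappings>
        <map AE="DEV" ldap="g2" />
    </GroupMappings>
</Configuration>"""


def missing_required(defaults_xml):
    """Names of required elements that defaults.xml does not define."""
    root = ET.fromstring(defaults_xml)
    return [name for name in REQUIRED_ELEMENTS if root.find(name) is None]


def effective_config(defaults_xml, client_xml):
    """Resolve the configuration one client sees, keyed by element name.
    Elements are replaced whole, never merged: when the client file defines an
    element, every attribute and child of the default element is discarded."""
    defaults = ET.fromstring(defaults_xml)
    client = ET.fromstring(client_xml)
    resolved = {}
    for elem in defaults:
        override = client.find(elem.tag)
        resolved[elem.tag] = elem if override is None else override
    return resolved


def dropped_attributes(defaults_xml, client_xml):
    """Attributes set in defaults.xml that a partial client override silently loses."""
    defaults = ET.fromstring(defaults_xml)
    client = ET.fromstring(client_xml)
    lost = {}
    for elem in defaults:
        override = client.find(elem.tag)
        if override is not None:
            gone = sorted(set(elem.attrib) - set(override.attrib))
            if gone:
                lost[elem.tag] = gone
    return lost
```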

Schema Attributes

You can configure the Distinguished Names (DNs) used when searching for users or groups in LDAP.

  • baseDN

    The root Distinguished Name (DN) used for searches against LDAP.

    Example:

    • o=example,c=com
    • cn=users,dc=ad,dc=example,dc=com

    Type: String

    Mandatory: Yes

  • userDN

    Used when searching for users. Restricts the LDAP user search to a single OU (organizationalUnit) below the baseDN.

    Example: ou=Users

    Type: String

    Mandatory: No

  • groupDN

    Used when searching for groups. Restricts the LDAP group search to a single OU (organizationalUnit) below the baseDN.

    Example: ou=Groups

    Type: String

    Mandatory: No

  • updateDn

    Whether or not the DN is updated:

    • Attribute value is true: DN of the user is updated
    • Attribute value is not true (it is false or empty or any other value): DN of the user is not updated
    • Attribute is not present: DN of the user is not updated

    Type: Boolean

    Mandatory: No

Example

<Schema baseDN="DC=QA,DC=spoc,DC=global"
        userDN=""
        groupDN="" 
        updateDn="true"
/>

UserSchema Attributes

UserSchema provides the following settings:

  • An additional filter option (LDAP filter string) when searching for users
  • Attribute mapping settings for users

The default values are suited to Active Directory (AD).

  • userFilter

    Filter used when searching for a user object.

    Example: (&(objectCategory=Person)(objectClass=user)(sAMAccountName=*))

    Type: String

    Mandatory: Yes

    Default (AD): (&(objectCategory=person)(objectClass=user)(sAMAccountName=*))

  • userNameAttribute

    Attribute field used for loading the username.

    Example: cn

    Type: String

    Mandatory: Yes

    Default (AD): sAMAccountName

  • userFirstNameAttribute

    The attribute field used for loading the user's first name.

    Type: String

    Mandatory: Yes

    Default (AD): givenName

  • userLastNameAttribute

    The attribute field used for loading the user's last name.

    Type: String

    Mandatory: Yes

    Default (AD): sn

  • userEmailAttribute

    The attribute field used for loading the user's email address.

    Type: String

    Mandatory: Yes

    Default (AD): mail

Example

<!-- The leading & of the LDAP filter must be written as &amp; inside an XML attribute value -->
<UserSchema userFilter="(&amp;(objectCategory=person)(objectClass=user)(sAMAccountName=*))"
            userNameAttribute="sAMAccountName"
            userFirstNameAttribute="givenName"
            userLastNameAttribute="sn"
            userEmailAttribute="mail"
/>

GroupSchema Attributes

GroupSchema provides the following settings:

  • An additional filter option (LDAP filter string) when searching for groups
  • Attribute mapping settings for groups

Attributes:

  • groupFilter

    The filter used when searching for group objects.

    Example: (objectClass=group)

    Type: String

    Mandatory: Yes

    Default (AD): (objectClass=group)

  • groupNameAttribute

    The attribute field used for loading or searching for the group's name.

    Type: String

    Mandatory: Yes

    Default (AD): cn

Example

<GroupSchema groupFilter="(objectClass=group)"
             groupNameAttribute="cn"
/>

AE Attributes

  • userDomain

    The LDAP domain of the user, which corresponds to the AE department. Only AE and LDAP users with this department/domain are synchronized.

    Note: Typically the last dc= part of the base DN, but not always for AD.

    Type: String

    Mandatory: Yes

    Default: -

  • autoDeactivateUsers

    Enables or disables the deactivation of AE user objects as follows:

    • true: LDAP Sync deactivates AE user objects that cannot be found in the directory within the specified domain and search filter
    • false: LDAP Sync does not change the active state of the user object in the AE. Removing a user from LDAP neither deletes nor deactivates the user object in the AE, but the user can no longer log in to the AE because authentication is done against LDAP.

    Type: Boolean

    Mandatory: Yes

    Default: false

GroupMappings Attributes

GroupMappings define the mapping between LDAP groups and AE user groups. You have two options:

  • Option 1
    Set a static VARA object such as UC_LDAP_MAPPING_1000 in AE client 0 (valid for all clients) that holds the group mappings. You define the AE user group in the Key field of this VARA object and the LDAP user group(s) in the Value 1 field.

    Important!

    • You can map one AE user group to one or more LDAP groups. If you specify more than one LDAP user group, separate them with a comma (,).
    • The VARA object contents cannot exceed 1023 characters, so you cannot map groups with long names or many groups this way.
  • Option 2
    Use the XML configuration files for default and client settings.

    Tip: If your client_[client number].xml files are stored on several servers and/or the group mapping must be adapted very often, consider using a VARA object, as it does not require access to the AE server.

Attribute:

  • readFromVaraObject

    For option 1, state the name of the VARA object stored in AE client 0.

    For option 2 (no VARA object), leave the attribute empty or do not use the GroupMappings element.

    Important! If you do not specify a VARA object, you must specify at least one child element of type "map".

    Type: String

    Mandatory: No

Example

<GroupMappings readFromVaraObject="UC_LDAP_MAPPING_1000" />

The referenced AE object is of type VARA.STATIC and is used to store and manage the AE to LDAP group mappings.

Map Element

In the map element, you define the mapping between AE user groups and LDAP groups.

  • AE

    Name of the AE user group

    Type: String

    Mandatory: Yes

  • ldap

    Names of the LDAP groups that are mapped to the AE group.

    Note: Multiple LDAP group names are separated by a comma.

    Example: Admin, SuperAdmin

    Type: String

    Mandatory: Yes

Example (XML configuration)

<GroupMappings>
    <map AE="Administrator" ldap="AUTOMIC.offerings.admin" />
    <map AE="User" ldap="AUTOMIC.offerings.user" />
</GroupMappings>
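Both mapping options (the VARA object under Option 1 and the map elements under Option 2) as an added Python example; this is not the product's code and the sample rows and XML are constructed here. It parses each source into the same AE-group-to-LDAP-groups structure, enforces the stated 1023-character limit (checked per Value 1 field, which is an assumption) and the at-least-one-map rule, and resolves a user's LDAP memberships to AE user groups; exact-name comparison of group names is also an assumption the page does not state.

```python
import xml.etree.ElementTree as ET

VARA_VALUE_LIMIT = 1023  # stated limit on VARA object contents; applied per Value 1 (assumption)

# Constructed sample for option 2: map elements in the XML configuration.
GROUPMAPPINGS_XML = """<GroupMappings>
    <map AE="Administrator" ldap="AUTOMIC.offerings.admin" />
    <map AE="User" ldap="AUTOMIC.offerings.user, AUTOMIC.contractors" />
</GroupMappings>"""

# Constructed sample for option 1: rows of a VARA.STATIC object as (Key, Value 1).
VARA_ROWS = [
    ("Administrator", "AUTOMIC.offerings.admin"),
    ("User", "AUTOMIC.offerings.user, AUTOMIC.contractors"),
]


def split_ldap_groups(value):
    """Comma-separated LDAP group names -> list, ignoring surrounding spaces."""
    return [g.strip() for g in value.split(",") if g.strip()]


def mappings_from_xml(xml):
    """AE group -> set of LDAP groups from a GroupMappings element.
    Without readFromVaraObject, at least one map child is required."""
    root = ET.fromstring(xml)
    maps = root.findall("map")
    if not root.get("readFromVaraObject") and not maps:
        raise ValueError("GroupMappings needs readFromVaraObject or at least one map child")
    return {m.get("AE"): set(split_ldap_groups(m.get("ldap", ""))) for m in maps}


def mappings_from_vara(rows):
    """Same structure from VARA rows; rejects a Value 1 over the size limit."""
    mappings = {}
    for key, value in rows:
        if len(value) > VARA_VALUE_LIMIT:
            raise ValueError(f"Value 1 for {key} exceeds {VARA_VALUE_LIMIT} characters")
        mappings[key] = set(split_ldap_groups(value))
    return mappings


def ae_groups_for(user_ldap_groups, mappings):
    """AE user groups a user receives from its LDAP group memberships
    (assumption: group names are compared exactly)."""
    member_of = set(user_ldap_groups)
    return sorted(ae for ae, ldap in mappings.items() if ldap & member_of)
```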

CDA Attributes

You can enable the CDA synchronization and then configure the connection to the CDA instance that must be synchronized. In the configuration files, this element is named ARA (see the examples below).

  • enabled

    Values:

    • true: CDA synchronization is enabled
    • false: CDA synchronization is disabled

    Type: Boolean

    Mandatory: Yes

  • url

    URL of the CDA instance that is connected to the AE client.

    Type: String

    Mandatory: Yes, if CDA is enabled

  • username

    User name of the CDA user with permissions to create and edit users in CDA.

    Type: String

    Mandatory: Yes, if CDA is enabled

  • password

    Password for the CDA user used to manage users in CDA.

    Note: You enter or modify the password as plain text. It is encrypted during the next synchronization run and stored in the configuration file in encrypted form.

    Type: String

    Mandatory: Yes, if CDA is enabled

Example: CDA Disabled

<ARA enabled="false" />

Example: CDA Enabled

<ARA enabled="true"
     url="http://localhost:5555"
     username="AE/1000/AUTOMIC/AUTOMIC"
     password="automic"
/>

Example 1: defaults.xml

<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
    <Schema baseDN="DC=sbb01,DC=spoc,DC=global"
            userDN=""
            groupDN="" />
    <!-- The leading & of the LDAP filter is written as &amp; inside the XML attribute value -->
    <UserSchema userFilter="(&amp;(objectCategory=person)(objectClass=user)(sAMAccountName=*))"
                userNameAttribute="sAMAccountName"
                userFirstNameAttribute="givenName"
                userLastNameAttribute="sn"
                userEmailAttribute="mail" />
    <GroupSchema groupFilter="(objectClass=group)"
                 groupNameAttribute="cn" />
    <AE userDomain="sbb01"
        autoDeactivateUsers="false" />
    <GroupMappings>
        <map AE="Administrator" ldap="AUTOMIC.offerings.admin" />
        <map AE="User" ldap="AUTOMIC.offerings.user" />
    </GroupMappings>
    <ARA enabled="false" />
</Configuration>

Example 2: Minimal client_[client number].xml to Enable the Sync with Default Values

<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
    <!-- This just enables the sync for this client
         with defaults from ./defaults.xml -->
</Configuration>

Example 3: client_[client number].xml to Enable the Sync with Domain AUTOMIC

<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
    <!-- This enables the sync for this client
         with defaults from ./defaults.xml -->
    <!-- Here we switch the domain for this client
         to AUTOMIC; all other settings stay the same -->
    <Schema baseDN="DC=AUTOMIC,DC=spoc,DC=global"
            userDN=""
            groupDN="" />
    <AE userDomain="AUTOMIC"
        autoDeactivateUsers="false" />
</Configuration>