Configuring LDAP Sync Client Settings
By default, all clients share the same configuration (default configuration according to Configuring LDAP Sync). The default configuration is stored in the defaults.xml
file (see configuration file defaults.xml) and is referenced from the LDAPSync.xml
file.
You can configure optional client settings for each client used in the AE (see configuration file client_[client number].xml).
Important! Synchronization with client 0 is not supported.
This page includes the following:
Configuration Files
defaults.xml
The default configuration is stored in the ./clients/defaults.xml
file. You can change the path and file name in the Clients element of the LDAPSync.xml
file.
client_[client number].xml
You can define client-specific mappings between LDAP and AE/CDA user groups, which must be stored in a separate file. For example, client_10.xml
Note: If you do not use client setting configuration files, you must specify the clients when calling LDAP Sync. All settings are retrieved from the defaults.xml
file.
The structure is the same as for defaults.xml
, but all settings are optional.
Configuration Elements and their Attributes
You can use all elements and their attributes in all configuration files (defaults.xml
and client_[client number].xml
).
Elements
Important! In the defaults.xml
file all elements are required, whereas in the client configuration (client_[client number].xml
), all elements are optional.
-
Schema
Basic LDAP schema settings to restrict the LDAP tree
-
UserSchema
User-specific LDAP schema settings
-
GroupSchema
Group specific LDAP schema settings
-
AE
AE settings for the client synchronization (for example: client number)
-
GroupMappings
Mappings between AE and LDAP groups
-
ARA
ARA settings, if necessary
Important! Elements are not merged. If you use client settings, the setting in the client_[client number].xml
file overwrites all attributes for that element from defaults.xml
.
Example
Diverging Configuration of a Single Element
defaults.xml
contains the following mapping:
<GroupMappings> <map ae="QA" ldap="g1" /> </GroupMappings>
client_10.xml
contains the following mapping:
<GroupMappings> <map ae="DEV" ldap="g2" /> </GroupMappings>
As a result, only the GroupMapping setting from client_10.xml
file is used for synchronization.
Schema Attributes
You can configure a Distinguished Name (DN) to be used when searching for user or groups in LDAP.
-
baseDN
The root Distinguished Name (DN) used for searches against LDAP.
Example:
- o=example,c=com
- cn=users,dc=ad,dc=example,dc=com
Type: String
Mandatory: Yes
-
userDN
Used when searching for users. Restricts the LDAP user search to a single Ou (OrganizationalUnit) in addition to baseDN.
Example: ou=Users
Type: String
Mandatory: No
-
groupDN
Used when searching for groups in addition to the baseDN. Restricts the LDAP group search to a single Ou (OrganizationalUnit) in addition to baseDN.
Example: ou=Groups
Type: String
Mandatory: No
-
updateDn
Whether or not the DN is updated:
- Attribute value is
true
: DN of the user is updated - Attribute value is not
true
(it isfalse
or empty or any other value): DN of the user is not updated - Attribute is not present: DN of the user is not updated
Type: Boolean
Mandatory: No
- Attribute value is
Example
<Schema baseDN="DC=QA,DC=spoc,DC=global" userDN="" groupDN="" updateDn="true" />
UserSchema Attributes
UserSchema provides the following settings:
- An additional filter option (LDAP filter string) when searching for users
- Attribute mapping settings for users
Default values are set for working with AD.
-
userFilter
Filter used when searching for a user object.
Example: (&(objectCategory=Person)(objectClass=user)(sAMAccountName=*))
Type: String
Mandatory: Yes
Default (AD): (&(objectCategory=person)(objectClass=user)(sAMAccountName=*))
-
userNameAttribute
Attribute field used for loading the username.
Example: cn
Type: String
Mandatory: Yes
Default (AD): sAMAccountName
-
userFirstNameAttribute
The attribute field used for loading the user's first name.
Type: String
Mandatory: Yes
Default (AD): givenName
-
userLastNameAttribute
The attribute field used for loading the user's last name.
Type: String
Mandatory: Yes
Default (AD): sn
-
userEmailAttribute
The attribute field used for loading the user's email
Type: String
Mandatory: Yes
Default (AD): mail
Example
<UserSchema userFilter="(&(objectCategory=person)
(objectClass=user)(sAMAccountName=*))" userNameAttribute="sAMAccountName" userFirstNameAttribute="givenName" userLastNameAttribute="sn" userEmailAttribute="mail" />
GroupSchema Attributes
GroupSchema provides the following settings:
- An additional filter option (LDAP filter string) when searching for groups
- Attribute mapping settings for groups
Attributes:
-
groupFilter
The filter to used for searching group objects.
Example: (objectClass=group)
Type: String
Mandatory: Yes
Default (AD): (objectClass=group)
-
groupNameAttribute
The attribute field used for loading of or searching for the group's name.
Type: String
Mandatory: Yes
Default (AD): cn
Example
<GroupSchema groupFilter="(objectClass=group)" groupNameAttribute="cn" />
AE Attributes
-
userDomain
The domain (LDAP) / department (AE) for the user - only AE /LDAP users with this department / domain are synchronized.
Note: Typically the last dc= part of the base DN, but not always for AD.
Type: String
Mandatory: Yes
Default: -
-
autoDeactivateUsers
Enables/disables deactivation of AE user objects as follows:
- true:LDAP Sync deactivates AE user objects that cannot be found in the directory within the specified domain and search filter
- false: LDAP Sync does not change the active state of the user object in the AE. Removing a user from LDAP will not delete or deactivate the user object in the AE, but the user cannot login to the AE anymore as authentication is done against LDAP.
Type: Boolean
Mandatory: Yes
Default: false
GroupMappings Attributes
GroupMappings define the mapping between LDAP groups and AE user groups. You have two options:
- Option 1
By setting a static VARA object such as UC_LDAP_MAPPING_1000 in the AE client 0 (for all clients) which holds the group mappings. You define the AE user group in the Key field of this VARA object, and the LDAP user group(s) in the Value 1 field.Important!
- You can map one AE user group to one or more LDAP groups. If you specify more than one LDAP user group, separate them with a comma symbol (,).
- The VARA object contents cannot exceed 1023 characters, therefore you cannot map groups with long names or a lot of groups.
- Option 2
By using the XML configuration files for default and client settings.Tip: If your client.xml file is stored on several servers and/or if the group mapping must be adopted very often, consider using a VARA object as it does not require access to the AE server.
Attribute:
-
readFromVaraObject
For option 1 state the VARA object name stored in AE client 0.
For option 2 (if you do not specify a VARA object) leave the field empty or do not use the GroupMappings element.
Important! If you do not specify a VARA object, you must specify one child element of type "map" at least.
Type: String
Mandatory: No
Example
<GroupMappings readFromVaraObject="UC_LDAP_MAPPING_1000" />
AE object VARA.STATIC:
VARA.STATIC used to store and manage the AE to LDAP group mappings.
Map Element
In the map element, you define the mapping between AE user groups and LDAP groups.
-
AE
Name of the AE user group
Type: String
Mandatory: Yes
-
ldap
Names of the LDAP groups that are mapped to the AE group.
Note: Multiple LDAP group names are separated by a comma.
Example: Admin, SuperAdmin
Type: String
Mandatory: Yes
Example (XML configuration)
<GroupMappings > <map AE="Administrator" ldap="AUTOMIC.offerings.admin" /> <map AE="User" ldap="AUTOMIC.offerings.user" /> </GroupMappings>
CDA Attributes
You can enable the CDA synchronization and then configure the connection to the CDA instance that must be synchronized.
-
enabled
Values:
- true: CDA synchronization is enabled
- false: CDA synchronization is disabled
Type: Boolean
Mandatory: Yes
-
url
URL for the CDA instance which is connected to the AE client.
Type: String
Mandatory: Yes, if CDA is enabled
-
username
User name of the CDA user with permissions to create and edit users in CDA.
Type: String
Mandatory: Yes, if CDA is enabled
-
password
Password for the CDA user used to manage users in CDA.
Note: You enter or modify the password as plain text. It will be encrypted during the next synchronization run and stored in the configuration file as encrypted password.
Type: String
Mandatory: Yes, if CDA is enabled
Example: CDA Disabled
<ARA enabled="false" />
Example: CDA Enabled
<ARA enabled="true"
url="http://localhost:5555"
username="AE/1000/AUTOMIC/AUTOMIC"
password="automic"
/>
Example 1: defaults.xml
<?xml version="1.0" encoding="UTF-8"?> <Configuration> <Schema baseDN="DC=sbb01,DC=spoc,DC=global" userDN="" groupDN="" /> <UserSchema userFilter="(&(objectCategory=person)
(objectClass=user)(sAMAccountName=*))" userNameAttribute="sAMAccountName" userFirstNameAttribute="givenName" userLastNameAttribute="sn" userEmailAttribute="mail" /> <GroupSchema groupFilter="(objectClass=group)" groupNameAttribute="cn" /> <AE userDomain="sbb01" autoDeactivateUsers="false" /> <GroupMappings > <map AE="Administrator" ldap="AUTOMIC.offerings.admin" /> <map AE="User" ldap="AUTOMIC.offerings.user" /> </GroupMappings> <ARA enabled="false"/> </Configuration>
Example 2: Minimal client_[client number].xml to Enable the Sync with Default Values
<?xml version="1.0" encoding="UTF-8"?> <Configuration> <!-- This just enables the sync for this client
with defaults from ./defaults.xml --> </Configuration>
Example 3: client_[client number].xml to Enable the Sync with Domain AUTOMIC
<?xml version="1.0" encoding="UTF-8"?> <Configuration> <!-- This just enables the sync for this client
with defaults from ./defaults.xml --> <!-- Here we switch the domain for this client
to AUTOMIC, all other settings stay the same--> <Schema baseDN="DC=AUTOMIC,DC=spoc,DC=global" userDN="" groupDN="" /> <AE userDomain="AUTOMIC" autoDeactivateUsers="false" /> </Configuration>