Configuring Client Settings
By default, all clients share the same configuration (default configuration according to Configuring LDAP Sync). The default configuration is stored in the defaults.xml file (see configuration file defaults.xml) and is referenced from the LDAPSync.xml file.
You can configure optional client settings for each client used in the AE (see configuration file client_[client number].xml).
Important! Synchronization with client 0 is not supported.
Configuration Files
The default configuration is stored in the ./clients/defaults.xml file. You can change the path and file name in the Clients element of the LDAPSync.xml file.
You can define client-specific mappings between LDAP and AE/CDA user groups, which must be stored in a separate file, for example, client_10.xml.
Note: If you do not use client setting configuration files, you must specify the clients when calling LDAP Sync. All settings are retrieved from the defaults.xml file.
The structure is the same as for defaults.xml, but all settings are optional.
Configuration Elements and their Attributes
You can use all elements and their attributes in all configuration files (defaults.xml and client_[client number].xml).
Elements
Important! In the defaults.xml file all elements are required, whereas in the client configuration (client_[client number].xml), all elements are optional.
- Schema: Basic LDAP schema settings to restrict the LDAP tree
- UserSchema: User-specific LDAP schema settings
- GroupSchema: Group-specific LDAP schema settings
- AE: AE settings for the client synchronization (for example: client number)
- GroupMappings: Mappings between AE and LDAP groups
- ARA: ARA settings, if necessary
Important! Elements are not merged. If you use client settings, the setting in the client_[client number].xml file overwrites all attributes for that element from defaults.xml.
Example
Diverging Configuration of a Single Element
defaults.xml contains the following mapping:
<GroupMappings> <map ae="QA" ldap="g1" /> </GroupMappings>
client_10.xml contains the following mapping:
<GroupMappings> <map ae="DEV" ldap="g2" /> </GroupMappings>
As a result, only the GroupMappings setting from the client_10.xml file is used for synchronization.
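The replace-not-merge rule above, modelled as an added example (this is not LDAP Sync's own code). The sample XML is constructed from this page's snippets, the function names are hypothetical, and updateDn is the optional Schema attribute described under Schema Attributes. Besides the GroupMappings case, it shows that a client Schema element that omits updateDn does not inherit the value from defaults.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample files modelled on this page's examples (not a real installation).
DEFAULTS_XML = """<Configuration>
    <Schema baseDN="DC=QA,DC=spoc,DC=global" userDN="" groupDN="" updateDn="true" />
    <AE userDomain="QA" autoDeactivateUsers="false" />
    <GroupMappings> <map ae="QA" ldap="g1" /> </GroupMappings>
</Configuration>"""

CLIENT_10_XML = """<Configuration>
    <Schema baseDN="DC=AUTOMIC,DC=spoc,DC=global" userDN="" groupDN="" />
    <GroupMappings> <map ae="DEV" ldap="g2" /> </GroupMappings>
</Configuration>"""


def load(xml_text):
    """Map each top-level element name (Schema, AE, ...) to its parsed element."""
    return {el.tag: el for el in ET.fromstring(xml_text)}


def effective_config(defaults_xml, client_xml):
    """Model of the documented rule: a client element replaces the default element whole."""
    defaults, client = load(defaults_xml), load(client_xml)
    result = {}
    for tag, default_el in defaults.items():
        chosen = client.get(tag, default_el)
        result[tag] = {
            "source": "client" if tag in client else "defaults",
            "attributes": dict(chosen.attrib),
            "maps": [dict(m.attrib) for m in chosen.findall("map")],
        }
    return result


def dropped_settings(defaults_xml, client_xml):
    """List default attributes and mappings that are lost when the client overrides an element."""
    defaults, client = load(defaults_xml), load(client_xml)
    dropped = []
    for tag, client_el in client.items():
        if tag not in defaults:
            continue
        for name, value in defaults[tag].attrib.items():
            if name not in client_el.attrib:
                dropped.append((tag, name, value))
        kept = [dict(m.attrib) for m in client_el.findall("map")]
        for m in defaults[tag].findall("map"):
            if dict(m.attrib) not in kept:
                dropped.append((tag, "map", dict(m.attrib)))
    return dropped
```

Running dropped_settings over defaults.xml and each client file before a synchronization run lists the group mappings and attributes that the client file silently stops applying.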
Schema Attributes
You can configure a Distinguished Name (DN) to be used when searching for users or groups in LDAP.
- baseDN: The root Distinguished Name (DN) used for searches against LDAP.
  Examples:
  - o=example,c=com
  - cn=users,dc=ad,dc=example,dc=com
  Type: String
  Mandatory: Yes
- userDN: Used when searching for users. Restricts the LDAP user search to a single OU (OrganizationalUnit) in addition to baseDN.
  Example: ou=Users
  Type: String
  Mandatory: No
- groupDN: Used when searching for groups. Restricts the LDAP group search to a single OU (OrganizationalUnit) in addition to baseDN.
  Example: ou=Groups
  Type: String
  Mandatory: No
- updateDn: Whether or not the DN is updated:
  - Attribute value is true: DN of the user is updated
  - Attribute value is not true (it is false, empty, or any other value): DN of the user is not updated
  - Attribute is not present: DN of the user is not updated
  Type: Boolean
  Mandatory: No
Example
<Schema baseDN="DC=QA,DC=spoc,DC=global"
        userDN=""
        groupDN="" 
        updateDn="true"
/>
UserSchema Attributes
UserSchema provides the following settings:
- An additional filter option (LDAP filter string) when searching for users
- Attribute mapping settings for users
Default values are set for working with AD.
- userFilter: Filter used when searching for a user object.
  Example: (&(objectCategory=Person)(objectClass=user)(sAMAccountName=*))
  Type: String
  Mandatory: Yes
  Default (AD): (&(objectCategory=person)(objectClass=user)(sAMAccountName=*))
- userNameAttribute: Attribute field used for loading the username.
  Example: cn
  Type: String
  Mandatory: Yes
  Default (AD): sAMAccountName
- userFirstNameAttribute: The attribute field used for loading the user's first name.
  Type: String
  Mandatory: Yes
  Default (AD): givenName
- userLastNameAttribute: The attribute field used for loading the user's last name.
  Type: String
  Mandatory: Yes
  Default (AD): sn
- userEmailAttribute: The attribute field used for loading the user's email.
  Type: String
  Mandatory: Yes
  Default (AD): mail
Example
<UserSchema userFilter="(&amp;(objectCategory=person)(objectClass=user)(sAMAccountName=*))"
            userNameAttribute="sAMAccountName"
            userFirstNameAttribute="givenName"
            userLastNameAttribute="sn"
            userEmailAttribute="mail"
/>
GroupSchema Attributes
GroupSchema provides the following settings:
- An additional filter option (LDAP filter string) when searching for groups
- Attribute mapping settings for groups
Attributes:
- groupFilter: The filter used for searching group objects.
  Example: (objectClass=group)
  Type: String
  Mandatory: Yes
  Default (AD): (objectClass=group)
- groupNameAttribute: The attribute field used for loading or searching for the group's name.
  Type: String
  Mandatory: Yes
  Default (AD): cn
Example
<GroupSchema groupFilter="(objectClass=group)"
             groupNameAttribute="cn"
/>
AE Attributes
- userDomain: The domain (LDAP) / department (AE) for the user. Only AE/LDAP users with this department/domain are synchronized.
  Note: Typically the last dc= part of the base DN, but not always for AD.
  Type: String
  Mandatory: Yes
  Default: -
- autoDeactivateUsers: Enables/disables deactivation of AE user objects as follows:
  - true: LDAP Sync deactivates AE user objects that cannot be found in the directory within the specified domain and search filter.
  - false: LDAP Sync does not change the active state of the user object in the AE. Removing a user from LDAP will not delete or deactivate the user object in the AE, but the user cannot log in to the AE anymore as authentication is done against LDAP.
  Type: Boolean
  Mandatory: Yes
  Default: false
GroupMappings Attributes
GroupMappings define the mapping between LDAP groups and AE user groups. You have two options:
- Option 1
  Set a static VARA object, such as UC_LDAP_MAPPING_1000, in AE client 0 (for all clients) that holds the group mappings. You define the AE user group in the Key field of this VARA object, and the LDAP user group(s) in the Value 1 field.
  Important!
  - You can map one AE user group to one or more LDAP groups. If you specify more than one LDAP user group, separate them with a comma (,).
  - The VARA object contents cannot exceed 1023 characters; therefore, you cannot map groups with long names or a large number of groups.
- Option 2
  Use the XML configuration files for default and client settings.
  Tip: If your client.xml file is stored on several servers and/or if the group mapping must be adapted very often, consider using a VARA object as it does not require access to the AE server.
Attribute:
- readFromVaraObject: For option 1, state the name of the VARA object stored in AE client 0. For option 2 (if you do not specify a VARA object), leave the field empty or do not use the GroupMappings element.
  Important! If you do not specify a VARA object, you must specify at least one child element of type "map".
  Type: String
  Mandatory: No
Example
<GroupMappings readFromVaraObject="UC_LDAP_MAPPING_1000" />
AE object VARA.STATIC:
VARA.STATIC used to store and manage the AE to LDAP group mappings.
Map Element
In the map element, you define the mapping between AE user groups and LDAP groups.
- AE: Name of the AE user group.
  Type: String
  Mandatory: Yes
- ldap: Names of the LDAP groups that are mapped to the AE group.
  Note: Multiple LDAP group names are separated by a comma.
  Example: Admin, SuperAdmin
  Type: String
  Mandatory: Yes
Example (XML configuration)
<GroupMappings >
    <map AE="Administrator" ldap="AUTOMIC.offerings.admin" />
    <map AE="User" ldap="AUTOMIC.offerings.user" />
</GroupMappings>
CDA Attributes
You can enable the CDA synchronization and then configure the connection to the CDA instance that must be synchronized.
- enabled: Values:
  - true: CDA synchronization is enabled
  - false: CDA synchronization is disabled
  Type: Boolean
  Mandatory: Yes
- url: URL for the CDA instance which is connected to the AE client.
  Type: String
  Mandatory: Yes, if CDA is enabled
- username: User name of the CDA user with permissions to create and edit users in CDA.
  Type: String
  Mandatory: Yes, if CDA is enabled
- password: Password for the CDA user used to manage users in CDA.
  Note: You enter or modify the password as plain text. It will be encrypted during the next synchronization run and stored in the configuration file as encrypted password.
  Type: String
  Mandatory: Yes, if CDA is enabled
Example: CDA Disabled
<ARA enabled="false" />
Example: CDA Enabled
<ARA enabled="true"
     url="http://localhost:5555"
     username="AE/1000/AUTOMIC/AUTOMIC"
     password="automic"
/>
Example 1: defaults.xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
			
    <Schema baseDN="DC=sbb01,DC=spoc,DC=global"
            userDN=""
            groupDN="" />
 
    <UserSchema userFilter="(&amp;(objectCategory=person)(objectClass=user)(sAMAccountName=*))"
                userNameAttribute="sAMAccountName"
                userFirstNameAttribute="givenName"
                userLastNameAttribute="sn"
                userEmailAttribute="mail" />
 
    <GroupSchema groupFilter="(objectClass=group)"
                 groupNameAttribute="cn" />
 
    <AE userDomain="sbb01"
        autoDeactivateUsers="false" />
 
    <GroupMappings >
        <map AE="Administrator" ldap="AUTOMIC.offerings.admin" />
        <map AE="User" ldap="AUTOMIC.offerings.user" />
    </GroupMappings>
 
    <ARA enabled="false"/>
			
</Configuration>
Example 2: Minimal client_[client number].xml to Enable the Sync with Default Values
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
			
    <!-- This just enables the sync for this client 
         with defaults from ./defaults.xml -->
			
</Configuration>
Example 3: client_[client number].xml to Enable the Sync with Domain AUTOMIC
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
			
    <!-- This just enables the sync for this client 
         with defaults from ./defaults.xml -->
    <!-- Here we switch the domain for this client 
         to AUTOMIC, all other settings stay the same-->
			
    <Schema baseDN="DC=AUTOMIC,DC=spoc,DC=global"
        userDN=""
        groupDN="" />
			
    <AE userDomain="AUTOMIC"
        autoDeactivateUsers="false" />
			
</Configuration>