Synchronization process with LDAP

This feature is compatible with Windows Active Directory and the LDAP v3 servers' directory. It includes passwords authentication.

Groups and users synchronization between UVMS and LDAP servers can be:

• Manually required by the user in Univiewer Console > Administration mode > Security > Groups > LDAP Synchronization > Trigger a new synchronization, or by the unisync LDAP command, which is described in section "unisync LDAP".

  The effective synchronization is managed in an asynchronous manner. The synchronization status is available in the Synchronization Log.

• Cyclical (according to the cycle defined by the "LDAP synchronization cycle" node setting. At the end of the synchronization, all synchronized groups (which selection is based on the groupsSearchBase value in the ldap.xml file) will contain the same users on both servers.

This synchronization process enables to:

• Gather all groups matching the filter or all groups which were defined manually.

• Check all the members of a group: a group can be another group member. Hence all the members of a sub-group are checked. The defined filter at the group level may not apply to a sub-group. However, even in that case, the sub-group will be checked.

• Compare the groups/users extracted from LDAP and those defined in UVMS. This may lead to:

  Add new groups to UVMS

  Add new users to UVMS

  Assign groups to users

  Remove users from UVMS which no longer exist in LDAP

  Remove users from UVMS which no longer belong to any group

  Remove groups from UVMS which no longer exist in LDAP and have no System User Patterns in UVMS

There is never any writing within LDAP.

Synchronization Log

During synchronization, the following errors can appear:

• Unavailability of LDAP
• Incomplete results
• Conflicts with existing objects (for instance : a group already exists in UVMS but it is defined as INTERNAL and not LDAP

They are inserted in a synchronization log file, defined by the U_LDAP_SYNC_FILE node setting detailed in the UVMS LDAP Node Settings section.

In a UVMS failover environment, the synchronization log file must be shared among all failover members.

Limits

The maximum number of links importable by the LDAP synchronization can be customized by the UVMS Node Setting LDAP_MAX_LINKS. By default, the maximum number of links is set to 10,000 (a link is defined by a pair user/group). This authorize for example up to 5000 users that have an average number of 2 groups each or 1000 users that have an average number of 10 groups each.

Increasing this value has a direct effect on the computation time of the objects to be extracted.