This topic provides details on how the user synchronization via LDAP Sync works.
You must administer AE user groups manually in the Administration perspective.
Note when using ARA: In addition to synchronization to AE, LDAP Sync also manages ARA User entities.
For managing users and user groups, the following rules apply for the synchronization from the LDAP directory to AE:
Scenarios where no synchronization occurs
If at least one of the following cases is true, no synchronization occurs for that user:
- The AE user group to which the user belongs is not mapped to an LDAP user group.
- The AE user is not tagged as an LDAP user (the "LDAP connection" checkbox is unchecked).
In these cases, users and user groups must be updated manually.
Scenario I: One AE User Group is mapped to One LDAP User Group
The AE user group "GrpAE" is mapped to the LDAP group "GrpLDAP" and the user is tagged as an LDAP user (the "LDAP connection" checkbox is checked).
Rules:
Condition | Action
---|---
The user exists in both groups (GrpAE and GrpLDAP). | The AE user data (e.g., first name, last name, e-mail) is updated.
The user exists in GrpAE and is tagged as an LDAP user, but in LDAP belongs only to another group (e.g., GrpLDAP_B), not to GrpLDAP. | The user is removed from the AE group GrpAE. If the user does not exist in LDAP at all and the "autoDeactivateUsers" parameter is set to "true", the user is deactivated in the AE. AE user data is never updated, even when different.
The user exists in the AE and in GrpLDAP but is not assigned to GrpAE. | The AE user is added to GrpAE and the AE user data (e.g., first name, last name, e-mail) is updated.
The user does not exist in the AE at all but is assigned to GrpLDAP. | The corresponding AE user is created and assigned to GrpAE. The user data is taken from the LDAP user and the user is tagged as an LDAP user in the AE.
In all other cases, no synchronization takes place. | -
Scenario II: Two user groups in AE and LDAP: Both AE User Groups are mapped to the corresponding LDAP User Groups (1:1 relation)
The AE user group "GrpAE" is mapped to the LDAP group "GrpLDAP", the AE user group "GrpAE_B" is mapped to the LDAP group "GrpLDAP_B", and the user is tagged as an LDAP user (the "LDAP connection" checkbox is checked).
Rules:
The basic rules of Scenario I apply.
Additionally:
Condition | Action
---|---
The user exists in GrpAE and in GrpLDAP_B. | The AE user is removed from GrpAE and added to GrpAE_B. Additionally, the AE user data (e.g., first name, last name, e-mail) is updated.
The user exists in one of the AE groups (e.g., GrpAE) and in both GrpLDAP and GrpLDAP_B. | The AE user is also added to GrpAE_B. Additionally, the AE user data (e.g., first name, last name, e-mail) is updated.
The user exists in GrpAE and in LDAP, but in neither of the LDAP groups GrpLDAP or GrpLDAP_B. | The AE user is removed from the AE group GrpAE. If the user does not exist in LDAP at all and the "autoDeactivateUsers" parameter is set to "true", the user is deactivated in the AE. AE user data is never updated, even when different.
The user does not exist in the AE at all but is in GrpLDAP, in GrpLDAP_B, or in both. | The corresponding AE user is created and assigned to the corresponding group GrpAE, GrpAE_B, or both. The user data is taken from the LDAP user and the user is tagged as an LDAP user in the AE.
The user exists in both AE groups (GrpAE and GrpAE_B) but in only one LDAP group (e.g., in GrpLDAP but not in GrpLDAP_B). | The AE user is removed from the AE group GrpAE_B (because it is not in the LDAP group GrpLDAP_B). Additionally, the AE user data (e.g., first name, last name, e-mail) is updated.
The user exists in both AE groups and in both LDAP groups. | The AE user data (e.g., first name, last name, e-mail) is updated.
Scenario III: Two user groups in AE and LDAP - Only one AE User Group is mapped to the corresponding LDAP User Group
The AE user group "GrpAE" is mapped to the LDAP group "GrpLDAP", the AE user group "GrpAE_B" is not mapped to the LDAP group "GrpLDAP_B" (but can contain relevant users), and the user is tagged as an LDAP user (the "LDAP connection" checkbox is checked).
Rules:
The basic rules of Scenario I apply.
Additionally:
Condition | Action
---|---
The user exists in GrpAE and in both LDAP groups (GrpLDAP and GrpLDAP_B). | The AE user data (e.g., first name, last name, e-mail) is updated.
The user exists in GrpAE and in GrpLDAP_B. | The AE user is removed from GrpAE. AE user data is never updated, even when different.
The user exists in at least one of the AE groups (GrpAE and/or GrpAE_B) but does not exist in LDAP at all. | The AE user is removed from the AE group GrpAE. If the "autoDeactivateUsers" parameter is set to "true", the user is also deactivated in the AE. AE user data is never updated, even when different.
The user exists in GrpAE_B and in GrpLDAP (or in both GrpLDAP and GrpLDAP_B). | The AE user is additionally assigned to GrpAE. Additionally, the AE user data (e.g., first name, last name, e-mail) is updated.
The user exists in both AE groups (GrpAE and GrpAE_B) and in GrpLDAP. | The AE user data (e.g., first name, last name, e-mail) is updated.
The user exists in both AE groups (GrpAE and GrpAE_B) and in both LDAP groups (GrpLDAP and GrpLDAP_B). | The AE user data (e.g., first name, last name, e-mail) is updated.
The user exists in both AE groups (GrpAE and GrpAE_B) and in GrpLDAP_B. | The user is removed from the AE group GrpAE. AE user data is never updated, even when different.
The user does not exist in the AE at all but is in both LDAP groups (GrpLDAP and GrpLDAP_B). | The corresponding AE user is created and assigned to the AE group GrpAE. The user data is taken from the LDAP user and the user is tagged as an LDAP user in the AE.
Scenario IV: Two user groups in AE and one in LDAP - Two AE User Groups are mapped to a single LDAP User Group
The AE user group "GrpAE" is mapped to the LDAP group "GrpLDAP", the AE user group "GrpAE_B" is mapped to the same LDAP group "GrpLDAP", and the user is tagged as an LDAP user (the "LDAP connection" checkbox is checked).
Rules:
The basic rules of Scenario I apply.
Additionally:
Condition | Action
---|---
The user exists in at least one of the AE groups (GrpAE and/or GrpAE_B) and in GrpLDAP. | The user is assigned to both AE groups (GrpAE and GrpAE_B) and the AE user data is updated.
The user exists in at least one of the AE groups (GrpAE and/or GrpAE_B) but not in the LDAP group. | The AE user is removed from the AE groups. If the user does not exist in LDAP at all and the "autoDeactivateUsers" parameter is set to "true", the user is deactivated in the AE. AE user data is never updated, even when different.
The user does not exist in the AE at all but exists in the LDAP group. | The corresponding AE user is created and assigned to both AE groups (GrpAE and GrpAE_B). The user data is taken from the LDAP user and the user is tagged as an LDAP user in the AE.
Scenario V: Two user groups in LDAP and one in AE - Two LDAP User Groups are mapped to a single AE User Group
This scenario is not supported by LDAP Sync.
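The rules in Scenarios I to IV are one reconciliation procedure applied once per mapped AE user group: members of the mapped LDAP group are added and updated, AE members missing from that LDAP group are removed (and deactivated only when absent from LDAP entirely and "autoDeactivateUsers" is set), unknown LDAP members are created and tagged, and unmapped AE groups and untagged users are left alone. The following Python model is an added example, not Automic's LDAP Sync code, and goes slightly beyond the page by handling any number of mapped groups at once. It assumes that group membership can be represented as sets, that the mapping is a dictionary from AE group to LDAP group (so an AE group maps to at most one LDAP group, which is why Scenario IV's many-to-one mapping can be expressed but Scenario V's cannot), and that every member of an LDAP group also appears in the directory's user list. The names ldap_sync, AEUser, scenario_one and the sample users are assumptions for this example; the group names beyond GrpAE/GrpLDAP follow the page.

```python
"""Model of the LDAP Sync reconciliation rules described on this page.

Added example (not Automic's own code). Assumptions: group membership is
modelled as Python sets; `mapping` is a dict AE group -> LDAP group; every
member of an LDAP group is also present in `ldap_users`, the set of all
users known to the directory.
"""
from dataclasses import dataclass, field


@dataclass
class AEUser:
    name: str
    ldap_connection: bool = True      # the "LDAP connection" checkbox
    active: bool = True
    groups: set = field(default_factory=set)
    data: dict = field(default_factory=dict)  # first name, e-mail, ...


def ldap_sync(ae_users, ldap_users, ldap_groups, mapping, auto_deactivate_users=False):
    """Apply the sync rules in place and return the list of actions taken.

    ae_users:    dict name -> AEUser (mutated: users are created/updated here)
    ldap_users:  dict name -> attribute dict for every user in the directory
    ldap_groups: dict LDAP group name -> set of member names
    mapping:     dict AE group name -> LDAP group name it is mapped to
    """
    actions = []

    def note(action):
        if action not in actions:      # e.g. one "update" per user, not per group
            actions.append(action)

    for ae_group, ldap_group in mapping.items():
        ldap_members = ldap_groups.get(ldap_group, set())

        # Members of the mapped LDAP group: create, add to the AE group, update.
        for name in sorted(ldap_members):
            user = ae_users.get(name)
            if user is None:
                # Unknown in AE: create it from LDAP data, tagged as LDAP user.
                user = AEUser(name, ldap_connection=True, data=dict(ldap_users[name]))
                ae_users[name] = user
                note(f"create {name}")
            if not user.ldap_connection:
                continue                # untagged AE users are never synchronized
            if ae_group not in user.groups:
                user.groups.add(ae_group)
                note(f"add {name} to {ae_group}")
            user.data.update(ldap_users[name])
            note(f"update {name}")

        # AE members of the mapped group who are not in the LDAP group: remove,
        # never update, deactivate only if gone from LDAP and the parameter is set.
        for name, user in ae_users.items():
            if ae_group in user.groups and user.ldap_connection and name not in ldap_members:
                user.groups.discard(ae_group)
                note(f"remove {name} from {ae_group}")
                if name not in ldap_users and auto_deactivate_users and user.active:
                    user.active = False
                    note(f"deactivate {name}")
    return actions


def scenario_one(auto_deactivate_users=True):
    """Constructed sample data for Scenario I (GrpAE mapped to GrpLDAP)."""
    ae_users = {
        "alice": AEUser("alice", groups={"GrpAE"}, data={"mail": "old@example.invalid"}),
        "bob":   AEUser("bob",   groups={"GrpAE"}),        # in LDAP, but only in GrpLDAP_B
        "carol": AEUser("carol", groups=set()),            # in GrpLDAP, not yet in GrpAE
        "erin":  AEUser("erin",  groups={"GrpAE"}),        # no longer exists in LDAP
        "frank": AEUser("frank", groups={"GrpAE"}, ldap_connection=False),  # untagged
    }
    ldap_users = {n: {"mail": f"{n}@example.invalid"} for n in ("alice", "bob", "carol", "dave")}
    ldap_groups = {"GrpLDAP": {"alice", "carol", "dave"}, "GrpLDAP_B": {"bob"}}
    actions = ldap_sync(ae_users, ldap_users, ldap_groups, {"GrpAE": "GrpLDAP"},
                        auto_deactivate_users)
    return actions, ae_users


if __name__ == "__main__":
    for action in scenario_one()[0]:
        print(action)
```

Running the module prints the Scenario I outcome: alice is updated, carol is added, dave is created and added, bob is removed without an update, erin is removed and deactivated, and frank is untouched because the "LDAP connection" flag is off. Passing a mapping with two AE keys pointing at the same LDAP group reproduces Scenario IV, and leaving GrpAE_B out of the mapping reproduces Scenario III, where that group keeps its members regardless of LDAP.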