Configuring Client Settings

By default, all clients share the same configuration (default configuration according to Configuring LDAP Sync). The default configuration is stored in defaults.xml (see configuration file defaults.xml) and is referenced from LDAPSync.xml (see Configuring LDAP Sync).

You can configure optional client settings for each client used in the AE (see configuration file client_[client number].xml).

Synchronization with client 0 is not supported.

Configuration Files

defaults.xml

The default configuration is stored in ./clients/defaults.xml. If required, you can change the path and file name in the Clients element of LDAPSync.xml.

client_[client number].xml

You can specify client-specific mappings between LDAP and AE/ARA user groups that differ from those in defaults.xml, separately for each AE client.

If you do not use client setting configuration files, you must specify the clients when calling LDAP Sync. All settings are then taken from defaults.xml.

The structure is the same as for defaults.xml, but all settings are optional.

Configuration Elements and Their Attributes

You can use all elements and their attributes in all configuration files (defaults.xml and client_[client number].xml).

Elements

Note that in defaults.xml all elements are required, while in the client configuration (client_[client number].xml) all elements are optional.

Element        Required  Description
Schema         Yes       Basic LDAP schema settings to restrict the LDAP tree
UserSchema     Yes       User-specific LDAP schema settings
GroupSchema    Yes       Group-specific LDAP schema settings
AE             Yes       AE settings for the client synchronization (client number, ...)
GroupMappings  Yes       Mappings between AE and LDAP groups
ARA            Yes       ARA settings, if required

Be aware that elements are never merged. If you use client settings, an element in the client_[client number].xml file replaces that element from defaults.xml as a whole, including all of its attributes.

Example: diverging configuration of a single element

defaults.xml contains the following mapping:

<GroupMappings>
   <map ae="QA" ldap="g1" />
</GroupMappings>

client_10.xml contains the following mapping:

<GroupMappings>
   <map ae="DEV" ldap="g2" />
</GroupMappings>

As a result, only the GroupMappings element from client_10.xml is used for the synchronization of client 10; the mapping from defaults.xml is ignored for that client.

Schema Attributes

Here you configure the distinguished names (DNs) used when searching LDAP for users or groups.

baseDN (String, required)

The root distinguished name (DN) used for searches against LDAP.

Examples:

  • o=example,c=com
  • cn=users,dc=ad,dc=example,dc=com

userDN (String, optional)

Used when searching for users. Restricts the LDAP user search to a single OU (in addition to baseDN).

Example: ou=Users

groupDN (String, optional)

Used when searching for groups. Restricts the LDAP group search to a single OU (in addition to baseDN).

Example: ou=Groups

updateDn (Boolean, optional)

Whether the DN stored for the user is updated:

  • Attribute value is true: the DN of the user is updated
  • Attribute value is not true (false, empty or any other value): the DN of the user is not updated
  • Attribute is not present: the DN of the user is not updated

Example:

<Schema baseDN="DC=QA,DC=spoc,DC=global"
        userDN=""
        groupDN="" 
        updateDn="true"
/>

UserSchema Attributes

UserSchema provides the following settings. The default values are set up for Active Directory (AD).

userFilter (String, required; default for AD: (&(objectCategory=person)(objectClass=user)(sAMAccountName=*)))

The LDAP filter used when searching for user objects. Because the value is an XML attribute, the ampersand of an AND filter must be written as &amp; in the configuration file.

Example: (&(objectCategory=Person)(objectClass=user)(sAMAccountName=*))

userNameAttribute (String, required; default for AD: sAMAccountName)

The attribute used for loading the user name.

Examples: cn, sAMAccountName

userFirstNameAttribute (String, required; default for AD: givenName)

The attribute used for loading the user's first name.

Example: givenName

userLastNameAttribute (String, required; default for AD: sn)

The attribute used for loading the user's last name.

Example: sn

userEmailAttribute (String, required; default for AD: mail)

The attribute used for loading the user's e-mail address.

Example: mail

Example:

<UserSchema userFilter="(&amp;(objectCategory=person)(objectClass=user)(sAMAccountName=*))"
            userNameAttribute="sAMAccountName"
            userFirstNameAttribute="givenName"
            userLastNameAttribute="sn"
            userEmailAttribute="mail" />

GroupSchema Attributes

GroupSchema provides the following settings. The default values are set up for AD.

groupFilter (String, required; default for AD: (objectClass=group))

The LDAP filter used when searching for group objects.

Example: (objectClass=group)

groupNameAttribute (String, required; default for AD: cn)

The attribute used for loading or searching for the group's name.

Example: cn

Example:

<GroupSchema groupFilter="(objectClass=group)"
             groupNameAttribute="cn"
/>

AE Attributes

userDomain (String, required)

The domain (LDAP) / department (AE) of the user. Only AE/LDAP users with this department/domain are synchronized.

Typically this is the last dc= part of the base DN, but not always for AD.

autoDeactivateUsers (Boolean, optional; default: false)

Enables or disables the deactivation of AE user objects:

  • true: LDAP Sync activates or deactivates user objects depending on whether they can be found within the specified domain and search filter
  • false: LDAP Sync does not change the active state of the user object in the AE. Removing a user from LDAP does not delete or deactivate the user object in the AE, but the user can no longer log in to the AE because authentication is done against LDAP.

Example:

<AE userDomain="QA"
    autoDeactivateUsers="false" 
/>

GroupMappings Attributes

GroupMappings defines the mapping between LDAP groups and AE user groups. You have two options: read the mapping from a VARA object in AE client 0 (option 1), or define it with map child elements in the configuration file (option 2).

readFromVaraObject (String, optional)

For option 1, the name of the VARA object stored in AE client 0.

For option 2 (no VARA object), leave the attribute empty or omit it.

Note that the VARA object contents cannot exceed 1023 characters.

If you do not specify a VARA object, you must specify at least one child element of type "map".

You can map an AE user group to one or more LDAP groups. If you specify more than one LDAP group for one AE user group, the members of all these groups are combined (the groups are combined with OR).

Example:

<GroupMappings readFromVaraObject="UC_LDAP_MAPPING_1000" />

AE object VARA.STATIC:

A VARA.STATIC object is used to store and manage the AE-to-LDAP group mappings.

map Element

In the map element, you define the mapping between one AE user group and one or more LDAP groups.

ae (String, required)

The name of the AE user group.

ldap (String, required)

The names of the LDAP groups that are mapped to the AE group. Multiple LDAP group names are separated by commas.

Example: Admin, SuperAdmin

Example (equivalent to the above AE object VARA.STATIC):

<GroupMappings >
    <map ae="Administrator" ldap="AUTOMIC.offerings.admin" />
    <map ae="User" ldap="AUTOMIC.offerings.user" />
</GroupMappings>
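The following Python script is an added example and not part of LDAP Sync or this documentation. It resolves the effective configuration for one client the way the page describes it (an element in the client file replaces the whole element from defaults.xml, with no attribute merging) and then builds the AE-to-LDAP group mapping from the map elements, splitting the comma-separated ldap attribute. The two sample files are constructed for the example; the element and attribute names are those documented on this page.

```python
import xml.etree.ElementTree as ET

# Top-level elements that defaults.xml must contain; a client file may hold any subset.
REQUIRED = ("Schema", "UserSchema", "GroupSchema", "AE", "GroupMappings", "ARA")

# Constructed sample files, modelled on the page's examples (not a real deployment).
DEFAULTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Schema baseDN="DC=QA,DC=example,DC=com" userDN="" groupDN="" updateDn="true"/>
  <UserSchema userFilter="(&amp;(objectCategory=person)(objectClass=user)(sAMAccountName=*))"
              userNameAttribute="sAMAccountName" userFirstNameAttribute="givenName"
              userLastNameAttribute="sn" userEmailAttribute="mail"/>
  <GroupSchema groupFilter="(objectClass=group)" groupNameAttribute="cn"/>
  <AE userDomain="QA" autoDeactivateUsers="false"/>
  <GroupMappings><map ae="QA" ldap="g1"/></GroupMappings>
  <ARA enabled="false"/>
</Configuration>"""
# client_10.xml: overrides only Schema (without updateDn) and GroupMappings.
CLIENT_10_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Schema baseDN="DC=DEV,DC=example,DC=com"/>
  <GroupMappings><map ae="DEV" ldap="g2, g3"/></GroupMappings>
</Configuration>"""

def effective_config(defaults_xml, client_xml):
    """Resolve one client's configuration: a top-level element in the client file
    replaces the whole element from defaults.xml; attributes are never merged."""
    defaults = ET.fromstring(defaults_xml)
    missing = [name for name in REQUIRED if defaults.find(name) is None]
    if missing:
        raise ValueError(f"defaults.xml lacks required element(s): {missing}")
    effective = {name: defaults.find(name) for name in REQUIRED}
    for elem in ET.fromstring(client_xml):
        if elem.tag in REQUIRED:
            effective[elem.tag] = elem  # whole-element override
    return effective

def group_mapping(config):
    """AE user group -> set of LDAP groups; comma-separated ldap names are the
    groups whose members are combined with OR."""
    gm = config["GroupMappings"]
    if gm.get("readFromVaraObject"):
        return {}  # option 1: the mapping lives in the VARA object, not in the file
    mapping = {}
    for m in gm.findall("map"):
        groups = {g.strip() for g in m.get("ldap", "").split(",") if g.strip()}
        mapping.setdefault(m.get("ae"), set()).update(groups)
    if not mapping:
        raise ValueError("GroupMappings needs readFromVaraObject or at least one map")
    return mapping
```

For client 10 the resolved Schema carries no updateDn attribute, because the client's Schema element replaced the default one entirely.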

ARA Attributes

You can enable ARA synchronization. If you do, you also configure the connection to the ARA instance that is to be synchronized.

enabled (Boolean, required)

  • true: ARA synchronization is enabled
  • false: ARA synchronization is disabled

url (String, required if ARA is enabled)

URL of the ARA instance that is connected to the AE client.

username (String, required if ARA is enabled)

User name of the ARA user with permissions to create and edit users in ARA.

password (String, required if ARA is enabled)

Password of the ARA user used to manage users in ARA.

You enter or modify the password as plain text. It is encrypted during the next synchronization run and stored in the configuration file in encrypted form. Until that run the file holds the password in plain text, so restrict access to the file accordingly.

Example: ARA disabled

<ARA enabled="false" />

Example: ARA enabled

<ARA enabled="true"
     url="http://localhost:5555"
     username="AE/1000/BOND/BOND"
     password="bond"
/>

Example 1: defaults.xml

<?xml version="1.0" encoding="UTF-8"?>
<Configuration>

    <Schema baseDN="DC=sbb01,DC=spoc,DC=global"
            userDN=""
            groupDN="" />

    <UserSchema userFilter="(&amp;(objectCategory=person)(objectClass=user)(sAMAccountName=*))"
                userNameAttribute="sAMAccountName"
                userFirstNameAttribute="givenName"
                userLastNameAttribute="sn"
                userEmailAttribute="mail" />

    <GroupSchema groupFilter="(objectClass=group)"
                 groupNameAttribute="cn" />

    <AE userDomain="sbb01"
        autoDeactivateUsers="false" />

    <GroupMappings>
        <map ae="Administrator" ldap="AUTOMIC.offerings.admin" />
        <map ae="User" ldap="AUTOMIC.offerings.user" />
    </GroupMappings>

    <ARA enabled="false" />

</Configuration>

Example 2: Minimal client_[client number].xml to enable the sync with default values

<?xml version="1.0" encoding="UTF-8"?>
<Configuration>

    <!-- This just enables the sync for this client
         with defaults from ./defaults.xml -->

</Configuration>

Example 3: client_[client number].xml to enable the sync with domain AUTOMIC

<?xml version="1.0" encoding="UTF-8"?>
<Configuration>

    <!-- This just enables the sync for this client
         with defaults from ./defaults.xml -->

    <!-- Here we switch the domain for this client
         to AUTOMIC, all other settings stay the same -->
    <Schema baseDN="DC=AUTOMIC,DC=spoc,DC=global"
            userDN=""
            groupDN="" />

    <AE userDomain="AUTOMIC"
        autoDeactivateUsers="false" />

</Configuration>