Add/Modify Sync Policy
Depending on the type of users to be synchronized, you can add or modify an LDAP synchronization policy for access users or for device management users.
Operation Procedure
- Select the User tab, and then select User Access Policy > LDAP Service > Sync Policy from the navigation tree to enter the LDAP synchronization policy configuration page.
- Click Add, or click the link of the LDAP synchronization policy you want to modify.
- Configure basic LDAP synchronization information (including the policy name, server name, and filter condition), select access users as the synchronized users, and then click Next.
  - If the server type is Microsoft AD and the service sync type is AD group-based, go to step 4 (associate LDAP groups with services).
  - If the server type is general or Microsoft AD, and the service sync type is manual assignment, go to step 5 (specify the parameter mappings).
- Associate LDAP groups with services.
- Specify the mappings between INC user parameters and LDAP server attributes. During synchronization, INC reads the values of the LDAP server attributes and uses them as the parameter values of the platform users/access users. If the service sync type of the LDAP server for the synchronization policy is AD group-based, you do not need to select services for users, because this was already done in step 4.
- Click OK.
Precautions
- If the system already has LDAP synchronization policies, do not add, delete, or modify additional information on the User > User Management > Additional Information page. Otherwise, the existing synchronization policies become invalid. Once an LDAP synchronization policy becomes invalid, you must manually modify the synchronization policy, reconfigure the way additional information is synchronized, and change the state of the policy from Invalid to Valid.
- When modifying a synchronization policy, you cannot modify the policy name or the LDAP server.
- When synchronizing LDAP users to INC, note that:
1) For users that do not exist in INC, synchronization takes place according to the configured synchronization policy.
2) If an LDAP user already exists in INC, UAM synchronizes all attributes that require LDAP synchronization according to the synchronization policy, but it does not synchronize any manual settings except the User Group parameter.
- If the service sync type of the LDAP server for a synchronization policy is AD group-based, the service of a user synchronized by using the policy depends on the LDAP group to which the user belongs, the LDAP group-service association, and the structure of the LDAP group on the LDAP server. The service for such a user is selected in this way: in the tree structure that takes the user as the root and the direct and indirect groups to which the user belongs as nodes, select the service that is at the level closest to the user and has the highest priority.
- The LDAP protocol interfaces of Microsoft Active Directory (AD) do not support querying the affiliation between the domain user group and users or other groups. Therefore, do not use domain users and the groups they are affiliated with when setting the AD group-to-service mapping. Instead, it is recommended to use the groups created by the administrator according to the network user organization, or to create a dedicated set of groups, which facilitates management and makes the structure clearer.
- If the access service bound with the LDAP users is EAP-PEAP MS-CHAPv2 authentication, you need to configure the parameters for domain controller-assisted PEAP authentication.
- Do not configure overlapping Sub-Base DN and filter conditions for different synchronization policies. If a user is managed by two or more synchronization policies, it is operated repeatedly.
- INC can speed up LDAP user access when the Synchronize Users as Needed option is selected and LDAP user attributes are configured to be synchronized from the LDAP server. When an LDAP user logs in for the first time, INC automatically synchronizes only the account name, and leaves the other attributes to be synchronized manually later or automatically during the periodic LDAP synchronization (at 3:00 a.m. every day by default, according to the INC server time). If binding information is configured to be synchronized from the LDAP server, the binding information cannot be checked before it is synchronized.
- If a user account is associated with an LDAP synchronization policy, UAM connects to the LDAP server to verify the password of the user account, even if the LDAP synchronization policy is configured to synchronize passwords from the LDAP server. The local password configured in the LDAP synchronization policy takes effect only when the account is not associated with the policy.
- You must set the account end time to be earlier than January 1st, 2038. In user synchronization, the system sets the end time to January 1st, 2038 for the accounts whose end time is later than January 1st, 2038. The end time is not displayed for the accounts whose end time is January 1st, 2038.
- When the synchronized user type is device management user, the function of viewing LDAP user list is not provided in the synchronization policy configuration page list.
Parameters
Basic Parameters
- Sync Priority: Specifies the priority of an LDAP synchronization policy, an integer in the range of 1 to 9999. The greater the value, the higher the priority. UAM executes scheduled LDAP synchronization policies according to their priorities. LDAP synchronization policies can have the same priority, in which case they are executed in a random order.
- Sub-Base DN: Enter a sub-base DN. The base DN is the root node that saves user data on the LDAP server. As subsets of the base DN, sub-base DNs are used for finer classification and management of user data.
- Filter Condition: The basic format is "attribute name=value". The value part supports fuzzy match by *. For example, cn=He* matches all nodes whose cn attribute value starts with He. For a combined query, enclose each filter condition in a pair of parentheses, put an operator in front of the first left parenthesis to indicate the relationship between them (& for AND, | for OR, ! for NOT), and enclose the whole string in a pair of parentheses. You can also use filter conditions to handle expired users during synchronization (n is an integer in the range of 1 to 3650):
  - accountExpires>=now: filter out expired users.
  - accountExpires<=now: synchronize only the currently expired users.
  - accountExpires>=now+n: filter out expired users and users that will expire within n days.
  - accountExpires>=now-n: filter out users that have already been expired for n days.
  - accountExpires<=now+n: synchronize only the expired users and users that will expire within n days.
  - accountExpires<=now-n: synchronize only the users that have been expired for at least n days.
- Status: Valid or Invalid. A synchronization policy in the Invalid state cannot be used for on-demand synchronization or common synchronization. Users that have been synchronized to INC by the policy before the policy became invalid are not affected. They can be authenticated to log in and use self-services.
- Sync Object: When you add a sync policy, select the Access Users type to configure the LDAP synchronization policy for access users.
- Auto Synchronization: Enables UAM to synchronize LDAP users at the time specified by the LDAP Sync/Backup Task parameter every day.
- Synchronize Users as Needed: When a PAP or EAP-MD5 authentication user maintained on the LDAP server but not in the UAM system requests access authentication, this feature allows UAM to automatically forward the request to the LDAP server, which authenticates the user. After the user passes authentication, the user's information is automatically synchronized to INC if the number of users managed by INC has not reached the license limit. If the number of users managed by INC has reached the limit, INC logs out the user without synchronizing the user's information. Note that this synchronization feature is not applicable to users using CHAP or any certificates for authentication. To synchronize LDAP users on demand in PEAP/MS-CHAPv2 authentication, make sure the following conditions are met:
  - A default access policy is configured for the service that is assigned to the synchronized LDAP users.
  - The Access Forbidden option is not configured for the default access policy.
  - The EAP-PEAP and MS-CHAPv2 options are configured for the default access policy.
  When an LDAP user initiates an EAP authentication process for the first time, UAM checks whether the user meets these conditions. If so, UAM synchronizes the LDAP user account as a regular access account, regardless of the result of user authentication.
- Enable Third-Party Authentication: Select this option to enable third-party authentication for the LDAP users synchronized from this policy. If you do not select this option, LDAP users synchronized from this policy will use LDAP authentication.
- Synchronize New Users and Accounts: With this option selected, if a user exists in the LDAP server but does not in INC, the user will be added in the INC and an access user will be added in the UAM component accordingly during synchronization.
- Synchronize New Accounts of Existing Users: With this option selected, if a user exists in both the LDAP server and INC platform but no corresponding access user exists in the UAM component, an access user will be added in the UAM component for the user during synchronization.
- Synchronize Users in Current Node Only: When this option is selected, INC synchronizes users in the current Sub-Base DN only, but does not synchronize any subordinate OU users. When this option is not selected, INC synchronizes users in the Sub-Base DN and all subordinate OUs.
- Inherit Parent Group's Service: When this option is selected, if no service is specified for the user group to which the current LDAP user belongs, the system queries the parent group for a service. If no service is specified for the parent group, the system queries the parent group to which this parent group belongs until a service or a root user group is found. This option is available only when the function of applying for service by user group is enabled, and Synchronized by OU and Manually Specify are selected.
- Filter out Computer Accounts: This option enables UAM to filter out computer accounts during LDAP synchronization. Clear this option if you want to synchronize computer accounts from the LDAP server.
- User Group: If you select Manually Specify, you can specify a user group and all synchronized users will be assigned to the user group. If you select Synchronized by OU, this option is not available. Users in different OUs will be synchronized to the user groups corresponding to these OUs.
- SMS Message: When an LDAP user opens an account as an access user, send an SMS to notify the access user of the account password.
- Email: When an LDAP user opens an account as an access user, send an email to notify the access user of the account password.
AD Group Synchronization Parameters
- Default Service: Service applied to a user if no specific service is found for the user according to the service assignment rules.
- Service Query Level: Maximum number of service query levels for searching a service for a user in the tree structure consisting of the user and the direct and indirect groups to which the user belongs. For more information about groups and services, refer to Supplement About Relationships Between LDAP Groups and Services.
- Priority: When a user belongs to multiple user groups, the user uses the service configured for the user group with a higher priority.
- Service Configuration: Configure the service assigned to the selected user group. You cannot configure a service that dynamically assigns IP addresses.
- AD Group Detailed Information: Used to query AD group detailed information, such as AD group name, AD group distinguished name, AD group description, the group to which the AD group belongs, and member group list.
Operation Procedure
- Select the User tab, and then select User Access Policy > LDAP Service > Sync Policy from the navigation tree to enter the LDAP synchronization policy configuration page.
- Click Add, or click the link of the LDAP synchronization policy you want to modify.
- Configure basic LDAP synchronization information (including the policy name, server name, and filter condition), select device management users as the synchronized users, and then click Next.
- Specify the items to be synchronized for device management users.
- Click OK.
Precautions
- When modifying a synchronization policy, you cannot modify the policy name or the LDAP server.
- Do not configure overlapping Sub-Base DN and filter conditions for different synchronization policies. If a user is managed by two or more synchronization policies, it is operated repeatedly.
- If a user account is associated with an LDAP synchronization policy, UAM connects to the LDAP server to verify the password of the user account, even if the LDAP synchronization policy is configured to synchronize passwords from the LDAP server. The local password configured in the LDAP synchronization policy takes effect only when the account is not associated with the policy.
- When you synchronize user accounts by using an LDAP synchronization policy, make sure the account names synchronized from the LDAP server meet the following requirements:
  - The account name cannot be empty.
  - An account name can contain a maximum of 90 characters.
  - An account name cannot contain forward slashes (/), at signs (@), backslashes (\), apostrophes ('), or consecutive spaces, and it cannot end with a dollar sign ($).
  If an account name does not meet these requirements, authentication fails for the related user.
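The account-name requirements above can be checked before a synchronization run so that users who would fail authentication are found in advance. The following is an added example (not INC's own code); it assumes the synchronized account name comes from the sAMAccountName attribute, and the directory entries are constructed sample data.

```python
# Account-name requirements for LDAP-synchronized users, as listed on this page:
# non-empty, at most 90 characters, none of / @ \ ', no consecutive spaces,
# and no trailing dollar sign.
MAX_LEN = 90
FORBIDDEN_CHARS = set("/@\\'")


def check_account_name(name: str) -> list[str]:
    """Return the list of violated requirements (empty if the name is acceptable)."""
    problems = []
    if name == "":
        problems.append("empty")
        return problems
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    if "  " in name:
        problems.append("consecutive spaces")
    if name.endswith("$"):
        problems.append("ends with $")
    return problems


def audit_account_names(entries):
    """Pre-sync audit over (dn, account_name) pairs; returns {dn: problems}
    for every entry that would fail authentication after synchronization.
    Assumption: the account name is taken from sAMAccountName."""
    return {dn: p for dn, n in entries if (p := check_account_name(n))}


# Constructed sample entries (not real directory data). AD computer objects have
# a sAMAccountName ending in "$", so they fail the last rule unless the
# Filter out Computer Accounts option keeps them out of the synchronization.
SAMPLE_ENTRIES = [
    ("CN=Alice Liu,OU=NetOps,DC=example,DC=com", "alice.liu"),
    ("CN=SW-CORE-01,OU=Computers,DC=example,DC=com", "SW-CORE-01$"),
    ("CN=Bob Smith,OU=NetOps,DC=example,DC=com", "bob  smith"),
    ("CN=Svc,OU=NetOps,DC=example,DC=com", "svc@example.com"),
]

if __name__ == "__main__":
    for dn, problems in audit_account_names(SAMPLE_ENTRIES).items():
        print(dn, "->", "; ".join(problems))
```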
Parameters
Basic Parameters
- Sub-Base DN: Enter a sub-base DN. The base DN is the root node that saves user data on the LDAP server. As subsets of the base DN, sub-base DNs are used for finer classification and management of user data.
- Filter Condition: The basic format is "attribute name=value". The value part supports fuzzy match by *. For example, cn=He* matches all nodes whose cn attribute value starts with He. For a combined query, enclose each filter condition in a pair of parentheses, put an operator in front of the first left parenthesis to indicate the relationship between them (& for AND, | for OR, ! for NOT), and enclose the whole string in a pair of parentheses. You can also use filter conditions to handle expired users during synchronization (n is an integer in the range of 1 to 3650):
  - accountExpires>=now: filter out expired users.
  - accountExpires<=now: synchronize only the currently expired users.
  - accountExpires>=now+n: filter out expired users and users that will expire within n days.
  - accountExpires>=now-n: filter out users that have already been expired for n days.
  - accountExpires<=now+n: synchronize only the expired users and users that will expire within n days.
  - accountExpires<=now-n: synchronize only the users that have been expired for at least n days.
- Status: Valid or Invalid. A synchronization policy in the Invalid state cannot be used for on-demand synchronization or common synchronization. The system does not remove existing temporary users when the policy becomes invalid. Users that were synchronized to INC by the policy before it became invalid can still log in through authentication and use self-services.
- Sync Object: When you add a sync policy, select the Device Mgmt Users type to configure the LDAP synchronization policy for device management users.
- Auto Synchronization: Enables UAM to synchronize LDAP users at the time specified by the LDAP Sync/Backup Task parameter every day.
- Add Device Management User: If a user on the LDAP server is not a device management user in the UAM, this feature adds the user to the UAM as a device management user.
- Synchronize Users in Current Node Only: When this option is selected, INC synchronizes users in the current Sub-Base DN only, but does not synchronize any subordinate OU users. When this option is not selected, INC synchronizes users in the Sub-Base DN and all subordinate OUs.