Sync Policies
Use LDAP synchronization policies to synchronize accounts from an LDAP server to INC. The LDAP user information is synchronized every morning (INC server time) by the periodic LDAP synchronization. To synchronize the LDAP user information immediately, click the Synchronize link for an LDAP sync policy. To view the synchronization result, click Synchronization Result.
Features
- Add/Modify Sync Policies
Procedure
- Click the User tab, and then select Device User Policy > LDAP Service > Sync Policies from the navigation tree.
- Click Add to create an LDAP sync policy, or click the icon next to the LDAP sync policy you want to modify.
- Set the LDAP synchronization parameters, such as the policy name, server name, and filter conditions.
- Sub-Base DN: Absolute path of the subdirectory that stores user data on the LDAP server. The sub-base DN must be part of the base DN of the server.
- Filter Condition: The basic format is "attribute name=value". The value supports fuzzy matching with *. For example, cn=He* matches all nodes whose cn attribute value starts with He. For a combined query, enclose each filter condition in its own pair of parentheses, put an operator in front of the first left parenthesis to indicate the relationship between them (& for AND, | for OR, ! for NOT), and enclose the whole string in a pair of parentheses.
- Auto Synchronization: Automatically synchronizes accounts in the early morning every day (by the INC server time).
- On-Demand Sync: When a PAP or EAP-MD5 authentication user who is maintained in the LDAP server but not in TAM requests authentication, this feature allows TAM to automatically forward the request to the LDAP server, which authenticates the user. After the user passes authentication, the user is automatically synchronized to INC. This feature does not apply to users that authenticate with CHAP or with any certificate.
- Synchronize New Device Users: With this option selected, a user that exists in the LDAP server but not in TAM is added to TAM during synchronization.
- Synchronize Users in Current Node: When this option is selected, TAM synchronizes users in the current sub-base DN only, but does not synchronize any subordinate OU users. When this option is not selected, TAM synchronizes users in the sub-base DN and all subordinate OUs.
- Click Next.
- Specify the mappings between device user parameters and LDAP server attributes. During synchronization, TAM will read the values of the LDAP server attributes and use them as the parameter values of the device users.
- Click Finish.
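The filter syntax described under Filter Condition above, as an added example that is not part of the INC/TAM documentation: a small Python helper that builds a basic "attribute name=value" condition, combines conditions with &, | and !, and checks that the result is well-formed. Values are escaped as defined in RFC 4515 so that parentheses, backslashes or NUL bytes in a value cannot change the structure of the filter; the function names and the sample values are my own.

```python
# Added example, not INC/TAM code: build and check LDAP filter strings.
import re

# RFC 4515 escapes; '*' is handled separately because it is the fuzzy-match wildcard.
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")  # e.g. cn, objectClass


def escape_value(value: str, allow_wildcard: bool = True) -> str:
    """Escape an assertion value; '*' survives only when fuzzy matching is wanted."""
    out = []
    for ch in value:
        if ch == "*":
            out.append("*" if allow_wildcard else r"\2a")
        else:
            out.append(_ESCAPES.get(ch, ch))
    return "".join(out)


def condition(attr: str, value: str, allow_wildcard: bool = True) -> str:
    """One basic condition, e.g. condition("cn", "He*") -> "(cn=He*)"."""
    if not _ATTR_RE.match(attr):
        raise ValueError(f"invalid attribute name: {attr!r}")
    return f"({attr}={escape_value(value, allow_wildcard)})"


def combine(op: str, *conds: str) -> str:
    """Combined query: operator before the first '(' and the whole string in parentheses."""
    if op not in ("&", "|", "!"):
        raise ValueError("operator must be &, | or !")
    if op == "!" and len(conds) != 1:
        raise ValueError("! takes exactly one condition")
    if not conds:
        raise ValueError("at least one condition is required")
    return f"({op}{''.join(conds)})"


def is_well_formed(flt: str) -> bool:
    """Structural check: parentheses balanced and the whole filter enclosed in one pair."""
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(flt) - 1):
                return False
    return depth == 0
```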
- Delete Sync Policies
Procedure
- Click the User tab, and then select Device User Policy > LDAP Service > Sync Policies from the navigation tree.
- Click the icon next to the policy you want to delete.
A confirmation dialog box appears.
- Click OK.
- Validate On-Demand Synchronization
Procedure
- Click the User tab, and then select Device User Policy > LDAP Service > Sync Policies from the navigation tree.
- Click On-Demand Sync.
Remarks
- For users who do not exist in INC, synchronization from LDAP to INC is performed according to the configured sync policies.
- For users who already exist in INC, INC does not synchronize any settings that were manually entered or selected in the sync policy (including the password).
- In a sync policy, On-Demand Synchronization and Synchronize New Device Users cannot both be selected.
- Do not configure overlapping sub-base DNs and filter conditions for different synchronization policies. If a user is managed by two or more synchronization policies, the user will be bound to different policies in different synchronization processes.
- When a user that uses an on-demand sync policy logs in for the first time, and the policy specifies user attributes to be synchronized from the LDAP server, INC synchronizes only the account name and password attributes when it adds the account to INC, so that the user can get online quickly. The other attributes are synchronized later, either manually or automatically in the early morning of the next day (at 3:00 a.m. by default, according to the INC server time).
- To delete an LDAP sync policy that is bound to users, remove the bindings first.
- To configure and use multiple on-demand synchronization policies, validate them in bulk by clicking the On-Demand Sync button after adding or modifying all synchronization policies.
- LDAP users cannot log in to the TAM Self-Service Center before data synchronization through LDAP sync policies.