tutorial:adm:ad_groups_sync [2021/08/31 14:03] stekld |
tutorial:adm:ad_groups_sync [2024/02/16 15:31] (current) kotynekv [Connector configuration] msDS-parentdistname info |
* **Entry object classes** - List of all objectClasses groups have in AD. It is necessary to find just groups. With wrong settings, it could find even users. Usual values: top, group (every value on a single line) | * **Entry object classes** - List of all objectClasses groups have in AD. It is necessary to find just groups. With wrong settings, it could find even users. Usual values: top, group (every value on a single line) |
* **Group search scope** - Default subtree. Options: object, onelevel or subtree. It means where it will search for groups. As a **subtree**, a search will start on paths in **Base context** and it will search in every **Organization Unit** in this path. FIXME All behave the same on the current version, so other options can't be used: <del>**onelevel** ("onlevel" is a typo) will search just one **OU**, where distinguished names of **Base context** points to and the last **object** means, in **Base context** there are DNs of groups we want to synchronize.</del> | * **Group search scope** - Default subtree. Options: object, onelevel or subtree. It means where it will search for groups. As a **subtree**, a search will start on paths in **Base context** and it will search in every **Organization Unit** in this path. FIXME All behave the same on the current version, so other options can't be used: <del>**onelevel** ("onlevel" is a typo) will search just one **OU**, where distinguished names of **Base context** points to and the last **object** means, in **Base context** there are DNs of groups we want to synchronize.</del> |
* **Custom group search filter** - this enables additional filter for groups, which will be searched for. You can use it e.g. to filter out roles with some specific substrings in their CN by using LDAP filter ''(&(!(cn=*Administrator*))(!(cn=*Auditor*)))''. However, you can't use a filter by whole distinguishedName. | * **Custom group search filter** - this enables additional filter for groups, which will be searched for. You can use it e.g. to filter out roles with some specific substrings in their CN by using LDAP filter ''(&(!(cn=*Administrator*))(!(cn=*Auditor*)))''. However, you can't use a filter with wildcards by whole distinguishedName attributes (''distinguishedName'', ''member'', ''manager'' etc.). If you want to for example exclude a certain OU from searches use ''msDS-parentdistname'' attribute instead (available since Windows Server 2012), e.g. ''(!(msDS-parentdistname=OU=Excluded,DC=example,DC=tl))''. |
* **Base contexts for group entry searches** - list of distinguished names (paths), where it will search for groups. | * **Base contexts for group entry searches** - list of distinguished names (paths), where it will search for groups. |
* **Group members reference attribute** - a name of the attribute, which indicates membership. It contains whole DNs of users. | * **Group members reference attribute** - a name of the attribute, which indicates membership. It contains whole DNs of users. |
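Review bot: In the reworded "Custom group search filter" bullet, the ''msDS-parentdistname'' example needs a caveat about nesting. The attribute holds the DN of an object's direct parent, so ''(!(msDS-parentdistname=OU=Excluded,DC=example,DC=tl))'' drops only groups sitting immediately in OU=Excluded; groups in OUs nested below it still match and would be synchronized. Please say so in the sentence and note that each nested OU needs its own clause, ANDed together like the existing ''cn'' example. Two wording points in the same bullet: "by whole distinguishedName attributes" reads more clearly as "on attributes holding a DN", and "If you want to for example exclude" should be "If you want to exclude, for example, a certain OU from searches, use the".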
| |
Another way to solve this problem is by using "Custom group search filter" in the system configuration. </note> | Another way to solve this problem is by using "Custom group search filter" in the system configuration. </note> |
| |
| |
===== Connector's mapping ===== | ===== Connector's mapping ===== |