Comment: Published by Scroll Versions from space DTPDEVEL and version 2025.1

...

Base DN

The base DN is the context DN (distinguished name) where the directory objects reside. If empty, User Administration will use the root DN of the directory tree. Organizational units (ou) and domain components (dc) are used to define directory tree structures.

The following example shows how an organization could structure its directory:

ou=US,ou=People,dc=company,dc=com

ou=Europe,ou=People,dc=company,dc=com

ou=Asia,ou=People,dc=company,dc=com

In this example, you would enter the following base DNs to scan users from Europe and Asia only.

ou=Europe,ou=People,dc=company,dc=com

ou=Asia,ou=People,dc=company,dc=com

Filter

Enter an expression in the Filter field to search on specific parameters. Searches are performed on the base DN(s) and specified scope. The following examples describe some of the ways filters can be used:

Simple filter for users under provided base DN:

(objectclass=person)

Find "devel1" and "devel2" users only:

(&(objectclass=devel1)(objectclass=devel2))

Find users that are members of group "Managers":

(&(objectclass=person)(memberOf=cn=Managers,cn=Users,ou=company,ou=com))

About Filter Settings in Previous Versions of DTP

In versions of DTP prior to 5.4, the LDAP filter configuration included an extra attribute and template: uid={0}. This attribute and template have been removed in version 5.4 and later. If you upgraded to 5.4 or later from a previous version, however, the uid={0} attribute will be set to uid=* for compatibility with the current LDAP user import functionality. This change should not affect your experience, but we recommend verifying that your user and group import settings function as expected.

Restrict To Groups

Enable this option to import only the users that belong to a group specified in the Group Import Settings. Users that do not belong to a group configured in Group Import Settings will not be imported.

Attribute Mappings

The attribute mappings section defines how User Administration attributes (user login name, first name, last name, and email) map to directory object attributes (uid, givenName, sn, and mail). You can use the default mappings or configure the attributes to align with your LDAP server. Refer to the documentation for your LDAP server.

Username

This field is used for the login name in User Administration. The uid attribute is commonly used to identify users in LDAP servers. In Active Directory, the sAMAccountName attribute is used as the client login name. When importing users, usernames are limited to 70 characters.

Default is uid.

First Name

This field is used for the user's first name in User Administration. The givenName attribute is commonly used to specify users' first name in LDAP servers. When importing users, first names are limited to 49 characters.

Default is givenName.

Last Name

This field is used for the user's last name (surname) in User Administration. The sn attribute is commonly used to specify users' last name in LDAP servers. Default is sn. When importing users, last names are limited to 81 characters.

Email Address

This field is used for the user's email address in User Administration. The mail attribute is commonly used to specify users' email address in LDAP servers. Default is mail. When importing users, email addresses are limited to 256 characters.

Member Of

This field is used to associate users in User Administration with LDAP groups. Default is memberOf. See Advanced Settings for additional information.
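
The following script is an added example, not part of this documentation or of the DTP product, that applies the default attribute mappings above to LDAP entries and reports values that would exceed the documented import limits (70, 49, 81 and 256 characters) or collide on the login name. Running such a pre-scan before an import shows which accounts need attention in the directory. The entries are constructed sample data; the `active_directory_mappings` variant, which substitutes sAMAccountName for the login name, is an assumption based on the note above about Active Directory.

```python
# Default mapping: User Administration field -> (LDAP attribute, max length)
# Attribute names and limits are taken from the Attribute Mappings section.
DEFAULT_MAPPINGS = {
    "username":   ("uid", 70),
    "first_name": ("givenName", 49),
    "last_name":  ("sn", 81),
    "email":      ("mail", 256),
}


def active_directory_mappings():
    """Assumed variant: Active Directory logins use sAMAccountName, not uid."""
    mappings = dict(DEFAULT_MAPPINGS)
    mappings["username"] = ("sAMAccountName", 70)
    return mappings


def map_entry(entry, mappings=DEFAULT_MAPPINGS):
    """Map one LDAP entry (attribute -> list of values) onto the User
    Administration fields.  Returns (record, problems): problems lists
    fields whose attribute is missing or whose value exceeds its limit."""
    record, problems = {}, []
    for field, (attr, limit) in mappings.items():
        values = entry.get(attr, [])
        if not values:
            record[field] = None
            problems.append(f"{field}: attribute {attr} missing")
            continue
        value = values[0]  # LDAP attributes are multi-valued; take the first
        record[field] = value
        if len(value) > limit:
            problems.append(
                f"{field}: {len(value)} characters exceeds limit of {limit}")
    return record, problems


def prescan(entries, mappings=DEFAULT_MAPPINGS):
    """Check every entry (dn -> attributes).  Returns {dn: problems} for the
    entries that need attention, including login names that differ only in
    case, since the username is the login identity after import."""
    report, seen = {}, {}
    for dn, entry in entries.items():
        record, problems = map_entry(entry, mappings)
        name = record["username"]
        if name is not None:
            key = name.lower()
            if key in seen:
                problems.append(f"username: duplicates {seen[key]}")
            else:
                seen[key] = dn
        if problems:
            report[dn] = problems
    return report


# Constructed sample directory entries (not real accounts).
SAMPLE_ENTRIES = {
    "uid=anna,ou=Europe,ou=People,dc=company,dc=com": {
        "uid": ["anna"], "givenName": ["Anna"], "sn": ["Schmidt"],
        "mail": ["anna@company.com"]},
    "uid=li,ou=Asia,ou=People,dc=company,dc=com": {
        "uid": ["li"], "givenName": ["L" * 50], "sn": ["Wang"],
        "mail": ["li@company.com"]},
    "uid=Anna,ou=US,ou=People,dc=company,dc=com": {
        "uid": ["Anna"], "givenName": ["Anna"], "sn": ["Jones"]},
}


if __name__ == "__main__":
    for dn, problems in prescan(SAMPLE_ENTRIES).items():
        print(dn)
        for problem in problems:
            print("  -", problem)
```

Only the first entry passes cleanly: the second has a 50-character first name, and the third lacks a mail attribute and collides with the first entry's login name once case is ignored.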

...

User search scope

Choose one of the following options from the menu to set the user search scope:

  • Object: Restricts search to the base DN. The maximum number of objects returned is always one.
  • One Level: Restricts search to the immediate children of the base DN. The base DN object is also excluded.
  • Subtree: All child objects, as well as the base DN, are searched. You can request the LDAP provider to chase referrals to other LDAP directory services, including other directory domains or forests.
Group search scope

Choose one of the following options from the menu to set the group search scope:

  • Object: Restricts search to the base DN. The maximum number of objects returned is always one.
  • One Level: Restricts search to the immediate children of the base DN. The base DN object is also excluded.
  • Subtree: All child objects, as well as the base DN, are searched. You can request the LDAP provider to chase referrals to other LDAP directory services, including other directory domains or forests.
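
The following is an added example, not code from this documentation or from DTP, that shows how the Base DN, Filter and search scope settings described above combine to select entries. It runs against a constructed in-memory directory rather than a live server and implements only the filter subset used on this page (equality matches with `*` wildcards combined with `&`, `|` and `!`). It also includes RFC 4515 escaping for values that are interpolated into a filter, which is the check to apply whenever a filter is assembled from data such as a login name, since an unescaped `*` or `)` changes the meaning of the filter and can widen the set of imported users.

```python
import re

# The three scopes offered in the User search scope / Group search scope menus.
OBJECT, ONE_LEVEL, SUBTREE = "object", "onelevel", "subtree"

# Constructed sample entries: DN -> attributes (attribute -> list of values).
DIRECTORY = {
    "ou=People,dc=company,dc=com": {"objectclass": ["organizationalUnit"]},
    "ou=Europe,ou=People,dc=company,dc=com": {"objectclass": ["organizationalUnit"]},
    "uid=anna,ou=Europe,ou=People,dc=company,dc=com": {
        "objectclass": ["person"], "uid": ["anna"], "sn": ["Schmidt"],
        "memberOf": ["cn=Managers,cn=Users,dc=company,dc=com"]},
    "uid=li,ou=Asia,ou=People,dc=company,dc=com": {
        "objectclass": ["person"], "uid": ["li"], "sn": ["Wang"], "memberOf": []},
    "uid=bob,ou=US,ou=People,dc=company,dc=com": {
        "objectclass": ["person"], "uid": ["bob"], "sn": ["Jones"],
        "memberOf": ["cn=Managers,cn=Users,dc=company,dc=com"]},
}

_RDN_SPLIT = r'(?<!\\),'  # comma not preceded by a backslash separates RDNs


def normalize(dn):
    """Canonical form for comparing DNs: trimmed RDNs, lower-cased."""
    return ",".join(p.strip() for p in re.split(_RDN_SPLIT, dn)).lower()


def dn_parent(dn):
    """Everything after the first unescaped comma, or '' for a root DN."""
    m = re.search(_RDN_SPLIT, dn)
    return dn[m.end():] if m else ""


def in_scope(base_dn, entry_dn, scope):
    """Apply the Object / One Level / Subtree semantics from the page."""
    base, entry = normalize(base_dn), normalize(entry_dn)
    if scope == OBJECT:
        return entry == base                         # only the base DN itself
    if scope == ONE_LEVEL:
        return normalize(dn_parent(entry)) == base   # immediate children, base excluded
    if scope == SUBTREE:
        return entry == base or entry.endswith("," + base)  # base and all descendants
    raise ValueError(f"unknown scope {scope!r}")


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def parse_filter(text):
    """Parse (attr=value), (&...), (|...) and (!...) into a tuple tree."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing input after filter: " + rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("filter component must start with '('")
    s = s[1:]
    if s and s[0] in "&|!":
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unbalanced parentheses in filter")
        return (op, kids), s[1:]
    end = s.index(")")
    attr, _, value = s[:end].partition("=")
    return ("=", attr.strip().lower(), value), s[end + 1:]


def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def _value_matches(pattern, actual):
    # Unescaped '*' is a wildcard; an escaped \2a is a literal asterisk.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "=":
        _, attr, pattern = node
        values = [v for k, vs in attrs.items() if k.lower() == attr for v in vs]
        return any(_value_matches(pattern, v) for v in values)
    op, kids = node
    if op == "&":
        return all(matches(k, attrs) for k in kids)
    if op == "|":
        return any(matches(k, attrs) for k in kids)
    return not matches(kids[0], attrs)  # "!"


def search(base_dn, scope, filter_text, directory=DIRECTORY):
    """Return the sorted DNs under base_dn (within scope) that satisfy the filter."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(base_dn, dn, scope) and matches(node, attrs))
```

With this in place, `search("ou=Europe,ou=People,dc=company,dc=com", SUBTREE, "(objectclass=person)")` returns only the European user, a One Level search from `ou=People,dc=company,dc=com` returns the `ou=Europe` container but none of the users beneath it, and a login name passed through `escape_filter_value` can no longer act as a wildcard.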
Referral

Choose Follow from the menu to enable JNDI lookup. Choose this option for Active Directory servers configured without a DNS.

Choose Ignore from the menu to ignore communication errors when Active Directory returns domain names for referrals other than the name specified in the server.

Page size

This setting specifies the number of record requests per page. Setting a page size allows the server to send the data in pages as the pages are being built. Default is 1000.

Membership strategy

This setting specifies how group membership is correlated when importing users from LDAP. User Administration can correlate users based on their member or memberOf attribute from the LDAP server.

  • Choose Use "Member" Attribute from the menu and groups will be associated with users based on the group Member attribute. The Group Import Settings must be enabled to use this membership strategy.
  • Choose Use "Member Of" Attribute from the menu and users will be associated with groups based on the user Member Of attribute. You can set the Member Of attribute in the User Import Settings.
Sync group membership

Enable this option to update user attributes and permissions based on group membership from LDAP. If enabled, User Administration will refer to LDAP as the system of record for user membership. Any user/group associations made in User Administration that differ from the membership associations in LDAP will be removed or overwritten by the associations stored in LDAP. User Administration applies directory configurations in reverse sequence as they appear in the User Directories page. As a result, the directory at the top of the list takes precedence and should be the directory with Sync Group Membership enabled.

Default is disabled.

Use DNs for membership

Enable this setting if User Administration should expect distinguished names (DN) from your LDAP server to set user and group associations. Disable this setting to associate users and groups based on usernames and/or group attributes.

Default is enabled.

User primary groups

Enable this setting to determine user group membership information using basic and Primary Groups defined in Active Directory.

Default is disabled.

Read timeout (ms)

Specify how long User Administration should wait when attempting to read data from the LDAP server before timing out.

Default is 120000.

Connection timeout (ms)

Specify how long User Administration should wait when attempting to connect to the LDAP server before timing out.

Default is 10000.

...

The order of the directories is important. When searching for users and groups, User Administration checks directories in order starting from the top of the table. Click and drag directories into the order that they should be searched.

Importing Users

...

In this example, replace username, password, hostname, port, and configurationName with your specific information.

Info

When users are imported from your LDAP (see Importing Users), their basic information (excluding passwords) is copied into the User Administration database. Over time, as users are removed from your LDAP directories, you might end up with orphaned entries in the User Administration database that you want to clean up. This task is not handled by automatic LDAP synchronization; you will need to do it manually. You can view and remove these users from the User Administration database with the following API endpoints:

  • Preview orphaned entries: GET /ldap/preview/obsoleteUsers
  • Delete orphaned entries: DELETE /ldap/delete/obsoleteUsers