Configuring the LDAP Directory Synchronization service
The LDAP Directory Synchronization service automatically synchronizes user and administrator records from your user store or LDAP directory to the VIP Authentication Service. You must configure the service before you can use it. Complete the following steps to configure it.
If LDAP synchronization makes changes that you wish to undo, you can also restore your LDAP Synchronization settings and LDAP data to a previous state.
- To configure your LDAP Directory Synchronization service:
- From the User Store > LDAP Directory Synchronization page, do one of the following:
- If you have not configured the LDAP Directory Synchronization service yet, you are prompted to do so. Click Yes to configure it for the first time.
- If you have already configured the LDAP Directory Synchronization service, click Edit to modify the settings.
- Complete the following fields and click Run Simulation:
- User Synchronization: Select Enable to synchronize newly added, updated, or deleted user records from the LDAP user store to the VIP Authentication Service. By default, user records that are updated or deleted in the LDAP user store are synchronized with the VIP Authentication Service. Users are created, modified, or deleted in the VIP Authentication Service based on their membership in the LDAP user store.
- Administrator Synchronization: Select Enable to synchronize administrator records from the LDAP user store to the VIP Authentication Service. Administrators are created, modified, or deleted in the VIP Authentication Service based on their membership in the LDAP user store. Before VIP Enterprise Gateway can synchronize administrators, you must have mapped them to at least one VIP Administrator Group; the administrators mapped to a VIP Administrator Group receive the roles assigned to that group in the VIP Authentication Service.
- Port: Enter the port number that the LDAP Directory Synchronization service uses for lifecycle management (the default is 8235). This port is always bound to localhost.
- Log level: Select the logging level for the synchronization service from the drop-down list:
- DEBUG: The log captures general details and the stack traces of all exception events.
- INFO: The log captures the general details needed to track how the server is functioning. The logging component also accepts and logs debug messages from other components.
- WARN: The log captures potentially harmful events, such as rejected transactions and exception events that affect the server.
- ERROR: The log captures events that hinder the server or a transaction but may still allow the server to keep functioning (events that affect the server as a whole are covered by WARN).
- Number of Files to Keep: Select the number of previous log files that the LDAP Directory Synchronization service keeps.
- Log Rotation Interval: Select how frequently a new log file is created.
- Enable Syslog: Select Yes to send the service's log messages to syslog. You must configure Syslog Settings (Logs > Syslog Settings) for this to work.
- Frequency: Specify whether the service synchronizes the user IDs of the users and administrators in your LDAP directory with the VIP User Service daily, weekly, or monthly. By default, synchronization runs daily at midnight. This setting does not apply to synchronization operations run in Simulation mode.
- Change Threshold: Specify the percentage of user records that can be synchronized from the LDAP user store to the VIP Authentication Service in one run. The value applies to the add, update, and delete operations independently. For example, a change threshold of 10% applies as follows:
- 10% of the user records that are updated are synchronized with the VIP Authentication Service.
- 10% of the user records that are deleted are synchronized with the VIP Authentication Service.
- 10% of the user records that are newly added to the LDAP user store are synchronized with the VIP Authentication Service.
You cannot specify a threshold for synchronizing administrator records.
- Use the following filters in your user store filter to exclude users that have the disabled or locked status in the user store from synchronization with the VIP Authentication Service. The matching rule 1.2.840.113556.1.4.803 is the Active Directory bitwise-AND rule on the userAccountControl attribute; 2 is the ACCOUNTDISABLE bit and 16 is the LOCKOUT bit:
- To exclude users with the disabled status, use: (&(<Your Filter>)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
- To exclude users with the locked status, use: (&(<Your Filter>)(!(userAccountControl:1.2.840.113556.1.4.803:=16)))
The LDAP Directory Synchronization service does not synchronize (add, update, or delete) the excluded users. Note the consequence: if an existing user's status changes to disabled or locked, the user drops out of the filtered result, the service treats the user as deleted from the user store, and it removes the user account from the VIP Authentication Service.
- Click Save Changes to save your configuration changes.
- The LDAP Directory Synchronization service changes your user data on the VIP Authentication Service. Run a simulation of the changes and verify that they are correct before you turn on the service or run a manual synchronization.
- If the synchronization service was running before you made these changes, use the slider at the top of the LDAP Directory Synchronization tab to stop and restart the service.
Although the service runs automatically at the next scheduled time, you can optionally run a manual synchronization after verifying the simulated changes.
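The following is an added example written for this page, not VIP Enterprise Gateway code. It simulates offline what a simulation run has to tell you about the two settings above: it evaluates the userAccountControl exclusion filters locally (the same bitwise-AND test the 1.2.840.113556.1.4.803 matching rule performs), shows that a user who becomes disabled or locked is classified as a delete, and checks the add, update, and delete counts independently against a change threshold. The directory entries and the VIP user list are constructed; using sAMAccountName as the user ID, comparing only the mail attribute for updates, and taking the current VIP record count as the percentage base are assumptions of the example. The page does not say what the service does when the threshold is exceeded, so the example only flags it.

```python
"""Offline simulation of the exclusion filters and the per-operation change threshold.
Added example for this page; not VIP Enterprise Gateway code. Sample data is constructed."""

# userAccountControl bits referenced by the filters on this page (Active Directory).
UAC_ACCOUNTDISABLE = 0x0002  # the value 2 in the first filter
UAC_LOCKOUT = 0x0010         # the value 16 in the second filter
# Caveat to confirm in your own simulation run: Active Directory may expose lockout
# state through msDS-User-Account-Control-Computed and lockoutTime rather than by
# setting this bit in the stored userAccountControl value.

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def bitwise_and_match(value: int, mask: int) -> bool:
    """What the matching rule 1.2.840.113556.1.4.803 evaluates: every bit of mask is set."""
    return value & mask == mask


def exclusion_filter(base_filter: str, *masks: int) -> str:
    """Wrap an existing user filter with the page's (!(userAccountControl:...)) clauses."""
    clauses = "".join(
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={mask}))" for mask in masks
    )
    return f"(&({base_filter}){clauses})"


def in_scope(entry: dict, masks=(UAC_ACCOUNTDISABLE, UAC_LOCKOUT)) -> bool:
    """Local evaluation of the combined exclusion filter against one directory entry."""
    uac = int(entry.get("userAccountControl", 0))
    return not any(bitwise_and_match(uac, mask) for mask in masks)


def simulate_sync(vip_users: dict, ldap_entries: list, threshold_pct: float) -> dict:
    """Compare the VIP copy with the filtered LDAP result and classify the changes.

    A user that dropped out of the filtered result (for example because it is now
    disabled) is indistinguishable from a deleted user, so it lands in 'delete'.
    Each operation is checked against the threshold independently. The percentage
    base (current VIP record count) is an assumption of this example.
    """
    scoped = {e["sAMAccountName"]: e for e in ldap_entries if in_scope(e)}
    adds = sorted(set(scoped) - set(vip_users))
    deletes = sorted(set(vip_users) - set(scoped))
    updates = sorted(
        uid for uid in set(scoped) & set(vip_users)
        if scoped[uid]["mail"] != vip_users[uid]["mail"]
    )
    base = max(len(vip_users), 1)
    report = {}
    for op, ids in (("add", adds), ("update", updates), ("delete", deletes)):
        pct = 100.0 * len(ids) / base
        report[op] = {"ids": ids, "percent": pct, "within_threshold": pct <= threshold_pct}
    return report


# Constructed sample data: what VIP currently holds, and what the directory returns now.
VIP_USERS = {
    "alice": {"mail": "alice@example.com"},
    "bob": {"mail": "bob@example.com"},
    "carol": {"mail": "carol@example.com"},
    "dave": {"mail": "dave@example.com"},
}
LDAP_ENTRIES = [
    {"sAMAccountName": "alice", "mail": "alice@example.com", "userAccountControl": 512},
    {"sAMAccountName": "bob", "mail": "bob@example.com", "userAccountControl": 514},        # 512 + 2: disabled
    {"sAMAccountName": "carol", "mail": "carol@example.com", "userAccountControl": 528},    # 512 + 16: locked
    {"sAMAccountName": "dave", "mail": "dave.smith@example.com", "userAccountControl": 512},  # mail changed
    {"sAMAccountName": "erin", "mail": "erin@example.com", "userAccountControl": 512},      # new user
]


if __name__ == "__main__":
    print(exclusion_filter("objectClass=user", UAC_ACCOUNTDISABLE, UAC_LOCKOUT))
    for op, info in simulate_sync(VIP_USERS, LDAP_ENTRIES, threshold_pct=30).items():
        flag = "ok" if info["within_threshold"] else "EXCEEDS threshold"
        print(f"{op:6} {info['ids']} {info['percent']:.0f}% {flag}")
```

With a 30% threshold the run reports one add (erin) and one update (dave) within the threshold, and two deletes (bob and carol) at 50% that exceed it. Neither bob nor carol was removed from the directory; they were filtered out by the disabled and locked exclusions, which is exactly the removal-from-VIP consequence described above and the reason to read the simulation output before enabling the service.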