Configuring the LDAP Directory Synchronization service

Complete the following steps to configure the LDAP Directory Synchronization service to automatically synchronize user and administrator records from your user store or LDAP directory to the VIP Authentication Service.
The LDAP Directory Synchronization service lets you automatically synchronize user and administrator records from your user store or LDAP directory to the VIP Authentication Service. You must configure your LDAP Directory Synchronization service before you can use it.
If LDAP synchronization makes changes that you wish to undo, you can also restore your LDAP Synchronization settings and LDAP data to a previous state.
  To configure your LDAP Directory Synchronization service:
  1. From the User Store > LDAP Directory Synchronization page, do one of the following steps:
    • If you have not configured your LDAP Directory Synchronization service yet, you are prompted to do so. Click Yes to configure it for the first time.
    • If you have already configured your LDAP Directory Synchronization service, click Edit to modify the settings.
  2. Complete the following fields and click Run Simulation.
    User Synchronization
      Select Enable to synchronize newly added, updated, or deleted user records from the LDAP user store to the VIP Authentication Service. By default, the user records that are updated or deleted in the LDAP user store are synchronized with the VIP Authentication Service. Users are created, modified, or deleted in the VIP Authentication Service based on the users’ membership in the LDAP user store.
    Administrator Synchronization
      Select Enable to synchronize the administrator records from the LDAP user store to the VIP Authentication Service. Administrators are created, modified, or deleted in the VIP Authentication Service based on the administrators’ membership in the LDAP user store.
      To enable VIP Enterprise Gateway to synchronize administrators from the LDAP user store to the VIP Authentication Service, you must have mapped the administrators to at least one VIP Administrator Group. The administrators mapped to a specific VIP Administrator Group get the roles assigned to that group in the VIP Authentication Service.
    Port
      Enter the port number used by the LDAP Directory Synchronization service for lifecycle management (the default is 8235). This port is always bound to the localhost.
    Log level
      Specify the preferred logging level for your synchronization service. Select the appropriate level from the drop-down list:
      • DEBUG: The log captures general details, and stack traces of all exception events.
      • INFO: The log captures general details that are needed to track how the server is functioning. The Logging component accepts and logs any other component’s debug messages.
      • WARN: The log captures details of potentially harmful events: rejected transactions and exception events that affect the server.
      • ERROR: The log captures details of events that hinder the server or transaction, but which may still allow the server to function (except events that affect the server).
    Number of Files to Keep
      Select the number of previous log files that the LDAP Validation server keeps.
    Log Rotation Interval
      Select how frequently you want to create a new log file.
    Enable Syslog
      Select Yes to enable Syslog settings. This configuration enables the LDAP Directory Synchronization service to send log messages to the syslog. You must configure Syslog Settings (Logs > Syslog Settings) for this feature to work.
    Frequency
      Specify whether the service synchronizes the user IDs of the users and the administrators in your LDAP directory with the VIP User Service daily, weekly, or monthly. By default, synchronization begins daily, at midnight.
      This setting does not apply to synchronization operations run in Simulation mode.
    Change Threshold
      Specify the percentage of user records that can be synchronized from the LDAP user store to the VIP Authentication Service. This value applies to the update, delete, and add operations independently. For example, if you specify the change threshold as 10%, it applies to the update, delete, and add operations as follows:
      • 10% of the user records that are updated are synchronized with the VIP Authentication Service.
      • 10% of the user records that are deleted are synchronized with the VIP Authentication Service.
      • 10% of the user records that are newly added to the LDAP user store are synchronized with the VIP Authentication Service.
      You cannot specify a threshold for synchronizing administrator records.
  3. Use the following filters in your user store filters to exclude users from synchronizing with the VIP Authentication Service if they have the disabled or locked status in the user store:
    • To exclude users with the disabled status, use:
      (&(<Your Filter>)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    • To exclude users with the locked status, use:
      (&(<Your Filter>)(!(userAccountControl:1.2.840.113556.1.4.803:=16)))
    The LDAP Directory Synchronization service does not synchronize (add, update, or delete) these users. If the status of a user changes to disabled or locked, the LDAP Directory Synchronization service considers that user deleted from the user store and removes the user account from the VIP Authentication Service.
  4. Click Save Changes to save your configuration changes.
  5. Because the LDAP Directory Synchronization service changes your user data on the VIP Authentication Service, run a simulation of the changes and verify that they are correct before you turn on the service or run a manual synchronization.
  6. If the synchronization service was running before you made these changes, use the slider at the top of the LDAP Directory Synchronization tab to stop and restart the service.
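As an added example (not VIP Enterprise Gateway code), the following Python models what a simulation run would report once the disabled/locked exclusion filters and the Change Threshold field are in effect: it builds the filter string, evaluates the bitwise-AND clauses against constructed directory entries, and computes the add, update and delete percentages independently against the threshold. The user IDs, attribute values, the SYNC_ATTRS set, and the choice to measure percentages against the records VIP held before the run are all assumptions made for the example.

```python
# Added example (not VIP Enterprise Gateway code): what a simulation run would report.
ACCOUNTDISABLE = 0x2   # userAccountControl bit tested by the ...803:=2 clause
LOCKOUT = 0x10         # userAccountControl bit tested by the ...803:=16 clause
BIT_AND_RULE = "userAccountControl:1.2.840.113556.1.4.803:="
SYNC_ATTRS = ("mail",)  # assumption: the attributes this sample copies to VIP

def exclusion_filter(base, exclude_disabled=True, exclude_locked=True):
    """Wrap an existing user-store filter (given without its outer parentheses)."""
    parts = [f"({base})"]
    if exclude_disabled:
        parts.append(f"(!({BIT_AND_RULE}{ACCOUNTDISABLE}))")
    if exclude_locked:
        parts.append(f"(!({BIT_AND_RULE}{LOCKOUT}))")
    return "(&" + "".join(parts) + ")"  # no whitespace between filter components

def passes_filter(attrs, exclude_disabled=True, exclude_locked=True):
    """Evaluate the bitwise-AND clauses of that filter against one directory entry."""
    uac = int(attrs.get("userAccountControl", 0))
    if exclude_disabled and uac & ACCOUNTDISABLE:
        return False
    return not (exclude_locked and uac & LOCKOUT)

def simulate(previous, current, threshold_pct, **filter_opts):
    """previous: {user_id: synced attrs} held by VIP; current: {user_id: LDAP attrs}.
    Returns the ids per operation and whether each operation exceeds the threshold
    independently. Assumption: percentages are taken over the records VIP held before."""
    visible = {uid: a for uid, a in current.items() if passes_filter(a, **filter_opts)}
    added = sorted(set(visible) - set(previous))
    deleted = sorted(set(previous) - set(visible))  # filtered-out users count as deleted
    updated = sorted(uid for uid in set(visible) & set(previous)
                     if {k: visible[uid].get(k) for k in SYNC_ATTRS} != previous[uid])
    base = max(len(previous), 1)
    return {op: {"ids": ids, "percent": 100.0 * len(ids) / base,
                 "over_threshold": 100.0 * len(ids) / base > threshold_pct}
            for op, ids in (("add", added), ("update", updated), ("delete", deleted))}

# Constructed sample data: VIP after the last sync, and the directory as it is now.
PREVIOUS = {u: {"mail": f"{u}@example.com"} for u in ("alice", "bob", "carol", "dave")}
CURRENT = {
    "alice": {"mail": "alice@example.com", "userAccountControl": "512"},   # unchanged
    "bob":   {"mail": "robert@example.com", "userAccountControl": "512"},  # mail changed
    "carol": {"mail": "carol@example.com", "userAccountControl": "514"},   # 512|2: disabled
    "dave":  {"mail": "dave@example.com", "userAccountControl": "528"},    # 512|16: locked
    "erin":  {"mail": "erin@example.com", "userAccountControl": "512"},    # new account
}

if __name__ == "__main__":
    print(exclusion_filter("objectClass=user"))
    for op, r in simulate(PREVIOUS, CURRENT, 30).items():
        print(f"{op:6} {r['ids']} {r['percent']:.0f}% over_threshold={r['over_threshold']}")
```

With a 30% threshold the sample's delete operation (carol and dave, whose accounts became disabled and locked) is the only one flagged, which is the per-operation independence the Change Threshold description states.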
Although the service will run automatically at the next scheduled time, you can optionally run a manual synchronization after verifying the simulated changes.