Configuring links
- Navigate to the Synchronization page.
- In the Synchronization tab, click the link you want to configure in the Links list. The link's details will appear in the link details area.
- In the link details area, click the Edit button. The Edit LDAP Group Link dialog opens.
- Enter a name for the link in the name field or leave it as the default value.
- Like the LDAP server, each link has an Inbound check box and an Outbound check box. Select the Inbound check box to enable inbound synchronization for the information stored in that link.
  Note: A link is synchronized only when both the link and the corresponding server synchronizations are enabled.
- You will now configure where in the server the link points to and how data will be gathered.
  Note: For steps 4 and 5 you will need direct access to the attributes of the objects (i.e., folders, users, and user groups) in your server. The Active Directory Users and Computers administrative tool does not show these attributes; you need an LDAP browser, which is available online as a free download.
  The Distinguished name for the context field is used together with the Scope field to specify where in the LDAP server you will search. Each object in the LDAP server has a distinguishedName attribute that identifies it in the server's hierarchical structure. In the Distinguished name for the context field, enter the value of the distinguishedName attribute of the location (i.e., folder) in the LDAP server you want to search. The Scope field determines how far down the hierarchy you will search. There are three options:
  - Search the context: This searches only the object specified by the distinguished name you entered above, and nothing else. If you specified a folder, the synchronization will not return any users or user groups, as NexJ looks only at the folder object.
  - Search directly under the context: This searches all objects that are children of (i.e., directly under) the object specified by the distinguished name you entered. If you specified a folder, the synchronization returns any users or user groups in that folder, but not those found within sub-folders.
  - Search the subtree rooted at the context: This is the same search as the previous one, except that all users and user groups found in sub-folders of the folder you specified are included as well.
- The ID attribute is used to uniquely identify a user or user group. Use the objectGUID attribute if it exists on your server; if not, you may use the distinguishedName attribute instead.
  The transformation determines how the information accessed in the LDAP server is converted into information stored as objects in the NexJ database. Leave this value as the default value.
- While the previous attributes may be configured independently in the user groups link and the users link, the membership attribute fields for the user groups and users links must be configured together. This field uses two attributes (one belonging to user groups and the other belonging to users) to map users to groups, that is, to determine which users belong to which groups.
  The values of the attributes specified in the membership attribute fields on the users link and the user groups link must be the same for membership to be established.
  For example, for Windows Active Directory, you can enter the memberOf attribute in the users link and the distinguishedName attribute in the user groups link. In Active Directory, when a user belongs to a group, it acquires a memberOf value equal to the distinguishedName of that group, so these two values being equal establishes membership.
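To make the context, Scope and membership settings above concrete, the following added example (Python, not NexJ code) simulates how a context DN plus each of the three Scope options selects directory objects, and how users are mapped to groups by matching memberOf against distinguishedName. The function names (in_scope, select, memberships) and the directory entries are constructed for this illustration only.

```python
# Simulates the link settings: context DN + Scope selects entries; membership = memberOf == distinguishedName.
BASE, ONELEVEL, SUBTREE = "base", "onelevel", "subtree"  # the three Scope options

def dn_parts(dn):
    """Split a DN into normalized RDNs, leaf first (escaped commas not handled)."""
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(entry_dn, context_dn, scope):
    """True if the entry is selected by the given context DN and Scope."""
    entry, ctx = dn_parts(entry_dn), dn_parts(context_dn)
    if len(entry) < len(ctx) or entry[-len(ctx):] != ctx:
        return False                      # not under the context at all
    depth = len(entry) - len(ctx)         # 0 is the context object itself
    if scope == BASE:
        return depth == 0                 # "Search the context"
    if scope == ONELEVEL:
        return depth == 1                 # "Search directly under the context"
    if scope == SUBTREE:
        return True                       # "Search the subtree rooted at the context"
    raise ValueError(f"unknown scope {scope!r}")

def select(entries, context_dn, scope, object_class):
    """Entries of one objectClass that a link with these settings would return."""
    return [e for e in entries if e["objectClass"] == object_class
            and in_scope(e["distinguishedName"], context_dn, scope)]

def memberships(users, groups):
    """Map each group DN to the sorted objectGUIDs of users whose memberOf holds that DN
    (compared case-insensitively, as AD does); memberOf values naming no selected group are ignored."""
    key = lambda dn: ",".join(dn_parts(dn))
    by_key = {key(g["distinguishedName"]): g["distinguishedName"] for g in groups}
    result = {g["distinguishedName"]: [] for g in groups}
    for u in users:
        for dn in u.get("memberOf", []):
            if key(dn) in by_key:
                result[by_key[key(dn)]].append(u["objectGUID"])
    return {g: sorted(ids) for g, ids in result.items()}

STAFF, GROUPS = "OU=Staff,DC=example,DC=com", "OU=Groups,DC=example,DC=com"
DIRECTORY = [  # constructed sample entries, not data from a real directory
    {"distinguishedName": STAFF, "objectClass": "organizationalUnit"},
    {"distinguishedName": "CN=alice," + STAFF, "objectClass": "user", "objectGUID": "guid-alice",
     "memberOf": ["CN=Sales," + GROUPS]},
    {"distinguishedName": "CN=bob,OU=Contractors," + STAFF, "objectClass": "user",
     "objectGUID": "guid-bob", "memberOf": ["cn=sales,ou=groups,dc=example,dc=com"]},
    {"distinguishedName": "CN=Sales," + GROUPS, "objectClass": "group"},
]
```

With the users link pointed at OU=Staff and the user groups link at OU=Groups, only the subtree scope picks up bob in the Contractors sub-folder, and both users resolve to the Sales group even though bob's memberOf value differs in case.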