AdSync Module Configuration
General Module Settings
Start the SAF Admin. Click on ADSync and then General module settings:
In "Method to trigger module execution" you can set the method to trigger the sync. You can see more details about this feature on Periodic Synchronization, and for the other settings of the General module settings refer to the SAF documentation.
Set further AdSync configuration
In the "Module specific properties":
Active Directory (LDAP) settings:
| Field | Value |
|---|---|
| Server | Can contain the name of the domain controller or comma-separated list of domain controllers or be empty (ask current domain for domain controllers). The first domain controller that can be successfully contacted and contains the specified organization unit (see Path) will be used. For LDAPS also specify the LDAPS port (normally port 636), e.g. MyServer:636 |
Path More information: Active Directory Mapping | Path to organization unit which contains the users and groups to synchronize. The used syntax is Active Directory style. Examples: OU=MyDigaSystem,DC=MyDomain,DC=de LDAP://OU=MyOU,DC=MySubDomain,DC=MyDomain,DC=de GC://OU=MyOU,DC=Sub1,DC=Test,DC=local OU=AdSync Root,OU=SecurityGroups,OU=Demo,DC=DPE-AD,DC=local |
| LDAP Filter | You can use Active Directory filters, example: (| (&(objectCategory=Group)(name=DS_*)) (&(objectCategory=User)(name=*)) ) filters all groups starting with DS_ and all users : (category=Group AND name=DS_*) OR (category=User AND name=*). See below for operators (link to Microsoft documentation for more information here) |
| Regex Filter | You can specify a filter for users based on regular expressions Example: synchronize only users that start with a "N" and have at least one digit after it ^N\d+ Matches "N1", "N123" but not "n1", "N" or "NA123" |
| Username | User account used to access domain controller or global catalog. |
| Password | Password for user account. |
| Use secure connection | Use NTLM (NT Lan Manager Authentication) for client authentication (default: true) |
Filters logical operators:
| Logical operator | Description |
|---|---|
| = | Equal to |
| <= | Lexicographically less than or equal to |
| >= | Lexicographically greater than or equal to |
| & | AND |
| | | OR |
| ! | NOT |
DigaSystem settings:
| Field | Value |
|---|---|
| Rules | Allows to specify the user PAR file template which will be used for a newly created user according to the group to which it belongs. The rules are based on regular expressions matching a group name. The first matching rule in the list will be applied. If the groups to which the user belongs don't match any RegEx, the template will be the default template selected below. |
| Default template user | DigaSystem user name that is used as PAR file template for a newly created user (when no rule above is matching). Can be empty. |
| Add domain prefix to synced DigaSystem group names | Optional. Only needed when synchronizing from more than one Active Directory domain to a common RIGHTS.PAR |
| Domain prefixes to ignore | Optional. Only needed when synchronizing from more than one Active Directory domain to a common RIGHTS.PAR Comma-separated list of domain-prefixes to ignore because they are from other domains. |
Configuration of breaks inside action loop:
The time of synchronizing a Windows user account with the according DigaSystem user increases significantly after a certain number of sync actions.
As a result the Rights.par can be blocked to any other writing attempt for quite some time, which is why this configuration box has been added; if this function is activated the synchronization process is interrupted for a configurable time window, if a sync action exceeds a certain amount of time:
| Field | Value |
|---|---|
| Activate breaks inside action loops | During writing separated change ADSync goes in a loop. This checkbox activates breaks during working in a loop |
| Length of actions | ADSync starts single actions one after another in a loop. This parameter limits the time how long ADSync starts more activities. A started activity will run until it has finished. |
| Length of breaks | The length of the break will be in milliseconds |
| Reduce sync cycles by using Highest Committed USN | Use highest commited USN to find out if something has changed in AD without polling all user and group data. |