LDAP Synchronization

Global LDAP Configuration

To keep the user information in the Stages database up to date, synchronization with an LDAP directory server runs as a recurring process. The LDAP configuration therefore starts with the refreshIntervalMinutes attribute, which specifies the interval in minutes between two synchronization runs.

Alternatively, the synchronizeCronExpression attribute can be used to specify the times at which the LDAP synchronization is done as a cron expression (see the Language Reference for further information).

If neither the refreshIntervalMinutes nor the synchronizeCronExpression attribute is specified, synchronization is done every two hours. Regardless of this setting, a synchronization run is performed on Stages start-up. Besides the interval attributes there are two optional global attributes:

  • maximumDeletionPercentage
  • synchronize

To avoid deleting users by mistake because of a misconfiguration or a temporarily unavailable LDAP server (either of which can make the directory appear to contain few or no users), the maximumDeletionPercentage attribute specifies the maximum percentage of users that may be deleted from the Stages user database within a single synchronization run. If a run would exceed that limit, no users are deleted at all in that run. The synchronize attribute configures which user related tasks are performed in the course of an LDAP synchronization run.

Possible user related tasks are:

  • Creation
  • Modification
  • Deletion

Possible values for the synchronize attribute and their meanings

full

  • Effect: All user related tasks are performed if necessary.

nocreate

  • Effect: Synchronized users can be deleted or modified but no new users will be created.

nomodify

  • Effect: Existing users are neither modified nor deleted, but new users will be created. This setting is useful while setting up the LDAP configuration.

ondemand

  • Effect: Only already existing Stages users are synchronized; new users are created when they successfully log in for the first time. The ondemandFilter attribute is required and the searchFilter attribute must not be present.

off

  • Effect: No synchronization is done at all, but users can still authenticate against the LDAP directory server.

A sample global configuration is as follows:

<ldap refreshIntervalMinutes="60"
 maximumDeletionPercentage="10"
 synchronize="full">
 …
</ldap>
  • LDAP synchronization is done every 60 minutes
  • At most 10 percent of synchronized users can be deleted from the Stages user database within a single synchronization run
  • Within a synchronization run all possible user related tasks are performed if necessary
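To make the interaction between the synchronize modes and the maximumDeletionPercentage guard concrete, the following script models one synchronization run offline. It is an added example and not code from Stages; the function plan_sync, the SyncPlan fields and the sample user records are assumptions made for illustration, and the behaviour of ondemand with respect to deletion (treated here as "no deletion") is likewise an assumption, since the text above does not state it.

```python
"""Model of the Stages LDAP synchronization policy described above.

Added example, not code from Stages. It reproduces the semantics of the
synchronize and maximumDeletionPercentage attributes so the deletion
guard can be exercised offline. User records are constructed sample
data; function, class and field names are assumptions.
"""
from dataclasses import dataclass, field

SYNC_MODES = ("full", "nocreate", "nomodify", "ondemand", "off")


@dataclass
class SyncPlan:
    created: list = field(default_factory=list)
    modified: list = field(default_factory=list)
    deleted: list = field(default_factory=list)
    deletion_blocked: bool = False   # True when the guard suppressed all deletions


def plan_sync(db_users, ldap_users, synchronize="full",
              maximum_deletion_percentage=100):
    """Return the user related tasks one synchronization run would perform.

    db_users and ldap_users map login name -> attribute dict. An unreachable
    or mis-scoped directory typically shows up as an empty ldap_users, which
    is exactly the situation the deletion guard exists for.
    """
    if synchronize not in SYNC_MODES:
        raise ValueError(f"unknown synchronize mode: {synchronize!r}")
    plan = SyncPlan()
    if synchronize == "off":
        return plan  # nothing synchronized; authentication still goes to LDAP

    to_create = sorted(u for u in ldap_users if u not in db_users)
    to_modify = sorted(u for u in ldap_users
                       if u in db_users and ldap_users[u] != db_users[u])
    to_delete = sorted(u for u in db_users if u not in ldap_users)

    # Creation: full and nomodify create during the run; ondemand defers
    # creation to the user's first successful login, so it creates nothing here.
    if synchronize in ("full", "nomodify"):
        plan.created = to_create
    # Modification: every mode except nomodify (and off) updates existing users.
    if synchronize in ("full", "nocreate", "ondemand"):
        plan.modified = to_modify
    # Deletion: full and nocreate may delete (assumption: ondemand does not).
    # The guard is all-or-nothing: exceeding the limit cancels every deletion.
    if synchronize in ("full", "nocreate") and to_delete:
        share = 100.0 * len(to_delete) / len(db_users)
        if share > maximum_deletion_percentage:
            plan.deletion_blocked = True
        else:
            plan.deleted = to_delete
    return plan


# Constructed sample data: ten Stages users; the directory still knows nine,
# one of them with a changed attribute.
DB_USERS = {f"user{i}": {"mail": f"user{i}@example.test"} for i in range(10)}
LDAP_OK = {u: dict(a) for u, a in DB_USERS.items() if u != "user9"}
LDAP_OK["user0"] = {"mail": "renamed@example.test"}
LDAP_NEW = {**LDAP_OK, "newbie": {"mail": "newbie@example.test"}}
LDAP_EMPTY = {}   # e.g. wrong base DN or server temporarily unreachable

if __name__ == "__main__":
    print(plan_sync(DB_USERS, LDAP_OK, "full", 10))      # deletes user9 (10 %)
    print(plan_sync(DB_USERS, LDAP_EMPTY, "full", 10))   # 100 % > 10 %: blocked
```

With the sample configuration above (maximumDeletionPercentage="10"), the first call deletes exactly one of ten users, which is still within the limit, while an empty directory result would delete all ten and is therefore blocked entirely; without the guard (the default of 100 in this model) the same empty result wipes the user database.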