LDAP Synchronization

Selection of User Entries to be Synchronized

If not all users of a specified LDAP directory should be synchronized with the Stages user database, match filters and ignore filters can be defined to select the entries.

NOTE: Both match and ignore filters are applied after the users are retrieved from the LDAP directory. In order to limit the number of user entries transferred from the directory server, an appropriate search filter should be specified.

The match Filter

In order to specify expressions that a user entry must match to get synchronized, the ldap-match tag can be used. This optional tag has to be nested in an ldap-provider tag as shown below:

<ldap-provider url="SERVER_URL" key="AUTHENTICATION_KEY">
…
 <ldap-match id="SOME_ID" value="SOME_VALUE"/>
 …
</ldap-provider>

A match filter tag has two required attributes:

  • id
    • The id attribute specifies the LDAP attribute for which a filter expression is set
  • value
    • The value attribute holds the filter expression that is applied to the LDAP attribute. An expression may contain Perl5-style regular expressions. Have a look at http://search.cpan.org/dist/perl/pod/perlre.pod to learn more about regular expressions.

Exemplary match Filter

Below an exemplary match filter is shown:

<ldap-match id="sAMAccountName" value="^a.*" />

This filter specifies that only users whose sAMAccountName attribute value starts with the letter "a" are synchronized with the Stages user database.

The ignore Filter

In contrast to the match filter, an ignore filter excludes entries that do match the filter's expression. The ldap-ignore tag can be used for that purpose. This optional tag has to be nested inside an ldap-provider tag as shown in the example below:

<ldap-provider url="SERVER_URL" key="AUTHENTICATION_KEY">
…
 <ldap-ignore id="SOME_ID" value="SOME_VALUE"/>
 …
</ldap-provider>

The ldap-ignore tag has the two following required attributes:

  • id
  • value

NOTE: It is possible to define multiple ignore filters. An entry will be ignored during synchronization if it matches at least one of the ignore filters.

Combining match and ignore Filters

Match and ignore filters can be combined. An LDAP user is only synchronized with the Stages user database if it matches all match filters and none of the ignore filters.
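The following added example (not part of Stages or of this documentation) shows the combination rule applied to a constructed ldap-provider fragment and a handful of constructed directory entries, so the effect of several match and ignore filters can be checked before a synchronization run. It assumes that a filter expression is searched anywhere in the attribute value unless anchored, that a multi-valued attribute matches if any value matches, and that an entry lacking the attribute of a match filter is not synchronized; the page does not state these details.

```python
import re
import xml.etree.ElementTree as ET

# Constructed configuration in the format described above; SERVER_URL and
# AUTHENTICATION_KEY are placeholders, the filters are sample values.
CONFIG = """
<ldap-provider url="SERVER_URL" key="AUTHENTICATION_KEY">
  <ldap-match id="sAMAccountName" value="^a.*"/>
  <ldap-match id="mail" value="@example\\.com$"/>
  <ldap-ignore id="sAMAccountName" value="^adm_"/>
  <ldap-ignore id="description" value="(?i)service account"/>
</ldap-provider>
"""

def load_filters(xml_text):
    """Return (match_filters, ignore_filters) as lists of (attribute, compiled regex)."""
    root = ET.fromstring(xml_text)
    def collect(tag):
        return [(e.get("id"), re.compile(e.get("value"))) for e in root.findall(tag)]
    return collect("ldap-match"), collect("ldap-ignore")

def _matches(entry, attr, regex):
    # Assumption: an LDAP attribute may be multi-valued; any matching value counts.
    values = entry.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return any(regex.search(v) for v in values)

def is_synchronized(entry, match_filters, ignore_filters):
    """Rule from the page: all match filters must match and no ignore filter may match.
    Assumption: a missing attribute fails its match filter."""
    if not all(_matches(entry, a, r) for a, r in match_filters):
        return False
    return not any(_matches(entry, a, r) for a, r in ignore_filters)

# Constructed entries, as they would arrive after the directory search filter.
ENTRIES = [
    {"sAMAccountName": "alice", "mail": "alice@example.com"},
    {"sAMAccountName": "adm_alice", "mail": "adm_alice@example.com"},
    {"sAMAccountName": "bob", "mail": "bob@example.com"},
    {"sAMAccountName": "anna", "mail": "anna@example.org"},
    {"sAMAccountName": "app1", "mail": "app1@example.com", "description": "Service Account"},
]

def synchronized_accounts(xml_text=CONFIG, entries=ENTRIES):
    match_f, ignore_f = load_filters(xml_text)
    return [e["sAMAccountName"] for e in entries if is_synchronized(e, match_f, ignore_f)]

if __name__ == "__main__":
    print(synchronized_accounts())  # ['alice']
```

Because the filters run only after the entries have been retrieved, the sample still needs a suitable LDAP search filter to keep the transferred entry set small.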