Advanced LDAP Tweaks for User and Group Synchronization

AVAILABLE TO CUSTOMERS ON:

This article contains a collection of tips for tweaking LDAP synchronization settings. You are using LDAP to sync if the setting at Options → User/Group Sync → Sync Options → Sync Source is set to LDAP. The tips in this article are aimed at administrators with knowledge of LDAP administration. Changing settings without knowledge of the consequences could result in incorrect syncing or user information being overwritten in PaperCut.

LDAP synchronizing to Active Directory: don’t import disabled users

This tip will allow you to prevent disabled users from being imported into PaperCut. Caveats:

• The option Import users from must be set to [All Users]. This tip will not work if importing from a given LDAP group.
• This tip only applies to using LDAP to sync to AD (i.e. Sync Source = LDAP and LDAP Server Type = Active Directory). The option to not import disabled users from Active Directory is standard when using Sync Source = Active Directory (there is a checkbox on the User/Group Sync page).

1. See the user manual appendix Advanced LDAP Configuration for information about the default AD sync parameters.

2. See the following MS KB article for information about LDAP bitwise filters and how disabled users are represented in AD:

• http://support.microsoft.com/kb/305144

3. Set the config key ldap.schema.user-name-search to the following (one line, no spaces):

(&(sAMAccountName={0})(objectCategory=person)(objectClass=user)(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))