Advanced LDAP Tweaks for User and Group Synchronization


Main.AdvancedLDAPTweaks History


Added lines 22-23:
----
[-Keywords: disabled users, LDAP to AD-]
Changed line 17 from:
'''3.''' Set the config key @@ldap.schema.user-name-search@@ to the following (one line, no spaces):
to:
'''3.''' Set the [[https://www.papercut.com/products/ng/manual/sys-mgmt-config-editor.html | config key]] @@ldap.schema.user-name-search@@ to the following (one line, no spaces):
Added line 12:
Added line 16:
Added lines 1-19:
(:title Advanced LDAP Tweaks for User and Group Synchronization:)

This article contains a collection of tips for tweaking LDAP synchronization settings.  You are using LDAP to sync if the setting at @@Options → User/Group Sync → Sync Options → Sync Source@@ is set to @@LDAP@@.  The tips in this article are aimed at administrators with knowledge of LDAP administration.  Changing settings without knowledge of the consequences could result in incorrect syncing or user information being overwritten in PaperCut.

!!LDAP synchronizing to Active Directory: don't import disabled users

This tip will allow you to prevent disabled users from being imported into PaperCut.  Caveats:
* The option @@Import users from@@ must be set to @@[All Users]@@.  This tip will not work if importing from a given LDAP group.
* This tip '''only''' applies to using LDAP to sync to AD (i.e. @@Sync Source = LDAP@@ and @@LDAP Server Type = Active Directory@@).  The option to not import disabled users from Active Directory is standard when using @@Sync Source = Active Directory@@ (there is a checkbox on the @@User/Group Sync@@ page).

'''1.''' See the user manual appendix [[https://www.papercut.com/products/ng/manual/apdx-ldap.html#apdx-ldap-active-directory|Advanced LDAP Configuration]] for information about the default AD sync parameters.
'''2.''' See the following two MS KB articles for information about LDAP bitwise filters and how disabled users are represented in AD:
* http://support.microsoft.com/kb/269181
* http://support.microsoft.com/kb/305144
'''3.''' Set the config key @@ldap.schema.user-name-search@@ to the following (one line, no spaces):
->[@(&(sAMAccountName={0})(objectCategory=person)(objectClass=user)(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))@]
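To see what the filter in step 3 actually does, here is an added example (not code from the article or from PaperCut) that evaluates the same clauses in Python against a few constructed Active Directory-style entries, and compares the bitwise-AND matching rule with a plain `userAccountControl=2` equality test. The entries, names and values are assumptions for illustration only.

```python
# Added example, not from the article: evaluate the article's
# ldap.schema.user-name-search filter offline against constructed entries.

UF_ACCOUNTDISABLE = 0x0002            # userAccountControl bit meaning "account disabled"
SAM_NORMAL_USER_ACCOUNT = 805306368   # sAMAccountType of an ordinary user object

# Constructed sample entries (assumed, not real accounts). objectCategory is
# kept in the short lDAPDisplayName form that the filter's "person" resolves to.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectCategory": "person", "objectClass": USER_CLASSES,
     "sAMAccountType": 805306368, "userAccountControl": 512},    # enabled (NORMAL_ACCOUNT)
    {"sAMAccountName": "bob", "objectCategory": "person", "objectClass": USER_CLASSES,
     "sAMAccountType": 805306368, "userAccountControl": 514},    # 512 | 2: disabled
    {"sAMAccountName": "svc-print", "objectCategory": "person", "objectClass": USER_CLASSES,
     "sAMAccountType": 805306368, "userAccountControl": 66050},  # 65536 | 512 | 2: disabled
    {"sAMAccountName": "PRINTER1$", "objectCategory": "computer",
     "objectClass": USER_CLASSES + ["computer"],
     "sAMAccountType": 805306369, "userAccountControl": 4096},   # computer object
]


def bit_and_match(attr_value: int, mask: int) -> bool:
    """Semantics of (attr:1.2.840.113556.1.4.803:=mask): every bit of mask is set."""
    return (attr_value & mask) == mask


def matches_user_name_search(entry: dict, name: str) -> bool:
    """The article's filter with {0} substituted by name (sAMAccountName is
    matched case-insensitively, as AD does)."""
    return (
        entry["sAMAccountName"].lower() == name.lower()
        and entry["objectCategory"] == "person"
        and "user" in entry["objectClass"]
        and entry["sAMAccountType"] == SAM_NORMAL_USER_ACCOUNT
        and not bit_and_match(entry["userAccountControl"], UF_ACCOUNTDISABLE)
    )


def matches_with_plain_equality(entry: dict, name: str) -> bool:
    """Same filter but with (!(userAccountControl=2)) instead of the bitwise
    rule: only an entry whose whole value is exactly 2 would be excluded."""
    return (
        entry["sAMAccountName"].lower() == name.lower()
        and entry["objectCategory"] == "person"
        and "user" in entry["objectClass"]
        and entry["sAMAccountType"] == SAM_NORMAL_USER_ACCOUNT
        and entry["userAccountControl"] != UF_ACCOUNTDISABLE
    )


def importable_users(entries, predicate=matches_user_name_search):
    """Names the sync would accept when each entry is looked up by its own name."""
    return [e["sAMAccountName"] for e in entries if predicate(e, e["sAMAccountName"])]
```

With the bitwise rule only `alice` is importable; with plain equality the disabled `bob` and `svc-print` slip through because their userAccountControl values are 514 and 66050, not 2.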

----
''Categories:'' [[Category.Domains|+]], [[Category.TipsAndTricks|+]]


Article last modified on December 28, 2014, at 10:21 PM