To create an LDAP group section, complete the following steps.
- Navigate to the Perceptive Content shared etc directory $(IMAGENOWDIR6)\etc and then open the inserverUR.ini file in a text editor.
- Create a group section heading. Provide a heading that exactly matches the group name you use in Perceptive Content.
[Marketing]
- In the group section you just created, add the group.mode property.
Note: This property determines which method the User Replication Agent uses to locate groups and their members in the LDAP directory. If you place the group.mode property in any heading section of the INI file, the agent recognizes that heading section as a group section and attempts to import users into the group. You can use a different mode for each group section.
When you set the mode to 0, group members are based on the DN of an actual container in the LDAP directory, such as an Organizational Unit (OU). The agent searches for all entries that are one level below the container given in the group.dn property. When the query is successful, these entries are considered members of the group.
When you set the mode to 1, group members are based on the value of an attribute in one entry in the LDAP server. You provide the group.member.attr you want the agent to query to find group members from the DN specified in the group.dn property. For example, in Active Directory, you might use sAMAccountName.
The LDAP server may prevent User Replication Agent from replicating large groups if group.mode is set to 0. For large LDAP groups (more than 1000 users), we recommend that you set group.mode to 1.
- Add the group.department property. This property specifies the department in which the Perceptive Content group should be created. It does not support moving groups to or from other departments. This setting does not apply to existing groups.
Note: The department specified in this property must already exist within the system.
- Add the group.license.group property. This property specifies the name of the license group to which users are added according to the group. Users are limited to one license group. Based on the results of an LDAP query, if a user belongs to several groups, they will remain in the license group associated with the group in which they were last discovered.
Note: If license groups are not necessary in your environment, this property is optional.
- Add the group.dn property. This property specifies the DN of the container where User Replication Agent begins searching for group members in the LDAP directory.
Note: Do not use single quotes around the value for this property. For example, avoid group.dn='OU=Marketing'. Each group.dn property can only add users to the group named in the group section heading. Set the group.dn property to the DN of the container where the agent begins its search for group members in the LDAP directory. You can specify additional containers by creating additional group.dn.<number> properties. Start with the number 2 and then increment each additional property by 1. For example, group.dn, group.dn.2, and group.dn.3. If you skip a number while creating additional properties, the agent ignores the properties that come after the skipped number.
[Example Group 1]
; an example group using mode 0 search
group.mode=0
group.department=Default
group.license.group=Research and Development
group.dn = OU=Research and Development, O=ACME, C=US
group.dn.2 = O=ACME, C=US
group.dn.3 = OU=Sales, O=ACME, C=US
group.member.login.attr = uid

[Example Group 2]
; an example group using mode 1 search
group.mode=1
group.department=Default
group.license.group=Research and Development
group.dn = O=ACME, C=US
group.member.login.attr = uid
group.member.attr = member
group.member.filter = (name=john)
- Add the group.member.login.attr property. This property names the attribute of a group member entry whose value is used as the login and user name in Perceptive Content. If you do not enter a value, common name (CN) is used.
group.member.login.attr=sAMAccountName
- Add the group.member.filter property. If group.mode equals 0, you can use this property to exclude certain members of the directory based on filter criteria. Refer to the tables in the “Group operators and search filters” section for valid options you can use in this property. If group.mode equals 1, you can use this property to filter the group members set for the group.member.attr property.
group.member.filter=(sAMAccountType=805306368)
- Add the group.member.attr property. If group.mode equals 1, provide the attribute from the DN specified in the group.dn property that contains the group members' DNs.
group.member.attr=AcctMembers
- Add the group.import.attr property. This property maps the LDAP attribute to the appropriate user field in Perceptive Content, allowing you to import user information, such as last name, first name, and telephone number.
group.import.attr.last.name = sn
group.import.attr.first.name = givenName
group.import.attr.phone = telephoneNumber
Note: Refer to the “Appendix: inserverUR.ini” section in this guide for a list of user attributes that you can map to LDAP attributes.
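The group section rules in the steps above (group.mode marks a section as a group section, group.dn numbering must not skip a number, no single quotes around the DN, mode 1 needs group.member.attr) can be checked before the agent runs. The following Python script is an added example, not part of the product or of this guide; the sample INI text, the function names, and the treatment of a missing group.dn as an error are assumptions made for illustration.

```python
import configparser
import re
# Constructed sample modelled on the page's examples; both sections contain mistakes.
SAMPLE_INI = """\
[Marketing]
group.mode=0
group.dn = OU=Marketing, O=ACME, C=US
group.dn.2 = OU=Events, O=ACME, C=US
group.dn.4 = OU=Press, O=ACME, C=US
[Sales]
group.mode=1
group.dn='OU=Sales'
"""
DN_KEY = re.compile(r"group\.dn\.(\d+)")

def effective_dns(section):
    """Split a section's search bases into (used, ignored) per the skipped-number rule."""
    numbered = {int(m.group(1)): v for k, v in section.items() if (m := DN_KEY.fullmatch(k))}
    used = [section["group.dn"]] if "group.dn" in section else []
    n = 2  # numbering starts at 2 and must be contiguous
    while used and n in numbered:
        used.append(numbered.pop(n))
        n += 1
    return used, [numbered[k] for k in sorted(numbered)]

def lint(text):
    """Return (section, problem) pairs for every group section in the INI text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if "group.mode" not in sec:
            continue  # only sections carrying group.mode are group sections
        used, ignored = effective_dns(sec)
        if not used:
            findings.append((name, "no group.dn"))  # assumption: treated as an error
        for dn in ignored:
            findings.append((name, f"ignored after numbering gap: {dn}"))
        for dn in used + ignored:
            if dn.startswith("'") or dn.endswith("'"):
                findings.append((name, f"single-quoted DN: {dn}"))
        if sec["group.mode"].strip() == "1" and "group.member.attr" not in sec:
            findings.append((name, "mode 1 without group.member.attr"))
    return findings

if __name__ == "__main__":
    for name, problem in lint(SAMPLE_INI):
        print(f"[{name}] {problem}")
```

A DN reported as ignored is a container the agent will not search, so its users are not replicated into the group.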