H3C Technologies H3C Intelligent Management Center User Manual


some value patterns to match any character or character string. For example, the filter (cn=He*) matches any entry that has a cn attribute value that starts with He.

You can use an advanced filter in the format (operator(attribute1=value)(attribute2=value)) or (operator(attribute1=value)(operator(attribute2=value))). The operator can be AND (&), OR (|), or NOT (!). For example, the filter (&(objectclass=a*)(!(cn=b*))) enables UAM to synchronize any entry that has an objectclass attribute value starting with a but a cn attribute value not starting with b. The default filter is (&(objectclass=*)(cn=*)), which matches entries that have any objectclass attribute value and any cn attribute value.

To filter out expired users, use the following filter conditions:

| Filter condition | Meaning |
|---|---|
| accountExpires>=now | Do not synchronize expired users. |
| accountExpires<=now | Synchronize expired users only. |
| accountExpires>=now+n | Do not synchronize users that are already expired and will be expired in n days. |
| accountExpires>=now-n | Do not synchronize users that have been expired for n days. |
| accountExpires<=now+n | Synchronize users that are already expired and will be expired in n days. |
| accountExpires<=now-n | Synchronize users that have been expired for n days. |
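Before enabling a synchronization policy, it helps to preview which directory entries its filter selects. The following is an added example, not code from the manual or from IMC: a small evaluator for the advanced filter format described above (the &, |, and ! operators with the * wildcard), run over constructed sample entries. The function names, the sample data, and case-insensitive value matching are assumptions, and the accountExpires conditions are not covered.

```python
import re

def _parse(f, i):
    """Parse one parenthesized filter starting at f[i]; return (node, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":                      # operator group: (&...), (|...), (!...)
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' group")
        return (op, kids), i + 1
    end = f.index(")", i)                  # simple item: (attribute=value)
    attr, sep, value = f[i:end].partition("=")
    if not sep or not attr or "(" in value:
        raise ValueError(f"malformed item at offset {i}")
    return ("=", attr.lower(), value), end + 1

def parse_filter(text):
    try:
        node, end = _parse(text, 0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, attrs):
    if node[0] == "=":
        # '*' matches any character string; comparison is case-insensitive (assumption).
        rx = ".*".join(re.escape(part) for part in node[2].split("*"))
        return any(re.fullmatch(rx, v, re.I | re.S) for v in attrs.get(node[1], []))
    op, kids = node
    results = [matches(k, attrs) for k in kids]
    return not results[0] if op == "!" else (all(results) if op == "&" else any(results))

def preview(filter_text, entries):
    """Return the names of the constructed entries the filter would select."""
    tree = parse_filter(filter_text)
    return [name for name, attrs in entries if matches(tree, attrs)]

# Constructed sample directory entries (not from the manual); keys are lowercase.
ENTRIES = [
    ("helen", {"cn": ["Helen"], "objectclass": ["account"]}),
    ("bob", {"cn": ["bob"], "objectclass": ["account"]}),
    ("svc-backup", {"cn": ["svc-backup"], "objectclass": ["person"]}),
    ("no-cn", {"objectclass": ["applicationProcess"]}),
]

if __name__ == "__main__":
    for flt in ("(cn=He*)", "(&(objectclass=a*)(!(cn=b*)))", "(&(objectclass=*)(cn=*))"):
        print(flt, "->", preview(flt, ENTRIES))
```

In the constructed data, the entry that has no cn attribute is selected by (&(objectclass=a*)(!(cn=b*))), because the NOT clause is true when the attribute is absent, while the default filter excludes it.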

• State—Select Valid or Invalid from the list to enable or disable the policy. Disabling the policy does not affect users that have been synchronized to UAM. They can continue to use the authentication service and self-service. To re-enable a policy, examine the additional user information fields in the policy to make sure they exist in the IMC platform and change the policy state to Valid.

• Sync Object—Select a user type, Access Users or Device Users, from the list. Select Access User to synchronize users from the LDAP server to UAM as access users. Select Device Users to synchronize users from the LDAP server to UAM as device management users. Select Access User in this example.

To avoid synchronization errors, all synchronization policies change to the invalid state when the additional user information field settings are added, modified, or deleted in the user management module of the IMC platform.

• Sync Options-Auto synchronization—Select this option to execute the policy every day to synchronize all matching users to UAM. The execution time depends on the system settings for scheduled daily tasks. For more information, see "32 Configuring global system settings."

• Sync Options-Synchronize Users as Needed—Select this option to have UAM synchronize a new policy-matching user from the server only after the user passes authentication. This option and the automatic synchronization option are mutually exclusive. If you have a limited number of licenses, use this option to save user licenses.

• Sync Options-Synchronize New Users and Accounts—Select this option to have UAM synchronize users that are not in the IMC platform's user database from the LDAP server, add these users to the IMC platform and create associated access user accounts in UAM. If this option is not selected, UAM does not synchronize users that are not in the IMC platform. This option is mutually exclusive with the Synchronize Users as Needed option.

• Sync Options-Synchronize New Accounts of Existing Users—Select this option to have UAM add associated access user accounts in UAM for users that exist both in the IMC platform's user
