H3C Technologies H3C Intelligent Management Center User Manual

Page 386


• Filter Condition—Enter an LDAP search filter that selects the user entries to synchronize to UAM. The most basic filter takes the form (attribute=value), where the asterisk (*) wildcard in the value pattern matches any character or character string. For example, the filter (cn=He*) matches any entry whose cn attribute value starts with He.
You can use an advanced filter in the format (operator(attribute1=value)(attribute2=value)) or (operator(attribute1=value)(operator(attribute2=value))). The operator can be AND (&), OR (|), or NOT (!). For example, the filter (&(objectclass=a*)(!(cn=b*))) makes UAM synchronize any entry whose objectclass attribute value starts with a and whose cn attribute value does not start with b. The default filter is (&(objectclass=*)(cn=*)), which matches every entry that has an objectclass attribute and a cn attribute. Keep the filter as narrow as the deployment allows: every entry it matches can become a UAM user and consume a user license.

• State—Select Valid or Invalid from the list to enable or disable the policy. Disabling the policy does not affect users that have already been synchronized to UAM; they can continue to use the authentication service and self-service. Setting the policy to Invalid therefore stops future synchronization but does not revoke access for users already synchronized.

• Sync Object—Select Access Users or Device Users from the list. Select Access Users to synchronize users from the LDAP server to UAM as access users. Select Device Users to synchronize users from the LDAP server to UAM as device management users. In this example, Access Users is selected. To avoid synchronization errors, see "Configure basic policy information."

• Sync Options-Auto synchronization—Select this option to execute the policy every day and synchronize all matching users to UAM. The execution time depends on the system settings for scheduled daily tasks. For more information, see "32 Configuring global system settings."

• Sync Options-Synchronize Users as Needed—Select this option to have UAM synchronize a new policy-matching user from the LDAP server only after that user passes authentication. This option and Auto synchronization are mutually exclusive. If you have a limited number of licenses, use this option to save user licenses, because only users who actually authenticate are created in UAM.

• Sync Options-Synchronize New Users and Accounts—Select this option to have UAM synchronize users that exist on the LDAP server but not in the IMC platform's user database, add those users to the IMC platform, and create the associated access user accounts in UAM. If this option is not selected, UAM does not synchronize users that are not already in the IMC platform. This option is mutually exclusive with Synchronize Users as Needed.

• Sync Options-Synchronize New Accounts of Existing Users—Select this option to have UAM add access user accounts for users that exist in both the IMC platform's user database and the LDAP server but do not yet have access accounts in UAM. If this option is not selected, UAM does not add access accounts for such users.
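Before pointing a sync policy at a production directory it helps to see which entries a Filter Condition actually selects. The evaluator below is an added example written for this page; it is not H3C code and not the parser UAM uses. It implements the (attribute=value), *, &, | and ! syntax described in the Filter Condition item and runs it against a constructed set of directory entries. It assumes attribute names and values compare case-insensitively, as AD does for cn, and it leaves out the escaping and the ~=, >=, <= and extensible-match forms of RFC 4515 that the field documentation does not mention.

```python
"""Evaluate UAM-style LDAP filters against sample directory entries.

Added example, not H3C code: shows which entries a Filter Condition
selects, so a policy can be checked before it creates users (and
consumes licenses) in UAM.
"""
import re


def _value_regex(pattern):
    """Turn a value pattern into a regex: '*' matches any string,
    everything else is literal.  Case-insensitive (assumption: AD
    compares cn and similar attributes without regard to case)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_filter(text):
    """Parse a filter into a tuple tree:
    ('=', attr, regex) | ('&', [nodes]) | ('|', [nodes]) | ('!', node)."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f"unexpected text after filter at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":                      # AND / OR over one or more items
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError(f"'{op}' needs at least one operand")
        return (op, children), _close(s, i)
    if s[i] == "!":                       # NOT over exactly one item
        child, i = _parse(s, i + 1)
        return ("!", child), _close(s, i)
    end = s.find(")", i)                  # simple (attribute=value) item
    if end < 0:
        raise ValueError("missing ')'")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad item {s[i:end]!r}")
    return ("=", attr.lower(), _value_regex(value)), end + 1


def _close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def matches(node, entry):
    """entry: dict of attribute name -> list of string values."""
    kind = node[0]
    if kind == "=":
        attr, rx = node[1], node[2]
        values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
        return any(rx.match(v) for v in values)
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1], entry)    # "!"


def select(filter_text, entries):
    """Return the cn of every entry the filter would synchronize, in order."""
    node = parse_filter(filter_text)
    return [e["cn"][0] for e in entries if matches(node, e)]


# Constructed sample of what a search base might return; not real data.
SAMPLE_ENTRIES = [
    {"cn": ["Helen Zhang"], "objectClass": ["top", "person", "user"]},
    {"cn": ["Henry Li"], "objectClass": ["top", "person", "user"]},
    {"cn": ["Bob Wang"], "objectClass": ["top", "person", "user"]},
    {"cn": ["svc-backup"], "objectClass": ["top", "person", "user"]},
    {"cn": ["Printers"], "objectClass": ["top", "group"]},
]

if __name__ == "__main__":
    for f in ("(cn=He*)", "(&(objectclass=*)(cn=*))",
              "(&(objectClass=user)(!(cn=svc-*)))"):
        print(f, "->", select(f, SAMPLE_ENTRIES))
```

Run as-is to compare the default filter with a narrowed one: the default (&(objectclass=*)(cn=*)) also selects the Printers group entry and the svc-backup account, so only the filter keeps such entries out of the sync.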

4. Click Next to assign services to AD groups.

5. Assign services to AD groups.
AD groups are organized in a tree hierarchy, see Figure 101. Depending on your configuration, a user may use the service assigned to a specific AD group in the chain of AD groups above the user's own group. The service assignment page includes two areas: Basic Information and Group & Service Configuration List.
Basic Info

• Default Service—Select a default service for the LDAP users. This service is assigned to an LDAP user only if no service has been assigned to any AD group available to that user.

• Service Query Level—Select the number of AD group layers to search for services for the LDAP users. Options are 1 to 5. The AD group that directly contains the user is Layer 1. UAM starts the search at the Layer 1 AD group and moves up the hierarchy until it finds a service assigned to an AD group or reaches the specified top layer. If no service is found within the searched layers, the Default Service applies.
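The lookup order the Default Service and Service Query Level items describe, as an added example written for this page (not H3C code). The group tree, parent links and service names are constructed, and nested AD groups are modelled as a single parent chain, which is an assumption of this model.

```python
"""Model of UAM's service lookup: walk from the user's AD group
(Layer 1) up its parents, take the first service found, stop at the
configured top layer, and fall back to the Default Service.

Added example, not H3C code; all names below are constructed.
"""

# Constructed parent links: child group -> parent group (None = top of tree).
GROUP_PARENT = {
    "CN=Sales-East": "CN=Sales",
    "CN=Sales": "CN=Staff",
    "CN=Staff": "CN=All-Users",
    "CN=All-Users": None,
}

# Constructed Group & Service Configuration List: group -> assigned service.
GROUP_SERVICE = {
    "CN=Staff": "Standard-Access",
    "CN=All-Users": "Guest-Only",
}


def resolve_service(user_group, query_level, default_service,
                    parents=GROUP_PARENT, assignments=GROUP_SERVICE):
    """Return (service, group_it_came_from, layer).

    group_it_came_from and layer are None when the Default Service is used.
    """
    if not 1 <= query_level <= 5:
        raise ValueError("Service Query Level must be 1 to 5")
    group = user_group
    for layer in range(1, query_level + 1):
        if group is None:                 # ran off the top of the tree
            break
        if group in assignments:          # nearest assigned group wins
            return assignments[group], group, layer
        group = parents.get(group)        # move one layer up
    return default_service, None, None


if __name__ == "__main__":
    for level in (1, 2, 3, 5):
        print(level, resolve_service("CN=Sales-East", level, "Default-Service"))
```

With the sample tree, a user in CN=Sales-East gets the Default Service at levels 1 and 2 and Standard-Access from CN=Staff at level 3 and above; Guest-Only on CN=All-Users is never reached because the search stops at the first group that has a service.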
