H3C Technologies H3C Intelligent Management Center User Manual

Page 396


sequence number when executing the synchronization policy. If you select Do Not Sync, enter a device sequence number in the text box next to the list.

Reassign services to the LDAP users
This area appears only when the system parameter Apply for Service by User Group is disabled.
For more information about system parameters, see "32 Configuring global system settings."

The access service list displays all services available for the users. You may select multiple services
with different suffixes. To select a service, click the box next to it.

6. Click Finish.

Modifying a policy when the service sync type is AD group based

To modify a policy for an LDAP server when its Service Sync Type is Based On Active Directory:

1. Access the LDAP synchronization policy list page.

2. Click the Modify icon for the synchronization policy you want to modify.
   The page for modifying the synchronization policy appears.

3. Modify basic policy information.

   - Service Group—Displays the service group that the LDAP synchronization policy belongs to. The system automatically populates this field with the same service group as the LDAP server.

   - Base DN—Displays the absolute path of the directory that stores user data in the LDAP server. The system automatically populates this field with the base DN specified for the LDAP server.

   - Synchronization Priority—Modify the priority of the LDAP synchronization policy. Synchronization policies with higher priority values are executed first in a scheduled synchronization task.

   - Sub-Base DN—Enter the absolute path of the subdirectory that stores user data in the LDAP server. Make sure that it is in the base DN directory or is the same as the base DN directory. UAM synchronizes the user data under the sub-base DN rather than the base DN. The DNs of attributes vary with LDAP servers. To get the correct sub-base DN path, use tools such as Softerra LDAP Administrator.

   - Filter Condition—Enter a filter to match user data you want to synchronize to UAM. The default filter is (&(objectclass=*)(cn=*)), which matches entries that have any objectclass attribute value and any cn attribute value. For information about defining a filter, see "Adding a policy when the service sync type is AD group based."

   - States—Select Valid or Invalid from the list to enable or disable the policy. Disabling the policy does not affect users that have been synchronized to UAM. They can continue to use the authentication service and self-service.

   - Sync Options-Auto synchronization—Select this option to execute the policy every day to synchronize all matching users to UAM. The execution time depends on the system settings for scheduled daily tasks. For more information, see "32 Configuring global system settings."

   - Sync Options-Synchronize Users as Needed—Select this option to have UAM synchronize a new policy-matching user from the server only after the user passes authentication. This option and the Synchronize New Users and Accounts option are mutually exclusive. If you have a limited number of licenses, use this option to save user licenses. To avoid synchronization errors, see "Configure basic policy information."

   - Sync Options-Synchronize New Users and Accounts—Select this option to have UAM synchronize users that are not in the IMC platform's user database from the LDAP server, add these users to the IMC platform and create associated access user accounts in the UAM
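
The Sub-Base DN and Filter Condition fields above decide which directory entries a policy brings into UAM. The following is an added example, not part of the H3C manual or of IMC: it checks RDN by RDN that a sub-base DN is in (or the same as) the base DN, then lists which constructed sample entries the default filter selects. The function names, the example.com DNs, case-insensitive value comparison and the presence-only filter handling are assumptions made for illustration.

```python
import re

def split_dn(dn):
    """Split a DN into lower-cased (attr, value) RDNs; a backslash escapes the next char."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc or ch == "\\":
            cur, esc = cur + ch, not esc
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [tuple(s.strip().lower() for s in p.partition("=")[::2]) for p in parts]

def is_within(dn, base_dn):
    """True if dn equals base_dn or lies beneath it (suffix match on whole RDNs)."""
    sub, base = split_dn(dn), split_dn(base_dn)
    return len(sub) >= len(base) and sub[len(sub) - len(base):] == base

def presence_attrs(ldap_filter):
    """Attributes tested as (attr=*); assumes an AND-of-presence filter like the default."""
    return [a.lower() for a in re.findall(r"\(([A-Za-z0-9.-]+)=\*\)", ldap_filter)]

def in_sync_scope(entries, base_dn, sub_base_dn, ldap_filter):
    """DNs under the sub-base DN that carry every attribute the filter requires."""
    if not is_within(sub_base_dn, base_dn):
        raise ValueError("sub-base DN is not inside the base DN")
    wanted = presence_attrs(ldap_filter)
    return [dn for dn, attrs in entries
            if is_within(dn, sub_base_dn)
            and all(a in {k.lower() for k in attrs} for a in wanted)]

DEFAULT_FILTER = "(&(objectclass=*)(cn=*))"  # default filter quoted in the manual
ENTRIES = [  # constructed sample directory entries, not real data
    ("OU=Staff,DC=example,DC=com", {"objectClass": ["organizationalUnit"], "ou": ["Staff"]}),
    ("CN=Alice Smith,OU=Staff,DC=example,DC=com", {"objectClass": ["user"], "cn": ["Alice Smith"]}),
    ("CN=svc-backup,OU=Staff,DC=example,DC=com", {"objectClass": ["user"], "cn": ["svc-backup"]}),
    ("CN=Bob Lee,OU=Contractors,DC=example,DC=com", {"objectClass": ["user"], "cn": ["Bob Lee"]}),
]

if __name__ == "__main__":
    for dn in in_sync_scope(ENTRIES, "DC=example,DC=com",
                            "OU=Staff,DC=example,DC=com", DEFAULT_FILTER):
        print(dn)
```

With the default filter, the constructed service account svc-backup is selected alongside Alice Smith, while the OU entry itself is skipped because it has no cn attribute.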
