Adding an ldap synchronization policy – H3C Technologies H3C Intelligent Management Center User Manual


- CLI Access Not Supported—Device users can log in to a device, but cannot execute any command on it.

An empty field indicates that no authorization policy is specified for the device users, and that the users use the authorization policy assigned to the device user group to which the user belongs. If different authorization policies are assigned to a device user and the device user group, the policy configured for the device user takes effect.

4. To return to the Sync Policy list, click Back.

Adding an LDAP synchronization policy

To add an LDAP synchronization policy:

1. Click the User tab.

2. On the navigation tree, select Device User Policy > LDAP Service > Sync Policies. The Sync Policy list displays all LDAP synchronization policies.

3. In the Sync Policy list area, click Add.

4. Configure basic information for the synchronization policy:

   - Policy Name—Enter a unique name for the synchronization policy.

   - Server Name—Select the LDAP server to which you want to assign the policy. Available options are all LDAP servers that are configured in TAM.

   - Base DN—The system automatically populates this field with the absolute path of the directory that stores user data on the LDAP server.

   - Sub-Base DN—Enter the absolute path of the subdirectory that stores user data on the LDAP server. Make sure it is in the Base DN directory or is the same as the Base DN directory. TAM synchronizes the user data under Sub-Base DN rather than Base DN. DN attributes vary with LDAP servers. To get the correct Sub-Base DN path, use tools such as Softerra LDAP Administrator.

   - Filter Condition—Enter a filter to match the user data you want to synchronize to TAM. The most basic filter takes the format (attribute=value), where you can use the wildcard asterisk (*) in the value pattern to match any character or character string. For example, the filter (cn=He*) matches any entry that has a cn attribute value that starts with He.
     You can also use a complex filter in the format (operator(attribute1=value)(attribute2=value)) or (operator(attribute1=value)(operator(attribute2=value))) for advanced filtering. The operator can be AND (&), OR (|), or NOT (!). For example, the filter (&(objectclass=a*)(!(cn=b*))) enables TAM to synchronize any entry that has an objectclass attribute value starting with a and a cn attribute value not starting with b.
     The default filter varies with the LDAP server type. Server type options are:
     - Microsoft AD—The default filter is (&(objectclass=user)(sAMAccountName=*)).
     - General—The default filter is (&(objectclass=*)(cn=*)).

   - Auto synchronization—Execute the policy daily to synchronize all matching users to TAM. The automatic execution time depends on the system parameter LDAP Synchronization Time. For more information about configuring system parameters, see "Configuring system parameters."

   - On-Demand Sync—TAM synchronizes a new user from the LDAP server only after the user passes authentication.
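The Filter Condition syntax described in step 4, as an added example that is not part of the manual or of TAM: a small Python evaluator for (attribute=value) filters with the * wildcard and the &, | and ! operators, run over a constructed sample directory so that a filter can be checked for exactly which entries it would pull into TAM before the policy is saved. The entries, DNs and attribute values are constructed; the computer object is given objectClass user as well, as AD does, which is why the default Microsoft AD filter also selects it.

```python
import re

def _parse(s, i):
    # Parse one parenthesised filter component starting at s[i]; return (node, index after ')')
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    if s[i + 1:i + 2] in ("&", "|", "!"):  # AND / OR / NOT applied to the sub-filters that follow
        op, i, children = s[i + 1], i + 2, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed compound filter")
        return (op, children), i + 1
    end = s.index(")", i)  # raises ValueError when the closing parenthesis is missing
    attr, _, value = s[i + 1:end].partition("=")
    if not attr or not value:
        raise ValueError("expected (attribute=value)")
    return ("=", attr.lower(), value), end + 1

def parse_filter(text):
    node, end = _parse(text.strip(), 0)
    if end != len(text.strip()):
        raise ValueError("unexpected trailing characters in filter")
    return node

def _value_matches(pattern, value):
    # '*' in the value pattern stands for any character string; comparison is case-insensitive
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def matches(node, entry):
    # entry maps lower-cased attribute names to lists of string values
    if node[0] == "=":
        values = entry.get(node[1], [])
        return bool(values) if node[2] == "*" else any(_value_matches(node[2], v) for v in values)
    hits = [matches(child, entry) for child in node[1]]
    return all(hits) if node[0] == "&" else any(hits) if node[0] == "|" else not hits[0]

def select_entries(filter_text, entries):
    """Return the DNs that a sync policy with this Filter Condition would pull into TAM."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(tree, {k.lower(): v for k, v in e.items() if k != "dn"})]

SAMPLE = [  # constructed sample directory, not real data; as in AD, the computer object also carries objectClass user
    {"dn": "cn=He Wei,ou=staff,dc=example,dc=com", "cn": ["He Wei"], "objectClass": ["person", "user"], "sAMAccountName": ["hewei"]},
    {"dn": "cn=BUILD01,ou=hosts,dc=example,dc=com", "cn": ["BUILD01"], "objectClass": ["person", "user", "computer"], "sAMAccountName": ["BUILD01$"]},
    {"dn": "cn=svc-backup,ou=svc,dc=example,dc=com", "cn": ["svc-backup"], "objectClass": ["account"]},
    {"dn": "cn=bwong,ou=svc,dc=example,dc=com", "cn": ["bwong"], "objectClass": ["account"]},
]
```

Running the default Microsoft AD filter over SAMPLE returns the computer account as well as the person; adding (!(objectClass=computer)) with the & operator from the manual narrows the policy to the users that should actually be synchronized.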
