
Privacera Documentation

UserSync LDAP connector properties

A) LDAP Connector Info

| Property | Description | Example |
|---|---|---|
| LDAP_CONNECTOR | Name of the connector. | ad |
| LDAP_ENABLED | Enabled status of the connector: true or false. | true |
| LDAP_SERVICE_TYPE | Service type: ldap or ad. | ad |
| LDAP_DATASOURCE_NAME | Name of the datasource: ldap or ad. | ad |
| LDAP_URL | URL of the source LDAP server. | ldap://example.us:389 |
| LDAP_BIND_DN | DN used to bind to LDAP and then query for users and groups. | CN=Example User,OU=sales,DC=ad,DC=sales,DC=us |
| LDAP_BIND_PASSWORD | LDAP bind password for the bind DN specified above. | |
| LDAP_AUTH_TYPE | Authentication type; the default is simple. | simple |
| LDAP_REFERRAL | LDAP context referral handling: ignore or follow. Default value is follow. | follow |
| LDAP_SYNC_INTERVAL | Frequency of UserSync pulls and audit records, in seconds. Default value is 3600, minimum value is 300. | 3600 |

B) Enable SSL for LDAP Server

Note: Support Chain SSL - Preview Functionality

Previously, Privacera services used only one SSL certificate of the LDAP server even if a chain of certificates was available. Now, as a Preview functionality, all the certificates available in the certificate chain are imported into the truststore. This applies to the Privacera UserSync, Ranger UserSync and Portal SSL certificates.

| Property | Description | Example |
|---|---|---|
| PRIVACERA_USERSYNC_SYNC_LDAP_SSL_ENABLED | Enable or disable SSL for the Privacera UserSync connection to LDAP. | true |
| PRIVACERA_USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS | Set this property if you want Privacera Manager to generate a truststore for your SSL-enabled LDAP server. | true |
| PRIVACERA_USERSYNC_AUTH_SSL_ENABLED | Set this property if the other Privacera services are not SSL enabled and you are using an SSL-enabled LDAP server. | true |

C) LDAP Search

| Property | Description | Example |
|---|---|---|
| LDAP_SEARCH_GROUP_FIRST | Search for groups first, before searching for users. | true |
| LDAP_SEARCH_BASE | Search base for users and groups. | DC=ad,DC=sales,DC=us |
| LDAP_SEARCH_USER_BASE | Search base for users. | ou=example,dc=ad,dc=sales,dc=us |
| LDAP_SEARCH_USER_SCOPE | Search scope for users: base, one or sub. Default value is sub. | sub |
| LDAP_SEARCH_USER_FILTER | Optional additional filter constraining the users selected for syncing. | |
| LDAP_SEARCH_USER_GROUPONLY | Boolean: load only users that are members of groups. | false |
| LDAP_ATTRIBUTE_ONLY | Sync only the attributes of users already synced from other services. | false |
| LDAP_SEARCH_INCREMENTAL_ENABLED | Enable incremental search, syncing only changes since the last search. | false |
| LDAP_PAGED_RESULTS_ENABLED | Enable the paged results control for LDAP searches. Default is true. | true |
| LDAP_PAGED_CONTROL_CRITICAL | Set the paged results control criticality to CRITICAL. Default is true. | true |
| LDAP_SEARCH_GROUP_BASE | Search base for groups. | ou=example,dc=ad,dc=sales,dc=us |
| LDAP_SEARCH_GROUP_SCOPE | Search scope for groups: base, one or sub. Default value is sub. | sub |
| LDAP_SEARCH_GROUP_FILTER | Optional additional filter constraining the groups selected for syncing. | |
| LDAP_SEARCH_CYCLES_BETWEEN_DELETED_DETECTION | Number of sync cycles between deleted-entry searches. Default value is 6. | 6 |
| LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS | Enables both the user and the group deleted search. Default is false. | false |
| LDAP_SEARCH_DETECT_DELETED_USERS | Override setting for the user deleted search. Defaults to the value of LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS. | LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS |
| LDAP_SEARCH_DETECT_DELETED_GROUPS | Override setting for the group deleted search. Defaults to the value of LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS. | LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS |
| LDAP_SEARCH_READ_TIMEOUT_MS | LDAP search read timeout in milliseconds. Default value is 3600000. | 3600000 |

D) LDAP Manage/Ignore List of Users/Groups

| Property | Description | Example |
|---|---|---|
| LDAP_MANAGE_USER_LIST | List of users to manage from the sync results. If this list is defined, all users not on this list are ignored. | |
| LDAP_IGNORE_USER_LIST | List of users to ignore from the sync results. | |
| LDAP_MANAGE_GROUP_LIST | List of groups to manage from the sync results. If this list is defined, all groups not on this list are ignored. | |
| LDAP_IGNORE_GROUP_LIST | List of groups to ignore from the sync results. | |

E) LDAP Object Users/Groups Class

| Property | Description | Example |
|---|---|---|
| LDAP_OBJECT_USER_CLASS | Object class that identifies user entries. | user |
| LDAP_OBJECT_GROUP_CLASS | Object class that identifies group entries. | group |

F) LDAP User/Group Attributes

| Property | Description | Example |
|---|---|---|
| LDAP_ATTRIBUTE_USERNAME | Attribute of the user entry that is treated as the user name. | SAMAccountName |
| LDAP_ATTRIBUTE_FIRSTNAME | Attribute holding the user's first name. The default is givenName. | givenName |
| LDAP_ATTRIBUTE_LASTNAME | Attribute holding the user's last name. | |
| LDAP_ATTRIBUTE_EMAIL | Attribute of the user entry that is treated as the email address. | mail |
| LDAP_ATTRIBUTE_GROUPNAMES | List of attributes of the group entry that are treated as group names. | |
| LDAP_ATTRIBUTE_GROUPNAME | Attribute of the group entry that is treated as the group name. | name |
| LDAP_ATTRIBUTE_GROUP_MEMBER | Attribute of the group entry that lists its members. | member |

G) Username/Group name Attribute Modification

| Property | Description | Example |
|---|---|---|
| LDAP_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract the username from an email address (e.g. username@domain.com -> username). Default is false. | false |
| LDAP_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to prepend to the username. Default is blank. | |
| LDAP_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to append to the username. Default is blank. | |
| LDAP_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Convert the username to lowercase. Default is false. | false |
| LDAP_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Convert the username to uppercase. Default is false. | false |
| LDAP_ATTRIBUTE_USERNAME_VALUE_REGEX | Regex used to replace the username with the matching part. Default is blank. | |
| LDAP_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL | Extract the group name from an email address. Default is false. | false |
| LDAP_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to prepend to the group name. Default is blank. | |
| LDAP_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to append to the group name. Default is blank. | |
| LDAP_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Convert the group name to lowercase. Default is false. | false |
| LDAP_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Convert the group name to uppercase. Default is false. | false |
| LDAP_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regex used to replace the group name with the matching part. Default is blank. | |
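The name-modification properties above change which identity a directory entry is synced as, so it is worth seeing how they compose and where two distinct entries can collapse into one synced principal. The following Python is an added illustration, not Privacera's code: it assumes the rules are applied in the order the table lists them, and that the REGEX rule keeps the first capture group of a match (the page does not state either detail). The sample names are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class NameRules:
    """Mirrors the LDAP_ATTRIBUTE_*_VALUE_* properties. Defaults match
    the table: boolean rules false, prefix/postfix/regex blank."""
    extract_from_email: bool = False
    prefix: str = ""
    postfix: str = ""
    to_lower: bool = False
    to_upper: bool = False
    regex: str = ""


def apply_name_rules(raw: str, rules: NameRules) -> str:
    """Apply the rules in table order (assumed; the page gives no order).
    REGEX is assumed to replace the name with its first capture group
    when the pattern matches, and to leave the name unchanged otherwise."""
    name = raw
    if rules.extract_from_email and "@" in name:
        name = name.split("@", 1)[0]            # username@domain.com -> username
    name = f"{rules.prefix}{name}{rules.postfix}"
    if rules.to_lower:
        name = name.lower()
    if rules.to_upper:                           # runs last, so wins if both flags are set
        name = name.upper()
    if rules.regex:
        m = re.search(rules.regex, name)
        if m and m.groups():
            name = m.group(1)
    return name


def find_collisions(raw_names, rules: NameRules) -> dict:
    """Return {synced_name: [raw names]} for every synced name that more
    than one source entry maps to. Two LDAP principals collapsing into one
    synced user would merge their access, so run this against the real
    attribute values before enabling TOLOWER/TOUPPER/REGEX."""
    seen: dict = {}
    for raw in raw_names:
        seen.setdefault(apply_name_rules(raw, rules), []).append(raw)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample mail values; not taken from any real directory.
SAMPLE_USERS = ["Alice.Smith@example.us", "alice.smith@example.us", "bob@example.us"]
```

With EXTRACTFROMEMAIL and TOLOWER both enabled, the first two sample entries become the same synced user, which `find_collisions` reports so the rule set can be reconsidered before the next sync cycle.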

H) Group Attribute Configuration

| Property | Description | Example |
|---|---|---|
| LDAP_GROUP_ATTRIBUTE_LIST | The list of attribute keys to read from synced groups. | |
| LDAP_GROUP_ATTRIBUTE_VALUE_PREFIX | Prefix to prepend to the values of group attributes such as the group name. | |
| LDAP_GROUP_ATTRIBUTE_KEY_PREFIX | Prefix to prepend to the keys of group attributes such as the group name. | |
| LDAP_GROUP_LEVELS | Configure Privacera UserSync with AD/LDAP nested group membership. | |