Advanced Configuration for LDAP/AD UserSync Connector
UserSync LDAP connector properties
LDAP Connector Info
Property | Description | Example |
---|---|---|
LDAP_CONNECTOR | Name of the connector. | ad |
LDAP_ENABLED | Enabled status of connector: true or false | true |
LDAP_SERVICE_TYPE | Set a service type: ldap or ad | ad |
LDAP_URL | URL of source LDAP. | ldap://example.us:389 |
LDAP_BIND_DN | Property is used to connect to LDAP and then query for users and groups. | CN=Example User,OU=sales,DC=ad,DC=sales,DC=us |
LDAP_BIND_PASSWORD | LDAP bind password for the bind DN specified above. | |
LDAP_REFERRAL | Set the LDAP context referral: ignore or follow. | follow |
LDAP_SYNC_INTERVAL | Frequency of UserSync pulls and audit records in seconds. Default value is 3600, minimum value is 300. | 3600 |
Enable SSL for LDAP Server
Property | Description | Default |
---|---|---|
PRIVACERA_USERSYNC_SYNC_LDAP_SSL_ENABLED | Set this property to enable/disable SSL for Privacera Usersync. | true |
PRIVACERA_USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS | Set this property if you want Privacera Manager to generate a truststore for your SSL-enabled LDAP server. | true |
PRIVACERA_USERSYNC_AUTH_SSL_ENABLED | Set this property when the other Privacera services are not SSL-enabled but you are using an SSL-enabled LDAP server. | true |
LDAP Search
Property | Description | Default |
---|---|---|
LDAP_SEARCH_USER_BASE | Search base for users. | ou=example,dc=ad,dc=sales,dc=us |
LDAP_SEARCH_USER_SCOPE | Set the value for search scope for the users: base, one or sub. | sub |
LDAP_SEARCH_USER_FILTER | Optional additional filter constraining the users selected for syncing. | |
LDAP_SEARCH_USER_GROUPONLY | Syncs only the users who are members of groups synced by the service. | true |
LDAP_SEARCH_GROUP_BASE | Search base for groups. | ou=example,dc=ad,dc=sales,dc=us |
LDAP_SEARCH_GROUP_SCOPE | Set the value for search scope for the groups: base, one or sub. | sub |
LDAP_SEARCH_GROUP_FILTER | Optional additional filter constraining the groups selected for syncing. | |
LDAP_ATTRIBUTE_ONLY | Sync only the attributes of users already synced from other services. | false |
LDAP_SEARCH_INCREMENTAL_ENABLED | Enable incremental search. Syncing changes only since last search. | true |
LDAP_PAGED_RESULTS_ENABLED | Enable paged results control for LDAP Searches. | true |
LDAP_PAGED_CONTROL_CRITICAL | Set paged results control criticality to CRITICAL. | true |
LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS | Enables both user and group deleted searches. | false |
LDAP_SEARCH_CYCLES_BETWEEN_DELETED_DETECTION | Number of sync cycles between deleted-entry searches. | 6 |
LDAP_SEARCH_DETECT_DELETED_USERS | Override setting for user deleted search. | {{LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS}} |
LDAP_SEARCH_DETECT_DELETED_GROUPS | Override setting for group deleted search. | {{LDAP_SEARCH_DETECT_DELETED_USERS_GROUPS}} |
LDAP_SEARCH_READ_TIMEOUT_MS | Set LDAP search read timeout in milliseconds. | 3600000 |
LDAP_GROUP_LEVELS | Configure Privacera UserSync with AD/LDAP nested group membership. | 10 |
LDAP Manage/Ignore List of Users/Groups
Property | Description | Default |
---|---|---|
LDAP_MANAGE_USER_LIST | List of users to manage from sync results. If this list is defined, all users not on this list will be ignored. | |
LDAP_IGNORE_USER_LIST | List of users to ignore from sync results. | |
LDAP_MANAGE_GROUP_LIST | List of groups to manage from sync results. If this list is defined, all groups not on this list will be ignored. | |
LDAP_IGNORE_GROUP_LIST | List of groups to ignore from sync results. | |
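As an added walk-through (not the connector's own code), the following shows how LDAP_GROUP_LEVELS, LDAP_SEARCH_USER_GROUPONLY and the manage/ignore lists above interact on a constructed directory that contains a nested-group cycle. The order "manage list, then ignore list", the "ignore wins over manage" rule, and walking nested groups even through a group the ignore list drops are assumptions of this example, since the page does not spell them out.

```python
# Constructed sample directory (not real data). Groups are keyed by DN and
# 'member' lists DNs of users or other groups; grp-eng and grp-dev nest each
# other, the cycle a bounded membership walk must survive.
def dn(cn, ou):
    return f"CN={cn},OU={ou},DC=example,DC=us"
GROUPS = {
    dn("grp-eng", "groups"): {"name": "grp-eng", "member": [dn("alice", "users"), dn("grp-dev", "groups")]},
    dn("grp-dev", "groups"): {"name": "grp-dev", "member": [dn("bob", "users"), dn("grp-eng", "groups")]},
    dn("grp-hr", "groups"): {"name": "grp-hr", "member": [dn("carol", "users")]},
}
USERS = {dn(u, "users"): u for u in ("alice", "bob", "carol", "dave")}  # dave: no group
CONFIG = {  # the subset of connector properties this walk-through models
    "LDAP_GROUP_LEVELS": 10,
    "LDAP_SEARCH_USER_GROUPONLY": True,
    "LDAP_MANAGE_USER_LIST": [],            # empty manage list = no allow-list
    "LDAP_IGNORE_USER_LIST": ["bob"],
    "LDAP_MANAGE_GROUP_LIST": ["grp-eng", "grp-dev"],
    "LDAP_IGNORE_GROUP_LIST": ["grp-dev"],  # assumed: ignore wins over manage
}

def members(group_dn, groups, levels, path=()):
    """User DNs reachable from group_dn, following nested groups at most
    `levels` deep (LDAP_GROUP_LEVELS) and never re-entering a group already
    on the current path, so a membership cycle cannot loop forever."""
    found, path = set(), path + (group_dn,)
    for m in groups[group_dn]["member"]:
        if m not in groups:                    # leaf entry: a user DN
            found.add(m)
        elif levels > 0 and m not in path:     # nested group, budget remains
            found |= members(m, groups, levels - 1, path)
    return found

def select(names, manage, ignore):
    """Manage list is an allow-list (empty = keep everything), then the
    ignore list removes entries (assumed order for this example)."""
    keep = set(names) & set(manage) if manage else set(names)
    return keep - set(ignore)

def sync_plan(cfg, groups=GROUPS, users=USERS):
    """Return (sorted user names, {group: sorted members}) one cycle pushes."""
    group_names = select([g["name"] for g in groups.values()],
                         cfg["LDAP_MANAGE_GROUP_LIST"], cfg["LDAP_IGNORE_GROUP_LIST"])
    resolved = {g["name"]: {users[m] for m in members(g_dn, groups, cfg["LDAP_GROUP_LEVELS"])
                            if m in users}   # drop members that are not user entries
                for g_dn, g in groups.items() if g["name"] in group_names}
    candidates = (set().union(*resolved.values()) if cfg["LDAP_SEARCH_USER_GROUPONLY"]
                  else set(users.values()))
    user_names = select(candidates, cfg["LDAP_MANAGE_USER_LIST"], cfg["LDAP_IGNORE_USER_LIST"])
    return sorted(user_names), {g: sorted(m & user_names) for g, m in resolved.items()}
```

Note that with LDAP_GROUP_LEVELS set to 0 the user reachable only through the nested grp-dev drops out of grp-eng, and with the group-only flag off the user in no group at all (dave) is synced too.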
LDAP Object Users/Groups Class
Property | Description | Default |
---|---|---|
LDAP_OBJECT_USER_CLASS | Objectclass to identify user entries. | user |
LDAP_OBJECT_GROUP_CLASS | Objectclass to identify group entries. | group |
LDAP User/Group Attributes
Property | Description | Default |
---|---|---|
LDAP_ATTRIBUTE_USERNAME | Attribute from user entry that would be treated as user name. | SAMAccountName |
LDAP_ATTRIBUTE_FIRSTNAME | Attribute of a user’s first name. The default is givenName. | givenName |
LDAP_ATTRIBUTE_LASTNAME | Attribute of a user’s last name. | sn |
LDAP_ATTRIBUTE_EMAIL | Attribute from user entry that would be treated as email. | mail |
LDAP_ATTRIBUTE_GROUPNAME | Attribute from group entry that would be treated as group name. | name |
LDAP_ATTRIBUTE_GROUP_MEMBER | Attribute from group entry that is list of members. | member |
LDAP User/Group Attributes Modification
Property | Description | Default |
---|---|---|
LDAP_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL | Extract username from an email address. (e.g. username@domain.com -> username). | false |
LDAP_ATTRIBUTE_USERNAME_VALUE_PREFIX | Prefix to prepend to the username. Default is blank. | |
LDAP_ATTRIBUTE_USERNAME_VALUE_POSTFIX | Postfix to append to the username. Default is blank. | |
LDAP_ATTRIBUTE_USERNAME_VALUE_TOLOWER | Convert the username to lowercase. | false |
LDAP_ATTRIBUTE_USERNAME_VALUE_TOUPPER | Convert the username to uppercase. | false |
LDAP_ATTRIBUTE_USERNAME_VALUE_REGEX | Regular expression applied to the username to replace the matching text. | |
LDAP_ATTRIBUTE_GROUPNAME_VALUE_EXTRACTFROMEMAIL | Extract the group name from an email address. | false |
LDAP_ATTRIBUTE_GROUPNAME_VALUE_PREFIX | Prefix to prepend to the group's name. | |
LDAP_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX | Postfix to append to the group's name. | |
LDAP_ATTRIBUTE_GROUPNAME_VALUE_TOLOWER | Convert the group name to lowercase. | false |
LDAP_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER | Convert the group name to uppercase. | false |
LDAP_ATTRIBUTE_GROUPNAME_VALUE_REGEX | Regular expression applied to the group name to replace the matching text. | |
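An added example (not the connector's own code) of the username and group-name modifiers above applied to constructed directory values, plus a check a practitioner wants before enabling them: two distinct directory accounts that fold to the same synced name would merge their entitlements. The order in which the modifiers are applied and the (pattern, replacement) form used for the REGEX property are assumptions of this example; the page does not define either.

```python
import re

# Constructed connector settings for this example (not a real deployment).
# REGEX is modelled as a (pattern, replacement) pair: the page does not give
# the property's syntax, so that form is an assumption of this example.
CONFIG = {
    "LDAP_ATTRIBUTE_USERNAME_VALUE_EXTRACTFROMEMAIL": True,
    "LDAP_ATTRIBUTE_USERNAME_VALUE_REGEX": (r"\.", "_"),   # a.jones -> a_jones
    "LDAP_ATTRIBUTE_USERNAME_VALUE_TOLOWER": True,
    "LDAP_ATTRIBUTE_USERNAME_VALUE_PREFIX": "ad_",
    "LDAP_ATTRIBUTE_GROUPNAME_VALUE_TOUPPER": True,
    "LDAP_ATTRIBUTE_GROUPNAME_VALUE_POSTFIX": "_grp",
}

def normalize_name(value, cfg, kind="USERNAME"):
    """Apply the LDAP_ATTRIBUTE_<kind>_VALUE_* modifiers to one directory value.
    The order used here (extract from email, regex, case folding, then
    prefix/postfix) is assumed for this example; the page does not fix it."""
    key = lambda mod: f"LDAP_ATTRIBUTE_{kind}_VALUE_{mod}"
    if cfg.get(key("EXTRACTFROMEMAIL")) and "@" in value:
        value = value.split("@", 1)[0]          # username@domain.com -> username
    if cfg.get(key("REGEX")):
        pattern, repl = cfg[key("REGEX")]
        value = re.sub(pattern, repl, value)
    if cfg.get(key("TOLOWER")):
        value = value.lower()
    if cfg.get(key("TOUPPER")):
        value = value.upper()
    return cfg.get(key("PREFIX"), "") + value + cfg.get(key("POSTFIX"), "")

def find_collisions(raw_values, cfg, kind="USERNAME"):
    """Map each normalized name to the raw directory values that produce it,
    keeping only names produced by more than one value. Two distinct
    accounts collapsing to one synced name would merge their privileges,
    so this is worth checking before enabling TOLOWER/TOUPPER or a regex."""
    seen = {}
    for raw in raw_values:
        seen.setdefault(normalize_name(raw, cfg, kind), []).append(raw)
    return {name: raws for name, raws in seen.items() if len(raws) > 1}

# Constructed sAMAccountName / mail values as a directory might return them.
RAW_USERS = ["JSmith@corp.example", "jsmith", "A.Jones@corp.example"]
```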
LDAP Custom Attribute Configuration
Property | Description | Default |
---|---|---|
LDAP_ATTRIBUTE_LIST | The list of additional attribute keys to get from synced users. | |
LDAP_ATTRIBUTE_VALUE_PREFIX | Prefix to prepend to the values of user attributes such as username. | |
LDAP_ATTRIBUTE_KEY_PREFIX | Prefix to prepend to the keys of user attributes such as username. | |
LDAP_GROUP_ATTRIBUTE_LIST | The list of attribute keys to get from synced groups. | |
LDAP_GROUP_ATTRIBUTE_VALUE_PREFIX | Prefix to prepend to the values of group attributes such as group name. | |
LDAP_GROUP_ATTRIBUTE_KEY_PREFIX | Prefix to prepend to the keys of group attributes such as group name. | |
UserSync system properties on Privacera Self-Managed and Data Plane
UserSync property | Description | Property | Default |
---|---|---|---|
PRIVACERA_USERSYNC_RANGER_URL | Address of Ranger instance. | ranger.url | http://ranger:6080 |
PRIVACERA_USERSYNC_RANGER_USERNAME | Username of Ranger user. | ranger.username | admin |
PRIVACERA_USERSYNC_RANGER_PASSWORD | Password of Ranger user. | ranger.password | admin |
PRIVACERA_USERSYNC_CONTEXT_CLASS | Implementation class used for USContext, the storage of synced users and groups. | usersync.context.class | com.privacera.usersync.context.USContextRocksDB (options: com.privacera.usersync.context.USContextRocksDB, com.privacera.usersync.context.USContextMemory) |
PRIVACERA_USERSYNC_CONTEXT_DATASOURCE_PRIORITY_LIST | Priority list of configured datasources. Sources nearest the beginning of the list will be used over sources later in the list. | usersync.context.datasource.priority.list | |
PRIVACERA_USERSYNC_DETECT_CACHE_DIFFERENCES_ENABLED | Enables cache synchronization. While UserSync reads data from an IdP, the incoming user data is kept in a cache for performance and periodically compared with the user data already synced to the Privacera portal. From that cache, UserSync pushes the IdP user data that has been reconciled with the Privacera portal to the connected applications. | usersync.detect.DifferencesBetweenCacheAndRangerForUserAndGroup.enabled | true |
PRIVACERA_USERSYNC_DETECT_CACHE_INTERVAL_SECONDS | Frequency of cache synchronization in seconds. | usersync.detect.DifferencesBetweenCacheAndRangerForUserAndGroup.intervalInSeconds | 43200 |
PRIVACERA_USERSYNC_LOADER_BULK_ENABLED | Load users to Portal in batches. | usersync.user.loader.bulk.enabled | true |
PRIVACERA_USERSYNC_LOADER_BULK_BATCHSIZE | Size of batches to load Users into Portal. | usersync.user.loader.bulk.batchsize | 100 |
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BATCH_ENABLE | Load group memberships to Portal in batches. | usersync.user.loader.update.group.memberships.batch.enable | false |
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BATCHSIZE | Size of batches to load Group memberships into Portal. | usersync.user.loader.update.group.memberships.batchsize | 1000 |
PRIVACERA_USERSYNC_STARTUP_PERFORM_OPERATIONS_ENABLED | Scan for and perform any pending operations in cache (User/Group objects) at service start-up. | usersync.startup.performoperations.enabled | true |
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_MIN | Minimum threads for processing user/group updates (<=0 will use a cached thread pool). | usersync.user.loader.process.thread.min | 1 |
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_MAX | Maximum threads for processing user/group updates (if min is <= 0, this has no effect). | usersync.user.loader.process.thread.max | 1 |
PRIVACERA_USERSYNC_LOADER_PROCESS_THREAD_KEEPALIVE_SECONDS | Keep alive time for threads processing user/group updates. | usersync.user.loader.process.thread.keepalive.seconds | 30 |
PRIVACERA_USERSYNC_SECRETS_FILE | JCEKS KeyStore File Paths | privacera.usersync.keystore.files | |
PRIVACERA_USERSYNC_SECRETS_KEYSTORE_PASSWORDS | JCEKS KeyStore Files Passwords | privacera.usersync.keystore.passwords | |
PRIVACERA_USERSYNC_SECRETS_KEYPREFIX | Secure keys alias prefix | privacera.usersync.secure.key.prefix | jceks |
PRIVACERA_USERSYNC_AUTH_SSL_TRUSTSTORE_FILE | SSL Truststore path | ssl.truststore | |
PRIVACERA_USERSYNC_AUTH_SSL_TRUSTSTORE_PASSWORD | SSL Truststore password | ssl.truststore.password | |
PRIVACERA_USERSYNC_RANGER_INIT_RETRY_INTERVAL_IN_MILLIS | Delay in milliseconds between retry attempts for initializing Ranger user loader. | usersync.user.loader.ranger.init.retryinterval.ms | 30000 |
PRIVACERA_USERSYNC_RANGER_INIT_RETRY_LIMIT | Maximum retry attempts for initializing Ranger user loader. (<0 indicates unlimited retries) | usersync.user.loader.ranger.init.retrylimit | -1 |
PRIVACERA_USERSYNC_RANGER_REQUEST_RETRY_INTERVAL_IN_MILLIS | Delay in milliseconds between retry attempts for requests to Ranger | ranger.request.retryinterval.ms | 10000 |
PRIVACERA_USERSYNC_RANGER_REQUEST_RETRY_LIMIT | Maximum retry attempts for requests to Ranger | ranger.request.retrylimit | 3 |
PRIVACERA_USERSYNC_UPDATE_GROUP_MEMBERSHIPS_BULK_ENABLED | Enable bulk update of group memberships to Ranger | usersync.user.loader.update.group.memberships.bulk.enabled | true |
PRIVACERA_USERSYNC_CONTEXT_OPEN_MAX_RETRY | Maximum retry attempts to open RocksDB cache | usersync.context.rocksdb.open.max.retry | 5 |
PRIVACERA_USERSYNC_CONTEXT_OPEN_DESTROY_ON_FAIL | Enable automatic destroy of RocksDB cache if unable to open (corrupted). Cache will be rebuilt. | usersync.context.rocksdb.open.destroyonfail | true |
PRIVACERA_USERSYNC_API_SECURITY_USER_NAME | If configured, Usersync REST APIs are available with basic auth. | usersync.api.security.user.name | |
PRIVACERA_USERSYNC_API_SECURITY_USER_PASSWORD | If configured, Usersync REST APIs are available with basic auth. | usersync.api.security.user.password | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_ROLE_PRIORITY_LIST | Priority list of roles if a user has multiple roles mapped. Highest priority role will be applied to the user. | usersync.user.loader.assign.role.priority.list | ROLE_SYS_ADMIN,ROLE_ADMIN_AUDITOR |
PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_GROUP_LIST | Provide a list of group names, whose members will be assigned the admin role. | usersync.user.loader.assign.role.ROLE_SYS_ADMIN.group.list | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_SYS_ADMIN_ROLE_USER_LIST | Provide a list of user names, who will be assigned the admin role. | usersync.user.loader.assign.role.ROLE_SYS_ADMIN.user.list | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_GROUP_LIST | Provide a list of group names, whose members will be assigned the auditor role. | usersync.user.loader.assign.role.ROLE_ADMIN_AUDITOR.group.list | |
PRIVACERA_USERSYNC_LOADER_ASSIGN_AUDITOR_ROLE_USER_LIST | Provide a list of user names, who will be assigned the auditor role. | usersync.user.loader.assign.role.ROLE_ADMIN_AUDITOR.user.list | |
LDAP/AD fields for UserSync on PrivaceraCloud
These are descriptions of fields for configuring PrivaceraCloud UserSync for LDAP and Active Directory.
Add Connector
Field name | Description |
---|---|
Enable Connector | Enable or disable this connector. |
Service Type | LDAP or AD |
Name | Identifying name of this connector. |
Configure Connector
Field name | Description | Tab in application set-up |
---|---|---|
Service URL | LDAP service URL | Basic |
Bind DN | Bind DN of the service | Basic |
Bind Password | Bind password | Basic |
Search Base | Search base for the LDAP search | Basic |
Authentication Type | Type of authentication to use. Allowable values: Simple | Advanced |
Follow Referral | Follow referrals. Allowable values: true or false | Advanced |
Group Only | Sync only users that are members of groups. Allowable values: true or false | Advanced |
Attribute Only | Sync only the attributes of users already synced from other services. Allowable values: true or false | Advanced |
Incremental | Enable incremental search. Syncing only changes since last search. Allowable values: true or false | Advanced |
Search Deleted User | Enable detection of deleted users. Allowable values: true or false | Advanced |
Search Deleted Group | Enable detection of deleted groups. Allowable values: true or false | Advanced |
Search Deleted Cycles | Number of cycles to search for deleted users and groups. Default value is 6. | Advanced |
Sync Interval | Interval in minutes to sync users. Default value is 60. | Advanced |
Add Custom Properties | Custom properties to pass to the connector. | Advanced |
Configure Filters
Field name | Description | Tab in application set-up |
---|---|---|
User Search Base | Search base for querying users. | Basic |
User Search Filter | LDAP User search filter. Example: (&(givenName=John)( | |
Group Search Base | Search base for querying groups. | Basic |
Group Search Filter | Group search filter. Example: (cn=group*) | Basic |
Include Users | List of users to include from sync results. If this list is defined, all users not on this list are ignored. | Basic |
Exclude Users | List of users to ignore from sync results. | Basic |
Include Groups | List of groups to include from sync results. If this list is defined, all groups not on this list are ignored. | Basic |
Exclude Groups | List of groups to exclude from sync results. | Basic |
User Search Scope | User search scope. Default: 2. | Advanced |
Group Search Scope | Group search scope. Default: 2. | Advanced |
Base Attributes
Field name | Description | Tab in application set-up |
---|---|---|
Username | Attribute of a user’s username. Default: sAMAccountName. | Basic |
First Name | Attribute of a user’s first name. Default: givenName. | Basic |
Last Name | Attribute of a user’s last name. Default: sn. | Basic |
Email | Attribute of a user’s email. Default: mail. | Basic |
Group Name | Attribute of a group’s name. Default: sAMAccountName. | Basic |
Group Members | Attribute listing a group’s members. Default: member. | Basic |
Extract From Email | Extract the attribute from an email address. Example: username@domain.com extracts username. Default: false. | Advanced |
Prefix | Prefix to prepend to the attribute value. No default. | Advanced |
Postfix | Postfix to append to the attribute value. No default. | Advanced |
To Lowercase | Convert the attribute value to lowercase. Default: false. | Advanced |
To Uppercase | Convert the attribute value to uppercase. Default: false. | Advanced |
Regex | Apply regex to attribute value. No default. | Advanced |
Custom User Attributes
Field name | Description | Tab in application set-up |
---|---|---|
Attribute Name | Attribute key to sync with user. | Basic |
Custom Group Attributes
Field name | Description | Tab in application set-up |
---|---|---|
Attribute Name | Attribute key to sync with group. | Basic |