Profile Settings
  • 27 Sep 2024

The Profiles tab is used to define profiles for the LDAP Synchronization Tool. For more information about profiles, see Profiles.

The list at the top of the tab shows all the profiles that have been defined, and allows you to enable or disable each profile by selecting or clearing its checkbox.

For more information about how to perform a test run or validate a profile, see Use LDAP Synchronization Tool.

Profiles > Options (tab)

The Profiles > Options tab defines the profile description and other main settings for each profile.

Table: LDAP Synchronization Tool Configuration Utility – Profile > Options tab

Field name

Description

Profile description

Free-form profile description. Maximum 26 characters.

Start time

The time that you want synchronization to start each day.

Repeat interval

Specify the number of hours and minutes to wait between consecutive synchronizations within a day.

If the repeat interval is set to 00:00, there are no repeats during the day and only one synchronization takes place, at the specified start time.

Create users

Select this box to create new user records during synchronization.

Enable created users

Select this box to create user records in an enabled state during synchronization.

This setting will be overridden if the Disabled field is mapped on the Filters and Mapping tab.

Delete users

If this option is selected, LDAP Synchronization Tool processes the user records it has created on OneSpan Authentication Server and verifies that they still exist on the LDAP side. Records that no longer exist in LDAP are deleted from OneSpan Authentication Server.

To prevent deletion failures (for example, when the Reporting scenario is disabled), specify a successor user (via Profiles > OAS > Successor) who takes ownership of any items that would otherwise block deletion of the target user. For more information about user deletion and successor users, see Delete users.

Update users

Choose whether user details are updated during synchronization when they have changed.

Available options:

  • None. Do not update user information at all.

  • All. Update all existing user records if necessary.

  • Already synchronized by LST. Update only user records that were added or have already been updated using previous synchronizations.

  • Never synchronized by LST. Update only user records that were not added or updated using previous synchronizations.

Include LDAP children

Allow synchronization to create records derived from LDAP children.

Mirror organizational unit structure

Allow the organizational structure of the source LDAP data store to be replicated on the destination data store. For more information, see Synchronization of organizational units.

Create missing organizational units

Allow synchronization to create organizational units if necessary.

Return Digipass to OAS synchronization root on delete

If, during synchronization, LDAP Synchronization Tool detects that a user has been deleted, it will return the corresponding authenticator to the root of the synchronization tree. If the entire tree is synchronized, the authenticator will be returned to the domain root.

When the Update users option is used, keep in mind that the LDAP Synchronization Tool does not support password synchronization for existing users. Any attempts to do so will fail. For more information, see Password mapping.

Profiles > LDAP (tab)

The Profiles > LDAP tab defines the location and logon details of the source LDAP data store from which the OneSpan Authentication Server data store is synchronized.

Table: LDAP Synchronization Tool Configuration Utility – Profiles > LDAP tab

Field name

Description

Connection

LDAP server address

The fully qualified domain name (FQDN) or IP address of the LDAP server used as the source for synchronization.

Ensure that the address entered here is one of the names the server's TLS/SSL certificate is issued for (a subjectAltName entry, or the CommonName); otherwise server verification fails. With standard TLS verification an IP address is only matched against an iPAddress subjectAltName entry, so prefer the FQDN.

LDAP server port

The TCP port of the LDAP server (the standard ports are 389 for LDAP and 636 for LDAPS).

LDAPS

Select this to use LDAP over TLS/SSL (LDAPS). Without it, a simple bind sends the password of the User DN in cleartext, and the synchronized attributes also cross the network unprotected.

User DN

The distinguished name (DN) of the account (security principal) used to bind to the LDAP data store. Synchronization only reads from LDAP, so a read-only account is sufficient.

Password

The password to be used to log on to the LDAP data store.

Test

Click this button to test the connection and logon settings. First, LDAP Synchronization Tool Configuration Utility will attempt to connect to the LDAP server to test the connection settings. If successful and logon credentials are specified, it will attempt to connect and log on to the LDAP server. If no logon credentials are specified, the logon test is skipped.

Synchronization root

DN

Type the DN of the container to use as the synchronization root, or navigate to it. Navigating only works once the connection to the LDAP data store succeeds.

Profiles > OAS (tab)

Use the Profiles > OAS tab to define the location and login details of the OneSpan Authentication Server data store that is synchronized with the LDAP data source.

Table: LDAP Synchronization Tool Configuration Utility – Profiles > OAS tab

Field name

Description

Connection

Primary server address

The fully qualified domain name (FQDN) or IP address of the primary OneSpan Authentication Server data store.

Ensure that the address entered here is one of the names the server's TLS/SSL certificate is issued for (a subjectAltName entry, or the CommonName); otherwise server verification fails. With standard TLS verification an IP address is only matched against an iPAddress subjectAltName entry, so prefer the FQDN.

Primary server port

The IP port of the primary OneSpan Authentication Server data store.

Default value: 8888

Backup server address

The fully qualified domain name (FQDN) or IP address of the backup OneSpan Authentication Server data store. This setting is used if the primary server is not available.

Ensure that the address entered here is one of the names the server's TLS/SSL certificate is issued for (a subjectAltName entry, or the CommonName); otherwise server verification fails. With standard TLS verification an IP address is only matched against an iPAddress subjectAltName entry, so prefer the FQDN.

Backup server port

The IP port of the backup OneSpan Authentication Server data store. This setting is used if the primary server is not available.

User ID

The administrator user ID to be used to log on to the OneSpan Authentication Server data store.

Password

The password to be used to log on to the OneSpan Authentication Server data store.

Connection timeout

The maximum time span to establish a connection to the OneSpan Authentication Server data store. After the timeout, the connection attempt is considered unsuccessful. The value is given in seconds.

Default value: 5

Use SSL

Select this option to use TLS/SSL to secure the connections between the LDAP Synchronization Tool and OneSpan Authentication Server. Using TLS/SSL is optional, but we highly recommend enabling this option.

By default, this checkbox is selected.

Verify SSL

Select this option to verify the server's TLS/SSL certificate (chain and name) when establishing secure connections. If this checkbox is cleared, any certificate presented by the server is accepted.

By default, this checkbox is selected.

Accepting any certificate from the server is a major security risk: anyone able to intercept the connection can present their own certificate and read the administrator credentials and the synchronized user data. Always keep Verify SSL selected in production; disable it only for evaluation or testing purposes, if required.

CA file

The path and file name of the OneSpan Authentication Server CA certificate. This field is available on Linux installations only. It is enabled only if Verify SSL is selected.

On Windows, you need to install the certificate in the Trusted Root Certification Authorities certificate store.

Test login

Click this button to verify that your connection settings and credentials are valid and a connection to the authentication server data store can be established. If the connection test fails, a corresponding error message will be displayed.

Synchronization root

Domain

Navigate to the domain that is to be used as the synchronization root. This will only work if the connection to the OneSpan Authentication Server data store is successful.

Organizational unit

Specific organizational unit to be used as synchronization root, if required.

Successor

Use the specified OAS user ID as successor user

Select this option if you want the OAS user ID to serve as the successor user. The OAS user ID is the administrative account that is used to log on to the OneSpan Authentication Server data store.

This option is only available if Profiles > Options > Delete users is selected.

For more information about successor users, see Delete users.

Successor ID

If you do not want the OAS user ID as the successor user, specify a different user ID. You can verify the existence and validity of the specified user account by clicking the button.

For more information about successor users, see Delete users.
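The three address fields above (the LDAP server address, and the primary and backup OAS addresses) all require that the configured name be one the server certificate is issued for, and the Verify SSL and CA file options decide whether that check happens at all. The Python below is an added example, not the tool's code and not from this page, that shows what a verifying client does: an FQDN is compared with the certificate's dNSName subjectAltName entries (CommonName only as a fallback when there are none), an IP literal with its iPAddress entries, and the connection helper uses the settings that Verify SSL selected implies, with the default port 8888 and the 5 second connection timeout from the OAS tab. The certificate data, host names and CA file path are constructed for the example.

```python
import ipaddress
import socket
import ssl
from typing import Optional

# Constructed sample in the dict shape that ssl.SSLSocket.getpeercert() returns
# for a certificate issued to an authentication server (example data only).
SAMPLE_CERT = {
    "subject": ((("commonName", "oas.example.internal"),),),
    "subjectAltName": (
        ("DNS", "oas.example.internal"),
        ("DNS", "oas-backup.example.internal"),
        ("IP Address", "10.0.5.20"),
    ),
}


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match a dNSName entry against a configured FQDN. Comparison is
    case-insensitive; a single leading '*.' label matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return first != "" and rest == pattern[2:]
    return False


def address_matches_certificate(address: str, cert: dict) -> bool:
    """True if the configured server address is one of the names the certificate
    was issued for. An IP literal must appear as an iPAddress SAN entry; an FQDN
    must match a dNSName SAN entry, or the CommonName only when the certificate
    carries no dNSName entries at all (RFC 6125 behaviour)."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(v) for v in ip_names)
    if dns_names:
        return any(dns_name_matches(p, address) for p in dns_names)
    common_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(c, address) for c in common_names)


def build_context(verify_ssl: bool, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Verify SSL selected: chain validated against ca_file (or the system trust
    store) and the name checked. Cleared: any certificate is accepted, so an
    attacker on the path can read the administrator credentials."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies(ctx: ssl.SSLContext) -> bool:
    """True if the context both validates the chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_verified_certificate(host: str, port: int = 8888,
                               ca_file: Optional[str] = None,
                               timeout: float = 5.0) -> dict:
    """Connect with verification on and return the peer certificate; raises
    ssl.SSLCertVerificationError when the chain or the name does not match."""
    ctx = build_context(True, ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

Running fetch_verified_certificate against a server whose certificate does not name the configured address raises ssl.SSLCertVerificationError, which is exactly the failure Verify SSL is meant to produce; build_context(False) reproduces the cleared checkbox and belongs only in a test environment.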

Profiles > Filters and mapping (tab)

Use the Filters section to restrict the source LDAP user information that is synchronized with the destination OneSpan Authentication Server data store. Click Add to define an LDAP attribute and specify a value.

The LDAP attribute can either be entered manually or selected from a drop-down list. This drop-down list is populated with the LDAP attributes previously specified for all filters in all profiles.

For example, you may select the user ID LDAP attribute from the drop-down list. If you enter 12345* as the value, every user ID that starts with the digits 12345 is selected for synchronization.

If you add more than one filter element for a single profile, the filters run in AND mode (i.e. both attributes must comply).
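As an added illustration of the filter semantics just described (one LDAP attribute per element, a trailing * wildcard, several elements combined in AND mode), and not the tool's own code, the following Python renders the equivalent RFC 4515 search filter and evaluates it against constructed sample entries. Values are escaped so that parentheses, backslashes or NUL bytes inside a value cannot change the filter's structure; only the wildcard asterisk is passed through. The attribute names and entries are constructed for the example; the page does not describe how the tool builds its own query.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Characters that change the meaning of an LDAP filter (RFC 4515 escaping).
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute descriptors: a name such as sAMAccountName, or a dotted OID.
_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*)$")

# Constructed sample entries (attribute values only, no real directory data).
SAMPLE_ENTRIES = [
    {"objectCategory": "person", "sAMAccountName": "1234501"},
    {"objectCategory": "person", "sAMAccountName": "7890001"},
    {"objectCategory": "computer", "sAMAccountName": "12345SRV$"},
]


def escape_filter_value(value: str, allow_wildcard: bool = True) -> str:
    """Escape a profile filter value so that parentheses, backslashes or NUL
    bytes in it cannot alter the filter's structure. '*' is passed through
    when wildcards are allowed, so 12345* still means 'starts with 12345'."""
    out = []
    for ch in value:
        if ch == "*":
            out.append("*" if allow_wildcard else r"\2a")
        else:
            out.append(_ESCAPES.get(ch, ch))
    return "".join(out)


def build_profile_filter(elements: Sequence[Tuple[str, str]]) -> str:
    """Render the profile's filter elements as one RFC 4515 filter. Several
    elements are ANDed, matching the documented behaviour."""
    parts = []
    for attr, value in elements:
        if not _ATTR_RE.match(attr):
            raise ValueError(f"invalid LDAP attribute name: {attr!r}")
        parts.append(f"({attr}={escape_filter_value(value)})")
    if not parts:
        return "(objectClass=*)"  # no filter: every object is considered
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def element_matches(entry: Dict[str, str], attr: str, pattern: str) -> bool:
    """Evaluate one element locally: '*' in the value matches any run of
    characters; attribute values compare case-insensitively."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, entry.get(attr, ""), re.IGNORECASE) is not None


def select_entries(entries: Sequence[Dict[str, str]],
                   elements: Sequence[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return the entries that satisfy every element (AND mode)."""
    return [e for e in entries if all(element_matches(e, a, p) for a, p in elements)]
```

With the two elements objectCategory=person and sAMAccountName=12345* the computer account 12345SRV$ is excluded even though its name matches the wildcard, which is the AND behaviour the text describes.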

Use the Mappings section to map the fields to be synchronized between the two data sources. Click Add to define an LDAP attribute and match it with a OneSpan Authentication Server attribute.

The LDAP attribute can either be entered manually or selected from a drop-down list. The drop-down list is populated with the LDAP attributes previously specified for all mappings in all profiles.

You can define actual values instead of selecting an LDAP attribute. The value supplied must be defined in double quotes. For example, “12345”, or “abc”.

The OneSpan Authentication Server attribute can be selected from a drop-down list.

You cannot map multiple LDAP attributes to one OneSpan Authentication Server attribute.

The User ID field in the destination data store must always have an LDAP attribute mapped to it; fixed values cannot be used. The following fields must have either a fixed valid value assigned to them or an LDAP attribute that contains valid values for the field:

  • Offline Authentication Enabled (valid values: Default, No, Yes)

  • Back-end Authentication (valid values: Default, None, If Needed, Always)

  • Local Authentication (valid values: Default, None, Digipass/Password, Digipass Only, Digipass or Password)

Failure to provide a valid value for these fields results in the field being set to Default, regardless of the mapped value.

Unsupported characters in the User ID and User Name fields are automatically replaced with the underscore character (_).

Users can be linked to other users by supplying the Linked user's domain and the Linked user ID fields. Both fields must have values supplied, either by having an LDAP attribute mapped to them, or by supplying a fixed value.

If the Disabled field is mapped, its value controls whether the user is created in an enabled or disabled state. If it is not mapped, the Enable created users option applies.

For boolean fields, the following values are treated as FALSE:

  • "no"

  • "off"

  • "false"

  • "disabled"

Anything empty or consisting only of zeros and spaces is treated as FALSE, anything else is treated as TRUE. Refer to the following table for available fields and associated data types and values.

Table: Mapping data types

Field name

Data type

Description

User ID (the only required field)

string

All characters except: /:;,|"<>[]=+*?

User Name

string

All characters except: /\:;|"<>[]@=+*?

Description

string

Email

string

Phone Number

string

Mobile Phone Number

string

Assigned Digipass

string

Linked User ID

string

Linked User's Domain

string

Local Authentication

string

“Default”, “None”, “Digipass/Password”, “Digipass Only”, “Digipass or Password”

Back-end Authentication

string

“Default”, “None”, “If Needed”, “Always”

Disabled

boolean

Lock Count

positive integer

>= 0

Locked

boolean

Offline Authentication Enabled

string

“Default”, “No”, “Yes”

Expiration Time

datetime

date/time formatted as YYYY-MM-DD HH:MM:SS

Virtual Mobile Authenticator Delivery Method

string

Virtual Mobile Authenticator Signature Delivery Method

string

Virtual Mobile Authenticator MDC profile

string

Virtual Mobile Authenticator Signature MDC profile

string
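The mapping rules above (User ID must come from an LDAP attribute, fixed values are written in double quotes, unsupported characters become underscores, invalid values for the three enumerated fields fall back to Default, a mapped Disabled field overrides Enable created users, the linked-user fields come as a pair, the boolean value rules, and the Expiration Time format) are easy to get wrong when preparing a profile. The Python below is an added example, not part of the tool or of this page, that applies those rules to one LDAP entry so a mapping can be dry-run before a test run. The sample entry, the attribute names oasDisabled and extAuthPolicy, and the exact-match comparison for the enumerated values are assumptions made for the example.

```python
from datetime import datetime
from typing import Any, Dict, List, Optional

FALSE_WORDS = {"no", "off", "false", "disabled"}
USER_ID_UNSUPPORTED = set('/:;,|"<>[]=+*?')
USER_NAME_UNSUPPORTED = set('/\\:;|"<>[]@=+*?')
ENUM_FIELDS = {
    "Offline Authentication Enabled": ("Default", "No", "Yes"),
    "Back-end Authentication": ("Default", "None", "If Needed", "Always"),
    "Local Authentication": ("Default", "None", "Digipass/Password",
                             "Digipass Only", "Digipass or Password"),
}

# Constructed sample: one LDAP entry and a profile mapping (OAS field -> LDAP
# attribute, or a fixed value in double quotes). oasDisabled and extAuthPolicy
# are made-up attribute names for this example.
SAMPLE_ENTRY = {
    "sAMAccountName": "j.doe/ext",
    "displayName": "Jane Doe <contractor>",
    "oasDisabled": "off",
    "extAuthPolicy": "Sometimes",
    "accountExpires": "2025-12-31 23:59:59",
}
SAMPLE_MAPPING = {
    "User ID": "sAMAccountName",
    "User Name": "displayName",
    "Disabled": "oasDisabled",
    "Back-end Authentication": "extAuthPolicy",
    "Local Authentication": '"Digipass Only"',
    "Expiration Time": "accountExpires",
}


def to_bool(value: Optional[str]) -> bool:
    """Boolean rule: no/off/false/disabled, empty, or only zeros and spaces
    are FALSE; anything else is TRUE."""
    text = (value or "").strip()
    if text.lower() in FALSE_WORDS:
        return False
    return text.strip("0 ") != ""


def sanitize(value: str, unsupported: set) -> str:
    """Unsupported characters are replaced with an underscore."""
    return "".join("_" if ch in unsupported else ch for ch in value)


def normalize_enum(field: str, value: Optional[str]) -> str:
    """Invalid or missing values for the enumerated fields become Default
    (an exact match against the documented values is assumed here)."""
    return value if value in ENUM_FIELDS[field] else "Default"


def fixed_value(spec: str) -> Optional[str]:
    """A mapping source in double quotes is a fixed value, not an attribute."""
    return spec[1:-1] if len(spec) >= 2 and spec[0] == spec[-1] == '"' else None


def mapping_errors(mapping: Dict[str, str]) -> List[str]:
    """Static checks on a profile mapping before any entry is processed."""
    errors = []
    if "User ID" not in mapping or fixed_value(mapping["User ID"]) is not None:
        errors.append("User ID must be mapped to an LDAP attribute, not a fixed value")
    linked = ("Linked User ID" in mapping, "Linked User's Domain" in mapping)
    if any(linked) and not all(linked):
        errors.append("Linked User ID and Linked User's Domain must both be mapped")
    return errors


def resolve_user(entry: Dict[str, str], mapping: Dict[str, str],
                 enable_created_users: bool) -> Dict[str, Any]:
    """Apply the mapping to one LDAP entry and return the OAS user record."""
    errors = mapping_errors(mapping)
    if errors:
        raise ValueError("; ".join(errors))

    def source(field: str) -> Optional[str]:
        spec = mapping.get(field)
        if spec is None:
            return None
        fixed = fixed_value(spec)
        return fixed if fixed is not None else entry.get(spec)

    user_id = source("User ID")
    if not user_id:
        raise ValueError("entry has no value for the User ID attribute")
    user: Dict[str, Any] = {"User ID": sanitize(user_id, USER_ID_UNSUPPORTED)}
    if "User Name" in mapping:
        user["User Name"] = sanitize(source("User Name") or "", USER_NAME_UNSUPPORTED)
    for field in ENUM_FIELDS:
        user[field] = normalize_enum(field, source(field))
    # A mapped Disabled field overrides the 'Enable created users' option.
    if "Disabled" in mapping:
        user["Disabled"] = to_bool(source("Disabled"))
    else:
        user["Disabled"] = not enable_created_users
    if "Linked User ID" in mapping:
        user["Linked User ID"] = source("Linked User ID")
        user["Linked User's Domain"] = source("Linked User's Domain")
    expiry = source("Expiration Time")
    if expiry:
        user["Expiration Time"] = datetime.strptime(expiry, "%Y-%m-%d %H:%M:%S")
    return user
```

Feeding it entries exported from the source directory shows which records would be rejected (no User ID value, half a linked-user pair) or silently normalized (Default in place of an unexpected authentication setting) before the real run.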

For both the Filters and Mappings sections, highlight an existing definition and click Edit to change it, or click Delete to remove it.

Without a filter, LDAP Synchronization Tool considers every object under the selected synchronization root. OneSpan does not recommend mirroring the entire directory into one database. Restrict synchronization to user objects (this does not affect the structure of the domains) by adding a filter on the LDAP attribute objectCategory with the value Person.

