Creating and Updating User Accounts

Synchronization involves searching in the LDAP server for user accounts that match the filter definitions and are located at the search base defined in the synchronization profile. User accounts and the attributes listed for mapping in the profile are retrieved from the LDAP server. For retrieved user accounts, the synchronization process may identify one of the following possible actions:

1. The user account already exists in the OneSpan Authentication Server Appliance organizational hierarchy in the destination domain and organizational unit:

   • With the distinguished name attribute. In this case, the user account is updated.

   • Without the distinguished name attribute. In this case, the synchronization behavior depends on the Update Users setting of the synchronization profile. The following settings are possible:

     • None. Existing user accounts are not updated during synchronization. The status of the Distinguished Name attribute remains unchanged.
     • All. All existing user accounts are updated during synchronization if necessary. The Distinguished Name attribute is created for all users who did not have this attribute so far.
     • Created by LDAP synchronization only. Only user records previously created by LDAP synchronization are updated. The Distinguished Name attribute is not created, because during LDAP synchronization only users who already have this attribute are handled.
     • Not created by LDAP synchronization. Only user records that were not created previously by LDAP synchronization are updated. The Distinguished Name attribute is created for all users who did not have this attribute so far.

2. The user account already exists in the OneSpan Authentication Server Appliance organizational hierarchy in the destination domain, but in a different organizational unit:

   • With the Distinguished Name attribute. In this case, the user account is moved and the properties are updated.
   • Without the Distinguished Name attribute. In this case, no new user account is created and an error is logged. User accounts must be unique within a domain in the OneSpan Authentication Server Appliance data store (see Organizational structure).
3. The user account does not exist in the OneSpan Authentication Server Appliance organizational hierarchy. In this case, the user account is created and the value for the Distinguished Name attribute is added.

Figure: LDAP synchronization to create or update a specific user account

Missing LDAP attributes and LDAP attributes with empty values trigger different synchronization behavior. If a mapped attribute is missing on the LDAP server, the corresponding OneSpan Authentication Server Appliance property is not updated, i.e. the existing value remains. If a mapped attribute is present on the LDAP server with an empty value, the corresponding OneSpan Authentication Server Appliance property is updated with the empty value, i.e. any existing value is overwritten.

If a user account has a Distinguished Name attribute, any manual changes made by the administrator to properties that are mapped to LDAP attributes in the profile are overwritten during synchronization.