LDAP synchronization profiles
  • 03 Jan 2025


LDAP user synchronization and its synchronization profiles are set up in the Configuration Tool. For more information about synchronization profiles, refer to the OneSpan Authentication Server Appliance Product Guide.

To create an LDAP synchronization profile

  1. Launch the OneSpan Authentication Server Appliance Configuration Tool and enter your credentials (see Accessing OneSpan Authentication Server Appliance Configuration Tool and OneSpan Authentication Server Administration Web Interface).
  2. Select Authentication Server > LDAP User Synchronization.

    Figure: Creating LDAP synchronization profiles in the Configuration Tool

  3. Click Add to open a configuration dialog for the new LDAP synchronization profile.

    Figure: Configuring a new LDAP synchronization profile

  4. Configure the settings for the new LDAP synchronization profile:

    • Server settings provide details of the source LDAP server.
    • User management, search base, and filter settings define the location, depth, and accounts to be synchronized from the source directory.
    • Attribute mapping synchronizes specific properties in OneSpan Authentication Server Appliance to values from LDAP source parameters. Destination properties can be defined as a constant or the value of a specified source parameter. If nothing is specified, a default value is used.
    • Hierarchy mappings (Create missing OU's, Mirror OU structure, Include LDAP Children, and Return DIGIPASS to Parent OU on Move/Delete) define whether the destination structure mirrors the source structure and whether existing accounts should be updated.
  5. Click Add to finish.

For more information about LDAP user synchronization concepts in general, refer to the OneSpan Authentication Server Appliance Product Guide, Section "LDAP user synchronization". For more information about the LDAP user synchronization settings, refer to the OneSpan Authentication Server Appliance Administrator Reference, Section "Configuration Tool fields".

The following examples match Profiles 1 and 3 used in the OneSpan Authentication Server Appliance Product Guide, Section "Managing source and destination hierarchies".

Example Profile 1: The LDAP source hierarchy has users in organizational units below the search base domain. The Mirror OU Structure and Create Missing OU's options are not selected, although the option to synchronize all user accounts at and below the search base is configured. Users are all synchronized to the single (flat name) destination address in the OneSpan Authentication Server Appliance hierarchy. No sub-organizational units are created.

Example Profile 3: The LDAP source hierarchy has users in organizational units below the search base domain. The Mirror OU Structure and Create Missing OU's options to synchronize all user accounts at and below the search base are selected. The structure of the LDAP server is replicated in OneSpan Authentication Server Appliance.
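The difference between Example Profiles 1 and 3 can be modeled with the following added example, which is an illustration and not OneSpan code. It assumes that only OU components between the user entry and the search base are mirrored, and the DNs and the destination name "Synced Users" are constructed sample values.

```python
import re

def split_dn(dn):
    """Split a DN into RDNs, leaving backslash-escaped commas inside a value."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def _norm(rdn):
    # DN matching is treated as case-insensitive (assumption for this sketch).
    attr, _, val = rdn.partition("=")
    return attr.strip().casefold(), val.strip().casefold()

def destination_path(user_dn, search_base, dest_ou, mirror):
    """Return the destination OU path (top-down), or None if the user is out of scope.

    mirror=False models Profile 1 (flat destination);
    mirror=True models Profile 3 (Mirror OU Structure + Create Missing OU's).
    """
    user, base = split_dn(user_dn), split_dn(search_base)
    tail = user[len(user) - len(base):]
    # The entry must sit strictly below a non-empty search base to be synchronized.
    if not base or len(user) <= len(base) or [_norm(r) for r in tail] != [_norm(r) for r in base]:
        return None
    if not mirror:
        return [dest_ou]  # Profile 1: no sub-organizational units are created
    between = user[1:len(user) - len(base)]  # RDNs between the user and the search base
    ous = [re.sub(r"\\(.)", r"\1", r.partition("=")[2].strip())
           for r in between if _norm(r)[0] == "ou"]
    return [dest_ou] + ous[::-1]  # Profile 3: source OUs replicated, top-level first

# Constructed sample input
BASE = "DC=example,DC=com"
ALICE = "CN=Alice Smith,OU=Sales,OU=Europe,dc=example,dc=com"
BOB = r"CN=Smith\, Bob,OU=R\,D,OU=Europe,DC=example,DC=com"
```

Running both modes against the directory's real DNs before enabling a profile shows which destination organizational units a mirrored profile would create and which accounts fall outside the search base.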

The Enable box must be selected for the synchronization profile to become operational.

 

  1. At least one attribute must always be mapped to the OneSpan Authentication Server Appliance user ID property.
  2. Some OneSpan Authentication Server Appliance user properties cannot be retrieved from an LDAP server, e.g. local authentication, back-end authentication, and password. These properties can only be synchronized to a constant value. The Type constant needs to be selected for the attribute mapping entry and the value inserted in the Source/Attribute Value column. If the values are omitted, default values are used. For more information about possible and default values of these properties, refer to the OneSpan Authentication Server Appliance Administrator Reference, Section "User properties".
  3. Only one mapping can be configured for each OneSpan Authentication Server Appliance user property.
