- 02 Jan 2025
Managing Source and Destination Hierarchies
LDAP synchronization of user accounts can either synchronize user accounts to a flat name space as specified, or mirror the organizational unit structure of the source LDAP server.
If the synchronization profile is not configured to mirror the source structure, user accounts from the search base in the LDAP server hierarchy are synchronized to a single destination address in the OneSpan Authentication Server Appliance organizational hierarchy as defined in the synchronization profile. The synchronization profile can be configured to either recursively synchronize all user accounts at and below the search base (Profile 1 in the examples below), or only user accounts at the level of the search base (Profile 2 in the examples below).
If the synchronization profile is configured to mirror the source structure and create missing organizational units, synchronization creates an organizational structure on the destination OneSpan Authentication Server Appliance instance to match the structure on the LDAP server. If the LDAP structure differs from the existing OneSpan Authentication Server Appliance organizational hierarchy, missing organizational units that contain users on the source server are created in the OneSpan Authentication Server Appliance organization (Profile 3 in the examples below). If Create Missing OUs is not selected, organizational units that do not already exist in the OneSpan Authentication Server Appliance organizational hierarchy are not created, so these parts of the hierarchy will be missing at the destination (Profile 4 in the examples below).
The options that define the structure and synchronization in the OneSpan Authentication Server Appliance are explained in the table below.
| Option name | Description |
|---|---|
| Search Base | The Search Base settings in a synchronization profile can be used to restrict synchronization to parts of the LDAP structure. They define the starting point for searches in the LDAP server. |
| Destination | The Destination setting defines the domain and optionally the organizational unit in the OneSpan Authentication Server Appliance organizational hierarchy where the user accounts will be created or updated. The destination therefore defines the root of the replicated organizational structure. |
| Mirror OU Structure; Create Missing OUs; Include LDAP Children; Return Digipass to Parent OU on Move/Delete | These options define whether the synchronization matches the source LDAP structure. For a detailed description of these options, refer to the OneSpan Authentication Server Appliance Administrator Guide. |
| Update Users | The Update Users option defines whether existing user accounts in the OneSpan Authentication Server Appliance organizational hierarchy are updated during the synchronization. For more information, see Creating and updating user accounts and refer to the OneSpan Authentication Server Appliance Administrator Reference. |
User accounts can be synchronized to different destination domains and/or organizational units in the OneSpan Authentication Server Appliance organizational hierarchy through separate definitions of synchronization profiles using the above options as shown in the examples below.
Synchronization Profiles 1 and 2 are both configured to synchronize from the LDAP server search base 'Domain A, Organizational Unit A1', to the OneSpan Authentication Server Appliance destination address 'Domain A, Organizational Unit A1'.
Profile 1 is configured to synchronize all user accounts at and below the search base. Users 1 to 9 are synchronized to the single destination address in the OneSpan Authentication Server Appliance organizational hierarchy. No sub-organizational units are created below the organizational unit A1 at the destination.
Profile 2 is configured to synchronize only user accounts at the level of the search base. Users 1 to 3 are synchronized to the single destination address in the OneSpan Authentication Server Appliance organizational hierarchy. Users 4 to 9 are not synchronized, and no sub-organizational units are created below the organizational unit A1 at the destination.
Figure: Synchronization including LDAP children
Profiles 3 and 4 are configured to synchronize from the LDAP server search base 'Domain A, Organizational Unit: Digipass users', to the OneSpan Authentication Server Appliance destination address 'Domain B, Organizational Unit: Digipass users'.
Profile 3 is configured to synchronize all user accounts at and below the search base, to mirror the organizational unit structure, and to create missing organizational units. The structure of the LDAP server is replicated in the OneSpan Authentication Server Appliance organizational hierarchy.
Profile 4 is configured to synchronize all user accounts at and below the search base and to mirror the organizational unit structure. The structure of the LDAP server is replicated in the OneSpan Authentication Server Appliance organizational hierarchy, but the sub-organizational units A1 and A2 are not created, because the option to create missing organizational units has not been selected.
Figure: Synchronization to mirror LDAP server structure
Although parent and child organizational units can have the same names in an LDAP hierarchy, this is not possible in the OneSpan Authentication Server Appliance organizational hierarchy. Therefore, if the LDAP structure includes the same names for parent and child organizational units, user synchronization will fail.
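The following is an added illustration, not OneSpan code: a small model of how the profile options described above (Include LDAP Children, Mirror OU Structure, Create Missing OUs) decide where each synchronized user lands, using constructed sample data shaped like the two figures. It also flags the parent/child same-name case from the last paragraph, which the appliance hierarchy cannot represent.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    """One synchronization profile, reduced to the options discussed above."""
    search_base: tuple              # LDAP path (domain, *OUs) where searches start
    destination: tuple              # appliance path (domain, *OUs), root of the replica
    include_children: bool = True   # also synchronize users below the search base
    mirror_ou: bool = False         # replicate the source OU structure
    create_missing_ous: bool = False

def plan_sync(users, profile, existing_ous):
    """Map each user to its appliance destination path, or None if not placed.

    users: {name: path of the user's parent OU}; existing_ous: appliance OU paths
    that already exist. Raises ValueError when mirroring would nest an OU under
    a parent OU of the same name (the case the text says makes sync fail).
    """
    plan = {}
    base = profile.search_base
    for user, ou_path in users.items():
        if ou_path[:len(base)] != base:
            continue                          # outside the search base: ignored
        relative = ou_path[len(base):]        # OUs between search base and user
        if relative and not profile.include_children:
            plan[user] = None                 # Profile 2: below the base, skipped
        elif not profile.mirror_ou:
            plan[user] = profile.destination  # Profiles 1/2: one flat address
        else:
            dest = profile.destination + relative
            for parent, child in zip(dest[1:], dest[2:]):   # compare OUs, not the domain
                if parent == child:
                    raise ValueError(f"parent and child OU both named {child!r}")
            if dest in existing_ous or profile.create_missing_ous:
                plan[user] = dest             # Profile 3, or the OU already exists
            else:
                plan[user] = None             # Profile 4: OU missing and not created
    return plan

# Constructed sample data modelled on the two figures (sub-OU "Sub" is invented).
SOURCE_A1 = ("Domain A", "A1")
USERS_FIG1 = {**{f"User {i}": SOURCE_A1 for i in (1, 2, 3)},
              **{f"User {i}": SOURCE_A1 + ("Sub",) for i in range(4, 10)}}
PROFILE_1 = Profile(SOURCE_A1, ("Domain A", "A1"))
PROFILE_2 = Profile(SOURCE_A1, ("Domain A", "A1"), include_children=False)

DIGIPASS = ("Domain A", "Digipass users")
USERS_FIG2 = {"User 1": DIGIPASS, "User 2": DIGIPASS + ("A1",), "User 3": DIGIPASS + ("A2",)}
PROFILE_3 = Profile(DIGIPASS, ("Domain B", "Digipass users"), mirror_ou=True, create_missing_ous=True)
PROFILE_4 = Profile(DIGIPASS, ("Domain B", "Digipass users"), mirror_ou=True)
```

Running `plan_sync(USERS_FIG2, PROFILE_4, {("Domain B", "Digipass users")})` places only User 1, since A1 and A2 are neither present nor created, which is the Profile 4 outcome described above.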