Synchronization of Organizational Units

LDAP Synchronization Tool provides several options to synchronize the organizational units (OU) of the source LDAP data store and the destination OneSpan Authentication Server data store.

When setting up a profile in the LDAP Synchronization Tool Configuration Utility, you can enable the following options:

• Include LDAP children

• Mirror organizational unit structure

• Create missing organizational units

With these options enabled, the organizational structure of the source LDAP data store will be replicated to the destination data store. The LDAP tree structure will be preserved. LDAP Synchronization Tool will create organizational units on the destination data store if they do not already exist.

If Create missing organizational units is not selected, LDAP Synchronization Tool will replicate the organizational structure of the source LDAP data store to the destination data store, but it won't create new organizational units.

If onlyInclude  LDAP children is selected, LDAP Synchronization Tool will replicate the organizational structure of the source LDAP data store to the destination data store as a flat data structure. All users will be synchronized.

Limitations when renaming organizational units

LDAP Synchronization Tool cannot mirror existing organizational units that were renamed on the source LDAP data store and contain child OUs. Because of the way the synchronization process works, this would require that multiple OUs with the same name exist at the same time at some point—namely the same child OU under the old OU and under the new (renamed) OU. OneSpan Authentication Server currently does not support multiple OUs with the same name under one domain (see Level names), so this scenario will not work correctly.

If the renamed OU has no child OU, then LDAP Synchronization Tool will create a new OU on the destination data store and move all related users correctly. However, the old OU will not be deleted on the OneSpan Authentication Server side.