5.6 Changing the Default Behavior of the Connectors for LDAP Identity Sources

The connector for Active Directory and the connector for eDirectory contain predefined behaviors for importing, matching, and provisioning users. CloudAccess provides a way to override the default behavior of the connectors for LDAP identity sources through the Advanced Options on the connectors.

The advanced options allow you to customize which users and groups CloudAccess imports to provision to the connected systems. By default, CloudAccess uses an internal unique attribute to match users and to provision users to the connected systems. For more information about provisioning, see Section 13.7, Troubleshooting Provisioning Issues.

Use the information in the following sections to change the default behavior of the connectors for LDAP identity sources.

5.6.1 Customizing Import Options

CloudAccess allows you to change the default options when you are importing users. If you have a large number of users or groups and you want to import only a subset of those users and groups, you can use the Advanced Options to filter them to a set of users and groups you want imported.

To customize the import options:

  1. Log in with an appliance administrator account to the administration console at

    https://appliance_dns_name/appliance/index.html

  2. Click the appropriate connector for the LDAP identity source, then click Configure.

  3. Expand Advanced Options, then use the following information to customize the import of users and groups to CloudAccess:

    • Identity source search polling rate every: Select how often you want the connector for the LDAP directory to poll the LDAP identity source for changes. By default, the rate is every minute.

    • Filter extension: Specify a filter for the object class and attribute you want to use to import users. If users do not meet the criteria defined in the filter, CloudAccess does not import those users.

      For example, (&(objectclass=user)(samaccountname=abc*)) imports only user objects whose sAMAccountName begins with abc.

      NOTE: The connectors for the LDAP identity sources change all of the keys and values in the filter to lowercase. It is best to use a case-ignore attribute.

    • Identity source LDAP attribute to use for imported accounts: Specify the LDAP attribute that the connector uses as the naming attribute (login name) when importing accounts from the identity source.

    • Allow unmapped users to authenticate: Select whether users that the filter extension excluded from import (and that therefore do not exist in CloudAccess) are still allowed to authenticate. Unmapped users must log in with an email address. They can still log in to the User portal page, but they see only public appmarks.

    • Override default group filter: Select whether to override the default group filter so you can limit which groups the connector for the LDAP identity source imports to CloudAccess. If you select this option, you must specify a correct filter.

      For example, (&(objectclass=group)(cn=custom*)) imports only groups whose CN begins with custom.

      NOTE: The connectors for the LDAP identity sources change all of the keys and values in the filter to lowercase. It is best to use a case-ignore attribute.

  4. Click OK, then click Apply to save the changes.

NOTE: When you configure a filter extension for an eDirectory identity source, user objects in the external eDirectory identity store that do not match the filter are not imported into CloudAccess. If you also enable the option Allow unmapped users to authenticate, unmapped users can use Basic SSO type connectors, but they cannot store or play back their credentials for single sign-on later because their user objects do not actually exist in CloudAccess.
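The following added example (not part of the CloudAccess product or this documentation) models the two filter behaviors described above: the connector lowercases every key and value in the filter extension or group filter, and the result only matches as intended when the attribute is case-ignore. The directory entries, the attribute case rules, and the function names are constructed for illustration.

```python
import re

# Constructed schema flags: True = case-ignore attribute, False = case-exact.
# Real directory schemas vary; this is an assumption for the demo.
CASE_IGNORE = {"objectclass": True, "samaccountname": True, "cn": True,
               "description": False}

# Constructed directory: DN -> attributes (attribute names stored lowercase).
DIRECTORY = {
    "cn=ABC-Jones,ou=Users": {"objectclass": ["user"], "cn": ["ABC-Jones"],
                              "samaccountname": ["ABC-Jones"], "description": ["Contractor"]},
    "cn=Smith,ou=Users": {"objectclass": ["user"], "cn": ["Smith"],
                          "samaccountname": ["Smith"], "description": ["Staff"]},
    "cn=Custom-Admins,ou=Groups": {"objectclass": ["group"], "cn": ["Custom-Admins"]},
    "cn=Other,ou=Groups": {"objectclass": ["group"], "cn": ["Other"]},
}

def parse_filter(text):
    """Parse a small RFC 4515 subset: (&...), (|...), (!...), (attr=value*)."""
    pos = 0
    def node():
        nonlocal pos
        assert text[pos] == "(", f"expected '(' at offset {pos}"
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            pos += 1                      # consume the closing ')'
            return (op, kids)
        if op == "!":
            pos += 1
            kid = node()
            pos += 1                      # consume the closing ')'
            return ("!", [kid])
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)
    tree = node()
    assert pos == len(text), "trailing characters after filter"
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry, honoring case-ignore rules."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    key = attr.lower()
    values = entry.get(key, [])
    if pattern == "*":                    # presence test
        return bool(values)
    flags = re.IGNORECASE if CASE_IGNORE.get(key, True) else 0
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v, flags) for v in values)

def import_set(filter_text, directory=DIRECTORY):
    """DNs the connector would import: it lowercases the whole filter first."""
    tree = parse_filter(filter_text.lower())
    return sorted(dn for dn, e in directory.items() if matches(tree, e))
```

Because the connector lowercases the filter, (description=Contractor) becomes (description=contractor) and matches nothing against a case-exact attribute, which is why the documentation recommends case-ignore attributes.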

5.6.2 Customizing Attribute Mappings

CloudAccess automatically maps the attributes between the identity sources and the connected systems. If you want to use custom attributes for the identity sources, use the advanced configuration options on the identity source connectors.

The Admin page displays the default attribute mappings between the LDAP identity source and CloudAccess.

To view the default attribute mapping:

  1. Log in with an appliance administrator account to the administration console at

    https://appliance_dns_name/appliance/index.html

  2. Click the appropriate connector for the LDAP identity source, then click Configure.

  3. Expand Advanced Options.

  4. Under the Attribute Mapping heading, click Default to expand and view the default attribute mappings.

The attributes on the left are the attributes for CloudAccess. The attributes on the right are for the LDAP directory. Above the default attributes, you can map five attributes to five custom attributes in CloudAccess. To map the LDAP directory attribute, specify the attribute name in the field next to the custom attribute, then click OK and Apply to save the changes.

5.6.3 Understanding the Relaxed User Matching Option

The Relaxed user matching option changes how CloudAccess matches users. By default, CloudAccess matches users using an internal unique ID. When this option is selected, the appliance matches users by the CN or sAMAccountName attribute instead.

Use this option when you want to recreate previously deleted users so CloudAccess can manage the users again. However, you must ensure that you do not create different users with the same CN or sAMAccountName as previously deleted users. Otherwise, a new user that reuses one of those values is matched to the deleted user's record and gains access to that user's cloud application data.
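The following added example (not part of the CloudAccess product or this documentation) simulates the two matching modes described above and adds a pre-flight check an administrator can run before enabling relaxed matching. The appliance records, the incoming users, and the function names are constructed for illustration; the real appliance does not expose such a store directly.

```python
# Constructed appliance-side user store: internal unique ID -> attributes.
# "deleted" marks records whose identity-source object was removed earlier.
APPLIANCE_USERS = {
    "guid-1111": {"cn": "jsmith", "samaccountname": "jsmith",
                  "deleted": True, "apps": ["salesforce"]},
    "guid-2222": {"cn": "mlee", "samaccountname": "mlee",
                  "deleted": False, "apps": ["box"]},
}

def match_user(incoming, store=APPLIANCE_USERS, relaxed=False):
    """Return the appliance record ID an incoming LDAP user maps to, or None.

    Default mode: match only on the internal unique ID.
    Relaxed mode: match on CN or sAMAccountName (case-ignore), as documented.
    """
    if not relaxed:
        return incoming["guid"] if incoming["guid"] in store else None
    cn = incoming["cn"].lower()
    sam = incoming["samaccountname"].lower()
    for uid, rec in store.items():
        if rec["cn"].lower() == cn or rec["samaccountname"].lower() == sam:
            return uid
    return None

def relaxed_matching_collisions(incoming_users, store=APPLIANCE_USERS):
    """Pre-flight check: incoming users that would inherit a deleted user's record.

    Returns (incoming guid, matched record ID, apps that would be inherited)
    for every incoming user whose own ID is new but whose CN/sAMAccountName
    collides with a deleted record. An empty list means relaxed matching is safe
    for this batch.
    """
    findings = []
    for user in incoming_users:
        if user["guid"] in store:
            continue                      # genuine re-match, not a collision
        hit = match_user(user, store, relaxed=True)
        if hit is not None and store[hit]["deleted"]:
            findings.append((user["guid"], hit, list(store[hit]["apps"])))
    return findings

# Constructed incoming users: a different person who was given the old login.
INCOMING = [
    {"guid": "guid-9999", "cn": "jsmith", "samaccountname": "jsmith"},
    {"guid": "guid-2222", "cn": "mlee", "samaccountname": "mlee"},
]
```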