config-ldap-group-sync
Configures group synchronization for an LDAP configuration.
config-ldap-group-sync [-c value | --configuration=value] [-b value | --bootstrap-config=value] <--id=value> [--group-sync-enabled=<true|false>] [--schedules=value] [--clear-schedules] [--group-names=value] [--clear-group-names] [--clear-all] [--filter-users-by-groups=<true|false>] [--group-search-filter=value] [--group-name-attribute=value] [--supports-member-of=<true|false>] [--member-attribute=value] [--ignore-member-groups=<true|false>]
Overview
Use this command to configure group synchronization for an LDAP configuration used with the User Directory LDAP provider.
Options
Option | Optional or Required | Default Value | Description |
---|---|---|---|
-c value, --configuration=value | Optional | configuration.xml | The path to the server configuration file. |
-b value, --bootstrap-config=value | Optional | none | The path to the bootstrap configuration file. See Bootstrap.xml file for more information about this file. |
--id=value | Required | none | The identifier of the LDAP configuration for which to configure group synchronization. |
--group-sync-enabled=<true\|false> | Optional | true | Specifies whether group synchronization is enabled for this LDAP configuration. |
--schedules=value | Deprecated | n/a | Deprecated in version 5.0 and replaced by the similarly named arguments of the create-ldap-config and update-ldap-config commands, because the synchronization schedules are now shared by user and group synchronization. |
--clear-schedules | Deprecated | n/a | Deprecated in version 5.0 and replaced by the similarly named argument of the update-ldap-config command, for the same reason. |
--group-names=value | Optional | none | The account names or distinguished names (DNs) of the groups to synchronize. A DN identifies exactly one group; an account name is resolved through the attribute named by --group-name-attribute. |
--clear-group-names | Optional | none | Clears the list of synchronized group names from the LDAP configuration. Combine it with --group-names to remove all old group names before adding the new ones. |
--clear-all | Optional | none | Clears all group synchronization options from the LDAP configuration. As of Spotfire Server 5.0, this option does not clear the LDAP synchronization schedules. |
--filter-users-by-groups=<true\|false> | Optional | none | Specifies whether users are filtered by group, so that only users who are members of the synchronized groups are synchronized. |
--group-search-filter=value | Optional, unless the LDAP server type is set to "Custom" using the --type parameter | Active Directory: objectClass=group. Sun ONE Directory Server: &(\|(objectclass=nsManagedRoleDefinition)(objectClass=nsNestedRoleDefinition))(objectclass=ldapSubEntry). Sun Java System Directory Server: objectClass=groupOfUniqueNames. | Specifies the LDAP search filter to use when searching for groups. |
--group-name-attribute=value | Optional, unless the LDAP server type is set to "Custom" using the --type parameter | Active Directory: sAMAccountName. Any version of the Sun Directory Servers with a default configuration: cn. | Specifies the name of the LDAP attribute that contains the group account names. |
--supports-member-of=<true\|false> | Optional, unless the LDAP server type is set to "Custom" using the --type parameter | none | Specifies whether the LDAP servers support a memberOf-like attribute on user accounts that lists the groups or roles the user is a member of. In general this is true for all Microsoft Active Directory servers and all types of Sun Directory Servers. |
--member-attribute=value | Optional, unless the LDAP server type is set to "Custom" using the --type parameter | Microsoft Active Directory: memberOf. Sun ONE Directory Server: nsRole. Sun Java System Directory Server 6.0 or later: isMemberOf (to use roles with Sun Java System Directory Server, override the default by setting this argument to nsRole). | For LDAP servers with a memberOf-like attribute (in general, all Microsoft Active Directory servers and all types of Sun Directory Servers), this argument names the attribute on the user account that contains the groups or roles the user is a member of. Some LDAP servers configured as type Custom have no memberOf-like attribute; for those, this argument names the attribute on the group entry that lists its members. Configurations of that kind use a far less efficient group synchronization algorithm that generates more traffic to the LDAP servers: Spotfire Server first searches the groups for the distinguished names (DNs) of their members, then performs repeated look-ups to translate each member DN into an account name. |
--ignore-member-groups=<true\|false> | Optional, unless the LDAP server type is set to "Custom" using the --type parameter | Microsoft Active Directory: false, so that all inherited group memberships are correctly reflected. Any version of the Sun Directory Servers: true, because the role and group mechanisms in those servers already include nested members. | Determines whether group synchronization recursively traverses the non-synchronized subgroups of the synchronized groups and includes their members in the result. When set to true on a server whose memberOf-like attribute lists only direct memberships, users who belong to a synchronized group only through a subgroup are not synchronized. |
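The following is an added example, not Spotfire Server code, that models the two synchronization strategies the --supports-member-of, --member-attribute and --ignore-member-groups rows describe, plus the name-or-DN resolution of --group-names. An in-memory dict stands in for the directory so it runs offline, and a counter of simulated round trips shows why the group-side member attribute strategy costs more LDAP traffic than the memberOf strategy. Attribute names follow the Active Directory defaults in the table (sAMAccountName, memberOf); the group-side attribute name `member`, the `objectClass` values and the sample entries are constructed for the example.

```python
"""Toy model of Spotfire-style LDAP group synchronization (added example,
not product code). DIRECTORY is a constructed sample; FakeLdap counts round
trips so the two strategies can be compared."""
from collections import Counter

PEOPLE, GROUPS = "ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com"
ANALYSTS, ADMINS, GUESTS = (f"cn={g},{GROUPS}" for g in ("analysts", "admins", "guests"))

# Constructed sample directory: DN -> attributes (LDAP attributes are multi-valued).
DIRECTORY = {
    f"uid=alice,{PEOPLE}": {"objectClass": ["user"], "sAMAccountName": ["alice"],
                            "memberOf": [ANALYSTS]},
    f"uid=bob,{PEOPLE}": {"objectClass": ["user"], "sAMAccountName": ["bob"],
                          "memberOf": [ADMINS]},           # direct member of admins only
    f"uid=carol,{PEOPLE}": {"objectClass": ["user"], "sAMAccountName": ["carol"],
                            "memberOf": [GUESTS]},
    ANALYSTS: {"objectClass": ["group"], "sAMAccountName": ["analysts"],
               "member": [f"uid=alice,{PEOPLE}", ADMINS]},  # admins nested in analysts
    ADMINS: {"objectClass": ["group"], "sAMAccountName": ["admins"],
             "memberOf": [ANALYSTS], "member": [f"uid=bob,{PEOPLE}"]},
    GUESTS: {"objectClass": ["group"], "sAMAccountName": ["guests"],
             "member": [f"uid=carol,{PEOPLE}"]},
}


class FakeLdap:
    """Minimal stand-in for an LDAP server that counts round trips."""

    def __init__(self, entries):
        self.entries = entries
        self.queries = Counter()

    def search(self, attr, value):
        """Subtree search for (attr=value): one round trip, many results."""
        self.queries["search"] += 1
        return [(dn, a) for dn, a in self.entries.items() if value in a.get(attr, [])]

    def read(self, dn):
        """Base-scope read of one entry: one round trip, one result."""
        self.queries["read"] += 1
        return self.entries.get(dn)


def is_group(attrs):
    return "group" in attrs.get("objectClass", [])


def resolve_group_dn(ldap, group, name_attr="sAMAccountName"):
    """--group-names accepts a DN or an account name. A name is resolved through
    --group-name-attribute; zero or several matches are an error, not a guess."""
    if "=" in group:                       # already a DN, nothing to look up
        return group
    hits = [dn for dn, a in ldap.search(name_attr, group) if is_group(a)]
    if len(hits) != 1:
        raise LookupError(f"group name {group!r} matched {len(hits)} entries")
    return hits[0]


def sync_via_member_of(ldap, group_dn, name_attr="sAMAccountName",
                       member_attr="memberOf", ignore_member_groups=False):
    """--supports-member-of=true: one search per group for accounts whose
    member_attr carries the group DN. Subgroups found this way are traversed
    unless --ignore-member-groups=true."""
    users = set()
    for dn, attrs in ldap.search(member_attr, group_dn):
        if is_group(attrs):
            if not ignore_member_groups:
                users |= sync_via_member_of(ldap, dn, name_attr, member_attr,
                                            ignore_member_groups)
        else:
            users.add(attrs[name_attr][0])
    return users


def sync_via_group_member(ldap, group_dn, name_attr="sAMAccountName",
                         member_attr="member", ignore_member_groups=False):
    """--supports-member-of=false (Custom servers): read the group's member DNs,
    then translate each DN to an account name with a further read. Cost grows
    with the number of members, which is the inefficiency the table describes."""
    return _members_of(ldap, ldap.read(group_dn) or {}, name_attr, member_attr,
                       ignore_member_groups)


def _members_of(ldap, group, name_attr, member_attr, ignore_member_groups):
    users = set()
    for member_dn in group.get(member_attr, []):
        entry = ldap.read(member_dn)       # one extra round trip per member DN
        if entry is None:
            continue                       # dangling DN: skip, never invent a name
        if is_group(entry):
            if not ignore_member_groups:
                users |= _members_of(ldap, entry, name_attr, member_attr,
                                     ignore_member_groups)
        else:
            users.add(entry[name_attr][0])
    return users


def provision(ldap, group_names, strategy, filter_users_by_groups=True, **opts):
    """Resolve --group-names, synchronize them with the chosen strategy and
    return (account names to provision, total round trips). With
    --filter-users-by-groups=false every user in the directory is provisioned."""
    synced = set()
    for name in group_names:
        synced |= strategy(ldap, resolve_group_dn(ldap, name), **opts)
    if not filter_users_by_groups:
        synced = {a["sAMAccountName"][0] for a in ldap.entries.values() if not is_group(a)}
    return synced, sum(ldap.queries.values())
```

On the sample directory, synchronizing `analysts` through memberOf takes two searches (the group itself and its nested `admins` subgroup) and yields alice and bob; the group-side strategy needs four reads for the same result, and on a real directory the read count grows with the number of members. Passing `ignore_member_groups=True` stops the traversal at `analysts` and drops bob, which is what setting --ignore-member-groups=true on Active Directory does. Resolving a group by account name costs one search and fails closed on an ambiguous or unknown name; passing a DN costs nothing and cannot be ambiguous.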