config-ldap-group-sync

Configures group synchronization for an LDAP configuration.

config-ldap-group-sync 
[-c value | --configuration=value] 
[-b value | --bootstrap-config=value] 
<--id=value> 
[--group-sync-enabled=<true|false>] 
[--schedules=value] 
[--clear-schedules] 
[--group-names=value] 
[--clear-group-names] 
[--clear-all] 
[--filter-users-by-groups=<true|false>] 
[--group-search-filter=value] 
[--group-name-attribute=value] 
[--supports-member-of=<true|false>] 
[--member-attribute=value] 
[--ignore-member-groups=<true|false>]

Overview

Use this command to configure group synchronization for an LDAP configuration used with the User Directory LDAP provider.

Options

Each entry lists the option, whether it is optional or required, its default value, and a description.

-c value
--configuration=value
Optional. Default: configuration.xml. The path to the server configuration file.

-b value
--bootstrap-config=value
Optional. Default: none. The path to the bootstrap configuration file. See Bootstrap.xml file for more information about this file.

--id=value
Required. Default: none. Specifies the identifier of the LDAP configuration for which to configure group synchronization.

--group-sync-enabled=<true|false>
Optional. Default: true. Specifies whether group synchronization is enabled for this LDAP configuration.

--schedules=value
Deprecated as of version 5.0. Replaced by the similarly named argument of the create-ldap-config and update-ldap-config commands, because the synchronization schedules are now used for both user and group synchronization.

--clear-schedules
Deprecated as of version 5.0. Replaced by the similarly named argument of the update-ldap-config command, because the synchronization schedules are now used for both user and group synchronization.

--group-names=value
Optional. Default: none. Specifies the account names or the distinguished names (DNs) of the groups to be synchronized.

--clear-group-names
Optional. Default: none. If you specify this argument, the list of group names to synchronize is cleared from the LDAP configuration. It can be combined with the --group-names argument to remove all old group names before adding the new ones.

--clear-all
Optional. Default: none. Clears all group synchronization-related configuration options from the LDAP configuration.

As of Spotfire Server 5.0, this option does not clear the LDAP synchronization schedules.

--filter-users-by-groups=<true|false>
Optional. Default: none. Specifies whether users should be filtered by groups, so that only users who are members of the synchronized groups are synchronized. When it is false, every user matched by the user search is synchronized, whether or not the user belongs to a synchronized group.

--group-search-filter=value
Optional, unless the LDAP server type is set to "Custom" using the --type parameter. Specifies an LDAP search filter expression to use when searching for groups.

Default value: for Active Directory servers, objectClass=group. For Sun ONE Directory Servers, &(|(objectclass=nsManagedRoleDefinition)(objectClass=nsNestedRoleDefinition))(objectclass=ldapSubEntry). For Sun Java System Directory Servers, objectClass=groupOfUniqueNames.

--group-name-attribute=value
Optional, unless the LDAP server type is set to "Custom" using the --type parameter. Specifies the name of the LDAP attribute containing the group account names.

Default value: for Active Directory servers, sAMAccountName. For any version of the Sun Directory Servers with a default configuration, cn.

--supports-member-of=<true|false>
Optional, unless the LDAP server type is set to "Custom" using the --type parameter. Default: none. Specifies whether the LDAP servers support a memberOf-like attribute on the user accounts that contains the names of the groups or roles the user is a member of. In general, this is true for all Microsoft Active Directory servers and all types of Sun Directory Servers.

--member-attribute=value
Optional, unless the LDAP server type is set to "Custom" using the --type parameter.

Default value: for Microsoft Active Directory servers, memberOf. For Sun ONE Directory Servers, nsRole. For Sun Java System Directory Server version 6.0 or later, isMemberOf. To use roles with the Sun Java System Directory Server, override the default by setting this argument to "nsRole".

For all LDAP servers that support a memberOf-like attribute (in general, all Microsoft Active Directory servers and all types of Sun Directory Servers), this argument specifies the name of the LDAP attribute on the user account that contains the names of the groups or roles the user is a member of.

Some LDAP servers with configurations of type Custom have no memberOf-like attribute. In those cases, this argument instead specifies the LDAP attribute on the group account that contains the names of its members. All configurations of this type use a far less efficient group synchronization algorithm that generates more traffic to the LDAP servers, because Spotfire Server first has to search for the distinguished names (DNs) of the group members within the groups, and then perform repeated look-ups to translate each member DN to the correct account name.

--ignore-member-groups=<true|false>
Optional, unless the LDAP server type is set to "Custom" using the --type parameter. Determines whether the group synchronization mechanism ignores member groups (true) or recursively traverses the synchronized groups' non-synchronized subgroups and includes their members in the search result (false).

Default value: for Microsoft Active Directory servers, false, so that all inherited group memberships are correctly reflected. For any version of the Sun Directory Servers, true, because the role and group mechanisms in those servers already include those members.
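Example

The following Python model is an added example, not Spotfire Server code and not part of this reference page; the Ldap class, the directory entries and the DNs in it are constructed for illustration. It shows what the --filter-users-by-groups, --supports-member-of / --member-attribute and --ignore-member-groups settings described above mean in terms of the work the server has to do: a single memberOf-based pass over the users versus a per-group read of the member attribute followed by one lookup per member DN, with and without traversal of a non-synchronized nested group.

```python
from collections import defaultdict

# Constructed AD-style directory for the example (not real data): DN -> attributes.
# The Analysts group contains the Interns group as a nested member; only
# Analysts is named in SYNCED_GROUPS, the equivalent of --group-names.
USERS = "OU=Users,DC=example,DC=com"
GROUPS = "OU=Groups,DC=example,DC=com"
DIRECTORY = {
    f"CN=alice,{USERS}": {"objectClass": "user", "sAMAccountName": "alice",
                          "memberOf": [f"CN=Analysts,{GROUPS}", f"CN=Interns,{GROUPS}"]},
    f"CN=bob,{USERS}":   {"objectClass": "user", "sAMAccountName": "bob",
                          "memberOf": [f"CN=Interns,{GROUPS}"]},
    f"CN=carol,{USERS}": {"objectClass": "user", "sAMAccountName": "carol",
                          "memberOf": [f"CN=Admins,{GROUPS}"]},
    f"CN=Analysts,{GROUPS}": {"objectClass": "group", "sAMAccountName": "Analysts",
                              "member": [f"CN=alice,{USERS}", f"CN=Interns,{GROUPS}"]},
    f"CN=Interns,{GROUPS}":  {"objectClass": "group", "sAMAccountName": "Interns",
                              "member": [f"CN=alice,{USERS}", f"CN=bob,{USERS}"]},
    f"CN=Admins,{GROUPS}":   {"objectClass": "group", "sAMAccountName": "Admins",
                              "member": [f"CN=carol,{USERS}"]},
}
SYNCED_GROUPS = [f"CN=Analysts,{GROUPS}"]


class Ldap:
    """Stand-in for an LDAP connection that counts round trips so the two
    strategies can be compared."""

    def __init__(self, entries):
        self.entries = entries
        self.lookups = 0      # single-entry reads (DN -> attributes)
        self.searches = 0     # subtree searches by object class

    def lookup(self, dn):
        self.lookups += 1
        return self.entries[dn]

    def search(self, object_class):
        self.searches += 1
        return {dn: e for dn, e in self.entries.items()
                if e["objectClass"] == object_class}


def expand_groups(ldap, group_dns, ignore_member_groups):
    """Map each synchronized group DN to the set of group DNs whose members
    count towards it.  With --ignore-member-groups=false, non-synchronized
    subgroups are traversed recursively; with true, only the group itself."""
    expanded = {}
    for top in group_dns:
        covered, stack = {top}, ([] if ignore_member_groups else [top])
        while stack:
            for member_dn in ldap.lookup(stack.pop()).get("member", []):
                if member_dn in group_dns or member_dn in covered:
                    continue   # synchronized groups are expanded on their own
                if ldap.lookup(member_dn)["objectClass"] == "group":
                    covered.add(member_dn)
                    stack.append(member_dn)
        expanded[top] = covered
    return expanded


def sync_with_member_of(ldap, group_dns, ignore_member_groups, filter_users_by_groups):
    """--supports-member-of=true: one search over the users, reading the
    memberOf attribute (--member-attribute) of each."""
    expanded = expand_groups(ldap, group_dns, ignore_member_groups)
    group_name = {dn: ldap.lookup(dn)["sAMAccountName"] for dn in group_dns}
    memberships, users = defaultdict(set), set()
    for entry in ldap.search("user").values():
        name, direct = entry["sAMAccountName"], set(entry.get("memberOf", []))
        hits = [top for top, covered in expanded.items() if covered & direct]
        for top in hits:
            memberships[group_name[top]].add(name)
        if hits or not filter_users_by_groups:   # --filter-users-by-groups
            users.add(name)
    return dict(memberships), users


def sync_with_member_attribute(ldap, group_dns, ignore_member_groups, filter_users_by_groups):
    """--supports-member-of=false: read each group's member attribute, then
    look up every member DN to translate it to an account name.  This is the
    costlier algorithm the --member-attribute description warns about."""
    expanded = expand_groups(ldap, group_dns, ignore_member_groups)
    memberships = defaultdict(set)
    for top, covered in expanded.items():
        top_name = ldap.lookup(top)["sAMAccountName"]
        for group_dn in covered:
            for member_dn in ldap.lookup(group_dn).get("member", []):
                entry = ldap.lookup(member_dn)   # the extra DN -> account-name round trip
                if entry["objectClass"] == "user":
                    memberships[top_name].add(entry["sAMAccountName"])
    users = set().union(*memberships.values())
    if not filter_users_by_groups:
        users = {e["sAMAccountName"] for e in ldap.search("user").values()}
    return dict(memberships), users


if __name__ == "__main__":
    for strategy in (sync_with_member_of, sync_with_member_attribute):
        conn = Ldap(DIRECTORY)
        groups, users = strategy(conn, SYNCED_GROUPS, False, True)
        print(f"{strategy.__name__}: {groups} users={sorted(users)} "
              f"lookups={conn.lookups} searches={conn.searches}")
```

Run as a script, both strategies produce the same memberships for Analysts (alice directly, bob through the nested Interns group), but the member-attribute strategy issues roughly twice as many single-entry reads. Passing ignore_member_groups=True drops bob, which is what the Sun Directory Server default relies on the server's own role mechanism to avoid; passing filter_users_by_groups=False brings carol in even though she belongs to no synchronized group.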