Defining LDAP Group Settings in IAM - Only Sync if you Need all Groups

Document ID : KB000122716
Last Modified Date : 15/01/2019
Introduction:

The Group Settings tab lets you define the LDAP groups that you want to pull into Identity and Access Manager.


Environment:
DevTest 10.3.0 and 10.4.0
Instructions:

As per our documentation:

The Group Settings tab lets you define the LDAP groups that you want to pull into Identity and Access Manager.

Follow these steps:

  1. Click the Group Settings tab.
  2. Enter the details for your LDAP group attributes and classes.
  3. Click Save to save your changes.
  4. Click Sync LDAP Groups To Identity and Access Manager to make these LDAP groups available for role mapping in IAM.

Perform step 4 only if you did not import your ldap-mappings.xml file into IAM.

When you do the import of the ldap-mappings.xml file into IAM, it will bring in only the groups defined in the file, so there should be no need to do a Sync.

If you do a Sync, it brings in ALL of the groups that match your LDAP group settings, and there is no way to remove the ones you do not need afterwards. This can be a very large list that is cumbersome to search through when doing your role mappings. So, when you define your groups in IAM for the first time and have no role values defined in the ldap-mappings.xml file, I suggest you define the groups you need under one or more of the roles in the file before importing it into IAM.

If you want to Sync but only bring in certain groups, you can set an LDAP filter in the Group Settings for each provider, for example:

(CN=User_CADevTest_*) 

For multiple filters, combine them with the LDAP OR operator (|) into a single filter:

(|(CN=User_CADevTest_*)(CN=User_CADevTest_Prod*))

Then, when you run Sync LDAP Groups To Identity and Access Manager, only the groups with that prefix are imported.
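The following added example is not part of this article or of DevTest/IAM. It is a small Python evaluator for RFC 4515 LDAP search filters that previews which groups a Sync would pull in under a given Group Settings filter, so you can check the filter before running a Sync that cannot be undone. The group names are a constructed sample; the supported syntax (&, |, ! and attribute=value items with * wildcards) is the standard LDAP one, and the parser rejects a form such as ((CN=a)(CN=b)) that has no operator between the two items.

```python
# Added example (not DevTest/IAM code): preview which groups an LDAP group
# filter matches, using a minimal RFC 4515 filter parser and evaluator.
import re

# Constructed sample of CN values that an LDAP group search might return.
SAMPLE_GROUPS = [
    {"cn": "User_CADevTest_Admins"},
    {"cn": "User_CADevTest_Prod_Ops"},
    {"cn": "User_CADevTest_QA"},
    {"cn": "Domain Users"},
    {"cn": "Finance_Reporting"},
    {"cn": "Backup Operators"},
]

_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9-]*)=(.*)")


def parse_filter(text):
    """Parse an RFC 4515 filter string into a nested tuple AST.

    Supports the operators &, |, ! and equality items with '*' wildcards,
    which is all a Group Settings filter like (CN=User_CADevTest_*) needs.
    Raises ValueError on malformed input, e.g. ((CN=a)(CN=b)) with no operator.
    """

    def parse(idx):
        if idx >= len(text) or text[idx] != "(":
            raise ValueError("expected '(' at offset %d" % idx)
        idx += 1
        if idx >= len(text):
            raise ValueError("unterminated filter")
        op = text[idx]
        if op in "&|!":
            idx += 1
            children = []
            while idx < len(text) and text[idx] == "(":
                child, idx = parse(idx)
                children.append(child)
            if text[idx:idx + 1] != ")":
                raise ValueError("unterminated '%s' filter" % op)
            if not children:
                raise ValueError("'%s' needs at least one filter" % op)
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            return (op, children), idx + 1
        # Simple item: attr=value, terminated by ')' (RFC 4515 escapes ')' as \29).
        end = text.find(")", idx)
        if end == -1:
            raise ValueError("unterminated item filter")
        m = _ITEM.fullmatch(text[idx:end])
        if not m:
            raise ValueError("unsupported item filter: %r" % text[idx:end])
        return ("=", m.group(1).lower(), m.group(2)), end + 1

    ast, idx = parse(0)
    if idx != len(text):
        raise ValueError("trailing data after filter at offset %d" % idx)
    return ast


def _glob_to_regex(pattern):
    # '*' is the only wildcard in RFC 4515 substring filters; escape the rest.
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def matches(ast, entry):
    """Evaluate a parsed filter against one entry (lower-case attr -> value)."""
    op = ast[0]
    if op == "&":
        return all(matches(c, entry) for c in ast[1])
    if op == "|":
        return any(matches(c, entry) for c in ast[1])
    if op == "!":
        return not matches(ast[1][0], entry)
    _, attr, pattern = ast
    value = entry.get(attr)
    if value is None:
        return False
    # CN uses a case-insensitive matching rule in LDAP.
    return re.fullmatch(_glob_to_regex(pattern), value, re.IGNORECASE) is not None


def groups_synced(filter_text, groups=SAMPLE_GROUPS):
    """Return the CNs a Sync would import; an empty filter means every group."""
    if not filter_text:
        return [g["cn"] for g in groups]
    ast = parse_filter(filter_text)
    return [g["cn"] for g in groups if matches(ast, g)]


if __name__ == "__main__":
    for f in ("",
              "(CN=User_CADevTest_*)",
              "(|(CN=User_CADevTest_*)(CN=User_CADevTest_Prod*))",
              "(&(CN=User_CADevTest_*)(!(CN=*_Prod*)))"):
        print(repr(f) or "'' (no filter)", "->", groups_synced(f))
```

Running the script shows the contrast the article describes: with no filter every group in the sample is returned, while the prefix filter narrows the result to the three User_CADevTest_ groups, and the & / ! combination shows how to exclude a subset (here the Prod group) before anything is imported. Replace SAMPLE_GROUPS with the CN values exported from your own directory to preview the real result of a Sync.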