| Group Object Class | Object class used for group entries. | groupOfUniqueNames |
19
+
| Group Member Attribute | Naming attribute for group membership. | uniqueMember |
20
+
| Group Search Base | Relative Distinguished Name (RDN) of your group entries. | ou=groups,dc=example,dc=org |
21
+
| User RDN attribute | The attribute which is a part of the user's DN (the leftmost component of the DN). | Empty, defaults to the username attribute |
22
+
| Limit synchronization to these groups | Limits all LDAP actions only to users belonging to one of the specified groups, both ways. Values should be provided as a list separated by commas. | Empty |
22
23
23
24
## Settings in depth
24
25
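Review bot: the new `Limit synchronization to these groups` row does not say what kind of value goes in the list (Defguard group names, LDAP group CNs, or full group DNs) or how a group whose name contains a comma should be written, and the Default column should spell out what `Empty` means in practice, since the rest of this page says that with no groups set every user is synchronized. Suggest `| Limit synchronization to these groups | Restricts both directions of synchronization to members of the listed groups. Comma-separated list of group names. | Empty (all users are synchronized) |`. The phrase `Limits all LDAP actions only to users` is also redundant (`limits ... only`).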
@@ -36,6 +37,8 @@ Changing the RDN attribute may cause your users to be re-added to Defguard, caus
36
37
*`Username attribute`: The username attribute which will be used to set the username of a Defguard user. The following restrictions apply:
37
38
* Only alphanumeric characters except for <kbd>.</kbd>, <kbd>-</kbd> or <kbd>\_</kbd>
38
39
* At least 1 and at most 64 characters
39
-
40
-
40
+
*`Limit synchronization to these groups`: limits the synchronization scope to only the members of the selected groups, this works both ways:
41
+
* Changes in Defguard will be propagated to LDAP only if a user belongs to a given group in Defguard.
42
+
* If the two way synchronization is enabled, only the users belonging to the specified groups will be fetched from the LDAP server.
43
+
* Adding a user to one of the synchronization groups in Defguard will automatically create that user in LDAP if they don't exist yet. If they already exists, their LDAP data (e.g. the email address) will be overwritten with the data in Defguard if only the one way synchronization (Defguard -> LDAP) is enabled. Otherwise if the two way synchronization is enabled the selected authority server will be respected.
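Review bot: the third added bullet (`Adding a user to one of the synchronization groups in Defguard will automatically create that user in LDAP`) documents a write path that needs a clearer caveat: once one-way synchronization is on, putting a user into a synchronization group in Defguard is enough to create or overwrite an LDAP entry, so the bullet should say which attributes are overwritten (only `the email address` is given as an example) and that the bind account used for the integration therefore needs write access to the user subtree. Grammar in the same bullet: `If they already exists` should read `If they already exist`, and `if only the one way synchronization (Defguard -> LDAP) is enabled` should read `if only one-way synchronization (Defguard -> LDAP) is enabled`. In the unchanged context just above, `Only alphanumeric characters except for . - or _` reads as if those three characters are forbidden; if they are allowed in usernames the line should say `plus` rather than `except for`.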
enterprise/all-enteprise-features/ldap-and-active-directory-integration/two-way-ldap-and-active-directory-synchronization.md
26 lines changed: 26 additions & 0 deletions
@@ -49,6 +49,32 @@ The LDAP two way synchronization has the following options available:
49
49
50
50
If you enabled the LDAP integration but not the two-way synchronization, your changes in Defguard will be propagated to LDAP but not the other way around.
51
51
52
+
### Selecting which users to synchronize
53
+
54
+
If you want to synchronize only selected users, you can specify the groups of which members should be synchronized.
This can be useful if you have a lot of users in your LDAP server and want to synchronize/pull only users belonging to a given group, e.g. `defguard-sync`.
59
+
60
+
This setting is described in more depth in [settings-table.md](settings-table.md"mention") and affects both LDAP → Defguard and Defguard → LDAP synchronizations.
61
+
62
+
After specifying synchronization groups, only members of those groups will be kept in sync.
63
+
64
+
#### Pruning users after changing the synchronization groups
65
+
66
+
{% hint style="info" %}
67
+
The following advice should be applied only when you are using LDAP as the authoritative server.
68
+
{% endhint %}
69
+
70
+
After you change your synchronization groups, users not belonging to the new groups won't be automatically deleted. This may be an issue if you first used the two way synchronization without any synchronization groups, effectively synchronizing everyone and decided later to narrow the scope of synchronization. This can result in many redundant, not synchronized user records in your Defguard instance laying around. If you want to prune your Defguard users to only those who are in your synchronization group, you can follow these steps (assuming you have already set your synchronization groups):
71
+
72
+
1. Wait for a two-way periodic synchronization to complete, you can recognize it by the `LDAP sync completed` log message.
73
+
2. Temporarily disable the whole LDAP integration in the settings .png>)
74
+
3. In the Defguard user's list, bulk assign all users one of your synchronization groups, to bring them into the scope of synchronization. You may want to leave out all users which you don't want to be ever touched by the LDAP integration, e.g. the default admin user or other users you want to keep only in Defguard.
75
+
4. Enable the LDAP integration in the settings <imgsrc="../../../.gitbook/assets/image (98).png"alt=""data-size="line">
76
+
5. Now, the next two-way synchronization will remove all users from Defguard who have the synchronization group you just assigned in Defguard but don't have it in LDAP, effectively leaving you only with users that have the group in both sources.
77
+
52
78
## Synchronization mechanism overview
53
79
54
80
The goal of the LDAP two-way synchronization is to make the two data sources (LDAP and Defguard) equal. To achieve this, two variants of synchronization are used: synchronous and asynchronous.
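Review bot: the pruning procedure in steps 1 to 5 deletes accounts (step 5 removes every Defguard user who received the group in step 3 but does not have it in LDAP), yet the hint above it is styled `info` and step 3 only mentions the default admin in passing; the hint should be a warning, step 3 should state plainly that the default admin and any Defguard-only accounts must be excluded from the bulk assignment or they will be deleted on the next sync, and the section should recommend a database backup before step 3. Two markup breaks in this hunk: step 2 ends in a dangling `.png>)` fragment, so the image link is lost, and step 4 has `<imgsrc="../../../.gitbook/assets/image (98).png"alt=""data-size="line">` with the spaces between the tag name and attributes missing, which will not render; the GitBook mention `[settings-table.md](settings-table.md"mention")` is likewise missing the space before `"mention"`. Minor wording: `laying around` should be `lying around`, and `in the settings .` has a stray space before the period.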