LDAP filter for users, groups, and email
In the Directory Synchronization Client, each of the three synchronization types has its own LDAP search set up. This means there is great flexibility in selecting the appropriate data, and the searches are completely independent of each other.
For example, you can use the membership of an LDAP group attribute as a means of selecting the users you want, even though you may not select that group itself to be synchronized.
This is an example Active Directory schema:
Below are some examples of the synchronization choices you might make based on this schema.
Group selection
If you require specific policies or exceptions in your cloud product for French and English telesales staff, select the "UK Telesales" and "Fr Telesales" groups for synchronization.
For more information about selecting groups, see Step 7: Selecting groups for synchronization.
User selection
If your cloud product is currently available only to your European staff, synchronize only those users. You can achieve this in either of two ways:
Option 1: When setting up a users configuration, set the LDAP search base to the domain level, and set the search filter to something like the following:
(&(objectCategory=person)(objectclass=user)(memberOf=CN=All Europe,OU=Global,dc=company,dc=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
This selects users that are members of the global Europe group and that are enabled (strictly, that have accounts that are not disabled: the last clause uses the bitwise AND matching rule 1.2.840.113556.1.4.803 to test the ACCOUNTDISABLE bit, value 2, of userAccountControl, and the negation excludes any account where that bit is set).
For more information about LDAP search filters, see Step 5: Setting up the LDAP search configuration.
Option 2: When setting up your users configuration, on the Configure data source window check the Advanced box. Select another source, and then set the LDAP search base to one of the European OUs (for example London or Paris). Leave the search filter as the default to load all users from that OU.
Once you have configured that data source, repeat the process for each OU that you want to include. The Directory Synchronization Client merges all of the users from the various OU sources and synchronizes them with the portal.
For more information on multiple data sources, see Selecting multiple data sources.
Email selection
The valid email address list can be created from a completely different LDAP search. This gives you the flexibility to synchronize a different set of employees' addresses if required, and also to handle leavers in two different ways.
For example, when an employee leaves the company, you are likely to disable their account immediately upon departure. If you use the default filter in the users synchronization, this removes them from the cloud service, as disabled accounts are not synchronized. However, you might want to allow emails to be received for a while after the employee's departure, so the email synchronization should still include the employee's address.
To include European email addresses from the above example and also include leavers in the valid address list, set the LDAP search base to the company domain, and set the search filter to:
(&(objectCategory=person)(objectclass=user)(memberOf=CN=All Europe,OU=Global,dc=company,dc=com))
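The two filters above differ only in the userAccountControl clause, and the effect is easiest to see by evaluating both against the same directory entries. The following is an added example, not Forcepoint's code: a minimal RFC 4515 filter evaluator that supports just what these filters use (and, or, not, equality and AD's bitwise AND matching rule), run over three constructed AD-like entries, including a disabled leaver.

```python
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # AD LDAP_MATCHING_RULE_BIT_AND OID
ACCOUNTDISABLE = 2                        # userAccountControl bit: account disabled
EUROPE = "CN=All Europe,OU=Global,dc=company,dc=com"
USERS_FILTER = ("(&(objectCategory=person)(objectclass=user)(memberOf=" + EUROPE +
                ")(!(userAccountControl:" + BIT_AND_RULE + ":=2)))")
EMAIL_FILTER = "(&(objectCategory=person)(objectclass=user)(memberOf=" + EUROPE + "))"

def parse_filter(s, pos=0):
    """Parse the parenthesised filter at s[pos]; return (node, position after it)."""
    assert s[pos] == "(", "expected '(' at offset %d" % pos
    pos += 1
    if s[pos] in "&|":                       # (&(a)(b)...) or (|(a)(b)...)
        op, pos, kids = s[pos], pos + 1, []
        while s[pos] == "(":
            kid, pos = parse_filter(s, pos)
            kids.append(kid)
        return (op, kids), pos + 1
    if s[pos] == "!":                        # (!(a))
        kid, pos = parse_filter(s, pos + 1)
        return ("!", [kid]), pos + 1
    end = s.index(")", pos)                  # simple item attr=value; value may contain '='
    attr, value = s[pos:end].split("=", 1)
    return ("=", attr, value), end + 1

def values_of(entry, attr):                  # AD attribute names are case-insensitive
    vals = entry.get(attr.lower(), [])
    return vals if isinstance(vals, list) else [vals]

def evaluate(node, entry):
    if node[0] == "&": return all(evaluate(k, entry) for k in node[1])
    if node[0] == "|": return any(evaluate(k, entry) for k in node[1])
    if node[0] == "!": return not evaluate(node[1][0], entry)
    _, attr, value = node
    if ":" in attr:                          # extensible match attr:ruleOID:=value
        name, rule = attr.rstrip(":").split(":")
        if rule != BIT_AND_RULE: raise ValueError("unsupported matching rule " + rule)
        return any(int(v) & int(value) == int(value) for v in values_of(entry, name))
    return any(v.lower() == value.lower() for v in values_of(entry, attr))

def select(filter_str, entries):
    """Return the sAMAccountNames of the entries that match filter_str."""
    node, _ = parse_filter(filter_str)
    return [e["samaccountname"] for e in entries if evaluate(node, e)]

def person(name, groups, uac):               # constructed AD-like entry, lower-case keys
    return {"samaccountname": name, "objectcategory": "person", "memberof": groups,
            "objectclass": ["top", "person", "user"], "useraccountcontrol": str(uac)}

ENTRIES = [person("alice", [EUROPE], 512),                   # enabled European user
           person("bob", [EUROPE], 512 | ACCOUNTDISABLE),    # leaver, account disabled
           person("carol", ["CN=US Sales,OU=Global,dc=company,dc=com"], 512)]
```

Running select(USERS_FILTER, ENTRIES) returns only alice, while select(EMAIL_FILTER, ENTRIES) returns alice and bob, which is exactly the leaver behaviour described above.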
Copyright 2016 Forcepoint LLC. All rights reserved.