LDAP filter for users, groups, and email
In the Directory Synchronization Client, there are three synchronization types (groups, users, and email), each with its own LDAP search set up. The searches are independent of one another to give you flexibility in selecting the appropriate data.
For example, you can use the LDAP group attribute to select the users you want, even if you choose not to synchronize the group itself.
This is an example Active Directory schema:
[Figure: example Active Directory schema referenced by the examples below]
Below are some examples of the synchronization choices you might make based on this schema.
Group selection
If you require specific policies or exceptions in your cloud product for French and English telesales staff, select the "UK Telesales" and "Fr Telesales" groups for synchronization.
More information about selecting groups is provided in the configuration profile setup instructions (Step 6: Selecting groups for synchronization).
User selection
If your cloud product is currently available only for your European staff, synchronize only those users. You can achieve this by:
* When setting up a users configuration, set the LDAP search base to the domain level. Then set the search filter to something like the following:
(&(objectCategory=person)(objectclass=user)(memberOf=CN=All Europe,OU=Global,dc=company,dc=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
This selects users that are members of the global Europe group and that are enabled (strictly, that have accounts that are not disabled). The OID 1.2.840.113556.1.4.803 is the Active Directory bitwise-AND matching rule, and 2 is the ACCOUNTDISABLE bit of userAccountControl, so the negated clause excludes any account with that bit set regardless of which other flags are set. A plain equality test such as (userAccountControl=2) would not do this, because userAccountControl almost always carries other bits (for example 512, NORMAL_ACCOUNT) as well.
More information about LDAP search filters is provided in the configuration profile setup instructions (Step 4: Setting up the LDAP search configuration).
* When setting up your users configuration, on the Configure data source window check the Advanced box. Select another source, and then set the LDAP search base to be one of the European OUs (for example London or Paris). Leave the search filter as the default to load all users from that OU.
Once you have configured that data source, repeat the process for each OU that you want to include. The Directory Synchronization Client merges all of the users from the various OU sources and synchronizes them with the portal.
More information about multiple data sources is provided in the configuration profile setup instructions (Step 2: Selecting your data source).
Email selection
The valid email address list can be created from a completely different LDAP search. This may be especially useful in dealing with users who leave the organization.
For example, when a user leaves the organization, you are likely to disable their account immediately upon departure. If you use the default filter in the users synchronization, this removes the departed user from the cloud service (disabled accounts are not synchronized). You might, however, want to allow email messages to be received for a while after the employee's departure, so the email synchronization might still include the employee's address.
To include European email addresses from the above example and also include departed users in the valid address list, set the LDAP search base to the company domain, and set the search filter to:
(&(objectCategory=person)(objectclass=user)(memberOf=CN=All Europe,OU=Global,dc=company,dc=com))
This is the users filter without the userAccountControl clause, so disabled accounts are matched as long as they remain members of the group. Because disabling an account does not remove its group memberships, a departed user's address stays in the valid address list until the account is removed from the group or deleted, so make that removal an explicit step in your leaver process rather than relying on the disable alone.
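The users filter and the email filter differ only in the disabled-account clause. The following Python evaluator, added here as an example and not part of the Directory Synchronization Client or of Forcepoint's documentation, implements enough RFC 4515 filter syntax (AND, OR, NOT, equality, and the Active Directory bitwise-AND matching rule 1.2.840.113556.1.4.803) to run both filters, plus a deliberately naive equality variant, against a small constructed set of directory entries. The entries, account names and the NAIVE_FILTER are assumptions for illustration. It shows that a departed user whose account is disabled drops out of the users filter but remains in the email filter, and that testing userAccountControl with plain equality does not exclude disabled accounts at all.

```python
"""Offline evaluator for the LDAP filters on this page (added example, not
Forcepoint code). Supports AND (&), OR (|), NOT (!), equality, and the Active
Directory bitwise-AND extensible match attr:1.2.840.113556.1.4.803:=n.
Value escapes (\\2a etc.), substring and presence filters are not handled."""

ACCOUNTDISABLE = 0x2                      # userAccountControl bit: account disabled
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

# Constructed sample entries (assumed, not from the page). Attribute names are
# lower-cased and every value is a list, since LDAP attributes are multi-valued.
# objectCategory is stored as the short name that AD resolves "person" to.
EUROPE = "CN=All Europe,OU=Global,dc=company,dc=com"
US = "CN=All US,OU=Global,dc=company,dc=com"
PERSON = {"objectcategory": ["person"],
          "objectclass": ["top", "person", "organizationalPerson", "user"]}
DIRECTORY = [
    dict(PERSON, samaccountname=["alice"], mail=["alice@company.com"],
         memberof=[EUROPE, "CN=UK Telesales,OU=London,dc=company,dc=com"],
         useraccountcontrol=[512]),                       # NORMAL_ACCOUNT, enabled
    dict(PERSON, samaccountname=["bob"], mail=["bob@company.com"],
         memberof=[EUROPE], useraccountcontrol=[514]),    # 512 | ACCOUNTDISABLE: departed
    dict(PERSON, samaccountname=["carol"], mail=["carol@company.com"],
         memberof=[US], useraccountcontrol=[512]),        # enabled, but not in Europe
    dict(PERSON, samaccountname=["dave"], mail=["dave@company.com"],
         memberof=[EUROPE], useraccountcontrol=[66050]),  # DONT_EXPIRE_PASSWD | 512 | ACCOUNTDISABLE
]


def parse(s, i=0):
    """Parse one parenthesised filter item at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":                       # AND / OR over a list of items
        op, kids, i = s[i], [], i + 1
        while True:
            while s[i] == " ":             # tolerate whitespace between items
                i += 1
            if s[i] != "(":
                break
            child, i = parse(s, i)
            kids.append(child)
        node = (op, kids)
    elif s[i] == "!":                      # NOT over a single item
        i += 1
        while s[i] == " ":
            i += 1
        child, i = parse(s, i)
        while s[i] == " ":
            i += 1
        node = ("!", child)
    else:                                  # simple item: attr=value or attr:rule:=value
        end = s.index(")", i)
        lhs, value = s[i:end].split("=", 1)   # the value itself may contain '=' (a DN)
        if ":" in lhs:
            attr, rule, _ = lhs.split(":")
            node = ("bit", attr.lower(), rule, int(value))
        else:
            node = ("eq", lhs.lower(), value)
        i = end
    if s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def parse_filter(s):
    s = s.strip()
    node, i = parse(s, 0)
    if i != len(s):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])       # an absent attribute never matches
    if kind == "eq":
        return any(str(v).lower() == node[2].lower() for v in values)
    if node[2] != BIT_AND_RULE:
        raise ValueError("unsupported matching rule " + node[2])
    return any((int(v) & node[3]) == node[3] for v in values)   # all requested bits set


def select(filter_string, directory=DIRECTORY):
    """Return the sAMAccountNames matched by filter_string, sorted."""
    tree = parse_filter(filter_string)
    return sorted(e["samaccountname"][0] for e in directory if matches(tree, e))


USERS_FILTER = ("(&(objectCategory=person)(objectclass=user)(memberOf=" + EUROPE + ")"
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
EMAIL_FILTER = "(&(objectCategory=person)(objectclass=user)(memberOf=" + EUROPE + "))"
# Assumed pitfall for illustration: equality only matches when the attribute is
# exactly 2, which real accounts never are, so disabled users slip through.
NAIVE_FILTER = ("(&(objectCategory=person)(objectclass=user)(memberOf=" + EUROPE + ")"
                "(!(userAccountControl=2)))")

if __name__ == "__main__":
    for name, f in [("users", USERS_FILTER), ("email", EMAIL_FILTER), ("naive", NAIVE_FILTER)]:
        print(name, select(f))   # users ['alice']; email and naive ['alice', 'bob', 'dave']
```

The same three filter strings can be handed unchanged to a real directory query (for example the LDAPFilter parameter of Get-ADUser, or an ldap3 search) to confirm the evaluator's result against your own domain before you commit a filter to a configuration profile.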
Copyright 2022 Forcepoint LLC. All rights reserved.