The list of users read from the LDAP server can be quite long, and you will probably only want to import a small number of them. A Remove from list button is provided, along with several methods of selecting unwanted users.You can use these options to reduce the list to a manageable size and then select the users to import.
|
1
|
Navigate to the Users > Settings page.
|
|
2
|
Set the User authentication method to LDAP or LDAP + Local Users. The Configure LDAP button moves up.
|
|
3
|
|
4
|
In the Settings tab, configure these server options:
|
|
a
|
Enter the name or IP address of the LDAP server in the Name or IP address field.
|
|
•
|
|
•
|
Choose a port from the Standard port choices… drop-down menu:
|
If you choose a port from the Standard port choices… drop-down menu, the port number changes to that of the specified choice.
|
c
|
Enter a server timeout in the Server timeout (seconds) field. The server timeout is the maximum time to wait for each response from the LDAP server over the network. The default is 10 seconds.
|
|
d
|
Enter an overall operation timeout in the Overall operation timeout (minutes) field. The overall operation timeout is the maximum time to spend on any auto operation. The default is 5 minutes.
|
|
•
|
Bind distinguished name (binds the distinguished name to the LDAP server
|
|
•
|
Anonymous login, enter the user name in the Login user name field.
|
|
•
|
Give login name/location in tree, enter the name that is in the first component of the user’s distinguished name and not their login ID in the Login user name field. For example, John Doe may normally log in as jdoe, but you would enter John Doe in the field. You must also give the user tree for login to server in the Directory tab.
|
|
•
|
Bind distinguished name, enter the full distinguished name (DN) to use to bind to the LDAP server in the Bind distinguished name field.
|
|
7
|
To enable TLS mode, ensure the Use TLS (SSL) checkbox is selected. It is enabled by default.
|
|
8
|
To allow an LDAP server to operate in both TLS and non-TLS modes on the same TCP port, select the Send LDAP ‘Start TLS’ request checkbox.
|
|
9
|
To require valid certificates from the LDAP server in TLS mode, ensure the Require valid certificate from server checkbox is selected. It is enabled by default.
|
|
10
|
Optionally, select a local certificate for TLS from the Local certificate for TLS drop-down menu. The default is None.
|
|
11
|
Click the Schema tab.
|
|
12
|
|
•
|
Microsoft Active Directory (default)
|
|
NOTE: What options are available and which are dimmed (unavailable) in the User Objects and User Group Objects sections change according to the schema you choose.
|
|
13
|
If you selected User defined schema, enter an object class in the Object class field. The default is user. These are the default values for the other schemas and cannot be changed:
|
|
•
|
|
•
|
RFC2798 InetOrgPerson – inetOrgPerson
|
|
•
|
RFC2307 Network Information Service – posixAccount
|
|
•
|
Samba SMB – sambaSAMAccount
|
|
•
|
NovelleDirectory – inetOrgPerson
|
|
14
|
If you selected User defined schema, enter a login name attribute in the Login name attribute field. The default is on. These are the default values for the other schemas and cannot be changed:
|
|
•
|
Microsoft Active Directory – sAMAccountName
|
|
•
|
|
•
|
Samba SMB – uid
|
|
•
|
|
15
|
Optionally, in the Qualified login name attribute, specify an attribute of a user object that sets an alternative login name of the user in name@domain format. This may be needed with multiple domains in particular, where the simple login name may not be unique across domains. These are the default values:
|
|
•
|
Microsoft Active Directory – userPrincipalName
|
|
•
|
|
•
|
|
NOTE: With Active Directory, this would normally be userPrincipalName for login using name@domain, but could be set to mail to enable login by email address.
|
|
16
|
If you selected User defined schema, enter a user group-membership attribute in the User group membership attribute field. There is no default. These are the default values for the other schemas and cannot be changed:
|
|
•
|
Microsoft Active Directory – memberOf
|
|
•
|
|
17
|
Optionally, specify an additional user ID group attribute in the Additional user group ID attribute field and select the Use checkbox to enable the attribute’s use. The Additional user group ID attribute, along with the Additional user group match attribute in the User Group Objects section, allow for a schema that may set additional memberships for a user in addition to those that are found via a member and/or memberOf attributes; for example, Active Directory’s group attribute.
|
If the Additional user group ID attribute is specified and its use is enabled, then when a user object is found with one or more instances of this attribute, a search for additional user groups matching those attributes will be made in the LDAP directory. If a group is found with the Additional user group match attribute set to that value, then the user will also be made a member of that group.
|
With Active Directory, this value, along with the Additional user group match attribute value, will give users membership in their primary user group (typically, Domain Users). |
|
18
|
In the LDAP Import Users dialog box, you can select individual users or select all users. To select all users in the list, select the Select/deselect all checkbox at the top of the list. To clear all selections, click it again.
|
|
19
|
|
•
|
To remove the users whose checkboxes you have selected, select the All selected users radio button.
|
|
•
|
To remove certain users on the basis of name, description, or location, select the Any user whose <field1> contains <field2> radio button. Select name, description, or location from the drop-down list in the first field, and type the value to match into the second field.
|
|
•
|
In this option, name refers to the user name displayed in the left column of the list, description refers to the description displayed to its right (not present for all users), and location refers to the location of the user object in the LDAP directory. The location, along with the full user name, is displayed by a mouse-over on a user name, as shown in the image above.
|
|
•
|
For example, you might want to remove accounts that are marked as “Disabled” in their descriptions. In this case, select description in the first field and type Disabled in the second field. The second field is case-sensitive, so if you typed disabled you would prune out a different set of users.
|
|
•
|
To remove certain users from the list on the basis of their location in the LDAP directory, select the All users <field1> <field2> radio button. In the first field, select either at or at or under from the drop-down list. In the second field, select the LDAP directory location from the drop-down list.
|
|
21
|
To undo all changes made to the list of users, click Undo and then click OK in the confirmation dialog box.
|
|
22
|
When finished pruning out as many unwanted accounts as possible with the Remove from list options, use the checkboxes in the list to select the accounts to import.
|
|
23
|
Click Save selected.
|
