LDAP Synchronization is an Enterprise Gateway feature that allows you to initially and periodically synchronize an organization's Active Directory or LDAP-based user store with the user accounts located in the VIP Service, eliminating the need to manually manage users through VIP Manager or via API calls.
Features of VIP LDAP synchronization:
Mapping LDAP users, administrators, and groups to VIP users, administrators, and groups.
User status attribute handling (new, locked, disabled, terminated).
Self-Service Portal (SSP) mapping to Out-Of-Band (OOB) attributes.
Cross-Domain User Mapping.
Before implementing LDAP Synchronization, you must understand the following:
Running a misconfigured LDAP sync WILL delete all users in your VIP user store and prevent access to the resource being protected by VIP.
Configuring LDAP synchronization in multiple domains can lead to a situation where a VIP user is added based on one domain and the same VIP user is removed based on the other.
Using sAMAccountName in multiple domains or in a mixed AD environment (such as Windows AD and Novell) can cause overlapping user issues.
The Add setting in the LDAP Synchronization will add all users that satisfy the user filter criteria in the filter settings. When a user is added to your user store, a user license is consumed.
Careful planning is required before deploying the LDAP synchronization feature. This guide seeks to provide answers to many common questions about configuring this feature.
What versions of Active Directory (AD) and other directories are supported?
Windows Active Directory 2003
Windows Active Directory 2008
Windows Active Directory 2008 R2
Windows Active Directory 2012
Windows Active Directory 2012 R2
Novell eDirectory 8.8 Service Pack 8
Open LDAP 2.4.44
Oracle Directory Server Enterprise Edition 22.214.171.124.0
Why do I need LDAP synchronization?
LDAP synchronization automatically manages users in your user store and admin store by adding, removing and updating these users based on the user filter(s) settings. These settings can also map users to specific groups with different roles, such as admins or your IT help desk.
How many LDAP synchronization servers do I need?
This depends on your frequency and availability requirements for LDAP synchronization. Typically, LDAP sync running on a single Enterprise Gateway is sufficient. However, additional instances can be added to reduce server load or to provide lead time for AD synchronization constraints.
What is the maximum number of users that can be synchronized by one Enterprise Gateway?
In testing, a single Enterprise Gateway server successfully synchronized 445,100 users in a single synchronization session from a virtual Domain Controller with 2 cores, 4GB of RAM, and an average CPU utilization of 8%.
What can be Synchronized?
LDAP synchronization can add both Users and Administrators and map them to specific groups, such as Help Desk administrators or Audit administrators. Super Admins cannot be synchronized and must be added manually through VIP Manager. Note: Administrators in one VIP Manager account cannot use the same login name in another VIP Manager account.
Does Enterprise Gateway LDAP synchronization support Active Directory referrals?
No. Symantec VIP Enterprise Gateway does not process or follow referrals.
Can UserPrincipalName be changed to sAMAccountName after a synchronization (or vice versa)?
Because LDAP synchronization maps other AD attributes to a user during a synchronization (such as the user's SID), a user's credential will remain mapped to the correct user in VIP Manager if the UserPrincipalName or sAMAccountName is modified. However, caution must be taken in situations where sAMAccountName collisions could occur.
What happens if a user name changes?
Because each user is mapped to VIP Manager using unique identifiers in AD, the UserPrincipalName or sAMAccountName can change without destroying a user's VIP Manager mapping.
How do I undo an LDAP synchronization?
To roll back an LDAP synchronization, revert the changes made to the user filter, then select ADD in the LDAP synchronization settings. A full synchronization will restore the user(s) and credential mappings. Technical Support can assist with a cleanup of any users that need to be removed. If an LDAP sync deletes users, DO NOT ADD THE USERS BACK VIA API CALLS. This will destroy the credential mapping and potentially prevent a full restore.
Single domains vs. Multi-forest domains
A single domain is the most common configuration. sAMAccountName collisions are unlikely, as single user store configurations do not typically encounter user filter collisions. When dealing with a multi-domain forest, several precautions must be taken and configuration changes made to ensure proper functionality.
How to test an LDAP synchronization and see the results prior to enabling the service
LDAP synchronization has a simulation option which mimics an LDAP sync without making any actual changes. The results of the simulation are written to a log file. The changes listed in this simulation log are the changes that will be made if the service is enabled and an actual LDAP sync is allowed to run. Running a simulation is vital to avoiding unwanted changes, and should be performed whenever changes are made. A simulation cannot be run while the LDAP service is enabled.
Design and topology considerations
Typically, most environments will consist of one Enterprise Gateway server, one User Store, in one Domain, and a Self Service Portal configured.
Assuming all of these have been configured and users are able to log in and register credentials, we can consider adding LDAP synchronization.
There are two main ways to run LDAP synchronization. You may choose to run it as a system service. If you do so, it will perform the user Update and Delete (or Add) operations once a day, depending on the Frequency set.
Alternately, you can run a Synchronize Now, forcing a total AD synchronization and bypassing the LDAP synchronization service settings.
Typically, most environments only use the Update and Delete settings. This way a user is allowed access based on the user filter: they can register a credential, and if a user is disabled or deleted in AD, the user will be removed from VIP Manager upon the next synchronization.
NOTE: When first configuring LDAP synchronization, ensure that the service status is set to off.
Note: Admin users can only be synchronized to a single VIP account; if the admin belongs to another Jurisdiction Hash in VIP Manager, that user will not be synchronized.
Note: Only Windows AD and Novell directories are supported with the Enterprise Gateway.
Single Domain Configuration
This is the most common configuration. To configure a single domain single Enterprise Gateway, do the following:
Decide on an LDAP filter. Best practice is to use the userPrincipalName attribute, since it is always a unique identifier. There are many options when it comes to the LDAP filter which are beyond the scope of this document. If you want to learn more about the LDAP filter, refer to this KB:
Go to User Store, then click User Store in the left sidebar, select the user store you wish to modify by clicking Edit, then click the Search Criteria tab.
You should see the below image:
With a simple filter as shown, LDAP synchronization will UPDATE and DELETE users based on the root of Demo.org, meaning that all users in this domain can use the Self Service Portal (SSP) to register their credentials. Another feature here is the Out of Band (OOB) attributes. These are fully customizable and you can choose any applicable AD attribute. They are not added via LDAP synchronization; rather, they make those options available to the SSP.
Here is a generic topology of the Single Domain Single Enterprise Gateway layout:
Single Domain Configuration High Availability Enterprise Gateway
The Single Domain Configuration High Availability Enterprise Gateway configuration is very similar to the Single Domain Single Enterprise Gateway configuration. The main difference is the scheduling of the LDAP synchronization, since in an HA configuration all settings should ideally be identical. Depending on the size of the AD forest and the number of users being synchronized, you may want to offset the frequency by several hours. If the first Enterprise Gateway is still performing a synchronization, the second gateway will log an error stating that Gateway "name" is still performing a synchronization, and the second gateway will try again at the next scheduled time. In this type of configuration, be sure to check the synchronization cluster name and ensure it is the same on the gateways performing the LDAP synchronization.
Here is a generic topology of the Single Domain High Availability Enterprise Gateway layout:
Multi Domain Configurations Single Enterprise Gateway
When looking to implement LDAP synchronization in a multi domain configuration, please note that some issues may occur:
Collisions based on sAMAccountName if that is being used to identify users.
Possible user filter issues due to multiple directory types, e.g. AD vs. Oracle.
Here is a generic topology of the Multi Domain Single Enterprise Gateway layout:
Notice that the Enterprise Gateway is able to connect to both domains in the same environment.
When configuring a multi-domain environment with a single Enterprise Gateway, it is highly recommended to use UserPrincipalName rather than sAMAccountName. This prevents collisions between users with the same first and last name. If your organization uses another unique identifier such as employeeID, you can use that attribute as the user identifier. This filter also determines whether users are allowed to register their credentials via the SSP.
As an example, here are two user filters:
This would filter all users with a UserPrincipalName and remove disabled users.
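Here is a Python dry run of that kind of filter, added as an example (it is not Symantec's code or this guide's own filter screenshots): it evaluates "has a userPrincipalName and is not disabled" over constructed entries from two domains and shows why keying on sAMAccountName collides where keying on userPrincipalName does not. The disabled-account check assumes the Active Directory userAccountControl bit-AND matching rule (OID 1.2.840.113556.1.4.803), which this page does not show.

```python
# Added example, not Symantec's code: a pre-sync audit that mimics the filter
# "every account with a userPrincipalName, excluding disabled ones" over
# constructed AD entries from two domains and flags sAMAccountName collisions.
ADS_UF_ACCOUNTDISABLE = 0x2  # userAccountControl bit set on disabled accounts

# Constructed sample directory entries (not real directory data).
ENTRIES = [
    {"domain": "acme.com", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@acme.com", "userAccountControl": 512},
    {"domain": "acme.com", "sAMAccountName": "asmith",
     "userPrincipalName": "asmith@acme.com", "userAccountControl": 514},
    {"domain": "roadrunner.org", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@roadrunner.org", "userAccountControl": 512},
    {"domain": "roadrunner.org", "sAMAccountName": "svc-backup",
     "userPrincipalName": None, "userAccountControl": 512},
]

# Constructed view of who is already in the VIP user store, per identifier.
VIP_USERS = {"userPrincipalName": {"asmith@acme.com", "jdoe@acme.com"},
             "sAMAccountName": {"asmith", "jdoe"}}

def passes_filter(entry):
    """Mimic (&(userPrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))."""
    has_upn = bool(entry.get("userPrincipalName"))
    disabled = bool(entry["userAccountControl"] & ADS_UF_ACCOUNTDISABLE)
    return has_upn and not disabled

def simulate(entries, existing, identifier):
    """Dry run: what a sync keyed on `identifier` would add/delete, plus collisions."""
    selected, collisions = {}, {}
    for e in entries:
        if not passes_filter(e):
            continue
        key = e[identifier]
        if key in selected:  # a second domain maps to the same identifier
            collisions.setdefault(key, [selected[key]["domain"]]).append(e["domain"])
        else:
            selected[key] = e
    fetched = set(selected)
    return {"fetched": len(fetched),
            "add": sorted(fetched - existing),
            "delete": sorted(existing - fetched),  # no longer match the filter
            "collisions": collisions}

if __name__ == "__main__":
    for ident in ("userPrincipalName", "sAMAccountName"):
        print(ident, simulate(ENTRIES, VIP_USERS[ident], ident))
```

The disabled asmith account shows up under "delete" with either identifier, while the two jdoe accounts only collide when sAMAccountName is the key.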
Here is a generic topology of the Multi Domain, Multi Enterprise Gateway layout:
When multiple domains are synchronized from multiple Enterprise Gateway servers, you MUST change the cluster names of the Enterprise Gateways. This prevents a scenario where users are incorrectly removed.
For an INCORRECT example:
Acme.com cluster 1 has selected UserPrincipalName.
Roadrunner.org cluster 1 has selected UserPrincipalName.
The LDAP synchronization starts on roadrunner.org Enterprise Gateway and leaves firstname.lastname@example.org alone because that user is owned by the cluster 1 Enterprise Gateway.
To change the Enterprise Gateway cluster name:
Logon to the local Enterprise Gateway with an administrator account then proceed to:
Settings-> System Settings -> Synchronization Cluster Name
Ensure that you change the Synchronization Cluster name on at least one of the domains. For ease of tracking it is best to rename both appropriately; following the example, cluster names of Acme and Roadrunner would be appropriate.
NOTE: If you delete an Enterprise Gateway clustered server and it is the last server in that cluster, LDAP synchronization will be unable to take ownership of the users that were synced to it. The fix is to install an Enterprise Gateway, rename its Synchronization Cluster to the old name, run a synchronization, then rename the cluster to match the cluster name of the new domain's Enterprise Gateway servers.
LDAP Reference errors:
This occurs when an AD server, which at one time owned a group of users, is no longer reachable. This error is stating that some users may not be synchronized since the server which hosted them is no longer reachable.
LDAP synchronization log shows "aborting user synchronization":
This is due to a socket timeout. The default socket timeout is 60 seconds. Increase the socket timeout to 300 seconds.
The Socket Timeout setting is present in the following configuration file.
You should see the following settings.
Change the following Socket Timeout setting to 300.
Save the file, stop the LDAPSync service, and run the LDAPSync Simulation service.
LDAP when dealing with different ADs
Novell vs. Windows AD: UID vs. SAM
Appendix A: Explanation of LDAP Directory Synchronization settings
View of LDAP Directory Settings:
Service Status: Toggle ON / OFF. This enables the Frequency and Change Threshold timers below.
User Synchronization: Update and Delete are the default settings. Add is only used when a synchronization has deleted users, or when this is a first-time configuration and you wish to preload the users.
Administrator Synchronization: Unchecked by default. These are admins or help desk users who can be updated, deleted, or preloaded via the Add box.
Port: 8235 default (internal port only)
Log Level: Debug, Info, Warn, Error. This sets the logging for this service.
Number of files to keep: This setting controls the number of logs before deleting the first log.
Log Rotation Interval: This setting sets the time when the log rotates.
Enable Syslog: This allows for the Enterprise Gateway to forward the LDAP synchronize logs to a configured Syslog server.
Frequency: Configures how often you want the service to synchronize users.
Change Threshold: This is a rate limiter. For instance, if you set the change threshold to 10% and made 1,000 changes to your AD, only 100 changes will be reflected on the next synchronization. This continues on subsequent synchronizations until the total number of changes has been applied.
Edit: Allows the Admin to make changes to the settings.
Synchronize Now: Forces a 100% Synchronization, ignores the change threshold settings. Accepts the User Synchronization and Administrator Synchronization values.
Start Simulation: This is a safe method of seeing what the next synchronization will do. It does not perform a real synchronization and will not affect your environment. We recommend running this simulation to review the changes before turning the LDAP service on.
Appendix A: Explanation of LDAP Directory Synchronization settings
MODIFY_USER Modifications for User:
Describes user record updates.
Taking over the ownership of an IDP User:
LDAP sync starts managing the lifecycle of this user record, which had been created from an external IDP. However, this user record needs to be present in at least one configured user store.
Taking over the ownership of Anonymous User:
LDAP sync starts managing the lifecycle of this user who had been created from VIP Manager.
Taking over the ownership of EG 9.x:
LDAP sync starts managing the lifecycle of this user whose record had been created by an earlier version of EG. Typically, this will entail certain metadata updates to the user record.
This user will be deleted, either because it does not match the user filter or because it has been deleted or disabled in AD.
User will be updated (migrated) with the appropriate store bindings in the cloud:
LDAP sync has detected a lifecycle event where the user has either migrated from one enterprise user store to another or appears in more than one user store. For example, if a user registered with a sAMAccountName and the user filter is configured for UserPrincipalName, the user would be migrated to match the user filter constraints.
User email@example.com is modified to an already existing user in the cloud – Username. Since the Username is being deleted at the same time we will carry on with the update:
LDAP sync is updating user record metadata which was earlier held in two user stores as two different user records. In this update, however, they are merging into a single user name. With the merge, the unique surviving username needs to be associated with both stores, whereas the orphaned user ID in VIP Manager needs to be deleted.
Total number of users fetched from the user-store:
This gives the total number of users found based on the user filter.
Total number of users who will be deleted in the cloud:
This is a total of the users who are to be deleted either based on the user filter or who match a previous user store and are going to be replaced.
Total number of users who will be updated to the cloud:
Users who currently exist and have new attributes, such as a name change or a UserPrincipalName change.