Wanting to manage users/groups from an LDAP directory

Steps

  1. Review the existing cloud data structure, specifically the structure of users, groups, and policies. Go to Account > End Users and Account > Groups to view groups and users. (See Groups.) Make sure the structure is still as you require; this is a good opportunity to review and amend it. Review the policies (see Defining Web Policies) and their exceptions (see Exceptions).
  2. Review the existing LDAP/Active Directory data structure and decide whether restructuring of LDAP is necessary to match the cloud data more closely.
  3. Modify cloud and/or LDAP data to match each other as closely as possible. You might do this by creating new LDAP groups with the same name and members as the cloud groups.
  4. Download the client and install it on the target client machine.
  5. Configure the Directory Synchronization Client to search the LDAP directory and extract groups and users to a local file. (See the Directory Synchronization Client Administrator’s Guide for instructions.) Compare the results against the cloud data, old CSV files, and/or expectations. Modify the search as necessary to ensure it returns expected results.
  6. Decide whether to allow overwriting of groups with the same names. In the cloud manager, set Overwrite groups as necessary. (See Configure identity management for information.) If you allow overwriting, the LDAP groups replace the existing groups of the same name but keep their place in policies and exceptions. If you do not overwrite groups, make sure that all groups being synchronized from LDAP have different names from those in the cloud, then change any group-based notification in the cloud manager to the new LDAP group names as required.
  7. If you have more than one Web policy, go to each policy and assign groups to it (See Assign a group to a different policy).
  8. Then on the Identity Management screen, assign users to a default policy and for User policy assignment, select Follow group membership. With this setting, as users are moved to a different LDAP group, their policy assignment changes in step.
  9. Decide whether email will be sent after new users are synchronized from LDAP.
  10. In the cloud manager, set up a contact with Directory Synchronization permissions. (See Set up authentication (Directory Synchronization only).) This is the username/logon that the Directory Synchronization Client uses to log into the cloud manager.
  11. Now you are ready! In the cloud manager, enable Directory Synchronization. (See Configure identity management).
  12. In the Directory Synchronization Client, set up portal settings in the configuration established above, changing the output type to portal (not file) and using the contact with Directory Synchronization permissions created above. (See the Directory Synchronization Client Administrator’s Guide).
  13. During a slow period, select Replace on the client. Data is synchronized to the cloud manager. Note the number of additions. This is visible on the Synchronization page and also in the notification email messages.
  14. Log onto the cloud manager. Using Account > End Users and Account > Groups, check that users’ and groups’ policies are as expected. (See View and manage user data).
  15. On the Identity Management page, view Recent Directory Synchronizations and compare the totals of additions against those noted in the Directory Synchronization Client. They should match. (See View recent directory synchronizations).
  16. The system is now live. If you are unhappy with the user/group data you have synchronized, you can use Restore to undo the synchronization and try again. (See Restore directories.)
  17. If everything appears to be working, set up a schedule time in the Directory Synchronization Client for the background task to run. Close the client tool.
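A reconciliation check that supports steps 5, 6 and 15 (comparing the client's file output against the cloud data, confirming no group-name collisions when Overwrite groups is off, and predicting the addition totals to compare with the Synchronization page). This is an added example, not part of the Directory Synchronization Client or the cloud manager; it assumes both exports are CSV files with `group` and `user` columns, which this page does not specify, and the sample data is constructed.

```python
"""Pre-synchronization reconciliation check (added example; the CSV layout
with 'group' and 'user' columns is an assumption, not the client's format)."""
import csv
import io

# Constructed sample: what the client extracted from LDAP to a local file (step 5).
LDAP_EXPORT = """group,user
Sales,alice@example.com
Sales,bob@example.com
Finance,carol@example.com
Contractors,dave@example.com
"""

# Constructed sample: users and groups currently defined in the cloud manager.
CLOUD_EXPORT = """group,user
Sales,alice@example.com
Marketing,erin@example.com
"""


def load_members(text):
    """Return {group: set(users)} from CSV text with 'group' and 'user' columns."""
    members = {}
    for row in csv.DictReader(io.StringIO(text)):
        group = row["group"].strip()
        members.setdefault(group, set()).add(row["user"].strip().lower())
    return members


def reconcile(ldap_text, cloud_text):
    """Summarize what a Replace synchronization would change.

    colliding_groups: LDAP group names that already exist in the cloud. With
                      Overwrite groups disabled (step 6) this must be empty.
    new_groups/new_users: additions to compare against the totals shown on
                      the Synchronization page (step 15).
    cloud_only_groups: cloud groups LDAP does not supply; review their use in
                      policies and notifications before going live.
    """
    ldap = load_members(ldap_text)
    cloud = load_members(cloud_text)
    ldap_users = set().union(*ldap.values())
    cloud_users = set().union(*cloud.values())
    return {
        "colliding_groups": sorted(set(ldap) & set(cloud)),
        "new_groups": sorted(set(ldap) - set(cloud)),
        "new_users": sorted(ldap_users - cloud_users),
        "cloud_only_groups": sorted(set(cloud) - set(ldap)),
    }


if __name__ == "__main__":
    for key, value in reconcile(LDAP_EXPORT, CLOUD_EXPORT).items():
        print(f"{key}: {value}")
```

Run it against the real exports before step 13 and again after, so the `new_groups` and `new_users` counts can be checked against the additions reported in step 15.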