Defining group attributes

For group configurations, there is an additional field on the LDAP search configuration window. The Name field defines a rule for constructing a textual name that is used to represent individual users and groups. The name can be constructed from other LDAP attributes using simple template replacement strings.

Note: If you want to synchronize groups with the same name from different domains (for example, domain1/Admins and domain2/admins), you must change the string in the Name field from the default %CN% to %DC%/%CN%.

Attribute names are delimited by percent (%) symbols. The special attributes DN[n] and DC[n] allow part of the object class distinguished name to be used. Anything not enclosed between % symbols is treated as literal text.

The number (n) following the DN or DC attribute is an index, starting from 1, from the least significant component. When used with DN, the index refers to all components of the distinguished name. When used with DC, the index refers to only the DC components of the distinguished name. If the number exceeds the actual number of components, an empty string is substituted. If n is a negative value, it refers to the components starting with the most significant component first.

For example, the table below shows how different replacement string templates would resolve for the following object class:

dn: cn=Marketing, ou=Security, dc=Forcepoint, dc=com
objectClass: group
Name: SecureMarketing
SamAccountName: SecurityMarketingServices

Template                        Resolves To
%Name%\%DN[-2]%.%DN[-1]%        SecureMarketing\Security.Marketing
%DN[1]%\%SamAccountName%        com\SecurityMarketingServices
%DC[1]%\%SamAccountName%        com\SecurityMarketingServices
%DC[-1]%\%SamAccountName%       Forcepoint\SecurityMarketingServices
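The resolution rules above (attribute tokens between % signs, the DN[n] and DC[n] special attributes with positive and negative indices, empty substitution for out-of-range indices, literal text elsewhere) are small enough to implement end to end. The following is an added example, not code from the Directory Synchronization Client; it resolves templates against a constructed copy of the sample object above and is assumed to treat attribute names case-insensitively, which the page does not specify.

```python
import re

# Constructed sample entry mirroring the object shown in the table above.
SAMPLE_GROUP = {
    "dn": "cn=Marketing, ou=Security, dc=Forcepoint, dc=com",
    "objectClass": "group",
    "Name": "SecureMarketing",
    "SamAccountName": "SecurityMarketingServices",
}

TOKEN = re.compile(r"%([^%]*)%")               # anything enclosed in % signs
INDEXED = re.compile(r"^(DN|DC)\[(-?\d+)\]$")  # the DN[n] / DC[n] special attributes


def dn_components(dn):
    """Split a DN into (type, value) pairs, most significant component first."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip().lower(), value.strip()))
    return parts


def indexed_component(dn, kind, n):
    """Return the n-th component value of the whole DN (kind "DN") or of its
    DC components only (kind "DC").  Positive n counts from 1 at the least
    significant component; negative n counts from -1 at the most significant.
    An index beyond the available components resolves to the empty string."""
    comps = dn_components(dn)
    if kind == "DC":
        comps = [c for c in comps if c[0] == "dc"]
    values = [value for _, value in comps]
    if n > 0:
        idx = len(values) - n      # 1 -> last (least significant) component
    elif n < 0:
        idx = -n - 1               # -1 -> first (most significant) component
    else:
        return ""                  # indices start at 1, so 0 is not defined
    return values[idx] if 0 <= idx < len(values) else ""


def resolve_template(template, entry):
    """Expand %attr%, %DN[n]% and %DC[n]% tokens; text outside % is literal."""
    # Assumption: attribute names are matched case-insensitively.
    lookup = {name.lower(): value for name, value in entry.items()}

    def substitute(match):
        token = match.group(1)
        m = INDEXED.match(token)
        if m:
            return indexed_component(entry["dn"], m.group(1), int(m.group(2)))
        return lookup.get(token.lower(), "")   # missing attribute -> empty string

    return TOKEN.sub(substitute, template)


if __name__ == "__main__":
    for tpl in (r"%Name%\%DN[-2]%.%DN[-1]%", r"%DN[1]%\%SamAccountName%",
                r"%DC[1]%\%SamAccountName%", r"%DC[-1]%\%SamAccountName%",
                r"%DC[-1]%/%DN[-1]%", r"%DN[9]%\%SamAccountName%"):
        print(f"{tpl:32} -> {resolve_template(tpl, SAMPLE_GROUP)}")
```

The last template in the usage loop shows the out-of-range case: DN[9] contributes nothing, so the resolved name starts with the backslash. When two domains both contain a group with the same CN, a template such as %DC[-1]%/%DN[-1]% (the most significant DC component followed by the group's own RDN value) keeps the two names distinct, which is the reason behind the note on %DC%/%CN% above.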

To see a list of examples that you can use for the name template, click Examples.

Click Advanced to edit the group attributes.

You can edit the following attributes:

  • GUID is a unique identifier maintained by the LDAP server. Use this attribute if it is available on your server. Microsoft Active Directory supports GUID, but it is not supported by all servers. If you omit this attribute, the Directory Synchronization Client derives an identifier from the distinguished name (DN) of the object class.

    The disadvantage of using a DN is that if the group is renamed, the group entry is removed and re-added instead of modified. This means that any group associations in the cloud service are broken and must be re-established.

  • Group Token is an optional attribute that holds the numeric token identifying this group. The value may be referred to by the “Primary Group attribute” in the user object class settings: if a user’s primary group is set to a particular group token, the user is a member of that group. The group token is specific to Active Directory, so it may be unavailable in other directories; if it is unavailable, leave it blank.
  • Group Parents is used to relate a group to its parent group, if it exists. The optional attribute retrieved from the directory may consist of a single DN that contains the parent group.
  • Group Members is a multiple-value attribute that holds the users (in DN form) who are part of this group.

    Active Directory maintains membership lists on both group and user objects so the Group Members attribute of the group object class lists all the users for the group and the Other Groups and Primary Group attributes list all the groups to which the user belongs. In theory, these should be equivalent. In practice, when the directory is modified, some tools may update one list but not the other. Specifying both attributes causes the lists to be merged.
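The consequence of identifying a group by its DN rather than its GUID is easiest to see in a synchronization diff. The following is an added example, not the client's own logic: it compares two constructed snapshots of the same group before and after a rename, once keyed by DN and once by objectGUID (the Active Directory attribute name; the GUID values here are placeholders). With the DN as the key, the rename shows up as a removal plus an addition, which is the case that breaks group associations; with the GUID as the key, it is a plain modification.

```python
# Constructed snapshots of one group before and after it is renamed in the
# directory.  The objectGUID values are placeholders, not real GUIDs.
BEFORE = [
    {"dn": "cn=Marketing,ou=Security,dc=example,dc=com",
     "objectGUID": "GUID-PLACEHOLDER-0001",
     "member": ["cn=alice,ou=Users,dc=example,dc=com"]},
]
AFTER = [
    {"dn": "cn=Marketing EMEA,ou=Security,dc=example,dc=com",
     "objectGUID": "GUID-PLACEHOLDER-0001",
     "member": ["cn=alice,ou=Users,dc=example,dc=com"]},
]


def normalize_dn(dn):
    """LDAP DNs compare case-insensitively and ignore whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def key_by_dn(group):
    """Identifier derived from the DN, as the client does when GUID is omitted."""
    return normalize_dn(group["dn"])


def key_by_guid(group):
    """Identifier taken from the directory-maintained GUID."""
    return group["objectGUID"]


def sync_changes(previous, current, key):
    """Classify groups as added, removed or modified between two snapshots,
    identifying each group by the value returned from key()."""
    prev = {key(g): g for g in previous}
    curr = {key(g): g for g in current}
    added = sorted(k for k in curr if k not in prev)
    removed = sorted(k for k in prev if k not in curr)
    modified = sorted(k for k in curr if k in prev and curr[k] != prev[k])
    return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    print("keyed by DN:  ", sync_changes(BEFORE, AFTER, key_by_dn))
    print("keyed by GUID:", sync_changes(BEFORE, AFTER, key_by_guid))
```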

Note: Group membership can be represented in the directory by use of either:

  • Group Members: a list of users/groups belonging to a group.
  • Group Membership: a list of groups to which a group/user belongs.

The client allows either convention. For users to be correctly associated with groups, one of these must be specified. The Group Membership attribute is labeled Group Parents for group objects and both Primary Group and Other Groups for user objects.
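The two conventions, and the merge the client performs when both are specified, can be worked through on a small constructed directory. The following is an added example and not the client's code; it uses the Active Directory attribute names member, memberOf, primaryGroupID and primaryGroupToken, and the entries are deliberately inconsistent (one group's member list and one user's memberOf list are stale, and one DN differs only in case and spacing) to show what each view misses on its own and what the union recovers.

```python
# Constructed sample entries (values are made up); attribute names are
# Active Directory's: member, memberOf, primaryGroupID, primaryGroupToken.
GROUPS = [
    {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com",
     "primaryGroupToken": 513, "member": []},       # primary members are never listed here
    {"dn": "CN=Marketing,OU=Security,DC=example,DC=com",
     "primaryGroupToken": 1105,
     "member": ["CN=alice,OU=Users,DC=example,DC=com"]},
    {"dn": "CN=Auditors,OU=Security,DC=example,DC=com",
     "primaryGroupToken": 1106, "member": []},      # stale: bob's memberOf still lists it
]
USERS = [
    {"dn": "CN=alice,OU=Users,DC=example,DC=com", "primaryGroupID": 513,
     "memberOf": []},                                # stale: Marketing missing here
    {"dn": "CN=bob,OU=Users,DC=example,DC=com", "primaryGroupID": 1105,
     "memberOf": ["cn=auditors, ou=security, dc=example, dc=com"]},  # same DN, other case
]


def normalize_dn(dn):
    """LDAP DNs compare case-insensitively and ignore whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def members_from_groups(groups):
    """Group Members convention: each group object lists its users."""
    result = {}
    for g in groups:
        users = result.setdefault(normalize_dn(g["dn"]), set())
        users.update(normalize_dn(m) for m in g.get("member", []))
    return result


def members_from_users(groups, users):
    """Group Membership convention: each user object lists its primary group
    (by group token) and its other groups (by DN)."""
    token_to_dn = {g["primaryGroupToken"]: normalize_dn(g["dn"]) for g in groups}
    result = {normalize_dn(g["dn"]): set() for g in groups}
    for u in users:
        user_dn = normalize_dn(u["dn"])
        primary = token_to_dn.get(u.get("primaryGroupID"))
        if primary is not None:
            result[primary].add(user_dn)
        for group_dn in u.get("memberOf", []):
            result.setdefault(normalize_dn(group_dn), set()).add(user_dn)
    return result


def merged_membership(groups, users):
    """Union of both views, which is what specifying both attributes yields."""
    merged = members_from_groups(groups)
    for group_dn, user_dns in members_from_users(groups, users).items():
        merged.setdefault(group_dn, set()).update(user_dns)
    return merged


if __name__ == "__main__":
    for label, view in (("group side", members_from_groups(GROUPS)),
                        ("user side", members_from_users(GROUPS, USERS)),
                        ("merged", merged_membership(GROUPS, USERS))):
        print(label)
        for group_dn, user_dns in sorted(view.items()):
            print("  ", group_dn, "->", sorted(user_dns))
```

Normalizing DNs before comparing them matters in practice: without it, bob's differently cased memberOf value would create a second "Auditors" key instead of landing on the existing group.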