Notes
- The first step in configuring your system to run ARSLSYNC is to ensure that LDAP Authentication and Password Case Sensitivity are enabled in the OnDemand Administrator client. See LDAP (Lightweight Directory Access Protocol) authentication support for detailed instructions on how to configure LDAP Authentication.
- ARSLSYNC uses the following parameters in the ARS.CFG file:
  - ARS_LDAP_SERVER_TYPE (required) [AD, SUN, OPEN, SDS]: Specifies the type of LDAP repository being configured. Only a single server can be configured per Content Manager OnDemand instance.
  - ARS_LDAP_USER_FILTER (required): Used to query LDAP for users that will be imported into Content Manager OnDemand. For example, your LDAP product might use a filter such as this: (&(objectclass=user)(objectclass=CMODUSER)). For assistance with creating your LDAP filters, refer to your LDAP product documentation or contact your LDAP administrator.
  - ARS_LDAP_GROUP_FILTER (required): Used to query LDAP for groups that will be imported into Content Manager OnDemand. For example, your LDAP product might use a filter such as this: (objectclass=group). For assistance with creating your LDAP filters, refer to your LDAP product documentation or contact your LDAP administrator.
  - ARS_LDAP_GROUP_MAPPED_ATTRIBUTE (required): Used to create the Content Manager OnDemand group name.
  - ARS_LDAP_IGN_GROUPS: Specifies the Content Manager OnDemand group IDs that ARSLSYNC ignores when syncing. You can specify up to 128 group IDs, delimited by a comma.
  - ARS_LDAP_IGN_USERIDS: Specifies the Content Manager OnDemand user IDs that ARSLSYNC ignores when syncing. If the parameter does not exist or you do not specify a value, Content Manager OnDemand defaults to QONDADM. You can specify up to 512 user IDs, delimited by a comma. If you specify a list of user IDs and you want to include QONDADM, you must specify it on the list.
  - ARS_LDAP_GROUP_USER_FILTER_USE_DN: True or False. Default is True. Specifies whether to use the full distinguished name for the group member filter. If False, the ARS_LDAP_GROUP_MAPPED_ATTRIBUTE will be used.
  - ARS_LDAP_USER_RESULT_BEGIN: Specifies the beginning string to be parsed from the result of performing the user filter search. This parameter is not commonly used.
  - ARS_LDAP_USER_RESULT_END: Specifies the ending string to be parsed from the result of performing the user filter search. This parameter is not commonly used.
  - ARS_LDAP_PROXY_MAPPED_ATTRIBUTE: If specifying an ARS_LDAP_MAPPED_ATTRIBUTE that needs to be parsed by an ARS_LDAP_USER_RESULT_BEGIN/END string, specifies the non-parsed attribute that should be used for authentication. This parameter is not commonly used.
  - ARS_LDAP_GROUP_USER_FILTER: Used to override the default group membership filter. For example: ARS_LDAP_GROUP_USER_FILTER=(&(objectClass=inetOrgPerson)(memberOf=%s)). This parameter is not commonly used.
  - ARS_LDAP_GROUP_USER_RESULT_BEGIN: Specifies the beginning string to be parsed from the result of performing the group member search. This parameter is not commonly used.
  - ARS_LDAP_GROUP_USER_RESULT_END: Specifies the ending string to be parsed from the result of performing the group member search. This parameter is not commonly used.
  - ARS_LDAP_SYNC_USERS_ONLY: True or False. Specifies whether to omit the syncing of groups.
  - ARS_LDAP_GM_ATTRIBUTE: Specifies which attribute contains the name of the group member. This parameter is not commonly used.
  A sample of the ARS.CFG file entries for an LDAP configuration with ARSLSYNC parameters specified (Active Directory) might look like this:

    ARS_LDAP_SERVER=adserver.yourcompany.com
    ARS_LDAP_PORT=3268
    ARS_LDAP_USE_SSL=FALSE
    ARS_LDAP_BASE_DN=dc=ondemand,dc=yourdomain,dc=local
    ARS_LDAP_BIND_ATTRIBUTE=sAMAccountName
    ARS_LDAP_MAPPED_ATTRIBUTE=sAMAccountName
    ARS_LDAP_ALLOW_ANONYMOUS=FALSE
    ARS_LDAP_BIND_MESSAGES_FILE=
    ARS_LDAP_IGN_USERIDS=QONDADM
    ARS_LDAP_SERVER_TYPE=AD
    ARS_LDAP_USER_FILTER=(objectclass=user)
    ARS_LDAP_GROUP_FILTER=(objectclass=group)
    ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=CN
    ARS_LDAP_IGN_GROUPS=CMOD_ADMINS,CMOD_USERADMINS
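As an added example (not part of the IBM documentation or of the ARSLSYNC tool), a small checker that parses the ARSLSYNC entries of an ARS.CFG file and applies the rules described above: the required parameters, the allowed ARS_LDAP_SERVER_TYPE values, balanced LDAP filters, the QONDADM default for ARS_LDAP_IGN_USERIDS, and a finding when ARS_LDAP_USE_SSL=FALSE. The sample configuration inside it is constructed from the Active Directory entries shown above; the parsing rules (the first '=' separates key from value, '#' starts a comment) are assumptions, not documented ARS.CFG syntax.

```python
# Added example (not IBM's code): pre-flight checker for ARSLSYNC entries in ARS.CFG.
REQUIRED = ("ARS_LDAP_SERVER_TYPE", "ARS_LDAP_USER_FILTER",
            "ARS_LDAP_GROUP_FILTER", "ARS_LDAP_GROUP_MAPPED_ATTRIBUTE")
SERVER_TYPES = {"AD", "SUN", "OPEN", "SDS"}
# Constructed sample mirroring the Active Directory entries shown above (not a real server).
SAMPLE_CFG = ("ARS_LDAP_SERVER_TYPE=AD\nARS_LDAP_USE_SSL=FALSE\nARS_LDAP_IGN_USERIDS=QONDADM\n"
              "ARS_LDAP_USER_FILTER=(objectclass=user)\nARS_LDAP_GROUP_FILTER=(objectclass=group)\n"
              "ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=CN\nARS_LDAP_IGN_GROUPS=CMOD_ADMINS,CMOD_USERADMINS\n")

def parse_ars_cfg(text):
    """Parse KEY=VALUE lines into a dict (assumed syntax: first '=' splits, '#' comments)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def ignored_userids(cfg):
    """Absent or empty ARS_LDAP_IGN_USERIDS means QONDADM; an explicit list must name it."""
    return [u.strip() for u in cfg.get("ARS_LDAP_IGN_USERIDS", "").split(",") if u.strip()] or ["QONDADM"]

def balanced(ldap_filter):
    """Every '(' must close; a malformed filter makes the sync select the wrong set."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def check_arslsync_cfg(cfg):
    """Return a list of findings; an empty list means the sync parameters look usable."""
    findings = []
    for key in REQUIRED:
        if not cfg.get(key):
            findings.append(f"{key} is required but missing or empty")
    stype = cfg.get("ARS_LDAP_SERVER_TYPE")
    if stype and stype not in SERVER_TYPES:
        findings.append(f"ARS_LDAP_SERVER_TYPE={stype} is not one of {sorted(SERVER_TYPES)}")
    for key in ("ARS_LDAP_USER_FILTER", "ARS_LDAP_GROUP_FILTER", "ARS_LDAP_GROUP_USER_FILTER"):
        if cfg.get(key) and not balanced(cfg[key]):
            findings.append(f"{key} has unbalanced parentheses: {cfg[key]}")
    if "QONDADM" not in ignored_userids(cfg):
        findings.append("QONDADM is not in ARS_LDAP_IGN_USERIDS, so the sync no longer skips it")
    if cfg.get("ARS_LDAP_USE_SSL", "").upper() == "FALSE":
        findings.append("ARS_LDAP_USE_SSL=FALSE: LDAP bind and queries travel without TLS")
    return findings
```

Run it against the sample above and the only finding is the ARS_LDAP_USE_SSL=FALSE entry, which is worth reviewing before the instance owner runs ARSLSYNC in sync mode.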
- The ARSLSYNC program must be run as the instance owner.
- The command requires the use of either the sync (-s) or preview (-t) parameter. In preview mode, no changes are made to the server. This should be used during the configuration of ARSLSYNC. Once you are satisfied that your filters are set correctly, you can proceed to run the command in sync mode.
- The ARSLSYNC program issues status messages which are sent to the system log. The messages will contain a manifest of any changes made to the system.
  - ARS0460I - LDAP Synchronization Success
  - ARS0461I - LDAP Synchronization Failed
- ARSLSYNC includes a verbose option (-v) which displays all changes, and lists any users or groups that already exist in Content Manager OnDemand. The existing users and groups will remain unchanged.