...
- LDAP v2 and v3 Supported Servers: Microsoft Active Directory (AD), CA Directory
- Directory OS: Windows, UNIX
- Latest version of Java (version 8 or later)
- Memory: 2 GB minimum
- Compatibility with HTTPS secure communications protocol
- Compatibility with CA ServiceAide Cloud Service Management (CSM)
Note: Each tenant must have its own instance of the ADSync utility.
...
You can acquire the utility through the following means:
- Download it from CA Cloud Service ManagementCSM. Navigate to MANAGE, ADMINISTRATION, Tools, Downloads.
- Obtain it from an administrator who has the appropriate permissions for accessing the utility.
...
- The file can be unzipped to any environment with JRE configured.
- All JARs and files must remain together, exactly as they were unzipped. Do not move anything from the unzipped layout.
- The installation location must be able to connect to your LDAP server and CA Cloud Service ManagementCSM.
Once you have unzipped the utility, you are ready to configure the utility.
...
When you run the ADSync Utility, it compares the data between CA Cloud Service Management CSM and your LDAP. Next, the differences between the LDAP server and CA Cloud Service Management CSM data are synchronized as follows:
Directory Server |
---|
CSM | |
---|---|
Active Accounts | Active Accounts |
Disabled Accounts | Inactive Accounts (same user name) |
Expired Accounts | Inactive Accounts (same user name) |
Deleted Accounts | Inactive Accounts (renamed user name) |
Restrictions
- All user IDs are case-sensitive. When you run the synchronization successfully, the utility creates a backup file for all your data. When you run the synchronization the next time, only the differences are updated on CA Cloud Service ManagementCSM. If the case of a user id in the backup file is not identical to the one in LDAP, the one in the backup file is deleted. If you want to modify an ID after the backup is generated, delete the backup and modify the ID manually.
- In the absence of backup files, ADSync Utility cannot remove any users.
- If you want to run a full sync, remove all backup files.
Create the organization structures of the records in CA Cloud Service Management CSM before you start using the ADSync Utility. In the absence of the organization structure, users are not mapped to their respective organizations.
- Use only one instance of ADSync Utility for each directory server.
If you change the search filter, the corresponding backup files are rendered useless. The new search filter results in new backup file (or backup files, depending on the number of search bases).
...
- The ADSync Utility uses a service account to connect to the global catalog server and domain controllers.
- A Search Base list is used to look for users from the list of Organization Units (OUs).
- The application cycles through each OU and looks for users in accordance with the search criteria. This criteria is as defined follows:
(&(objectClass=user)(objectClass=person)(objectClass=organizationalPerson)) - The fields in the Directory Server are mapped with the fields in CA Cloud Service Management CSM using the attribute_map.list file.
- For each matching entry, the application looks for certain attributes. Examples of such attributes are first-name, last-name, and email. The complete list of attributes can be found in the attribute_map.list file. The application also looks for disabled and expired accounts and tags them as inactive users in the data feed. The attribute userAccountControl and loginDisabled are used for for checking disabled accounts. The attribute accountExpires is used for checking expired accounts.
- The application writes the matching entries to a CSV file in ADSync Utility after cycling through all the OUs. The application also constructs an XML document with the data and streams it to CA Cloud Service ManagementCSM.
- The server response contains the errors and warnings that are encountered while processing the data. The response is generated in XML format and written in the INFO tag of the log file. The log file is at <:Install_Directory>/sync/logs/sync_data.log.0. For more information about this file, see logger.properties File. You can set up file monitors on this log file. As part of your monitoring service, look for errors and warnings. The strings to search for, from a monitoring perspective, would be:
- "notes" - The notes tag contains the summary of the overall response that is received from the server.
- "SEVERE"
- "<errors>" or "<error>" - The “errors” tag lists all the errors and the "error" tag contains each individual error.
- "<warnings>" or "<warning>" - The “warnings” tag lists all the warnings and the "warning" tag contains each individual warning.
- "response" - The "response" tag contains the XML response from the server. The data from LDAP is written to CA Cloud Service Management CSM in batches of 500 records. The server generates a response XML for each batch after it is processed.
Info |
---|
During the synchronization, the utility writes backup data to a predetermined backup file. For more details about the backup file, see Backup. |
On
...
CSM (Server Side)
- The data from the LDAP is written to the ADSync Utility first. Then it is validated before being transferred to the CA Cloud Service Management CSM database.
- You can configure a threshold value for deletion of user records from the CA Cloud Service Management CSM database. No records are deleted if the number of records that are marked for deletion is above this value. The synchronization of the remaining data is not affected. The information about a threshold breach is recorded in the sync_data.log.0 file.
- On receipt of the data from the LDAP, CA Cloud Service Management CSM starts immediate processing of the data.
- Based on the user ID in the incoming feed, the corresponding contact record is identified in CA Cloud Service ManagementCSM.
- The incoming entry is compared with the data existing in CA Cloud Service ManagementCSM. An automatic update statement is created based on the difference between the two. This condition applies to changes in attributes like phone, email, and department.
- Each new record is created as a Self-Service user. These users have their primary group and license set to Self-Service. The time zone for the new contact is based on the corresponding location.
- For all inactive contacts in the feed:
All contacts who are Self-Service users are deactivated and the Login Enabled flag is set to false. This change effectively stops the user from logging in to CA Cloud Service ManagementCSM.
All contacts who are technicians are deactivated and the Login Enabled flag is set to false. This change effectively stops the user from logging in to CA Cloud Service ManagementCSM.
All contacts who are part of the Administration group are deactivated and the Login Enabled flag is set to false. This change effectively stops the user from logging in to CA Cloud Service ManagementCSM.
All disabled users who exist in the Directory Server, but not in CA Cloud Service ManagementCSM, remain in the data feed. However new records are not created for such users.
- All deleted users in the Directory Server would not be part of the data feed. The process sets all those CA Cloud Service Management CSM accounts that are not part of the feed as inactive. Such user names are released for reuse in future accounts.
The exceptions that are encountered during the synchronization are written to syn_data.log file. The log includes information about:
- Errors that are encountered while processing data.
- Contacts without locations.
- Contacts that were made inactive.
- Administrative accounts that were inactive in the incoming feed but not made inactive in CA Cloud Service ManagementCSM.
Note |
---|
If the contact timezone is not specified while creating or updating the record, then the default slice timezone is used. This value is set in the Configuration Parameter DEFAULT_TIMEZONE. |
...
After the synchronization process is successful, CA Cloud Service Management CSM generates a response in XML format. This XML information is added to sync_data.log.0 file in the ADSync Utility. Based on the sync_data.log.0 file, ADSync Utility generates a backup file at a predetermined location. The backup data is stored at <:Install_Directory>/sync/backup. Do not modify the structure of this directory. When you run the synchronization successfully the first time, the utility creates a backup file for all your data. When you run the synchronization the next time, only the delta changes are updated on CA Cloud Service ManagementCSM. If you want to run a full synchronization, delete the existing backup files. Otherwise, do not modify the contents of this folder.
...
- Backup File - The utility creates an XML file for writing the backup. This file is at <:Install_Directory>/sync/backup. The name of the file starts with "bak_".
- backupIDMapper.properties File - This file is located at <:Install_Directory>/sync/backup/idMapper. The utility writes a separate backup file for each combination of a search base entry and a search filter. The information about each combination is written to the backupIDMapper.properties file. If this file is absent from the default location, the sync process fails. In that case, no data is sent to CA Cloud Service ManagementCSM. If you delete this file, all the existing backup files are rendered useless.
- ProcessXMLDocument.dtd File - This file provides a template for processing the XML backup files. This file is at <:Install_Directory>/sync/backup/dtd.
...