Jeff Letterman In the Name/IP address field, are we supposed to use a single host, or can we use a pool DNS name that will send to any one of the available domain controllers it is assigned to?
32KoVtkOwcUAhJ4uXAvjWUANSstyAEzecABQFUKnwLQ= - Either one can work. If the Domain were to return a Domain Controller that doesn't have all the user/group objects, some users/groups could be missed and cause the Archer user accounts to get inactivated (depending on LDAP Configuration settings). Also, if the Domain returns a Domain Controller located in another data center, the LDAP Sync process may take longer.
I recommend testing in a non-prod environment to make sure no issues are encountered. During testing, try appending :3268 or modifying the config file to set Referral Chasing to None...see https://community.rsa.com/docs/DOC-46832?sr=search&searchId=3e7532a5-5841-42c5-b8ae-12d1ad553cc7&searchIndex=0.
daGjf7HOzC0MQsqPGAPHl8ovFPk75obP5TkqWBBVboY= We came across an issue recently: our AD team, while doing their overall cleanup to correct OUs, removed a few groups used in Archer from their OU and placed them in another OU. We believe that triggered Archer to identify these groups as new groups on LDAP Sync, so it deleted the old groups, removed the link between groups and roles, and created new groups with users.
We had to relink the groups with roles again manually to restore the access.
Is there any documentation around this, on how Archer behaves with a change in OU, or maybe any other gotcha checklist around LDAP Sync that would be useful to us? Thanks
32KoVtkOwcUAhJ4uXAvjWUANSstyAEzecABQFUKnwLQ= - The behavior described is what I would expect to happen...the Groups are treated as new Groups. To help prevent this, create an OU containing just the Archer Groups to sync and don't move the OU or Groups.
Could you please let us know if there is a way to filter the LDAP sync to bring in only users' Windows SSO login accounts, and not sync other accounts, e.g. admin accounts, service accounts, etc.?
One option is to add Archer users to a specific LDAP Group and set the User Filter to be based on the group name.
(memberOf=CN=Archer Global Users,OU=Archer,OU=Groups,DC=archer,DC=local)
Another option is to set an LDAP attribute to indicate a "special" user account and set the User Filter to NOT return users that have the attribute value.
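As an added illustration (not code from the thread or from Archer itself), the following builds the two User Filter variants described above, the memberOf group filter and the attribute-based exclusion, and evaluates them against constructed directory entries with a minimal LDAP filter matcher. The marker attribute name extensionAttribute1 and the sample accounts are assumptions.

```python
# Added example: LDAP "User Filter" variants for an Archer LDAP Sync, evaluated
# against constructed entries with a minimal RFC 4515 matcher (AND / OR / NOT /
# equality / presence). Not Archer's code; the entries below are made up.

GROUP_DN = "CN=Archer Global Users,OU=Archer,OU=Groups,DC=archer,DC=local"

# Constructed sample entries. Using extensionAttribute1 as the "special account"
# marker is an assumption; any attribute the AD team controls would do.
ENTRIES = {
    "jdoe": {"objectClass": ["user"], "sAMAccountName": ["jdoe"],
             "memberOf": [GROUP_DN, "CN=All Staff,OU=Groups,DC=archer,DC=local"]},
    "svc_backup": {"objectClass": ["user"], "sAMAccountName": ["svc_backup"],
                   "extensionAttribute1": ["service"]},
    # An admin account that someone added to the Archer group by mistake.
    "admin_jdoe": {"objectClass": ["user"], "sAMAccountName": ["admin_jdoe"],
                   "extensionAttribute1": ["admin"], "memberOf": [GROUP_DN]},
}

def group_filter(group_dn=GROUP_DN):
    """Option 1: only members of the Archer group (DN must not contain '(' or ')')."""
    return f"(memberOf={group_dn})"

def exclude_attr_filter(attr="extensionAttribute1"):
    """Option 2: user objects that do NOT carry the marker attribute at all."""
    return f"(&(objectClass=user)(!({attr}=*)))"

def _split_top(s):
    """Split concatenated '(...)' sub-filters into top-level pieces."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def matches(entry, flt):
    body = flt[1:-1]  # strip the outer parentheses
    if body[0] == "&":
        return all(matches(entry, f) for f in _split_top(body[1:]))
    if body[0] == "|":
        return any(matches(entry, f) for f in _split_top(body[1:]))
    if body[0] == "!":
        return not matches(entry, _split_top(body[1:])[0])
    attr, _, value = body.partition("=")  # splits on the FIRST '=' so DN values survive
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)  # presence test
    return any(v.lower() == value.lower() for v in values)  # AD compares case-insensitively

def synced_users(flt):
    """Account names the LDAP Sync would pull in for a given User Filter."""
    return sorted(name for name, e in ENTRIES.items() if matches(e, flt))
```

Note that the group filter alone still returns admin_jdoe because that account sits in the group; combining both options, `(&(memberOf=...)(!(extensionAttribute1=*)))`, returns only jdoe.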
"Another option is to set an LDAP attribute to indicate a "special" user account and set the User Filter to NOT return users that have the attribute value." -- How do we configure this option?