Specifies the LDAP server’s base DN or domain. For example, to specify an Active Directory domain you must enter one of these formats:
unipraxis.com
or
dc=unipraxis,dc=com
Specifies the base context for import operations in the LDAP directory. All users and groups at and below this level will be copied into CA DLP. For example, the context might be:
ou=dept,ou=room
Specifies the target parent group in the CA DLP user hierarchy. All imported users and groups will be added to this parent group. You must specify the path to this group, relative to the root-level ‘Users’ group.
Derives a user's group from the LDAP attributes in this comma-separated list. You can specify a single /ga parameter, set to a comma-separated list of LDAP attributes, or you can specify multiple instances of the /ga parameter, each set to a single LDAP attribute; the instances are processed in the order in which they occur in the command or configuration file. For example:
/ga division,department,team
Or
/ga division /ga department /ga team
Specifies that users imported into CA DLP will have a flat hierarchy. That is, new accounts for all imported users will be created in a single group. The target group is the group specified by the /wr parameter—see above.
The LDAP directory structure, or the structure specified in a data file, may contain empty containers. These may hold subcontainers or other items, but no users. This parameter creates corresponding empty user groups in CA DLP.
Note: To use the /ce parameter, the /ca parameter must also be set.
If your existing CA DLP hierarchy contains users not present in the LDAP directory or data file, this parameter moves them to an ‘exceptions’ group, defined by the /eg parameter—see below.
Note: Users whose names are prefixed with a domain name other than the one set in the /pd <domain> parameter (see below) are not moved.
Used in association with /me. This parameter specifies the target ‘exceptions’ group. This can be any group in the CA DLP user hierarchy. You must specify the full path to the group, relative to the root-level ‘Users’ group. For example, this specifies the Users/Non-LDAP users subgroup:
/eg "Non-LDAP users"
If this parameter is omitted and /me is set, Account Import creates a default ‘Exceptions’ group, immediately below the root-level ‘Users’ group.
Prefixes new CA DLP user names with the specified domain name. You do not need to add a backslash. If the user names in the LDAP directory or data file do not have a domain prefix (that is, the user name does not contain a backslash), this setting will automatically add one.
Specifies which LDAP attributes are written to the email address table in CA DLP.
Important! You must also include the /at parameter, otherwise any /ml attributes you specify will not be written to CA DLP user accounts—see the /at parameter.
You can specify a single /ml parameter, set to a comma-separated list of LDAP attributes, or you can specify multiple instances of the /ml parameter, each set to a single LDAP attribute. For example:
/ml mail,proxyAddresses,legacyExchangeDN
Or
/ml mail /ml proxyAddresses /ml legacyExchangeDN
Important! For ease of maintenance, we strongly recommend you use multiple instances of /ml.
The /ml parameter also enables you to modify email addresses in the LDAP directory before writing them to the CMS database. To do this, you specify a conversion expression.
Note: If you use the ICAP agent to integrate with BlueCoat ProxySG servers, you must use the /ml parameter to import the distinguishedName attribute.
Specifies that emaildelete commands are carried out during the import or synchronization process. If you specify this parameter for a:
Important! If you do not specify this parameter (this is the default), then emaildelete commands are ignored. However, we recommend that you use this parameter with extreme caution.
If an email address is removed from a user’s address list, then any events associated with the deleted email address are no longer associated with that user. If you do specify the /ed parameter in order to clean up a misconfigured import, be aware that valid email addresses may also be removed. It may be better to remove any problematic email addresses using:
Specifies which LDAP attributes are written to account attributes of CA DLP users.
Important! You must also include the /at parameter, otherwise any /al attributes you specify will not be written to CA DLP user accounts—see /at.
You can specify a single /al parameter, set to a comma-separated list of LDAP attributes, or you can specify multiple instances of the /al parameter, each set to a single LDAP attribute; the instances are processed in the order in which they occur in the parameter file. For example:
/al division,employeeID,rank
Or
/al division /al employeeID /al rank
Important! For ease of maintenance, we strongly recommend you use multiple instances of /al.
LDAP attributes are assigned to CA DLP account attributes in the order in which they occur. That is, the first LDAP attribute is assigned to UserAttribute1, the second to UserAttribute2, and so on. In both examples above, the LDAP attribute rank is assigned to UserAttribute3.
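The following added example (not CA's code and not part of Account Import) is a pre-flight check for a parameter set: it resolves the /al ordering rule above into the UserAttributeN mapping and reports the dependencies stated in the notes (/ml and /al need /at, /ce needs /ca, /eg goes with /me, /ed enables email deletion). It assumes parameters are whitespace-separated, values may be double-quoted, and no value begins with a slash; the function names and the sample line are constructed for illustration.

```python
import shlex

def parse_params(text):
    """Return [(name, [values...]), ...] in the order the parameters occur."""
    params = []
    for tok in shlex.split(text):
        if tok.startswith("/"):
            params.append((tok.lower(), []))
        elif params:
            # A value token: split comma-separated lists into single items.
            params[-1][1].extend(v for v in tok.split(",") if v)
    return params

def collect(params, name):
    """All values given to one parameter, across every instance, in order."""
    return [v for n, vals in params if n == name for v in vals]

def account_attribute_map(params):
    """First /al attribute -> UserAttribute1, second -> UserAttribute2, ..."""
    return {f"UserAttribute{i}": attr
            for i, attr in enumerate(collect(params, "/al"), start=1)}

def lint(params):
    """Check the dependencies stated in the parameter descriptions."""
    names = {n for n, _ in params}
    findings = []
    for p in ("/ml", "/al"):
        if p in names and "/at" not in names:
            findings.append(f"{p} set without /at: attributes will not be written")
    if "/ce" in names and "/ca" not in names:
        findings.append("/ce set without /ca")
    if "/eg" in names and "/me" not in names:
        findings.append("/eg set without /me (it is used in association with /me)")
    if "/ed" in names:
        findings.append("/ed set: emaildelete commands will be carried out")
    return findings

# Constructed sample parameter set, not taken from a real deployment.
SAMPLE = ('/al division /al employeeID /al rank /ml mail,proxyAddresses '
          '/ce /eg "Non-LDAP users" /ed')

if __name__ == "__main__":
    parsed = parse_params(SAMPLE)
    print(account_attribute_map(parsed))
    for finding in lint(parsed):
        print("WARN:", finding)
```

Running the check before each scheduled import catches a dropped /at or an unreviewed /ed before it changes user records.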
The /al parameter also enables you to:
/al <attribute1><SV separator><attribute2><SV separator><attribute3>
For example:
/al Building,Floor,DeskNumber
Copyright © 2011 CA. All rights reserved.