To import user details using the Account Import wizard, choose Tools > Account Import Wizard. The wizard steps you through each stage of the import process.
Note: Some wizard screens may not appear, depending on which import options you choose.
In the first wizard screen, you must specify the source for the imported user details.
Choose the LDAP Database or Data File check boxes to synchronize your existing CA DLP user hierarchy with these external sources.
If you choose both check boxes (that is, you want to simultaneously import from an LDAP directory and a data file), you can specify how Account Import handles duplicate records (any user listed in both sources). By default, the record in the data file is imported while the user record in the LDAP directory is ignored, but you can override this default.
Specify the command file containing the changes or additions to your existing CA DLP user hierarchy.
Note: By default, when you export any branch of the CA DLP user hierarchy to a command file, the target file name has an .acc extension.
Applicable if importing from an LDAP directory—see step 1.
You must supply logon details for the source LDAP Directory:
Identify the server hosting the source LDAP directory. Enter its name or an IP address.
Enter the TCP/IP port number used to connect to the LDAP server. CA DLP uses this port to communicate with the LDAP server. The default is port 389.
Identify the LDAP server’s base DN or domain. For example, to specify an Active Directory domain, enter one of these formats:
company.com or dc=company,dc=com
Note: If Account Import can detect the default DN, it is shown automatically. Also, some configurations, for example Domino Server, may require you to leave this field empty.
Enter your user name on the LDAP Server. The name format depends on the type of LDAP database. For example, if you import users from a Microsoft Exchange server, this name will be the same as your domain user name, with your domain and name separated by a backslash:
unipraxis\frankschaeffer
On other LDAP databases, this name may be a fully qualified LDAP distinguished name, for example:
cn=frankschaeffer,o=unipraxis
Note: If the LDAP server permits anonymous access, leave both the User and Password fields blank.
Applicable if importing from an LDAP directory—see step 1.
Where possible, the wizard automatically detects the type of LDAP directory (for example, Microsoft Active Directory) and key details about the LDAP directory structure. The wizard provides ‘best guess’ default values, but you can override these if necessary. Specifically, you must ensure that the following fields contain correct values.
You must specify the LDAP attribute that holds the user names.
Specify the LDAP search filter needed by the wizard to extract users from the LDAP database.
Specify the LDAP search filter needed by the wizard to extract the LDAP containers that correspond to CA DLP user groups.
Note: If you override the default search filters and specify different object classes and categories, ensure that the new filter conforms to RFC 2254.
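One way to check a custom search filter against the RFC 2254 string syntax before entering it in the wizard. This is an added example, not part of the CA DLP product or its documentation, and the function names are this example's own. `escape_value` applies the \XX hex escaping that the RFC requires when a literal `*`, `(`, `)`, `\` or NUL appears inside a filter value.

```python
import re

# One item: attr [":dn"] [":" matchingrule ":"] operator value. In a value the
# characters "(", ")", "\" and NUL may appear only as \XX hex escapes (RFC 2254).
_ITEM = re.compile(
    r"(?P<attr>[A-Za-z0-9][A-Za-z0-9.;-]*)?"
    r"(?P<ext>(?::dn)?(?::[A-Za-z0-9][A-Za-z0-9.-]*)?:)?"
    r"(?P<op>~=|>=|<=|=)(?P<value>(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*)")

def _item(s, i):
    """Validate the item starting at s[i]; return the index after its value."""
    m = _ITEM.match(s, i)
    if not m:
        raise ValueError(f"malformed item at offset {i}")
    attr, ext, op, value = m.group("attr", "ext", "op", "value")
    if not attr and ext in (None, ":"):
        raise ValueError(f"item at offset {i} names no attribute or matching rule")
    if ext and op != "=":
        raise ValueError(f"extensible match at offset {i} must use ':='")
    if "*" in value and (ext or op != "="):
        raise ValueError(f"unescaped '*' at offset {i} is only valid after '='")
    return m.end()

def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return the index after it."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|"):        # and / or: one or more sub-filters
        i, start = i + 1, i + 1
        while s[i:i + 1] == "(":
            i = _parse(s, i)
        if i == start:
            raise ValueError(f"empty filter list at offset {start}")
    elif s[i:i + 1] == "!":             # not: exactly one sub-filter
        i = _parse(s, i + 1)
    else:
        i = _item(s, i)
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def is_rfc2254_filter(text):
    """True if the whole string is a single well-formed search filter."""
    try:
        return _parse(text, 0) == len(text)
    except ValueError:
        return False

def escape_value(raw):                  # literal text -> safe filter value
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in raw)
```
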
Applicable if importing from an LDAP directory—see step 1.
You must specify the root directory for user data extracted from the LDAP directory. All users and groups at and below this root directory will be copied into CA DLP.
Click the Browse button to select the root LDAP tree level. For example, select ‘ou=Unipraxis/ou=Sales’ to import all users from this level downwards:

Example LDAP directory structure
Specify the target parent group in the CA DLP user hierarchy; you can only choose one of your management groups as the parent group.
All users and groups imported from LDAP and/or a data file will be added to this parent group.
Note: If you choose to reorganize existing CA DLP users to match the directory structure in LDAP or the structure specified in the data file (you choose this in step 6), the reorganization only affects CA DLP users within the target parent group.
Applicable if importing from an LDAP directory or data file—see step 1.

Now define the synchronization scope. The Account Import wizard enables you to synchronize your CA DLP user hierarchy with an external source. You can select any combination of the following synchronization options.
This option creates new CA DLP accounts for unknown users. That is, it creates a new account for each imported user who has no corresponding account in CA DLP.
Note: If a user is created with a user name matching a user account that was previously deleted, CA DLP can automatically recreate the deleted user. See the Administration console online help for details; search the index for ‘users, recreating’.
This option rearranges the existing hierarchy of CA DLP users to synchronize it with the hierarchical group structure specified in step 7. If you do not select this option, all existing CA DLP users stay in their current group.
This option updates existing user accounts with email addresses and attributes imported from corresponding users in the LDAP directory or data file. See steps 9 and 10 for details.
Note: The full name associated with each CA DLP user account is imported automatically from the LDAP directory.
Important! We do not recommend that you use this parameter, as existing email events may no longer be associated with the correct user—see the /ed parameter for details.
This option prefixes names for new user accounts with the specified domain (such as unipraxis\srimmel). If the user names in the LDAP directory or data file do not have a domain prefix (that is, the user name does not contain a backslash), this setting will automatically add one.
Note: This option is essential if single sign-on is enabled on your CMS.
These options determine how to handle anomalous users and groups, whether you must confirm the changes, and how new user names are composed.

The available options determine how imported users are organized into parent groups in the CA DLP user hierarchy:
Available only if you selected ‘Create new users’ in step 6.
The source LDAP directory structure may contain empty containers. These are containers that hold subcontainers or other items, but no users. When importing users, you can set up Account Import wizard to ignore these empty containers or to create corresponding empty user groups in CA DLP.
If you select this option, the wizard creates empty user groups for each empty LDAP or data file container.
If you clear this option, the wizard ignores empty containers. For example, an LDAP directory may include the following branch:
LDAP: ou=Unipraxis/ou=London/ou=Sales
If the ‘Sales’ container is empty of users but the ‘London’ container is not empty, the wizard creates the following hierarchy in the Administration console:
CA DLP: Unipraxis/London
Available only if you selected ‘Re-organize existing users’ in step 6.
If your existing CA DLP user hierarchy contains users not present in the LDAP directory, you can move them to an ‘exceptions’ group. This can be any existing group in the user hierarchy. If you do not select this option, these non-LDAP users are preserved in the CA DLP user hierarchy.
Note: This setting only affects CA DLP users within the specified target parent group.
Note: Users prepended with a domain name other than the one set on the Synchronization Scope screen are not moved (see Synchronize users from this domain in step 6).
If you select this option, you must confirm all of the resulting changes to the user hierarchy. See step 13 for details.
If you do not select this option, synchronization is automatic. (Note that you cannot confirm or reject individual changes.)
Available only if you selected ‘Use LDAP attributes to group users’ in step 7.

If required, Account Import can derive a hierarchy of parent groups based on a concatenation of specified LDAP attributes.
Choose which LDAP attributes to use, and specify the order in which they are used to derive a group hierarchy. For example, these LDAP attributes arranged in the following order:
country
office
department
Produce this group hierarchy in CA DLP:

Account Import only displays the most commonly used LDAP attributes in this screen. If you need to add an attribute not listed here (for example, an employee attribute custom created for your organization), use the Edit and Save buttons to add this attribute to the list.
If you need to modify the values of an LDAP attribute before using these values to derive a group hierarchy in CA DLP, you can append a conversion expression, enclosed in square brackets, to the attribute name. Use the Edit and Save buttons to add the attribute-plus-expression to the attribute list.
Available only if importing from an LDAP directory (see step 1) and you selected ‘Copy user attributes’ in step 6.
Account Import can synchronize e‑mail addresses in the CMS database with addresses in an external source, typically an LDAP directory. Such synchronization is essential for CA DLP features that rely on email address mapping!
In this screen, add the LDAP attributes that contain email addresses. If required, Account Import can select the default email attributes. Each imported address is associated with a CA DLP user.
Note: If you use the ICAP agent to integrate with BlueCoat ProxySG servers, you need to import the distinguishedName attribute.
Available only if importing from an LDAP directory (see step 1) and if you selected ‘Copy user attributes’ in step 6.

CA DLP lets you define custom attributes for user accounts. For example, you can create an Employee ID attribute and assign a unique ID to each user in your organization. Account Import can copy user attributes from an LDAP directory or data file to the custom user attributes defined in CA DLP.
In this screen, the CA DLP attributes are listed on the left. To map an LDAP attribute to a CA DLP attribute, select the CA DLP attribute, then choose an LDAP user attribute from the drop-down list.
To combine multiple LDAP attributes and write them as a single value to a CA DLP attribute, double-click the LDAP attribute, then manually type a comma separated list of the LDAP attributes you want to combine. For example:
DeskLocation: building,floor,deskNumber
If necessary, you can rename any CA DLP or LDAP attribute. To do this, double-click the attribute and type its new name.
If necessary, you can modify the imported value for any LDAP attribute before writing it to an attribute of a CA DLP user account. To do this, double-click the LDAP attribute, then append a conversion expression, enclosed in square brackets, to the attribute name.
When the import operation runs, Account Import updates the attributes for each CA DLP user with the corresponding attribute values in the LDAP directory.
Select which CA DLP account attribute maps CA DLP users to LDAP (or data file) users when synchronizing the CA DLP user hierarchy with that in LDAP (or the data file). This anchor can be the user name, the user full name, or any of the defined user attributes.
Account Import uses the specified CA DLP attribute to locate the corresponding user in the LDAP directory (or data file). Having established a link between the target user account in CA DLP and the source user, Account Import can then update the account details in CA DLP with the imported information (the user’s parent group, e‑mail addresses and other attributes). If you choose to anchor the user synchronization on:
The LDAP attribute mapped to CA DLP user names was specified in the User Name Attribute field in step 3.
The LDAP attribute mapped to CA DLP user full names was specified in step 10.
The LDAP attributes mapped to CA DLP account attributes were specified in step 10. Enter a value in the Attribute Index field, where index 1 refers to UserAttribute1, index 2 to UserAttribute2, and so on.
It is possible that the user name in the CA DLP database is different to the value of the XML <user> tag or LDAP attribute used for the user name, for example, if a user has recently married.
To stop the user name in the CA DLP database being overwritten during a synchronization process, you need to ensure that this check box is not selected.
Note: This check box is automatically selected and disabled if you choose to anchor the user synchronization on the user name. This is because the synchronization will not match against a CA DLP user unless the user name is the same.
Wait while Account Import identifies all the changes and additions that will be made to the CA DLP user hierarchy.
If you selected the ‘Manual confirmation’ option in step 7, the wizard lets you confirm or reject the changes to the existing user hierarchy.
In the Confirm Changes screen:
Click to view a list of the proposed changes to the CA DLP user hierarchy. Note that these changes may take several minutes to appear if the import operation involves substantial additions or changes to the user hierarchy. When the list of changes appears, click Next to accept the changes and proceed to the next screen; click Cancel to reject all of the changes and quit the wizard.
Select this check box so that any emaildelete commands in the command file will be carried out during the import operation.
Important! We do not recommend that you use this parameter, as existing email events may no longer be associated with the correct user—see the /ed parameter for details.
Note: This option is only enabled if importing from a command file—see step 1. If you have carried out a synchronization, then the value of the E‑mail addresses can be deleted option in the Synchronization Scope screen (see step 6) is matched in this disabled option.
The wizard now has all the information it needs. Wait while it imports the user data and updates the CA DLP user hierarchy.
Details about the import operation are recorded in a log file.
Copyright © 2011 CA. All rights reserved.