

Configure User Synchronization

After tenant creation, you set common user synchronization parameters on the Provisioning Server. In a high-availability environment, these settings are required on one Provisioning Server node. These settings do not interrupt service or require a reboot.

Follow these steps:

  1. SSH into the Provisioning Server system.
  2. Log in (for example, as the root user).
  3. Change the user and open the bash shell with su - imps.
  4. Enable the following settings by running the following commands:

    Note: _impd_etaadmin_pwd refers to the password set in properties.sh during the Provisioning Server kit installation.

Automatic Correlation

The Automatic Correlation attribute enables an alternative User Synchronization behavior: an attempt to update an existing, uncorrelated account first correlates the account to the global user automatically, and then updates the account. If the parameter is No (default), the attempt to update the account fails with a message indicating that the account has not yet been correlated to this global user.

Note: This setting applies to all tenants and endpoints.

Run the following command to enable the attribute:

etautil -u etaadmin -p _impd_etaadmin_pwd update 'eTConfigParamFolderName=Synchronization,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects' eTConfigParam eTConfigParamName="Automatic Correlation" to eTConfigParamValue=yes

Run the following command to read the current value of the attribute:

etautil -u etaadmin -p _impd_etaadmin_pwd select 'eTConfigParamFolderName=Synchronization,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects' eTConfigParam eTConfigParamName="Automatic Correlation" list eTConfigParamValue

Run the following command to return the value to its original configuration:

etautil -u etaadmin -p _impd_etaadmin_pwd update 'eTConfigParamFolderName=Synchronization,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects' eTConfigParam eTConfigParamName="Automatic Correlation" to eTConfigParamValue=no

Force single account across multiple containers

On some hierarchical endpoints, this setting creates one account for a given endpoint instance when a global user’s account templates specify the same account name in different account containers (on the same endpoint). In this case, only one account is created despite the account container differences.

This behavior can be useful if the assigned account templates nominate different account containers on the same endpoint where you only want to create one account in one of these account containers.

Note: This setting applies to all tenants and Active Directory.

Run the following command to enable the attribute:

etautil -u etaadmin -p _impd_etaadmin_pwd update 'eTConfigParamFolderName=Synchronization,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects' eTConfigParam eTConfigParamName="Force single account across multiple containers" to eTConfigParamValue=ActiveDirectory

Run the following command to read the current value of the attribute:

etautil -u etaadmin -p _impd_etaadmin_pwd select 'eTConfigParamFolderName=Synchronization,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects' eTConfigParam eTConfigParamName="Force single account across multiple containers" list eTConfigParamValue

Run the following command to return the value to its original configuration:

etautil -u etaadmin -p _impd_etaadmin_pwd update 'eTConfigParamFolderName=Synchronization,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects' eTConfigParam eTConfigParamName="Force single account across multiple containers" to eTConfigParamValue=""

Use Existing Accounts

This setting enables the alternative User Synchronization behavior whereby a global user's set of assigned account templates (through assigned provisioning roles) only attempts to prescribe one account that is correlated to the global user on any particular managed endpoint. This behavior can be useful if some accounts already correlated to the global user are named differently, or are in different containers, than what is prescribed by the account templates included in the global user's provisioning roles, and only one account is needed or allowed. If the parameter is enabled and multiple account templates for one endpoint prescribe different names and/or different containers for the account, only one account is created.

Note: This setting applies to all tenants and endpoints.

Run the following command to enable the attribute:

etautil -u etaadmin -p _impd_etaadmin_pwd update 'eTConfigParamFolderName=Synchronization,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects' eTConfigParam eTConfigParamName="Use Existing Accounts" to eTConfigParamValue=yes

Run the following command to read the current value of the attribute:

etautil -u etaadmin -p _impd_etaadmin_pwd select 'eTConfigParamFolderName=Synchronization,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects' eTConfigParam eTConfigParamName="Use Existing Accounts" list eTConfigParamValue

Run the following command to return the value to its original configuration:

etautil -u etaadmin -p _impd_etaadmin_pwd update 'eTConfigParamFolderName=Synchronization,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects' eTConfigParam eTConfigParamName="Use Existing Accounts" to eTConfigParamValue=no
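
Because all three parameters are global, it helps to record the value before a change and read it back afterwards. The following wrappers are an added example, not part of the product or of the original page; they issue the same etautil arguments shown above, and the names ETAUTIL, ETA_PWD, SYNC_DN and sync_param_* are assumptions chosen for this sketch.

```bash
#!/usr/bin/env bash
# Added example: wrappers around the etautil commands shown on this page.
# ETAUTIL, ETA_PWD, SYNC_DN and the sync_param_* names are hypothetical.

ETAUTIL=${ETAUTIL:-etautil}   # overridable, so the wrappers can be dry-run
SYNC_DN='eTConfigParamFolderName=Synchronization,eTConfigParamContainerName=Parameters,eTConfigContainerName=Configuration,eTNamespaceName=CommonObjects'

# Read the current value of one synchronization parameter.
sync_param_read() {
  "$ETAUTIL" -u etaadmin -p "$ETA_PWD" select "$SYNC_DN" \
    eTConfigParam "eTConfigParamName=$1" list eTConfigParamValue
}

# Set one parameter. Quoting keeps names with spaces and an empty
# value ("") as single arguments, exactly as in the page's commands.
sync_param_set() {
  "$ETAUTIL" -u etaadmin -p "$ETA_PWD" update "$SYNC_DN" \
    eTConfigParam "eTConfigParamName=$1" to "eTConfigParamValue=$2"
}

# Original values as given in the "return the value to its original
# configuration" commands on this page.
sync_param_default() {
  case "$1" in
    "Automatic Correlation"|"Use Existing Accounts") printf 'no' ;;
    "Force single account across multiple containers") printf '' ;;
    *) return 1 ;;
  esac
}

# Roll one parameter back; refuses names this page does not document.
sync_param_reset() {
  def=$(sync_param_default "$1") || { echo "unknown parameter: $1" >&2; return 2; }
  sync_param_set "$1" "$def"
}

# Change with a read before and after, so the session log records both.
sync_param_change() {
  echo "before:"; sync_param_read "$1" || return
  sync_param_set "$1" "$2" || return
  echo "after:"; sync_param_read "$1"
}
```

Load ETA_PWD without echo (for example with read -s in bash) rather than typing it into the command, which keeps it out of shell history. It is still visible in the process arguments while etautil runs, because the commands on this page pass it with -p.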