

Field Mappings

APS supports Windows NT, LDAP and ODBC User Directories. For LDAP and ODBC User Directories, APS requires that certain attributes or columns be available in each user entry so that it can store operational information.

Internally, APS knows each of these attributes by a certain name (described in the chapter entitled User Directories: Schema, Storage and Capabilities). However, CA recognizes that, in some cases, these names cannot be used in a directory, either because of the implementation or because of column naming policies required by the site.

An additional problem is that some attributes/columns will have a different name in different directories. It is highly desirable to be able to reference only a single name when building mail templates, settings overrides and performing attribute replacement within the APS.cfg file.

This section, the [Mappings] section, is used to remap a "known" name of an attribute (or column) to the underlying name.

Every setting in this section can be overridden. However, the override expressions are restricted: they cannot reference any user information, such as attribute values or group membership (the IsInGroup function). Attempts to do so will be rejected.

Mapping is rarely required. If a "known" name does not exist (at all) within this section, APS will assume that the name in the underlying User Directory is the same as the "known" name.

Note: Certain remappings are required in the APS.cfg file to identify and process Microsoft Active Directories. The following three lines are the minimum required to support an Active Directory as a user store (in the [Mappings] section of the APS.cfg file):

userPassword={IsInDirectory("<dirname>")} unicodePwd
inetOrgPerson={IsInDirectory("<dirname>")} user
smapsPassword={IsInDirectory("<dirname>")}

Note: <dirname> is the name of the User Directory entry in your Policy Store.

Note: If the only User Directory is an Active Directory, then the following three lines can be used instead:

userPassword=unicodePwd
inetOrgPerson=user
smapsPassword=

Attribute Mapping

To map a standard attribute, use the format:

<logical-name>={<restricted-override>} <physical-name>

Where <logical-name> is the name by which APS knows the attribute or column, <physical-name> is the underlying LDAP attribute or ODBC column name, and <restricted-override> is an override expression stated in User Directory terms (IsLDAP, IsODBC, IsInDirectory), not in user or context terms. The override is optional; a line without one applies to every User Directory.

For example, under LDAP, users' full names are stored in an attribute called cn. Under ODBC, this is often a column called FullName. These can be mapped to a common name:

Name={IsLDAP()} cn
Name={IsODBC()} FullName

Now, Name can be referenced in mail templates and override expressions without worrying about the differences between User Directories.

Attribute Suppression

Some of the information maintained by APS is purely informational; it exists simply for reporting purposes. Sites can suppress this information by mapping the "known" name to a blank name. The descriptions of the APS attributes starting on page 140 tell which of these attributes can be suppressed in this way.

Suppressing attributes this way does not significantly improve write performance. APS groups all writes into a single server request. For writes, the performance cost is primarily in the network portion of the request, in the record (index) lookup, and in the fault tolerance (journaling) portion of the update. The difference between updating two attributes and four, for example, is normally not even measurable, as long as the updates are performed in the same request.

However, for very large directories, the savings in disk space may be significant enough to be desirable. For example, with 100 million users, not saving smapsPreviousLogin, which might average 24 characters, would save at least 2.4 GB of disk space.

Of course, the saving of this storage should be balanced against the loss of this information for reporting purposes. To suppress an attribute, map its "known" name to a blank name; for example, to stop storing the previous-login information:

smapsPreviousLogin=

Renaming LDAP Groups

This section must be used to rename LDAP groups so that they can be used by APSAdmin as described on page 157. APSAdmin cannot use full DNs in its references; it needs a single name. This section maps such a single name to a full LDAP DN for that purpose.

FailureGrp=cn=FailureCount,o=Airius.com

This is only used by APSAdmin. You cannot change the name of a group that APS will use as a disable group.

LDAP Reverse Groups

If LDAP Reverse Groups are required (as described on page 164), they are defined in this section.

To have APS treat all LDAP groups as reverse groups, use:

LDAP.ReverseGroups=*

An asterisk is not a wildcard. It can only be used alone, as above, to indicate that all groups are reverse groups; it cannot be combined with part of a DN.

To specify a single group as a reverse group:

LDAP.ReverseGroups=cn=Disabled-NoCredit, o=nds.com

Multiple such lines can exist, one for each reverse group.
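The rules in this section (logical-to-physical mapping with directory-level overrides, rejection of user-level expressions, suppression by a blank name, the APSAdmin group alias, and LDAP.ReverseGroups with its non-wildcard asterisk) can be exercised with the small resolver below. It is an added illustration, not CA's APS code. It assumes that the first line whose override matches the directory is the one used, that ';' begins a comment, that only IsLDAP(), IsODBC() and IsInDirectory("name") are accepted as overrides, and that reverse-group DNs are compared case-insensitively ignoring spaces after commas; the directory names CorpAD and HRDB in the constructed sample section are hypothetical.

```python
"""Resolve APS.cfg [Mappings] lines for a given User Directory.

Added illustration of the section's rules, not CA's APS code.  Assumptions:
first matching line wins, ';' starts a comment, only the three predicates
listed in _ALLOWED are accepted as overrides.
"""
import re
from dataclasses import dataclass

# <logical-name>={<restricted-override>} <physical-name>
# Both the override and the physical name are optional; a blank physical
# name suppresses the attribute.
_LINE_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(?:\{\s*(.*?)\s*\})?\s*(.*?)\s*$")

# Whitelist of User Directory predicates.  Anything else (IsInGroup,
# attribute references, ...) is rejected when the section is loaded.
_ALLOWED = (
    (re.compile(r"IsLDAP\(\)"), lambda d, m: d.kind == "LDAP"),
    (re.compile(r"IsODBC\(\)"), lambda d, m: d.kind == "ODBC"),
    (re.compile(r'IsInDirectory\("([^"]*)"\)'), lambda d, m: d.name == m.group(1)),
)


@dataclass(frozen=True)
class Directory:
    name: str  # name of the User Directory entry in the Policy Store
    kind: str  # "LDAP" or "ODBC"


def _predicate(expr):
    """Return (predicate, match) for an allowed override, else raise ValueError."""
    for pattern, pred in _ALLOWED:
        m = pattern.fullmatch(expr)
        if m:
            return pred, m
    raise ValueError(f"override not permitted in [Mappings]: {{{expr}}}")


def parse_mappings(text):
    """Parse section text into {logical: [(override, physical), ...]}."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed mapping line: {line!r}")
        logical, expr, physical = m.group(1), m.group(2) or "", m.group(3)
        if expr:
            _predicate(expr)  # reject user-level expressions at load time
        mappings.setdefault(logical, []).append((expr, physical))
    return mappings


def resolve(mappings, logical, directory):
    """Physical name for `logical` in `directory`; None if suppressed.

    A logical name with no applicable line is used unchanged.
    """
    for expr, physical in mappings.get(logical, []):
        if expr:
            pred, m = _predicate(expr)
            if not pred(directory, m):
                continue
        return physical or None
    return logical


def _norm_dn(dn):
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_reverse_group(mappings, group_dn):
    """True if group_dn is listed under LDAP.ReverseGroups.

    A line whose whole value is '*' makes every group a reverse group; '*' is
    not a wildcard, so 'cn=*,o=x' is just an ordinary non-matching entry.
    """
    entries = [physical for _, physical in mappings.get("LDAP.ReverseGroups", [])]
    if "*" in entries:
        return True
    return _norm_dn(group_dn) in {_norm_dn(e) for e in entries}


# Constructed sample section; the directory names CorpAD and HRDB are hypothetical.
SAMPLE = """
[Mappings]
; Active Directory needs these three remappings
userPassword={IsInDirectory("CorpAD")} unicodePwd
inetOrgPerson={IsInDirectory("CorpAD")} user
smapsPassword={IsInDirectory("CorpAD")}
; one logical name for the full name across directory types
Name={IsLDAP()} cn
Name={IsODBC()} FullName
smapsPreviousLogin=
FailureGrp=cn=FailureCount,o=Airius.com
LDAP.ReverseGroups=cn=Disabled-NoCredit, o=nds.com
"""
```

With `maps = parse_mappings(SAMPLE)`, `resolve(maps, "userPassword", Directory("CorpAD", "LDAP"))` returns `unicodePwd`, the same call for `Directory("HRDB", "ODBC")` returns `userPassword` unchanged because no line applies, `resolve(maps, "smapsPreviousLogin", ...)` returns None for every directory, and a line such as `Name={IsInGroup("cn=Admins,o=x")} cn` is rejected at load time rather than at lookup time, which is where you want a policy violation in a configuration file to surface.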