HP Intelligent Management Center v5.1 TACACS+ Authentication Manager Administrator Guide
You can also use a complex filter in the form (operator(attribute1=value)(attribute2=value)) or
(operator(attribute1=value)(operator(attribute2=value))) for advanced filtering. The operator
can be & (AND), | (OR), or ! (NOT). For example, the filter (&(objectclass=a*)(!(cn=b*))) enables
TAM to synchronize any entry that has an objectclass attribute value starting with a and a cn
attribute value not starting with b.
The default filter varies with the LDAP server type. If the server type is Microsoft AD, the default
filter is (&(objectclass=user)(sAMAccountName=*)). If the server type is General, the default
filter is (&(objectclass=*)(cn=*)).
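To see what a filter in this syntax would actually select before saving the policy, here is an added Python example (not part of the guide or of TAM): a small parser and evaluator for the filter subset described above, run against constructed directory entries. It assumes case-insensitive matching of attribute names and values, as AD does, and that computer objects carry objectclass=user alongside objectclass=computer, which is the case in AD and is why a presence test on sAMAccountName alone does not exclude them.

```python
import re

def parse_filter(text, pos=0):
    """Parse the TAM filter subset: (attr=value) with '*' wildcards, combined
    by (&...), (|...) and (!...). Returns (tree, offset after the filter)."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    op = text[pos + 1:pos + 2]
    if op in ("&", "|", "!"):
        children, pos = [], pos + 2
        while text[pos:pos + 1] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"bad operand count for '{op}' at offset {pos}")
        tree = (op, children)
    else:
        end = text.find(")", pos)
        attr, eq, value = text[pos + 1:end].partition("=")
        if end < 0 or not attr or not eq:
            raise ValueError(f"bad comparison at offset {pos}")
        tree, pos = ("=", attr, value), end
    if text[pos:pos + 1] != ")":
        raise ValueError(f"missing ')' at offset {pos}")
    return tree, pos + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry ({attribute: [values]})."""
    op = node[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node  # '*' is the only wildcard; everything else is literal
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)

ENTRIES = [  # constructed sample entries; assumes AD computer objects also carry objectclass=user
    {"cn": ["alice"], "objectclass": ["top", "person", "user"],
     "objectCategory": ["person"], "sAMAccountName": ["alice"]},
    {"cn": ["bob"], "objectclass": ["top", "person", "user"], "objectCategory": ["person"]},
    {"cn": ["HOST01"], "objectclass": ["top", "person", "user", "computer"],
     "objectCategory": ["computer"], "sAMAccountName": ["HOST01$"]},
    {"cn": ["carol"], "objectclass": ["account", "posixAccount"]},
    {"cn": ["brian"], "objectclass": ["account"]},
]

def select(filter_text, entries=ENTRIES):
    """Return the cn of every entry the filter would let TAM synchronize."""
    tree, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError(f"trailing text at offset {end}")
    return [e["cn"][0] for e in entries if matches(tree, e)]
```

Running `select` with the AD default filter shows that the constructed computer account HOST01$ is selected along with alice, while adding an `(objectCategory=person)` term restricts the match to people; the page's own example `(&(objectclass=a*)(!(cn=b*)))` selects only carol, because brian is excluded by the NOT clause.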
Sync Options-Auto synchronization—Select this option to execute the policy every day to
synchronize all matching users to TAM. The automatic execution time depends on the system
parameter LDAP Synchronization Time. For more information about configuring system
parameters, see "Configuring system parameters."
Sync Options-On-Demand Sync—Select this option to have TAM synchronize a new user from
the LDAP server only after the user passes authentication. This option and the Synchronize New
Device Users option are mutually exclusive. If you have a limited number of licenses, use this
option to save user licenses. If you enable both the Auto Synchronization and On-Demand Sync
options, only LDAP users that have been synchronized to TAM can be synchronized from the
LDAP server during automatic synchronization.
Sync Options-Synchronize New Device Users—Select this option to have TAM synchronize all
new users from the LDAP server. If this option is not selected, TAM does not synchronize any new
user from the LDAP server. This option and the On-Demand Sync option are mutually exclusive.
Sync Options-Synchronize Users in Current Node—Select this option to have TAM synchronize
users under the specified sub-base DN, but not synchronize users in any OU under the sub-base
DN. If this option is not selected, TAM synchronizes all users in the sub-base DN, including users
in the OUs in the sub-base DN.
5. Click Next to enter the page for configuring device user parameters.
6. Configure the associations between device user parameters and attribute descriptions on the LDAP server.
Account Name—The system automatically populates this field with the attribute description
used on the LDAP server for user account names, which cannot be modified.
User Name—Select the username attribute description used on the LDAP server from the list.
TAM gets the values for this attribute as the usernames of LDAP users. Or select Do Not Sync to
enter a unified username for all LDAP users.
User Password—Select the corresponding attribute description used on the LDAP server for user
passwords from the list. TAM gets the values of this attribute as user passwords of LDAP users.
Or select Do Not Sync to enter a unified user password for all users.
Expiration Date—Select the corresponding attribute description used on the LDAP server for
user account expiration dates from the list. TAM gets the values of this attribute as the expiration
date of LDAP users. Or select Do Not Sync to set a unified expiration date for all LDAP users. You
can either select a date by clicking the Calendar icon, or enter a date in the format
YYYY-MM-DD.
Max. Online Users—Select the corresponding attribute description used on the LDAP server for
the maximum number of online users with the same user account. TAM gets the values for this
attribute as the maximum number of online users with the same user account. Or select Do Not
Sync to manually set a unified setting for all device users.
Device User Group—Select a device user group for users bound with the synchronization policy.
Click the Select User Group icon. The Select Device User Group window appears. Select a
group and click OK. This parameter cannot be synchronized from the LDAP server.