Sync profiles are the profiles used to connect to a directory and automatically synchronise users. They are set up to collect both users and groups automatically every 3 minutes, picking up anything that has changed since the last synchronisation.
To set up a sync profile it is recommended that you consult with Cloudwork to make sure you will be adding the correct information.
Base settings determine which server we connect to and which credentials we use for the synchronisation.
- Description - This is only for the administrator’s reference.
- Sync Type - Determines what objects are being synchronised. Options available are
- Role - This will be the default user type that anyone inside this profile will be imported with. Available options are:
- LDAP Server - This is the address of the LDAP server. It can be in the form of an IP address or a domain name. To use a non-standard port, simply put the port on the end of the domain/IP, e.g. to connect to the server on port 1234 you would enter ldaps://schooltest.studentnet.edu.au:1234
If you do not put ldaps:// at the start we will assume ldaps:// for the protocol. If you wish to use ldap:// you must include that in the domain/IP that you put into this field. While we support ldap://, we do not recommend it. NB: for Password Reset to work, LDAPS MUST be in use.
- LDAP User - This is the user that has permission to connect to the server. It is recommended that this be a user created specifically for this connection. This is in the form of the distinguished name of the user, and will look something like the below example.
This user will need read access to the domain that it will be connecting to, and if Password Reset is enabled it will need the “Reset Password” permission on the domain also.
- LDAP Password - This is the password of the previously entered user.
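The LDAP Server rules above (ldaps:// assumed when no protocol is given, an optional port on the end, Password Reset needing LDAPS) can be checked before a profile is saved. The following is an added example, not Cloudwork's own code; the function names are hypothetical and the standard ports 636 and 389 are assumed when no port is entered.

```python
from urllib.parse import urlsplit

# Standard LDAPS/LDAP ports, assumed here as the default when none is entered.
DEFAULT_PORTS = {"ldaps": 636, "ldap": 389}


def normalise_ldap_server(field: str) -> dict:
    """Turn the 'LDAP Server' field into scheme, host and port."""
    value = field.strip()
    if "://" not in value:
        value = "ldaps://" + value  # documented default protocol
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("no host in LDAP Server field")
    # parts.port raises ValueError itself for a non-numeric or out-of-range port.
    port = parts.port or DEFAULT_PORTS[scheme]
    return {"scheme": scheme, "host": parts.hostname, "port": port}


def review_profile(server_field: str, password_reset: bool) -> list:
    """Return findings for a profile; an empty list means nothing to fix."""
    server = normalise_ldap_server(server_field)
    findings = []
    if server["scheme"] == "ldap":
        findings.append("ldap:// in use: supported but not recommended")
        if password_reset:
            findings.append("Password Reset enabled without LDAPS: it will not work")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs; only the first address comes from the page.
    samples = [
        ("ldaps://schooltest.studentnet.edu.au:1234", True),
        ("10.0.0.5", True),
        ("ldap://10.0.0.5", True),
    ]
    for field, reset in samples:
        print(field, normalise_ldap_server(field), review_profile(field, reset))
```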
User settings are required if the sync is set to pick up Accounts. They give us the container in which we look for users to synchronise, and the attributes that we read to set users up correctly.
Most of the attribute fields will be pre-filled with defaults for Active Directory. Unless you have a differing configuration, it is recommended to leave them as they are, in which case the only setting required will be the Search Container.
- Search Container - This is the base OU that we will search in for user accounts. This is always presented in the form of a distinguished name. All OUs below this will also be searched.
If this is being set up for a Group Sync then this field needs to be added so we know where to collect the users that belong to that Group.
- Mail Field - This is the Attribute that contains the email address of the user. Default: mail
- Username Field - This is the attribute holding the username that a user will use to log in to most systems. Default: sAMAccountName
- Password Field - This is the hashed password field that is saved via ADI. Default: hashedpassword
- GUID Field - This is the immutable ID of the user. Default: objectGUID
- First Name Field - This is the field containing the first (given) name of the user. Default: givenname
- Last Name Field - This is the field containing the last name (surname) of the user. Default: sn
The following fields are not compulsory and do not have a default value.
- Sis ID - The ID of the user in the school management system e.g. Edumate, Synergetic
- Password Reset Email - This field defines the value that will be set as the user's password recovery email. This can be mail but it can also be any alternate field where an email may reside. If the value in AD is blank, no value will be set.
- Password Reset Mobile - This field defines the value that will be set as the user's password recovery mobile number. If the value in AD is blank, no value will be set.
- Extra Attributes - This is a free-form field where you can define extra attributes that will be collected for each user. These can be any fields in AD that may be required by a service provider; they will be stored and passed on as attributes to service providers.
These are the settings that allow the synchronisation of groups out of the directory.
- Search Container - This is the base OU that we will search in for groups. This is always presented in the form of a distinguished name. All OUs below this will also be searched.
- Friendly Name Field - This is the friendly name of the group that users will see when it is presented to them. Default: cn
While this default is appropriate for things like email groups, if you are using groups for permissions in service providers like ClickView or Complispace then it is recommended to change this to “dn”.
- Group Email Field - This will be the full email address of the group. If the field is not in the form of an email address it will have the default domain attached to it. So if it is set to samaccountname then it will end up being firstname.lastname@example.org.
If all of the groups that require synchronisation have their own mail attribute then you can set this to mail. NB if this attribute is blank on the group in the directory then it will not be synchronised.
- Default Group Type - These are the default group settings that will apply to email groups when they are created. The available options are:
- Anyone can send to group
- Anyone within the domain can send to the group
- Only group members can post
- Only Teachers can post
- Group SIS ID field - The LDAP attribute that stores the SIS ID for a group.
- Group Faculty attribute - This conveys information about a group sync involving particular faculties within an institution e.g. Mathematics
- Group Form attribute - This conveys information about a group sync involving particular forms within an institution e.g. Year 12
Advanced settings revolve around the setup of email domains and other such issues that arise from mail attributes that may not have enough information.
It is recommended that you consult with Cloudwork about making adjustments to these settings.
- Domain - This will be the default domain of any email addresses that need to be created for either users or groups. This will be used if the group does not have a proper email address in its set “Group Email Field”.
- Force Mail Domain - This option will force all users to have the set domain as their email domain. This is mainly used if the mail attribute of a user does not contain a valid email address.
- Directory type - Currently the only two options are Active Directory and Apple Open Directory.
- Welcome Email Template - Send a welcome email created from a template that can be configured in the Message template section in Features.
e.g. for a domain where all users at the school (schooltest.studentnet.edu.au) have the mail attribute in the format email@example.com: while this is in the format of an email address, it will not work as an email address. In this case, if “Force Mail Domain” is checked, it will import that email address as firstname.lastname@example.org instead. Care needs to be taken when using this flag.