TIBCO Spotfire® Server and Environment - Installation and Administration

config-ldap-group-sync

Configures group synchronization for an LDAP configuration.

config-ldap-group-sync 
[-c value | --configuration=value] 
[-b value | --bootstrap-config=value] 
<--id=value> 
[--group-sync-enabled=<true|false>] 
[--schedules=value] 
[--clear-schedules] 
[--group-names=value] 
[--clear-group-names] 
[--clear-all] 
[--filter-users-by-groups=<true|false>] 
[--group-search-filter=value] 
[--group-name-attribute=value] 
[--supports-member-of=<true|false>] 
[--member-attribute=value] 
[--ignore-member-groups=<true|false>]

Overview

Use this command to configure group synchronization for an LDAP configuration used with the User Directory LDAP provider.

Options

Each option is listed with whether it is optional or required, its default value, and a description.

-c value
--configuration=value
Optional or Required: Optional
Default Value: configuration.xml
Description: The path to the server configuration file.

-b value
--bootstrap-config=value
Optional or Required: Optional
Default Value: none
Description: The path to the bootstrap configuration file. See Bootstrap.xml file for more information about this file.

--id=value
Optional or Required: Required
Default Value: none
Description: Specifies the identifier of the LDAP configuration for which to configure group synchronization.

--group-sync-enabled=<true|false>
Optional or Required: Optional
Default Value: true
Description: Specifies whether group synchronization should be enabled for this LDAP configuration.
--schedules=value
Description: This argument is deprecated and is replaced with the similarly named argument for the create-ldap-config and update-ldap-config commands, because the synchronization schedules are now used for both user and group synchronization.

The argument specifies a comma-separated list of schedules for when the LDAP synchronization should be performed. The schedules are given in a cron-compatible format, where each schedule consists of either five fields or one shorthand label.

The five fields are, from left to right, with their valid ranges: minute (0-59), hour (0-23), day of month (1-31), month (1-12) and day of week (0-7, where both 0 and 7 indicate Sunday). A field may also be configured with the wildcard character '*', indicating that any moment in time matches this field. An LDAP synchronization is triggered when all fields match the current time. If both day of month and day of week have non-wildcard values, then only one of them has to match.

The following shorthand labels can be used instead of the full cron expressions:

@yearly or @annually: run once a year (equivalent to 0 0 1 1 *)

@monthly: run once a month (equivalent to 0 0 1 * *)

@weekly: run once a week (equivalent to 0 0 * * 0)

@daily or @midnight: run once a day (equivalent to 0 0 * * *)

@hourly: run once an hour (equivalent to 0 * * * *)

@minutely: run once a minute (equivalent to * * * * *)

@reboot or @restart: run every time the Spotfire Server is started

Consult the Wikipedia article for an overview of the cron scheduler: https://en.wikipedia.org/wiki/Cron.
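The matching rules described for --schedules (five fields with their valid ranges, the '*' wildcard, the shorthand labels, and the rule that when both day of month and day of week are restricted only one of them has to match), written out as an added Python example. This is not Spotfire code and not part of this documentation; it assumes a field holds either '*' or a single integer, which is all the description above covers, so ranges, lists and step values that other cron implementations accept are rejected. The function and constant names are the example's own.

```python
"""Matcher for the schedule syntax described for --schedules (added example)."""
from datetime import datetime

# Shorthand labels and their five-field equivalents, as listed above.
# @reboot/@restart fire on server start rather than on a clock value.
SHORTHANDS = {
    "@yearly": "0 0 1 1 *", "@annually": "0 0 1 1 *",
    "@monthly": "0 0 1 * *",
    "@weekly": "0 0 * * 0",
    "@daily": "0 0 * * *", "@midnight": "0 0 * * *",
    "@hourly": "0 * * * *",
    "@minutely": "* * * * *",
}
STARTUP_LABELS = {"@reboot", "@restart"}

# Field names and valid ranges, left to right: minute, hour, day of month,
# month, day of week (0 and 7 both mean Sunday).
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day of month", 1, 31),
          ("month", 1, 12), ("day of week", 0, 7)]


def parse_schedule(text):
    """Parse one schedule into five values (int, or None for '*'), or 'startup'."""
    text = text.strip()
    if text in STARTUP_LABELS:
        return "startup"
    fields = SHORTHANDS.get(text, text).split()
    if len(fields) != 5:
        raise ValueError(f"expected five fields or a shorthand label: {text!r}")
    parsed = []
    for (name, lo, hi), raw in zip(FIELDS, fields):
        if raw == "*":
            parsed.append(None)  # wildcard: any value matches
        elif raw.isdigit() and lo <= int(raw) <= hi:
            parsed.append(int(raw))
        else:
            raise ValueError(f"{name} must be '*' or {lo}-{hi}, got {raw!r}")
    return parsed


def parse_schedules(value):
    """Split the comma-separated --schedules value and parse each entry."""
    return [parse_schedule(s) for s in value.split(",") if s.strip()]


def is_valid_schedule(text):
    """True if the schedule parses, False otherwise; useful for validating input."""
    try:
        parse_schedule(text)
        return True
    except ValueError:
        return False


def matches(schedule, when):
    """True if the schedule fires at the minute given by `when`."""
    if schedule == "startup":
        return False  # only triggered by a server start, never by the clock
    minute, hour, dom, month, dow = schedule

    def ok(field, actual):
        return field is None or field == actual

    if not (ok(minute, when.minute) and ok(hour, when.hour) and ok(month, when.month)):
        return False
    # datetime.weekday(): Monday=0 .. Sunday=6; cron: Sunday=0 (or 7), Monday=1.
    cron_dow = (when.weekday() + 1) % 7
    dom_ok = ok(dom, when.day)
    dow_ok = dow is None or dow % 7 == cron_dow
    if dom is not None and dow is not None:
        # Both restricted: only one of them has to match.
        return dom_ok or dow_ok
    return dom_ok and dow_ok


if __name__ == "__main__":
    now = datetime(2024, 2, 1, 0, 0)  # a Thursday, first day of the month
    for text in ("@daily", "0 0 1 * 1", "0 0 * * 0"):
        print(text, "->", matches(parse_schedule(text), now))
```

Running it shows "0 0 1 * 1" firing on 2024-02-01 even though that day is a Thursday, because the day-of-month field matched; the same schedule also fires on every Monday. Validating a --schedules value with is_valid_schedule before applying it catches out-of-range fields, which the server would otherwise reject at configuration time.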

--clear-schedules
Optional or Required: Optional
Description: This argument is deprecated and is replaced with the similarly named argument for the update-ldap-config command, because the synchronization schedules are now used for both user and group synchronization.

By specifying this flag, the LDAP synchronization schedules are cleared from the LDAP configuration. This flag can be used together with the --schedules flag to remove all old schedules before adding the new ones.

--group-names=value
Optional or Required: Optional
Default Value: none
Description: Specifies the account names or the distinguished names (DNs) of the groups to be synchronized. When you specify more than one account name or DN, separate them using pipe characters (|).

--clear-group-names
Optional or Required: Optional
Default Value: none
Description: By specifying this flag, the list of group names to be synchronized is cleared from the LDAP configuration. This flag can be used together with the --group-names flag to remove all old group names before adding the new ones.

--clear-all
Optional or Required: Optional
Default Value: none
Description: By specifying this flag, all group synchronization related configuration options are cleared from the LDAP configuration.

Starting from Spotfire Server 5.0, it will NOT clear the LDAP synchronization schedules.

--filter-users-by-groups=<true|false>
Optional or Required: Optional
Default Value: none
Description: Specifies whether users should be filtered by groups, so that only users who are members of the synchronized groups are synchronized.
--group-search-filter=value
Optional or Required: Optional, unless the LDAP server type is set to "Custom" using the --type parameter.
Default Value: For Active Directory servers, objectClass=group.

For Sun ONE Directory Servers, &(|(objectclass=nsManagedRoleDefinition)(objectClass=nsNestedRoleDefinition))(objectclass=ldapSubEntry).

For Sun Java System Directory Servers, objectClass=groupOfUniqueNames.

Description: Specifies an LDAP search expression filter to use when searching for groups.

--group-name-attribute=value
Optional or Required: Optional, unless the LDAP server type is set to "Custom" using the --type parameter.
Default Value: For Active Directory servers, sAMAccountName.

For any version of the Sun Directory Servers with a default configuration, cn.

Description: Specifies the name of the LDAP attribute containing the group account names.

--supports-member-of=<true|false>
Optional or Required: Optional, unless the LDAP server type is set to "Custom" using the --type parameter.
Default Value: none
Description: Specifies whether the LDAP servers support a memberOf-like attribute on the user accounts that contains the names of the groups or roles that the users are members of. In general, this is true for all Microsoft Active Directory servers and all types of Sun Directory Servers.
--member-attribute=value
Optional or Required: Optional, unless the LDAP server type is set to "Custom" using the --type parameter.
Default Value: For Microsoft Active Directory servers, memberOf.

For Sun ONE Directory Servers, nsRole.

For Sun Java System Directory Server version 6.0 or later, isMemberOf.

To use the roles with the Sun Java System Directory Server, override the default value by setting this argument to "nsRole".

Description: For all LDAP servers with support for a memberOf-like attribute, this argument specifies the name of the LDAP attribute on the user account that contains the names of the groups or roles that the user is a member of. In general, this includes all Microsoft Active Directory servers and all types of Sun Directory Servers.

For some LDAP servers with configurations of type Custom, there is no memberOf-like attribute. In those cases, this argument specifies the LDAP attribute on the group account that contains the names of its members.

All configurations of this type use a far less efficient group synchronization algorithm that generates more traffic to the LDAP servers, because Spotfire Server first has to search for the distinguished names (DNs) of the group members within the groups, and then perform repeated look-ups to translate each member DN to the correct account name.

--ignore-member-groups=<true|false>
Optional or Required: Optional, unless the LDAP server type is set to "Custom" using the --type parameter.
Default Value: For Microsoft Active Directory servers, "false", so that all inherited group memberships are correctly reflected.

For any version of the Sun Directory Servers, "true", because the role and group mechanisms in those servers automatically include those members.

Description: Determines whether the group synchronization mechanism should recursively traverse the synchronized groups' non-synchronized subgroups and include their members in the search result.
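The two group synchronization algorithms described under --member-attribute (the memberOf-based path and the member-attribute path with its per-member look-ups), together with the effect of --ignore-member-groups and the pipe-separated --group-names value, as an added Python example. This is not Spotfire code; it runs both paths against a small constructed in-memory directory with Active Directory style attribute names and counts the requests each path sends, so the extra LDAP traffic the description warns about becomes visible. The Directory class, the sample entries, and the assumption that group entries also carry memberOf (so the memberOf path can discover subgroups) are the example's own.

```python
"""Contrast of the memberOf and member-attribute group sync paths (added example)."""

# Constructed sample directory, DN -> attributes. Groups carry 'member' (DNs of
# their members); users and groups carry 'memberOf' (DNs of their parent groups).
GROUPS = "ou=groups,dc=example,dc=com"
USERS = "ou=users,dc=example,dc=com"
DIRECTORY = {
    f"cn=analysts,{GROUPS}": {"objectClass": "group", "sAMAccountName": "analysts",
                              "member": [f"cn=alice,{USERS}", f"cn=interns,{GROUPS}"],
                              "memberOf": []},
    f"cn=interns,{GROUPS}": {"objectClass": "group", "sAMAccountName": "interns",
                             "member": [f"cn=bob,{USERS}"],
                             "memberOf": [f"cn=analysts,{GROUPS}"]},
    f"cn=alice,{USERS}": {"objectClass": "user", "sAMAccountName": "alice",
                          "memberOf": [f"cn=analysts,{GROUPS}"]},
    f"cn=bob,{USERS}": {"objectClass": "user", "sAMAccountName": "bob",
                        "memberOf": [f"cn=interns,{GROUPS}"]},
    f"cn=carol,{USERS}": {"objectClass": "user", "sAMAccountName": "carol",
                          "memberOf": []},
}


class Directory:
    """In-memory stand-in for an LDAP server that counts the requests sent to it."""

    def __init__(self, entries):
        self.entries = entries
        self.requests = 0

    def search(self, predicate):
        """One search request; returns every (dn, attrs) pair the predicate accepts."""
        self.requests += 1
        return [(dn, a) for dn, a in self.entries.items() if predicate(a)]

    def lookup(self, dn):
        """One read of a single entry by DN."""
        self.requests += 1
        return self.entries.get(dn)


def resolve_group_dns(d, group_names, group_name_attribute="sAMAccountName"):
    """--group-names holds account names or DNs separated by '|'; return the matching DNs."""
    wanted = {g.strip() for g in group_names.split("|") if g.strip()}
    groups = d.search(lambda a: a["objectClass"] == "group")
    return {dn for dn, a in groups if dn in wanted or a.get(group_name_attribute) in wanted}


def sync_with_member_of(d, group_dns, member_attribute="memberOf", ignore_member_groups=False):
    """Efficient path: the user entry lists its own groups (AD memberOf, Sun nsRole/isMemberOf)."""
    targets = set(group_dns)
    if not ignore_member_groups:
        # Also collect non-synchronized subgroups so inherited memberships are reflected.
        frontier = set(targets)
        while frontier:
            found = d.search(lambda a, f=frontier: a["objectClass"] == "group"
                             and bool(set(a.get(member_attribute, [])) & f))
            frontier = {dn for dn, _ in found} - targets
            targets |= frontier
    users = d.search(lambda a: a["objectClass"] == "user"
                     and bool(set(a.get(member_attribute, [])) & targets))
    return sorted(a["sAMAccountName"] for _, a in users)


def sync_with_member_attribute(d, group_dns, member_attribute="member", ignore_member_groups=False):
    """Custom path: read member DNs from each group, then look up every DN for its account name."""
    names, seen, stack = set(), set(), list(group_dns)
    while stack:
        group_dn = stack.pop()
        if group_dn in seen:
            continue
        seen.add(group_dn)
        group = d.lookup(group_dn) or {}
        for member_dn in group.get(member_attribute, []):
            entry = d.lookup(member_dn)  # one extra request per member: the costly part
            if entry is None:
                continue
            if entry["objectClass"] == "user":
                names.add(entry["sAMAccountName"])
            elif not ignore_member_groups:
                stack.append(member_dn)  # subgroup: traverse it as well
    return sorted(names)


def run_sync(group_names, supports_member_of, ignore_member_groups=False):
    """Run one synchronization on a fresh directory; return (account names, request count)."""
    d = Directory(DIRECTORY)
    dns = resolve_group_dns(d, group_names)
    if supports_member_of:
        names = sync_with_member_of(d, dns, "memberOf", ignore_member_groups)
    else:
        names = sync_with_member_attribute(d, dns, "member", ignore_member_groups)
    return names, d.requests


if __name__ == "__main__":
    for supports in (True, False):
        for ignore in (False, True):
            print(f"supports_member_of={supports} ignore_member_groups={ignore}:",
                  run_sync("analysts", supports, ignore))
```

With --ignore-member-groups=false both paths return alice and bob, because bob is only a member of the nested interns group; with it set to true only alice is returned. The member-attribute path needs one request per member on top of one per group, which is the growth in LDAP traffic the description warns about, and it scales with the size of the synchronized groups rather than with the number of groups.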