Setting up an LDAP Synchronization
The setup consists of three parts: creating the synchronization on the General tab, setting import of users on the Users tab and setting import of groups on the Groups tab. You can swap between these tabs on the bar at the upper-left corner of the LDAP synchronization properties panel.
General Tab
On the General tab, set the general properties of the synchronization: enable or disable the synchronization, select the LDAP server domain, enter the user name and password for access to the server, and optionally choose to export the imported users to a CSV file. See the list below for a description of the individual settings.
Enabled: Here you can enable or disable the synchronization.
LDAP Server: Here you can select the domain that you want to synchronize from.
User: Enter the username for access to the LDAP domain server.
Password: Enter the password for access to the LDAP domain server.
Enabled: If you enable the Export to CSV after successful import option, MyQ creates a CSV file with the imported users after the synchronization.
File: Select the folder where you want to save the created file.
After you correctly set the connection parameters (LDAP server, user and password) and save the settings, the LDAP browser opens on the right side of the screen.
In the User setting, a sub-domain user account with enough rights can also be used for authentication, but the sub-domain has to be specified in the username.
For example, the user Administrator connects to the testAD.local LDAP server, but their account is in the cz.testAD.local sub-domain. For successful authentication, the filled in username should be:
Administrator@cz.testAD.local
Users Tab
On the Users tab, pick one or more base DNs (distinguished names) from which you import the users. In addition, you can assign user attributes from the LDAP server to user properties in MyQ and select additional options concerning the synchronization.
Base DN: Here you can pick the base domain or domains from which you import users. Click +Add to add a text box for the new base DN, and then drag a group from the database browser and drop it in the text box. You can add multiple domains this way.
Properties: These are the properties of every individual user. MyQ will automatically find and assign the user's SAM account name to user name, cn to full name and mail to Email (this applies to Active Directory and OpenLDAP only). The user name property is the only one that cannot be changed. To assign an attribute to a property, write the name of the attribute in the property text box or drag it from the attributes of any individual user and drop it in the text box. The following properties support adding multiple values to them, separated by a semicolon (;):
Alias
PIN
Card
For example, in the Alias property, you could add alias1;alias2;alias3.
The AD attribute name should not contain the semicolon (;) character. If a semicolon is part of the attribute's name, that attribute will not be synchronized in MyQ.
For the Card and PIN properties, the administrator can choose one of the following options:
Do not synchronize: This option will skip the synchronization of these values.
Full synchronization: This option will replace the existing values with the new values from LDAP, irrespective of whether the new value is empty or not.
Synchronize if not empty: This option will replace the existing values only if the new values from LDAP are not empty. It won't remove the existing values if the corresponding value in LDAP is empty.
Add new: This option will update the existing values by adding new values from LDAP, without replacing the existing ones.
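The following is an added example, not MyQ's own code, showing how the semicolon-separated multi-value properties and the four Card/PIN synchronization modes described above behave on constructed sample values. The mode constants, the helper names and the attribute name employeeCards are assumptions made for the example; only the semicolon rule and the four modes come from the page.

```python
# Added example (not MyQ's own code): semicolon-separated multi-value properties
# and the four Card/PIN synchronization modes, applied to constructed values.
# Mode names are local constants, not MyQ identifiers.

DO_NOT_SYNCHRONIZE = "do_not_synchronize"
FULL_SYNCHRONIZATION = "full_synchronization"
SYNCHRONIZE_IF_NOT_EMPTY = "synchronize_if_not_empty"
ADD_NEW = "add_new"

# Properties that accept several values separated by ';' (from the page).
MULTI_VALUE_PROPERTIES = {"Alias", "PIN", "Card"}


def attribute_name_is_syncable(attribute_name):
    """An AD attribute whose *name* contains ';' is not synchronized at all."""
    return ";" not in attribute_name


def split_multi_value(raw_value):
    """'alias1;alias2;alias3' -> ['alias1', 'alias2', 'alias3'].
    Empty segments (from 'a;;b' or a trailing ';') are dropped."""
    if raw_value is None:
        return []
    return [part.strip() for part in raw_value.split(";") if part.strip()]


def merge_values(existing, incoming, mode):
    """Return the values MyQ would store after one synchronization run.

    existing: values currently stored in MyQ
    incoming: values delivered by LDAP (already split on ';')
    """
    if mode == DO_NOT_SYNCHRONIZE:
        return list(existing)
    if mode == FULL_SYNCHRONIZATION:
        # Replace unconditionally: an empty LDAP value wipes the stored values.
        return list(incoming)
    if mode == SYNCHRONIZE_IF_NOT_EMPTY:
        # Replace only when LDAP delivered something; otherwise keep what is stored.
        return list(incoming) if incoming else list(existing)
    if mode == ADD_NEW:
        # Keep stored values and append LDAP values that are not present yet.
        merged = list(existing)
        for value in incoming:
            if value not in merged:
                merged.append(value)
        return merged
    raise ValueError(f"unknown synchronization mode: {mode!r}")


def synchronize_property(stored, ldap_entry, property_name, attribute_name, mode):
    """Apply the mapping 'property_name <- attribute_name' to one user.

    stored: dict of property -> list of values currently in MyQ
    ldap_entry: dict of attribute -> raw string as read from LDAP
    Returns an updated copy of `stored`; the mapping is skipped entirely
    when the attribute name contains ';'.
    """
    if property_name not in MULTI_VALUE_PROPERTIES:
        raise ValueError(f"{property_name} is not a multi-value property")
    updated = dict(stored)
    if not attribute_name_is_syncable(attribute_name):
        return updated
    incoming = split_multi_value(ldap_entry.get(attribute_name))
    updated[property_name] = merge_values(stored.get(property_name, []), incoming, mode)
    return updated


if __name__ == "__main__":
    # Constructed sample: a user with one card already stored in MyQ and a
    # (constructed) employeeCards attribute holding two cards plus a trailing ';'.
    stored = {"Card": ["1001"]}
    entry = {"employeeCards": "2002;1001;"}
    for mode in (DO_NOT_SYNCHRONIZE, FULL_SYNCHRONIZATION,
                 SYNCHRONIZE_IF_NOT_EMPTY, ADD_NEW):
        result = synchronize_property(stored, entry, "Card", "employeeCards", mode)
        print(f"{mode:25s} -> {result['Card']}")
```

The interesting case is an empty LDAP value: Full synchronization removes the stored card, while Synchronize if not empty leaves it in place. Run the file directly to see all four modes side by side.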
For assigning default languages to users, you have to use an attribute from the LDAP server that has the language abbreviations as its values. For example, you can create and use an attribute called lang with the values en for English, hr for Croatian, etc. The list of the abbreviations used in MyQ can be found here.
Options: For a description of the common synchronization options, see User information and settings. The basic options that are common for both the synchronization from LDAP servers and for synchronization from CSV files are:
Deactivate missing users: If you select this option, MyQ deletes users that are imported from the current synchronization source and that are not in the source anymore. To delete users that were added from different sources, select the Ignore synchronization source option together with this option.
Add new users: If you select this option, MyQ adds new users from the current synchronization source. If you do not select it, MyQ updates the user accounts of the users who are already in MyQ, but does not add any new users.
Convert user name to lowercase: Unlike some other systems that do not distinguish between two words with the same letters but different cases (such as "Pear", "pear"), MyQ is case sensitive. You can use the Convert user name to lowercase option to prevent creating multiple accounts for one user.
Use authentication server: If you select this option and a user logs in by entering their username and password, the credentials are not authenticated against the MyQ database, but instead against an LDAP or Radius server. If you synchronize users via LDAP, the source LDAP server is automatically assigned as the authentication server. If you synchronize users via CSV, you can select the authentication server from the list of predefined authentication servers.
Pair by the personal number: If you select this option, MyQ identifies users by their personal number instead of their user names. This way you can keep track of a single user with different names in different sources or a user whose name has changed for some reason. For example, if this option is activated and a username in LDAP changes from cat.stevens to yusuf.islam, MyQ does not create a new user account, but recognizes the old user by their personal number.
Ignore synchronization source: If this option is not selected, MyQ recognizes two users from different synchronization sources as two different entities. This can cause conflicts during synchronizations from multiple sources. If it is selected, MyQ ignores the synchronization sources and treats all users the same, regardless of their synchronization source. For example, if you run a synchronization and MyQ would import/update a user that has been already added from a different synchronization source, it does not update the user. Instead, it shows the message The name/alias "X" is already used by the user "X" among the synchronization results. After you select the Ignore synchronization source option, the user is updated by the latest synchronization.
If you select this option together with the Deactivate missing users option, all users that were added from different sources and are not in the current synchronization source are deleted during the synchronization.
Append the domain name to the username (username@domain.local): With this option selected, the name of the domain can be retrieved from the MyQ username. The information about the domain may be needed, for example, when scanning to users' home folders is used on an embedded terminal.
Filter: You can filter the users import by specifying the values of attributes. Add the conditions in the form of LDAP filter syntax. Users with a different value on this attribute are not accepted and are filtered out of the import. For example:
| Search filter | Description |
|---|---|
| (objectClass=*) | All objects. |
| (&(objectCategory=person)(objectClass=user)(!(cn=andy))) | All user objects but "andy". |
| (sn=sm*) | All objects with a surname that starts with "sm". |
| (&(objectCategory=person)(objectClass=contact)(\|(sn=Smith)(sn=Johnson))) | All contacts with a surname equal to "Smith" or "Johnson". |
For attributes where the values are strings, such as the cn attribute, you can use the wildcard * symbol to search for substrings.
DN attributes (like memberOf) do not accept wildcard * search and must be searched by the whole string.
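As an added example that is not part of the original page or of MyQ, the following small evaluator runs the filters from the table above against constructed directory entries. It implements the &, | and ! operators, equality with the * wildcard, presence (attr=*), and the rule that DN attributes such as memberOf match only on the whole string. The entries, the cn values and the group DN are constructed; objectCategory is shortened to its class name as it appears in the filters, and RFC 4515 escape sequences are not handled, both simplifications of the example.

```python
# Added example (not MyQ's own code): evaluate LDAP search filters of the kind
# shown in the Filter box against constructed entries. Simplifications: no
# RFC 4515 escape sequences, objectCategory shortened to its class name.
import re

# Attributes with DN syntax: no wildcard, the whole value must match.
DN_SYNTAX_ATTRIBUTES = {"memberof", "distinguishedname", "manager"}


class Filter:
    """One node of a parsed filter: op is '&', '|', '!', '=' or 'present'."""

    def __init__(self, op, children=(), attr=None, value=None):
        self.op, self.children, self.attr, self.value = op, list(children), attr, value


def parse_filter(text):
    """Parse a parenthesised filter string into a Filter tree."""
    text = text.strip()
    node, pos = _parse_node(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text after filter: {text[pos:]!r}")
    return node


def _parse_node(s, i):
    if i + 1 >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at position {i}")
        return Filter(op, children), i + 1
    if s[i] == "!":
        child, i = _parse_node(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at position {i}")
        return Filter("!", [child]), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")  # first '=' splits attr from value
    if not sep or not attr:
        raise ValueError(f"bad filter item: {s[i:end]!r}")
    if value == "*":
        return Filter("present", attr=attr), end + 1
    return Filter("=", attr=attr, value=value), end + 1


def _value_matches(attr, pattern, value):
    if attr.lower() in DN_SYNTAX_ATTRIBUTES:
        return pattern.lower() == value.lower()  # whole string only, no wildcard
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, entry):
    """True if the entry (dict attr -> str or list of str) satisfies the filter."""
    if node.op == "&":
        return all(matches(child, entry) for child in node.children)
    if node.op == "|":
        return any(matches(child, entry) for child in node.children)
    if node.op == "!":
        return not matches(node.children[0], entry)
    # Attribute names are case-insensitive; normalise every value to a list.
    values = next((v for k, v in entry.items() if k.lower() == node.attr.lower()), [])
    values = values if isinstance(values, list) else [values]
    if node.op == "present":
        return len(values) > 0
    return any(_value_matches(node.attr, node.value, v) for v in values)


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"cn": "andy", "sn": "Smith", "objectCategory": "person",
     "objectClass": ["top", "person", "user"],
     "memberOf": ["CN=Printing,OU=Groups,DC=example,DC=test"]},
    {"cn": "bea", "sn": "Smallwood", "objectCategory": "person",
     "objectClass": ["top", "person", "user"]},
    {"cn": "carl", "sn": "Johnson", "objectCategory": "person",
     "objectClass": ["top", "person", "contact"]},
    {"cn": "Printing", "objectCategory": "group", "objectClass": ["top", "group"]},
]


def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the cn of every entry accepted by the filter, in directory order."""
    tree = parse_filter(filter_text)
    return [e["cn"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    for f in ["(objectClass=*)", "(sn=sm*)", "(memberOf=*Printing*)",
              "(memberOf=CN=Printing,OU=Groups,DC=example,DC=test)"]:
        print(f"{f:55s} -> {search(f)}")
```

Note the last two filters in the usage: (memberOf=*Printing*) accepts nobody because memberOf is a DN attribute, while the whole group DN matches andy, which is exactly the restriction the text above describes.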
Transformation: This feature enables administrators to define regular expressions (RegEx) to transform user data during the synchronization process. Details are available here.
Groups Tab
On this tab, you can import groups and the group structure from the LDAP source. There are four different ways of specifying which groups are imported. You can use multiple different methods together and by each method, you can create different groups of users. You can also select to import the groups under an existing group in MyQ.
Do not change default group: A user can be a member of multiple groups but all their prints, copies and scans are accounted to only one group: the default (accounting) group of the user. If you select this option, the default group of the selected user does not change during the synchronization.
Import groups under this group: You can select an existing group in MyQ under which you import the groups from the LDAP database.
Groups stored in user's attribute:
Attribute: You can select this option if you want to use an attribute that defines groups in the LDAP database. To add it, type the name of the attribute in the property text box or drag the attribute from any individual user and drop it in the Attribute text box.
You can also create groups by combining multiple attributes. To create such groups, put each of the attributes between two percentage signs (%). For example, the combination of attributes %attribute1%_%attribute2% imports a new group named value1_value2.
Furthermore, you can create tree structures of groups by separating the attributes with vertical bars. For example, the combination of attributes %attribute1%|%attribute2% imports a group value1 and its sub-group value2.
Make default: If you select this option, the group becomes the default group of the imported user.
Group stored in user's DN:
OU component index: Here you can select a group by its OU (organizational unit) index among the DN components. The index is counted from right to left: the first OU group from the right has index 1, the second from the right has index 2 and so on.
On the image above, there are two OU groups: test_users has index 1 (as it is the first OU group from the right), tree1 has index 2. The other components are not OU and therefore have no index.
Make default: If you select this option, the group becomes the default group of the imported user.
Tree group stored in user's DN: Here you can import the whole tree structure of groups. You can restrict the import to any part of the structure by stripping the DN components from the left and from the right. In the respective text boxes, enter the number of components to be stripped from the left and from the right side. You have to strip at least one component from the left (the user CN component) and one component from the right (the right-most DC component).
On the image above, there are six components. If you strip one component from the left and one from the right, you import the following structure of groups: MYQTESTLAB > test_users > tree1 > tree3. By stripping components from the left, you remove the groups from the bottom to the top of the structure. By stripping components from the right, you remove the groups from the top to the bottom of the structure.
Make default: If you select this option, the bottom group of the imported structure becomes the default group of the imported user.
Group stored in user's memberOf attribute:
Group base DN: MyQ can import security and distribution groups stored in the user's memberOf attribute. The security groups are used to define access permissions granted to their members. Distribution groups can be used for sending emails to a group of users. To specify which groups should be taken into consideration during the import, you have to insert the groups base DN. MyQ imports only groups that are included in the base DN; other groups stored in the memberOf attribute are ignored. The group base DN does not have to be in the same organizational unit as the users base domain. If a user is member of more than one group on the LDAP server, all the groups are stored in the memberOf attribute. Therefore, the Make default option, which requires a single value, is not available for this method of import.
To add the groups base DN, drag it from the database browser and drop it in the Group base DN text box.
Filter: You can filter this import by specifying the values of attributes. Add the conditions in the form: Attribute=Value. Groups with a different value on this attribute are not accepted and are filtered out of the import. You can use the * symbol to search for substrings. The symbol can be appended from both sides. For example, if you add a cn=*in* condition, only users whose common name attribute contains "in" are accepted. You can add one condition per row. Groups are accepted if they satisfy at least one condition.
Import empty groups: If you select this option, groups from the Group base DN are imported even if there is no user having them in their memberOf attribute.
Import tree of groups: If you select this option, the whole tree structure is imported. Otherwise all groups are added separately; not as a part of a tree structure.
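The following added example (not MyQ's own code) works through the group sources described on this tab: groups built from an attribute template such as %attribute1%_%attribute2% or %attribute1%|%attribute2%, the OU component index counted from the right, the tree of groups left after stripping DN components from both ends, and groups taken from memberOf restricted to a group base DN with Attribute=Value conditions. The user DN below is constructed to match the six-component structure in the text (the CN value jdoe and the DC=local suffix are assumptions); the attribute names department and l, the group DNs and the base DN are likewise constructed. Escaped commas inside DN values are not handled, a simplification of the example.

```python
# Added example (not MyQ's own code): derive groups from a user's attributes,
# DN and memberOf values as described on the Groups tab. Sample DN, attribute
# and group names are constructed; escaped commas in DN values are not handled.
import re


def parse_dn(dn):
    """Split a DN into (TYPE, value) components, left to right."""
    components = []
    for part in dn.split(","):
        typ, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"bad DN component: {part!r}")
        components.append((typ.strip().upper(), value.strip()))
    return components


def groups_from_attribute_template(template, user):
    """Expand '%attribute1%_%attribute2%' with the user's attribute values.
    '|' separates tree levels: '%a%|%b%' yields [value_a, value_b], where
    value_b is a sub-group of value_a. Missing attributes expand to ''."""
    def expand(level):
        return re.sub(r"%([^%]+)%", lambda m: str(user.get(m.group(1), "")), level)
    return [expand(level) for level in template.split("|")]


def group_by_ou_index(dn, index):
    """OU component index counted from the right: 1 = right-most OU."""
    ous_from_right = [value for typ, value in reversed(parse_dn(dn)) if typ == "OU"]
    if not 1 <= index <= len(ous_from_right):
        raise IndexError(f"DN has only {len(ous_from_right)} OU components")
    return ous_from_right[index - 1]


def tree_groups_from_dn(dn, strip_left, strip_right):
    """Group path (top to bottom) after stripping components from both ends.
    At least one component must go on each side: the user CN on the left
    and the right-most DC on the right."""
    if strip_left < 1 or strip_right < 1:
        raise ValueError("strip at least one component from each side")
    components = parse_dn(dn)
    kept = components[strip_left:len(components) - strip_right]
    # The right-most kept component is the top of the tree.
    return [value for _, value in reversed(kept)]


def default_group(path):
    """The bottom group of an imported path becomes the user's default group."""
    return path[-1]


def _condition_matches(condition, cn):
    """'cn=*in*' style condition; '*' may appear on either side of the value."""
    attr, _, pattern = condition.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError("this example only evaluates cn conditions")
    regex = ".*".join(re.escape(part) for part in pattern.strip().split("*"))
    return re.fullmatch(regex, cn, re.IGNORECASE) is not None


def groups_from_member_of(member_of_values, group_base_dn, conditions=()):
    """Groups under group_base_dn taken from memberOf; other groups are
    ignored. With conditions, a group is accepted if it satisfies at least
    one of them (one condition per row on the page)."""
    base = [(t, v.lower()) for t, v in parse_dn(group_base_dn)]
    accepted = []
    for group_dn in member_of_values:
        components = parse_dn(group_dn)
        suffix = [(t, v.lower()) for t, v in components[-len(base):]]
        if len(components) <= len(base) or suffix != base:
            continue  # not below the group base DN
        cn = components[0][1]
        if conditions and not any(_condition_matches(c, cn) for c in conditions):
            continue
        accepted.append(cn)
    return accepted


# Constructed six-component DN; OU and DC names follow the page's example.
SAMPLE_USER_DN = "CN=jdoe,OU=tree3,OU=tree1,OU=test_users,DC=MYQTESTLAB,DC=local"

if __name__ == "__main__":
    path = tree_groups_from_dn(SAMPLE_USER_DN, 1, 1)
    print(" > ".join(path), "| default:", default_group(path))
    print("OU index 1:", group_by_ou_index(SAMPLE_USER_DN, 1),
          "| OU index 2:", group_by_ou_index(SAMPLE_USER_DN, 2))
    print(groups_from_attribute_template("%department%|%l%",
                                         {"department": "Sales", "l": "Prague"}))
```

Stripping one component from each side of the sample DN yields MYQTESTLAB > test_users > tree1 > tree3, matching the structure quoted in the text, and the OU index counts from the right, so test_users is index 1 even though it is the left-most OU in the group tree.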