You can specify users to sync during LiveSync by defining the accountSynchronizationFilter in your LDAP provisioner config file (for example, provisioner.openicf-ldap.json), which is located in the /path/to/idm/conf directory. The accountSynchronizationFilter allows you to sync a subset of users by specifying standard LDAP search filters to either include or exclude specific users. Only users matching the accountSynchronizationFilter are synced; by default it is set to null and therefore syncs all users during a LiveSync.
An LDAP search filter consists of one or more criteria, which can be joined using AND, OR or NOT operators. Each of these operators is represented by a single character, which must be specified before the criteria it applies to; each criterion must be contained within brackets, and the operator together with all the criteria it applies to must also be contained within brackets:
- AND, represented by &: (&(criterion1)(criterion2)). This operator can be used in a search filter even if there is currently only one criterion.
- OR, represented by |: (|(criterion1)(criterion2))
- NOT, represented by !: (!(criterion1))
You can combine operators within a single search filter to exactly define your subset of users.
When you are combining operators into a single search filter, you must ensure all opening brackets have corresponding closing brackets for the search filter to work.
Example Search Filters
- You can exclude a specific user with the following filter: "accountSynchronizationFilter" : "(!(uid=userID))"
- You can include all users who are a direct member of one of two groups with the following filter: "accountSynchronizationFilter" : "(|(memberOf=cn=internal,ou=employees,ou=north,dc=example,dc=com)(memberOf=cn=internal,ou=employees,ou=south,dc=example,dc=com))"
Example Search Filters for Active Directory only
For syncing between Active Directory and IDM, you can make use of the userAccountControl attribute; this is an Active Directory® attribute that provides information about a user's account status.
- You can exclude all inactive users (that is, only include active users) with the following filter, which uses the LDAP_MATCHING_RULE_BIT_AND matching rule (OID 1.2.840.113556.1.4.803) to test the ACCOUNTDISABLE bit (value 2) of userAccountControl: "accountSynchronizationFilter" : "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
- You can include only active users whose organisational unit is customers with the following filter: "accountSynchronizationFilter" : "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(ou=customers))"
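The following is an added example, not IDM or ForgeRock code, that shows how the filter syntax described above (AND/OR/NOT operators, bracket balancing) and the Active Directory bitwise userAccountControl match are evaluated. It implements a small parser and evaluator for the subset of LDAP filter syntax used in the examples on this page and runs each example filter against a handful of constructed directory entries, so you can check which users a given accountSynchronizationFilter would include before putting it in provisioner.openicf-ldap.json. The entries, uids and group DNs are constructed sample data; the OID 1.2.840.113556.1.4.803 is the real LDAP_MATCHING_RULE_BIT_AND rule and 2 is the real ACCOUNTDISABLE flag value.

```python
"""Evaluate accountSynchronizationFilter-style LDAP filters against sample entries.

Added example (not IDM code). Supports (&...), (|...), (!...), equality
(attr=value) and the AD bitwise-AND extensible match attr:1.2.840.113556.1.4.803:=value.
Entries are dicts mapping lowercase attribute names to lists of string values.
"""

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 2                       # userAccountControl bit for a disabled account


def check_brackets(filter_str):
    """True if every '(' has a matching ')' and the filter is one complete group."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:  # a ')' before its '('
                return False
    return depth == 0 and filter_str.startswith("(")


def parse_filter(s):
    """Parse a filter string into a tuple tree; raise ValueError on malformed input."""
    if not check_brackets(s):
        raise ValueError("unbalanced brackets in filter: %r" % s)
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing characters after filter: %r" % s[pos:])
    return node


def _parse(s, i):
    """Parse one bracketed group starting at s[i]; return (node, index after group)."""
    if s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    op = s[i]
    if op in "&|!":  # operator: followed by one or more bracketed criteria
        i += 1
        children = []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at position %d" % i)
        if op == "!" and len(children) != 1:
            raise ValueError("NOT takes exactly one criterion")
        return (op, children), i + 1
    end = s.index(")", i)
    body = s[i:end]
    if ":=" in body:  # extensible match: attr:matchingRuleOID:=value
        lhs, value = body.split(":=", 1)
        attr, rule = lhs.split(":", 1)
        return ("ext", attr.lower(), rule, value), end + 1
    attr, value = body.split("=", 1)  # value may itself contain '=' (a DN)
    return ("eq", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "eq":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    _, attr, rule, value = node
    if rule != BIT_AND_RULE:
        raise ValueError("unsupported matching rule %s" % rule)
    mask = int(value)  # BIT_AND matches when every bit of the value is set
    return any(int(v) & mask == mask for v in entry.get(attr, []))


def users_to_sync(filter_str, entries):
    """uids an accountSynchronizationFilter would include; None (the default) syncs all."""
    if filter_str is None:
        return [e["uid"][0] for e in entries]
    node = parse_filter(filter_str)
    return [e["uid"][0] for e in entries if matches(node, e)]


# Constructed sample entries (not real directory data). 512 = NORMAL_ACCOUNT,
# 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "ou": ["customers"], "useraccountcontrol": ["512"],
     "memberof": ["cn=internal,ou=employees,ou=north,dc=example,dc=com"]},
    {"uid": ["bob"], "ou": ["customers"], "useraccountcontrol": ["514"],
     "memberof": []},
    {"uid": ["carol"], "ou": ["staff"], "useraccountcontrol": ["512"],
     "memberof": ["cn=internal,ou=employees,ou=south,dc=example,dc=com"]},
]

if __name__ == "__main__":
    active_customers = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(ou=customers))"
    print(users_to_sync(active_customers, SAMPLE_ENTRIES))
```

Running the script prints the uids of active accounts in the customers organisational unit from the sample data. A filter with a missing closing bracket makes parse_filter raise ValueError rather than silently matching nothing, which is the check the note about balanced brackets is asking you to perform.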