Configuring LDAP user search parameters

About this task

Use the User Search section to search for users in the LDAP database. The search starts at the directory that is defined in the User Base field, and uses the search query that is specified in the User Search field.
Note: Depending on the type of LDAP server that you install, click Set Defaults to load the LDAP utility with the default parameter values for your server type.

Procedure

  1. Enter the user search information.
    User Base
    Specify the LDAP directory that you want to start the user search from. If left blank, the search is started from the top-level element in the directory. For example, OU=location,DC=domain,DC=com. You can refine your search by going deeper into the OU structure and select to start the search from within a specific organizational unit. For example, to start from an OU called Test, set the User Base value to OU=Test,OU=location,DC=domain,DC=com. The search starts at the Test OU and looks for users that match the User Search criteria. If User Subtree is selected, any OU that belongs to Test OU is also searched.
    Note:
    • Use the Browse icon to the right of the field to navigate through your directory structure and select a specific starting location.
    • To import users not belonging to any OU, you need to remove the OU from the User Base.
      Warning: This action will import the whole domain tree.
    User Search
    Specify the LDAP filter expression to be used for the user search. For example, (objectClass=user). The expression must filter the results so that only the users that you want are imported into Remote Control. The default value is (userPrincipalName={0}@MyCompany.com). {0} is substituted with the user ID that is used to log on to Remote Control, and MyCompany.com is the host name of your LDAP server. That is, the filter looks for users within the specified User Base whose userPrincipalName matches the logon ID.
    Note: Some environments have thousands of users. Therefore, it is important to create a filter that imports only the users that you want. To limit the users to only those who are members of groups that are imported into Remote Control through the GroupSearch filter, select User Must be in a Group. If you do not select this property, users that do not belong to any of the imported LDAP groups are automatically assigned to the DefaultGroup user group.
    The search can be further refined by using more complex queries. For example, set the following values:
      GroupBase=(OU=location,DC=domain,DC=com)
      UserSearch=(&(objectClass=user)(|(memberOf=CN=Department1,OU=GROUPS,OU=location,DC=domain,DC=com)(memberOf=CN=Department3,OU=GROUPS,OU=location,DC=domain,DC=com))(name={0}))
    Define three groups: Department1, Department2, and Department3. The query authenticates and imports any users that have an objectClass value equal to user and that are members of the group Department1 OR Department3. Users from Department2 cannot log on to Remote Control because they are not imported. The (name={0}) clause is added to the end to specify that the name attribute is used for logging in. This attribute must match the attribute that is specified as Userid.
    User Subtree
    Select this option if you want to recursively search the subtree of the element that is specified in the UserBase attribute for users. If you do not select it, only the top level is searched. The default state is not selected.
    User Must be in a Group
    Select this option to limit the users that are imported to only those users who are members of groups that are imported into Remote Control through the GroupSearch filter. The default state is not selected.
    Note: To import users who do not belong to any LDAP group, you must clear the User Must be in a Group check box.
    Warning: This action imports all users identified by the domain and OU specified in the User Base. You can give permissions to those users only by giving permission to the DefaultGroup (the local Remote Control group), to which all users are automatically added regardless of their group membership.
    LDAP attributes
    Enter the user-specific LDAP attribute names to use for importing the user details into the corresponding Remote Control user properties.
    Userid
    The LDAP attribute that contains the user ID that is mapped to the userid field in Remote Control. Use one of the following attributes:
    sAMAccountName
    Set sAMAccountName to use only the user ID portion of the logon (without the UPN suffix).
    userPrincipalName
    Set userPrincipalName to force all logons to use the full User Principal Name.

    Set Userid to the userPrincipalName value to ensure that the user ID that is entered is not reported as containing invalid characters. For example, an apostrophe might be reported as an invalid character.

    User Password
    The name of the LDAP attribute in the user's directory entry that contains the user's password. In Active Directory, password is the default name of the attribute.
    User Email
    The name of the LDAP attribute in the user's directory entry that contains the user's email address.
    Note: User Email must not have a null value. If your Active Directory Tree does not contain email information, a different attribute must be used. For example, it can be set to userPrincipalName.
    Employeeid
    The name of the LDAP attribute in the user's directory entry that contains the user's employee ID.
    Title
    The name of the LDAP attribute in the user's directory entry that contains the user's title.
    Forename
    The name of the LDAP attribute in the user's directory entry that contains the user's forename (first name).
    Initials
    The name of the LDAP attribute in the user's directory entry that contains the user's initials.
    Surname
    The name of the LDAP attribute in the user's directory entry that contains the user's surname.
    Department
    The name of the LDAP attribute in the user's directory entry that contains the user's department.
    Company
    The name of the LDAP attribute in the user's directory entry that contains the user's company.
    Location
    The name of the LDAP attribute in the user's directory entry that contains the user's location.
    Floor
    The name of the LDAP attribute in the user's directory entry that contains the user's floor.
    Address_1
    The name of the LDAP attribute in the user's directory entry that contains the user's address_1 details.
    Address_2
    The name of the LDAP attribute in the user's directory entry that contains the user's address_2 details.
    Town
    The name of the LDAP attribute in the user's directory entry that contains the user's town.
    Country
    The name of the LDAP attribute in the user's directory entry that contains the user's country.
    State
    The name of the LDAP attribute in the user's directory entry that contains the user's state.
    Telephone
    The name of the LDAP attribute in the user's directory entry that contains the user's telephone number.
    Mobile
    The name of the LDAP attribute in the user's directory entry that contains the user's mobile number.
  2. Click Test User Search.
    A message box is displayed with the total number of users that are found as a result of the search.
  3. Click OK.
    The resulting users are shown in the text box. If LDAP synchronization is enabled, this list of users is imported from LDAP. Click the icon to the left of a user name to see the LDAP attributes and values that are defined for that user. Click the icon to the right of the user name to display the Remote Control user field values, which are the values that are imported into the Remote Control database.
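The following Python script is an added example, not part of this documentation or of the Remote Control product. It shows what the User Search filter from step 1 does when the server evaluates it: {0} is substituted with the logon ID, and the Department1 OR Department3 membership test decides which entries are imported. The filter matcher is a deliberately small stand-in for the LDAP server (it supports only &, |, ! and attr=value assertions), the directory entries are constructed sample data, and the escaping of the logon ID follows RFC 4515; the product's own substitution and the server's evaluation rules may differ in detail.

```python
import re

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a logon ID so it is matched literally and cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_search(template: str, user_id: str) -> str:
    """Substitute {0} in a User Search template with the escaped logon ID."""
    return template.replace("{0}", escape_filter_value(user_id))

def _unescape(value: str) -> str:
    """Turn RFC 4515 \\XX escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

class _Parser:
    """Minimal recursive-descent parser for (&...), (|...), (!...) and (attr=value)."""
    def __init__(self, text: str):
        self.text, self.pos = text, 0

    def parse(self):
        node = self._expr()
        if self.pos != len(self.text):
            raise ValueError(f"unexpected text after filter at offset {self.pos}")
        return node

    def _expect(self, ch: str) -> None:
        if self.text[self.pos:self.pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1

    def _expr(self):
        self._expect("(")
        op = self.text[self.pos:self.pos + 1]
        if op in ("&", "|"):
            self.pos += 1
            children = []
            while self.text[self.pos:self.pos + 1] == "(":
                children.append(self._expr())
            self._expect(")")
            return (op, children)
        if op == "!":
            self.pos += 1
            child = self._expr()
            self._expect(")")
            return ("!", [child])
        end = self.text.find(")", self.pos)  # an escaped ')' appears as \29, so this is safe
        if end == -1:
            raise ValueError("unterminated assertion")
        attr, sep, value = self.text[self.pos:end].partition("=")
        if not sep or not attr:
            raise ValueError("only attr=value assertions are supported")
        self.pos = end + 1
        return ("=", attr.strip().lower(), value)

def parse_filter(text: str):
    return _Parser(text).parse()

def _attr_values(entry: dict, attr: str) -> list:
    """Look up an attribute case-insensitively; LDAP attribute names are not case-sensitive."""
    for key, values in entry.items():
        if key.lower() == attr:
            return values if isinstance(values, list) else [values]
    return []

def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one directory entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = _attr_values(entry, attr)
    if value == "*":  # presence test
        return bool(values)
    wanted = _unescape(value).lower()  # DNs and most AD attributes compare case-insensitively
    return any(v.lower() == wanted for v in values)

# The User Search example from the page, with the DNs joined onto one line.
USER_SEARCH = (
    "(&(objectClass=user)"
    "(|(memberOf=CN=Department1,OU=GROUPS,OU=location,DC=domain,DC=com)"
    "(memberOf=CN=Department3,OU=GROUPS,OU=location,DC=domain,DC=com))"
    "(name={0}))"
)

# Constructed sample entries standing in for the result of the User Base search.
DIRECTORY = [
    {"objectClass": ["top", "person", "user"], "name": "alice",
     "memberOf": ["CN=Department1,OU=GROUPS,OU=location,DC=domain,DC=com"]},
    {"objectClass": ["top", "person", "user"], "name": "bob",
     "memberOf": ["CN=Department2,OU=GROUPS,OU=location,DC=domain,DC=com"]},
    {"objectClass": ["top", "person", "user"], "name": "carol",
     "memberOf": ["CN=Department3,OU=GROUPS,OU=location,DC=domain,DC=com"]},
]

def find_users(template: str, user_id: str, directory=DIRECTORY) -> list:
    """Names of the entries that a logon with user_id selects under the given template."""
    node = parse_filter(build_user_search(template, user_id))
    return [entry["name"] for entry in directory if matches(node, entry)]

if __name__ == "__main__":
    for uid in ("alice", "bob", "carol", "*"):
        print(uid, "->", find_users(USER_SEARCH, uid))
```

Running the script shows alice and carol selected by their own logon IDs, bob excluded because Department2 is not in the filter, and a logon ID of "*" matching nobody: because the substituted value is escaped, it is compared literally rather than treated as a wildcard or as extra filter syntax. That is the property to check for whatever component performs the {0} substitution in your deployment.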

Results

When you have the required user search results, you can save your current configuration by following the steps in Saving your LDAP configuration.