
Symantec VIP Enterprise Gateway LDAP Sync: Clarify LDAP % threshold settings


Article ID: 150606


Products

VIP Service

Issue/Introduction

Clarify LDAP % threshold settings in VIP Enterprise gateway

Environment

VIP Enterprise Gateway

Resolution

The LDAP sync threshold applies to write operations (add/update/delete) only. During a sync, a getUserinfo call first reads 100% of the user records in the VIP cloud and then 100% of the members matched by the filter(s) in the configured User Store(s). From the delta between LDAP and the VIP user store, the write operations then apply only the configured percentage of the records in that delta.

For example, suppose an ADD operation needs to add x records, an UPDATE operation needs to update y records, and a DELETE operation needs to delete z records. If the threshold is set to 10%, the next scheduled sync would process:

10% of x ADD records
10% of y UPDATE records
10% of z DELETE records

The LDAP sync threshold is applied anew on each synchronization. For example, if 100 records need to be created, 10% of them (10 users) are created on the first run. On the next job, 90 records still need to be created, and again 10% of those are created. The per-run counts change if new records are added to LDAP between runs or if the threshold % value is changed in the console settings. The exception to this rule is clicking RUN ONCE or SYNCHRONIZE NOW, which forces 100% synchronization of all records.
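The following is an added example, not Symantec code, that models the threshold behaviour described above so the effect of a low threshold on a large delta can be seen run by run. The delta sizes are constructed, and the rounding (round up, so a non-zero backlog always makes progress) is an assumption: the article does not state how the gateway rounds a fractional percentage.

```python
"""Model of the VIP Enterprise Gateway LDAP sync threshold (constructed example).

Assumptions not taken from the article:
  * per-run counts are rounded up (ceil), so any non-zero backlog progresses;
  * the delta is not changed between runs (no new LDAP records appear).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncDelta:
    """Pending write operations between LDAP and the VIP user store."""
    add: int
    update: int
    delete: int

    def is_empty(self) -> bool:
        return self.add == self.update == self.delete == 0


@dataclass(frozen=True)
class SyncRun:
    """What one scheduled sync wrote, and what was still pending afterwards."""
    run: int
    processed: SyncDelta
    remaining: SyncDelta


def records_this_run(pending: int, threshold_pct: int) -> int:
    """Number of records of one operation type written in a single sync.

    Integer ceiling division avoids floating-point surprises on the
    percentage calculation (assumed rounding, see module docstring).
    """
    if not 0 < threshold_pct <= 100:
        raise ValueError("threshold must be between 1 and 100 percent")
    return -(-pending * threshold_pct // 100)


def scheduled_sync(delta: SyncDelta, threshold_pct: int,
                   force_full: bool = False) -> tuple[SyncDelta, SyncDelta]:
    """One synchronization. Returns (processed, remaining).

    force_full models RUN ONCE / SYNCHRONIZE NOW, which the article says
    ignores the threshold and applies 100% of the delta.
    """
    pct = 100 if force_full else threshold_pct
    processed = SyncDelta(
        add=records_this_run(delta.add, pct),
        update=records_this_run(delta.update, pct),
        delete=records_this_run(delta.delete, pct),
    )
    remaining = SyncDelta(
        add=delta.add - processed.add,
        update=delta.update - processed.update,
        delete=delta.delete - processed.delete,
    )
    return processed, remaining


def simulate(delta: SyncDelta, threshold_pct: int, max_runs: int = 50) -> list[SyncRun]:
    """Run scheduled syncs until the delta is drained or max_runs is reached."""
    runs: list[SyncRun] = []
    pending = delta
    for i in range(1, max_runs + 1):
        if pending.is_empty():
            break
        processed, pending = scheduled_sync(pending, threshold_pct)
        runs.append(SyncRun(i, processed, pending))
    return runs


if __name__ == "__main__":
    # Constructed delta: 100 adds, 50 updates and 20 deletes at a 10% threshold.
    for r in simulate(SyncDelta(add=100, update=50, delete=20), threshold_pct=10):
        print(f"run {r.run:2d}: +{r.processed.add:3d} ~{r.processed.update:3d} "
              f"-{r.processed.delete:3d}  remaining {r.remaining}")
```

The delete column is the one worth watching: with a 10% threshold, a sudden 20-record delete delta costs only 2 accounts on the first scheduled run, which gives an administrator time to notice an unexpected delta (for example after a filter change) before the rest is applied. A RUN ONCE or SYNCHRONIZE NOW bypasses that protection, which is why the article's advice to run a simulation first matters most before a forced full sync.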

Thresholds do not apply to the synchronization of administrative records.

Always run an LDAP Sync simulation before applying your changes, then review the simulation logs to see the changes that an actual sync would have made.

Note: Use the following filters in conjunction with your User Store filters if you want to exclude users with a disabled or locked status from synchronizing with your VIP Service User Store:

Exclude users with a disabled status in the User Store: (&(<Your Filter>)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Exclude users with a locked status in the User Store: (&(<Your Filter>)(!(userAccountControl:1.2.840.113556.1.4.803:=16)))
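As an added example (not Symantec code), the snippet below builds the two exclusion filters above around an arbitrary User Store filter and evaluates them against constructed userAccountControl values, to show which accounts each clause drops. The matching rule OID 1.2.840.113556.1.4.803 is Active Directory's LDAP_MATCHING_RULE_BIT_AND, which matches when every bit of the given mask is set in the attribute value; that is what the evaluator implements. The sample users and their flag values are constructed.

```python
"""Build and evaluate the userAccountControl exclusion filters (constructed example).

LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803): an attribute value
matches when (value & mask) == mask. The filters below negate that match, so
accounts carrying the flag are excluded from the User Store result set.
"""
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# userAccountControl flag values used by the article's filters.
ACCOUNTDISABLE = 0x0002   # decimal 2
LOCKOUT = 0x0010          # decimal 16

# Additional well-known flags, used only to build realistic sample values.
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000


def exclude_flag(base_filter: str, mask: int) -> str:
    """Wrap a User Store filter so that accounts with `mask` set are excluded.

    Produces exactly the shape shown in the article:
    (&(<Your Filter>)(!(userAccountControl:1.2.840.113556.1.4.803:=<mask>)))
    """
    if not (base_filter.startswith("(") and base_filter.endswith(")")):
        raise ValueError("base filter must be a parenthesised LDAP filter")
    return f"(&{base_filter}(!(userAccountControl:{BIT_AND_RULE}:={mask})))"


def bit_and_matches(uac_value: int, mask: int) -> bool:
    """Semantics of the BIT_AND matching rule for one attribute value."""
    return uac_value & mask == mask


def would_sync(uac_value: int, *excluded_masks: int) -> bool:
    """True when the account passes every negated BIT_AND clause."""
    return not any(bit_and_matches(uac_value, m) for m in excluded_masks)


def users_to_sync(users: dict[str, int], *excluded_masks: int) -> list[str]:
    """Names of the accounts that would remain in the User Store result set."""
    return sorted(name for name, uac in users.items() if would_sync(uac, *excluded_masks))


# Constructed directory contents: name -> userAccountControl value.
SAMPLE_USERS = {
    "alice": NORMAL_ACCOUNT,                         # 512: enabled
    "bob": NORMAL_ACCOUNT | ACCOUNTDISABLE,          # 514: disabled
    "carol": NORMAL_ACCOUNT | LOCKOUT,               # 528: locked
    "dave": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,   # 66048: enabled, no expiry
}

if __name__ == "__main__":
    base = "(memberOf=CN=VIP Users,OU=Groups,DC=example,DC=com)"  # assumed filter
    print(exclude_flag(base, ACCOUNTDISABLE))
    print(exclude_flag(exclude_flag(base, ACCOUNTDISABLE), LOCKOUT))  # both clauses
    print("synced:", users_to_sync(SAMPLE_USERS, ACCOUNTDISABLE, LOCKOUT))
```

The two clauses can be nested as shown to exclude both disabled and locked accounts at once. One caveat when checking the simulation logs: Active Directory does not store the LOCKOUT bit in the userAccountControl attribute itself (it is exposed through the constructed attribute msDS-User-Account-Control-Computed), so the locked-status filter above may not remove locked accounts on every directory; the simulation run recommended earlier is the way to confirm what the filter actually excludes.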

If the status of a VIP user changes to disabled or locked, the next LDAP Directory Synchronization treats that user as deleted from your user store and removes the user's account from the VIP Service.
