Setting

Description

Enable Nested Groups

Enable or disable support for nested groups.

Some directory servers allow you to define a group as a member of another group. Groups in such a structure are called nested groups. Nested groups simplify permissions by allowing sub-groups to inherit permissions from a parent group.

Manage User Status Locally

If true, you can activate and deactivate users in Crowd independent of their status in the directory server.

Filter out expired users

If true, user accounts marked as expired in Active Directory will be automatically removed. For cached directories, the removal of a user will occur during the first synchronization after the account's expiration date.

Note: This is available in Embedded Crowd 2.0.0 and above, but not available in the 2.0.0 m04 release.

Use Paged Results

Enable or disable the use of the LDAP control extension for simple paging of search results. If paging is enabled, the search will retrieve sets of data rather than all of the search results at once. Enter the desired page size – that is, the maximum number of search results to be returned per page when paged results are enabled. The default is 1000 results.

Follow Referrals

Choose whether to allow the directory server to redirect requests to other servers. This option uses the node referral (JNDI lookup java.naming.referral) configuration setting. It is generally needed for Active Directory servers configured without proper DNS, to prevent a 'javax.naming.PartialResultException: Unprocessed Continuation Reference(s)' error.

Naive DN Matching

If your directory server will always return a consistent string representation of a DN, you can enable naive DN matching. Using naive DN matching will result in a significant performance improvement, so we recommend enabling it where possible.

This setting determines how your application will compare DNs to determine if they are equal.

  • If this checkbox is selected, the application will do a direct, case-insensitive, string comparison. This is the default and recommended setting for Active Directory, because Active Directory guarantees the format of DNs.
  • If this checkbox is not selected, the application will parse the DN and then check the parsed version.
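
To make the difference between the two comparison modes concrete, here is an added Python example (illustrative code, not Crowd's own implementation). It compares a naive case-insensitive string match against a parse-then-compare match that splits the DN into RDNs per RFC 4514, un-escapes values and ignores unescaped whitespace around separators. The sample DNs and the names naive_match, parse_dn, parsed_match and _finish are constructed for this example; quoted (RFC 2253 legacy) values are not handled.

```python
"""Naive DN matching (raw case-insensitive string compare) versus parsed
DN matching (normalised RDN compare).  Illustrative only; not Crowd code."""

HEX = "0123456789abcdefABCDEF"


def naive_match(a: str, b: str) -> bool:
    """Naive DN matching: direct, case-insensitive comparison of the raw strings."""
    return a.casefold() == b.casefold()


def _finish(attr, value):
    """Turn the collected attribute/value pieces into one normalised pair."""
    # Drop unescaped spaces at either end of the value; escaped ones are kept.
    while value and value[0] == (" ", False):
        value.pop(0)
    while value and value[-1] == (" ", False):
        value.pop()
    raw = bytearray()
    for piece, _escaped in value:
        raw.extend(piece if isinstance(piece, bytes) else piece.encode("utf-8"))
    return ("".join(attr).strip().casefold(), raw.decode("utf-8").casefold())


def parse_dn(dn: str):
    """Parse a DN into a list of RDNs, each a frozenset of (type, value) pairs
    with case, escapes and separator whitespace normalised."""
    rdns, rdn = [], []
    attr, value = [], []          # value pieces: (str or bytes, was_escaped)
    in_value = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if not in_value:
            if c == "=":
                in_value = True
            elif c in ",+":
                raise ValueError("malformed DN: separator before '='")
            else:
                attr.append(c)
            i += 1
        elif c == "\\":
            # Escape is either \<hexpair> (one raw byte) or \<char>.
            if i + 2 < len(dn) and dn[i + 1] in HEX and dn[i + 2] in HEX:
                value.append((bytes([int(dn[i + 1:i + 3], 16)]), True))
                i += 3
            elif i + 1 < len(dn):
                value.append((dn[i + 1], True))
                i += 2
            else:
                raise ValueError("malformed DN: trailing backslash")
        elif c in ",+":
            rdn.append(_finish(attr, value))
            attr, value, in_value = [], [], False
            if c == ",":              # '+' keeps collecting the same multi-valued RDN
                rdns.append(frozenset(rdn))
                rdn = []
            i += 1
        else:
            value.append((c, False))
            i += 1
    if attr or value:
        if not in_value:
            raise ValueError("malformed DN: attribute without value")
        rdn.append(_finish(attr, value))
        rdns.append(frozenset(rdn))
    return rdns


def parsed_match(a: str, b: str) -> bool:
    """Parsed DN matching: equal when the normalised RDN sequences are equal."""
    return parse_dn(a) == parse_dn(b)


# Constructed sample DNs: the same entry written in different ways.
DN_CANONICAL = "CN=Jane Doe,OU=Staff,DC=example,DC=com"
DN_SPACED = "cn=jane doe, ou=staff, dc=example, dc=com"
DN_ESCAPED_CHAR = "CN=Doe\\, Jane,OU=Staff,DC=example,DC=com"
DN_ESCAPED_HEX = "CN=Doe\\2c Jane,OU=Staff,DC=example,DC=com"

if __name__ == "__main__":
    for a, b in [(DN_CANONICAL, DN_SPACED), (DN_ESCAPED_CHAR, DN_ESCAPED_HEX)]:
        print(f"naive={naive_match(a, b)} parsed={parsed_match(a, b)}: {a!r} vs {b!r}")
```

The spaced and escaped spellings are legal representations of the same DN, and naive matching treats them as different entries; that is the class of mismatch the setting trades away for speed, which is why it is only safe when the server always returns one consistent form.
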

Enable Incremental Synchronization

Enable incremental synchronization if you only want changes since the last synchronization to be queried when synchronizing a directory.

Warning: when using this option, the user account configured for synchronization must have read access to:

  • The uSNChanged attribute of all users and groups in the directory that need to be synchronized.
  • The objects and attributes in the Active Directory deleted objects container.

If at least one of these conditions is not met, you may end up with users who are added to (or deleted from) the Active Directory not being respectively added (or deleted) in the application.

This setting is only available if the directory type is set to "Microsoft Active Directory".
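
As an added illustration of why both read permissions matter (this is an in-memory simulation, not Crowd's synchroniser), the following Python models an Active Directory in which every write bumps a global USN and stamps it on the object as uSNChanged, and deletes leave a tombstone in the Deleted Objects container instead of removing the object. The incremental sync fetches only entries with uSNChanged above the last watermark; the can_read_usn and can_read_deleted flags stand in for the sync account's permissions. Entry names, GUIDs, the domain and the function names are constructed for this example, and the tombstone DN rename is an approximation of what AD does.

```python
"""Simulated uSNChanged-based incremental sync against a fake AD.
Illustrative only; not the application's own synchroniser."""
from dataclasses import dataclass, field

DELETED_CONTAINER = "CN=Deleted Objects,DC=example,DC=com"   # constructed domain


@dataclass
class Entry:
    guid: str
    dn: str
    usn_changed: int
    is_deleted: bool = False


@dataclass
class FakeActiveDirectory:
    """Every write increments the directory-wide USN and records it on the
    modified object; deletions become tombstones rather than disappearing."""
    entries: dict = field(default_factory=dict)
    highest_committed_usn: int = 0

    def _next_usn(self) -> int:
        self.highest_committed_usn += 1
        return self.highest_committed_usn

    def add(self, guid: str, dn: str) -> None:
        self.entries[guid] = Entry(guid, dn, self._next_usn())

    def delete(self, guid: str) -> None:
        # Tombstone: moved under the Deleted Objects container, uSNChanged bumped.
        e = self.entries[guid]
        name = e.dn.split(",", 1)[0]                  # e.g. "CN=bob"
        e.dn = f"{name}\\0ADEL:{guid},{DELETED_CONTAINER}"   # approximate rename
        e.is_deleted = True
        e.usn_changed = self._next_usn()

    def changed_since(self, usn: int, can_read_usn: bool, can_read_deleted: bool):
        """Entries whose uSNChanged is above `usn`, limited to what the sync
        account may read: an unreadable attribute never matches a filter, and
        an unreadable container returns nothing."""
        if not can_read_usn:
            return []
        return [e for e in self.entries.values()
                if e.usn_changed > usn and (can_read_deleted or not e.is_deleted)]


def full_sync(ad):
    """Initial (non-incremental) sync: copy all live entries, record the watermark."""
    local = {e.guid: e.dn for e in ad.entries.values() if not e.is_deleted}
    return local, ad.highest_committed_usn


def incremental_sync(ad, local, watermark, can_read_usn=True, can_read_deleted=True):
    """Apply only the changes since `watermark` to the local store; returns the new watermark."""
    for e in ad.changed_since(watermark, can_read_usn, can_read_deleted):
        if e.is_deleted:
            local.pop(e.guid, None)        # deletion learned from the tombstone
        else:
            local[e.guid] = e.dn           # new or modified entry
    return ad.highest_committed_usn


def run_scenario(can_read_usn=True, can_read_deleted=True):
    """Full sync, then one add and one delete in AD, then an incremental sync
    under the given permissions.  Returns the GUIDs still held locally."""
    ad = FakeActiveDirectory()
    ad.add("guid-alice", "CN=alice,OU=Staff,DC=example,DC=com")
    ad.add("guid-bob", "CN=bob,OU=Staff,DC=example,DC=com")
    local, watermark = full_sync(ad)
    ad.add("guid-carol", "CN=carol,OU=Staff,DC=example,DC=com")
    ad.delete("guid-bob")
    incremental_sync(ad, local, watermark, can_read_usn, can_read_deleted)
    return sorted(local)


if __name__ == "__main__":
    print("both readable:          ", run_scenario())
    print("no Deleted Objects read:", run_scenario(can_read_deleted=False))
    print("no uSNChanged read:     ", run_scenario(can_read_usn=False))
```

With both permissions the local store ends up as alice and carol. Without read access to the Deleted Objects container, bob's deletion is never seen and the account lingers locally; without read access to uSNChanged, the change filter matches nothing and neither the new user nor the deletion arrives. The stale local account is the failure mode the warning above describes, and it persists until a full synchronization runs.
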

Update group memberships when logging in

This setting enables updating group memberships during authentication and can be set to the following options:

  • Every time the user logs in: during the authentication, the user’s direct group memberships will be updated to match what’s in the remote directory:

    • Remove the user from all groups that the user no longer belongs to in the remote directory.

    • Add the user to all the groups that the user belongs to in the remote directory. New groups with matching names and descriptions will be created locally if needed. The group will only contain the current user and other memberships will be populated when users who belong to the same group log in or when the synchronization happens.

  • For newly added users only: when a new user logs in for the first time, the user’s direct group memberships will be updated to match what’s in the remote directory.

    Note that the user's group memberships are updated only if the user was created during that authentication.

  • Never: during the authentication, the user's group memberships won’t change, even if the local state doesn’t match what’s in the remote.

Synchronization Interval (minutes)

Synchronization is the process by which the application updates its internal store of user data to agree with the data on the directory server. The application will send a request to your directory server every x minutes, where 'x' is the number specified here. The default value is 60 minutes.

Read Timeout (seconds)

The time, in seconds, to wait for a response to be received. If there is no response within the specified time period, the read attempt will be aborted. A value of 0 (zero) means there is no limit. The default value is 120 seconds.

Search Timeout (seconds)

The time, in seconds, to wait for a response from a search operation. A value of 0 (zero) means there is no limit. The default value is 60 seconds.

Connection Timeout (seconds)

This setting affects two actions. The default value is 10.

  • The time to wait when getting a connection from the connection pool. A value of 0 (zero) means there is no limit, so wait indefinitely.
  • The time, in seconds, to wait when opening new server connections. A value of 0 (zero) means that the TCP network timeout will be used, which may be several minutes.