How to use LDAP groups as user groups
You can use LDAP groups directly as OMS user groups. This means OMS can, if configured, rely on the LDAP server for issuing memberships to user groups and extending access to assets.
These steps can only be followed if your authentication scheme is set to LDAP and you have Bind DN and Bind password set. If your institution uses an authentication scheme other than LDAP, such as RADIUS or Active Directory, these steps cannot be followed.
By using LDAP groups as user groups, you are shifting all management of OMS user groups (only the groups you specify) to be handled directly from the LDAP server.
User groups imported using this method behave like other user groups: for example, they can inherit an authorization policy and be granted access to assets. However, you cannot edit individual users imported through LDAP group synchronization. A small indicator in your users table shows which users were imported through LDAP group synchronization and are therefore uneditable.
To use LDAP groups as user groups:
Note: Local OMS user groups can continue to be used regardless of these settings.
1. Starting in the dashboard, click Auth > Authentication.
2. In General Settings, click Authentication scheme > LDAP.
3. In the LDAP User Group Synchronization area, select Synchronize LDAP groups with OMS.
More options appear immediately after the setting is enabled.
4. Set your preferred synchronization method in the Synchronization list.
Periodic: Automatically synchronize with LDAP at recurring periods.
Manual: Require manual synchronizations, and never synchronize automatically.
Note: With either choice, you can always synchronize by clicking ‘Synchronize Now’.
5. Configure the following settings:
Synchronization Rate (hours) (required if Periodic)
Group DN
Group filter
Group ID attribute
Group name attribute
Group description attribute
See LDAP settings for detailed descriptions of each setting, or move the pointer over a setting name for in-app descriptions.
6. Click the accept icon.
The first synchronization occurs at this time. If your group attribute settings are correct and your filter query returned results, the returned results are now OMS user groups.
The results of this first synchronization, and of every subsequent synchronization, appear in your event log. Two events are logged for each manual synchronization or periodic re-synchronization: one when it begins and one when it finishes. In addition, one event is logged for each user added to or removed from a user group because of LDAP group membership changes.
Understanding user group synchronization with LDAP
User groups synchronized through LDAP have nearly identical behavior to “normal” user groups. However, the members of these groups are changeable from the LDAP server only.
LDAP group synchronization allows you to use your institution’s LDAP directory as the basis of some user groups. Because many LDAP directories include groups that are maintained by network access, geographical location, job responsibilities, and more, the LDAP directory already controls policy for your institution in a number of ways. By allowing OMS to synchronize with specific groups from the LDAP server, you can use those groups and their members just as if they were created natively in OMS.
User groups imported and synchronized from an LDAP server are usable like any other user group: for example, they can inherit a permission policy and be granted access to assets.
Members of an LDAP-synchronized user group are modifiable from the LDAP server only. Additions and removals of users in such a user group depend entirely on the LDAP server. For example, the only way to remove a user from an LDAP user group in OMS is to remove the user from the group directly in LDAP.
The users that are imported as part of the LDAP group synchronization are not editable. Any properties those users might have, such as an email address, are dimmed and unavailable for editing, with the exception of enabling or disabling the user. LDAP-group users are uneditable after they are synchronized into OMS because any edits made would be overwritten the next time a synchronization is performed.
Differences in LDAP synchronization modes
User group synchronization using LDAP groups can be performed automatically or manually. There are differences between the available modes.
Periodic synchronization means that every N hours (where N is configurable), OMS automatically sends your LDAP group filter query to the LDAP server and fetches its results. This keeps your LDAP-synchronized user groups perpetually synchronized in OMS. The synchronization rate determines how often this is done. For example, a synchronization rate of 12 hours means that up to 12 hours can elapse before a user addition or removal on the LDAP server is reflected in OMS user groups, because the LDAP query executes only every 12 hours.
Manual synchronization means that OMS does not automatically send an LDAP query to synchronize the user groups. Each time you want to reflect user additions or removals that might have occurred on the LDAP server, you must log in to OMS and synchronize manually. This can cause user groups to become out of date with respect to the LDAP server; however, users are never added to or removed from these user groups without an OMS administrator’s consent.
Regardless of your chosen synchronization mode, you can synchronize at any time by clicking Synchronize Now. The LDAP activity is recorded in the OMS event log.
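The following is an added illustration, not OMS code, of what one synchronization pass does with the step-5 settings and the behaviour described above: entries under Group DN that match the Group filter become groups via the ID, name and description attributes, membership is taken only from the directory, and one event is produced per added or removed user between the start and finish events. The DNs, attribute values and entries are constructed, and filter matching is simplified to a single (attr=value) equality filter.

```python
import re

# Step-5 settings; all values here are constructed for this example
SETTINGS = {
    "group_dn": "ou=groups,dc=example,dc=org",
    "group_filter": "(objectClass=groupOfNames)",  # equality filters only here
    "group_id_attr": "cn",
    "group_name_attr": "cn",
    "group_desc_attr": "description",
}

# Constructed entries, as a search under group_dn might return them
LDAP_ENTRIES = [
    {"dn": "cn=netops,ou=groups,dc=example,dc=org", "objectClass": ["groupOfNames"],
     "cn": ["netops"], "description": ["Network operations"],
     "member": ["uid=alice,ou=people,dc=example,dc=org",
                "uid=bob,ou=people,dc=example,dc=org"]},
    {"dn": "cn=auditors,ou=groups,dc=example,dc=org", "objectClass": ["groupOfNames"],
     "cn": ["auditors"], "description": ["Read-only audit staff"],
     "member": ["uid=carol,ou=people,dc=example,dc=org"]},
    {"dn": "cn=printers,ou=groups,dc=example,dc=org", "objectClass": ["device"],
     "cn": ["printers"], "member": []},  # excluded by the filter
]

def matches(entry, ldap_filter):
    """Evaluate one equality filter such as (objectClass=groupOfNames)."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled")
    attr, value = m.groups()
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def synchronize(entries, current, settings=SETTINGS):
    """One sync pass: returns (new group state, event log lines).

    current and the result map group id -> {"name", "description", "members"}.
    Membership comes from the directory only, so removing a user from the
    LDAP group is the only way to remove them from the synchronized group.
    """
    events, new = ["sync started"], {}
    for e in entries:
        if not e["dn"].endswith(settings["group_dn"]) or not matches(e, settings["group_filter"]):
            continue
        gid = e[settings["group_id_attr"]][0]
        new[gid] = {"name": e[settings["group_name_attr"]][0],
                    "description": e.get(settings["group_desc_attr"], [""])[0],
                    "members": set(e.get("member", []))}
    for gid in set(current) | set(new):  # diff old vs. new membership per group
        before = current.get(gid, {}).get("members", set())
        after = new.get(gid, {}).get("members", set())
        events += [f"user added: {u} -> {gid}" for u in sorted(after - before)]
        events += [f"user removed: {u} <- {gid}" for u in sorted(before - after)]
    events.append("sync finished")
    return new, events
```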