After setting up your AD/LDAP, you can configure the provisioning settings to define how user data are managed and updated.
- Go to your Identity Enterprise Manager > USERS > Directory Integration.
- Select a directory > Provisioning.
Provisioning to UniFi Identity Enterprise
- Specify how often you want UniFi Identity Enterprise to import users from the AD/LDAP directory.
- Select "Never" to prevent users from being automatically imported.
- Scheduled Import Method: Select the import method used by scheduled imports.
- Full import: When selected, all users in the selected OUs are imported from the AD/LDAP server into UniFi Identity Enterprise.
- Import by rule: When selected, scheduled imports run according to the import rules you have configured (if any), and UniFi Identity Enterprise imports only the users who belong to the AD/LDAP groups selected in the CONDITION field of those rules.
- Click Rule management (optional) to add or edit existing importing rules.
- UniFi Identity Enterprise Email Format: Specify the email format for imported users. When users are imported from the AD/LDAP directory, UniFi Identity Enterprise generates each user's UniFi Identity Enterprise email from the attribute selected here. You can also use a custom expression to build usernames for imported users.
- Modified User's Group by Import Rules: Specify whether group changes in the AD/LDAP directory are synced to all UniFi Identity Enterprise users, or only to newly imported users according to the user import rules.
User Matching and Actions
You can use matching rules to define whether an imported user should be viewed as a new user or mapped to an already-existing UniFi Identity Enterprise user. Imported users that match the rules will be viewed as existing users and other users will be viewed as new users.
An imported user and an existing UniFi Identity Enterprise user are an exact match if:
- Email matches: If the email of an imported user fully matches that of an existing UniFi Identity Enterprise user, the user will be viewed as an existing user.
An imported user and an existing UniFi Identity Enterprise user are a partial match if:
- Both the first and last name match: This occurs when an imported user's first name and last name match those of an existing UniFi Identity Enterprise user, even if the user's email address does not match.
Actions for exact or partial match
- Automatically confirm the import of users with an exact match: When ticked, the exact match users will be auto-confirmed. When unticked, you must manually confirm the exact match users.
- Automatically confirm the import of users with a partial match: When ticked, the partial match users will be auto-confirmed. When unticked, you must manually confirm the partial match users.
Actions for new users
- Automatically confirm the import of new users: New users will be imported to UniFi Identity Enterprise automatically, without needing confirmation.
- Automatically activate the imported users: This option is displayed once the Auto-confirm new user option is enabled. Enable it to activate new users once they are imported to UniFi Identity Enterprise, without needing manual activation.
Import Safeguard
Import Safeguard lets you set a threshold for the ratio of unassigned users. When the ratio of unassigned users reaches that threshold, all import tasks in your workspace are suspended.
- Enable Import Safeguard.
- Specify the percentage.
- Click Save Changes.
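To see how the matching rules, the confirmation actions and the Import Safeguard threshold interact before a scheduled import runs, here is a dry-run in Python. This is an added example, not UniFi Identity Enterprise code; the users are constructed sample data. It assumes that emails and names are compared case-insensitively after whitespace normalization, and that an "unassigned user" is an existing UniFi Identity Enterprise user whom no imported user matched (the page does not spell out that definition).

```python
"""Dry-run of the user matching rules and Import Safeguard (added example).

Not UniFi Identity Enterprise code. Sample users are constructed. Assumptions:
case-insensitive comparison of emails and names, and "unassigned user" means an
existing user that no imported user matched.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    email: str
    first: str
    last: str


@dataclass(frozen=True)
class Actions:
    """The tick boxes under "Actions for ..." in the provisioning settings."""
    auto_confirm_exact: bool = True
    auto_confirm_partial: bool = False
    auto_confirm_new: bool = True
    auto_activate_new: bool = False  # only offered once auto_confirm_new is on


def norm(text):
    return " ".join(text.split()).casefold()


def classify(imported, existing):
    """Exact match (email) takes precedence over partial match (first + last name)."""
    by_email = {norm(u.email): u for u in existing}
    by_name = {(norm(u.first), norm(u.last)): u for u in existing}
    hit = by_email.get(norm(imported.email))
    if hit is not None:
        return "exact", hit
    hit = by_name.get((norm(imported.first), norm(imported.last)))
    if hit is not None:
        return "partial", hit
    return "new", None


def plan_import(imported, existing, actions, safeguard_pct=None):
    """Return what the scheduled import would do, without applying it."""
    decisions = {}
    matched = set()
    for user in imported:
        kind, hit = classify(user, existing)
        if kind == "exact":
            action = "auto-confirm" if actions.auto_confirm_exact else "needs confirmation"
        elif kind == "partial":
            action = "auto-confirm" if actions.auto_confirm_partial else "needs confirmation"
        elif actions.auto_confirm_new:
            action = "auto-confirm+activate" if actions.auto_activate_new else "auto-confirm"
        else:
            action = "needs confirmation"
        if hit is not None:
            matched.add(hit)
        decisions[user.email] = (kind, action)

    unassigned = [u for u in existing if u not in matched]
    ratio = len(unassigned) / len(existing) if existing else 0.0
    # Import Safeguard: reaching the threshold suspends every import task,
    # so no decisions are applied at all.
    suspended = safeguard_pct is not None and ratio * 100 >= safeguard_pct
    return {
        "decisions": {} if suspended else decisions,
        "unassigned": sorted(u.email for u in unassigned),
        "unassigned_ratio": round(ratio, 4),
        "suspended": suspended,
    }


# Constructed sample data: three existing users, three arriving from AD/LDAP.
EXISTING = [
    User("alice@example.com", "Alice", "Jones"),
    User("bob@example.com", "Bob", "Smith"),
    User("carol@example.com", "Carol", "White"),
]
IMPORTED = [
    User("Alice@Example.com", "Alice", "Jones"),    # exact: same email, different case
    User("bob.smith@example.com", "Bob", "Smith"),  # partial: new email, same first + last name
    User("dave@example.com", "Dave", "Brown"),      # new
]

if __name__ == "__main__":
    for pct in (50, 25):
        print(pct, plan_import(IMPORTED, EXISTING, Actions(), safeguard_pct=pct))
```

With the default actions, Alice is auto-confirmed, Bob Smith waits for manual confirmation because only his name matches, and Dave is imported as a new user. Carol is the one existing user nobody matched, so the unassigned ratio is one in three: a 50% safeguard lets the run proceed, a 25% safeguard suspends it.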
AD Integration Settings
OUs connected to UniFi Identity Enterprise: Select the organizational units (OUs) whose users will be imported into UniFi Identity Enterprise.
LDAP Integration Settings
You can modify the LDAP integration settings in Provisioning > Integration.
- LDAP Version: Select an LDAP version to pre-populate the fields below.
- Unique Identifier Attribute: Specify the unique, immutable attribute of all LDAP objects (users and groups) that will be imported. Only objects that possess this attribute can be imported into your UniFi Identity Enterprise organization. UniFi Identity Enterprise populates this field automatically based on the LDAP version you chose; you can change the auto-populated value during initial setup. If your LDAP server implements the RFC, enter entryuuid in this field. For AD LDS, use
- User Search Base: The DN of the container for user searches (that is, the root of the user subtree). This is the base DN of the container that holds all users to be imported to your UniFi Identity Enterprise organization.
- User Object Class: The objectClass of a user that UniFi Identity Enterprise uses in its query when importing users. For example,
- User Object Filter: By default, UniFi Identity Enterprise auto-populates this field from the user objectClass, as (objectClass=<objectClass name>). This must be a valid LDAP filter.
- Group Search Base: The DN of the container for group searches (that is, the root of the group subtree) that holds all groups to be imported to your UniFi Identity Enterprise organization.
- Group Object Class: The objectClass of a group that UniFi Identity Enterprise uses in its query when importing groups. For example,
- Group Object Filter: By default, UniFi Identity Enterprise auto-populates this field from the group objectClass, as (objectClass=<objectClass name>). This must be a valid LDAP filter.
- Member Attribute: The group attribute that lists the group's members (normally the member DNs).
- User Attribute (Optional): UniFi Identity Enterprise reads the member attribute on the group object to determine users' group memberships at runtime. Unless your group object class and group filter are posixGroup and (objectclass=posixGroup) respectively, leave this field empty. If you are using posixGroup, we recommend setting the member attribute to memberuid and the user attribute to uid, since memberuid holds user ids rather than DNs.
- Example Email: Verify the settings by entering a user's email here to confirm that the required user attributes and group memberships can be retrieved from LDAP.
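What the "Example Email" check has to establish, modelled offline in Python: scope the search to the user search base, apply the object filter, confirm the entry carries the unique identifier attribute, then resolve group membership through the member attribute, either by DN or, for posixGroup, by the user attribute. This is an added example, not UniFi Identity Enterprise code. The directory is a constructed in-memory stand-in for an LDAP server (a DN to attributes dictionary), and the filter evaluator is an assumption: it only understands equality filters such as (objectClass=inetOrgPerson) and an AND of them, which is all the auto-populated objectClass filters need.

```python
"""Offline model of the Example Email check (added example, not product code).

DIRECTORY is a constructed stand-in for an LDAP server. The filter evaluator is
an assumption: equality filters and (&(...)(...)) only.
"""
import re

EQUALITY = re.compile(r"^\(([A-Za-z][\w;-]*)=([^()]+)\)$")

# Constructed sample directory. Two group styles: groupOfNames (DN-valued
# "member") and posixGroup (uid-valued "memberUid"). bob has no entryUUID and
# eve lives outside the user search base, to exercise both failure modes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"], "mail": ["alice@example.com"],
        "entryUUID": ["6ba7b810-9dad-11d1-80b4-00c04fd430c8"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["bob"], "mail": ["bob@example.com"],
    },
    "uid=eve,ou=contractors,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["eve"], "mail": ["eve@example.com"],
        "entryUUID": ["7d444840-9dc0-11d1-b245-5ffdce74fad2"],
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=bob,ou=people,dc=example,dc=com"],
        "entryUUID": ["9e107d9d-372b-4f1b-9a3c-2c0d8b6a5e11"],
    },
    "cn=devs,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "memberUid": ["alice"],
        "entryUUID": ["c2f4a7c0-1f8e-4b1a-8f0e-3a9d2e5b7c44"],
    },
}

# Settings as they would appear under Provisioning > Integration (assumed values).
RFC_SETTINGS = {
    "unique_identifier_attribute": "entryUUID",
    "user_search_base": "ou=people,dc=example,dc=com",
    "user_object_filter": "(objectClass=inetOrgPerson)",
    "group_search_base": "ou=groups,dc=example,dc=com",
    "group_object_filter": "(objectClass=groupOfNames)",
    "member_attribute": "member",
    "user_attribute": "",  # empty unless posixGroup is used
}
POSIX_SETTINGS = dict(RFC_SETTINGS, group_object_filter="(objectclass=posixGroup)",
                      member_attribute="memberuid", user_attribute="uid")
# The misconfiguration the page warns about: posixGroup with no user attribute,
# so DNs get compared against uid values and nobody is a member of anything.
BROKEN_POSIX = dict(POSIX_SETTINGS, user_attribute="")


def parse_filter(flt):
    """Return (attr, value) terms that must all hold; reject anything else."""
    flt = flt.strip()
    if flt.startswith("(&") and flt.endswith(")"):
        return [t for part in re.findall(r"\([^()]*\)", flt[2:-1]) for t in parse_filter(part)]
    match = EQUALITY.match(flt)
    if not match:
        raise ValueError(f"unsupported filter: {flt}")
    return [(match.group(1).casefold(), match.group(2).casefold())]


def values(attrs, name):
    """Attribute lookup, case-insensitive in both attribute name and values."""
    for key, vals in attrs.items():
        if key.casefold() == name.casefold():
            return [v.casefold() for v in vals]
    return []


def search(base, flt):
    """Subtree search: entries under base that satisfy every filter term."""
    terms = parse_filter(flt)
    return {dn: attrs for dn, attrs in DIRECTORY.items()
            if dn.casefold().endswith("," + base.casefold())
            and all(val in values(attrs, attr) for attr, val in terms)}


def resolve_user(email, settings):
    """Exactly one user under the search base, its unique id, and its groups."""
    users = search(settings["user_search_base"], settings["user_object_filter"])
    hits = [(dn, a) for dn, a in users.items() if email.casefold() in values(a, "mail")]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one user for {email}, found {len(hits)}")
    dn, attrs = hits[0]
    ident = values(attrs, settings["unique_identifier_attribute"])
    if not ident:
        raise LookupError(f"{dn} lacks {settings['unique_identifier_attribute']}; not importable")
    # Membership key: the user's DN, or the user attribute (uid) for memberUid groups.
    key = values(attrs, settings["user_attribute"])[0] if settings["user_attribute"] else dn.casefold()
    groups = search(settings["group_search_base"], settings["group_object_filter"])
    member_of = sorted(g for g, ga in groups.items() if key in values(ga, settings["member_attribute"]))
    return {"dn": dn, "id": ident[0], "groups": member_of}


if __name__ == "__main__":
    for name, cfg in (("rfc", RFC_SETTINGS), ("posix", POSIX_SETTINGS), ("broken", BROKEN_POSIX)):
        print(name, resolve_user("alice@example.com", cfg))
```

Running it with the three settings shows alice in cn=staff via DN membership, in cn=devs via memberuid and uid, and in no group at all under the broken posixGroup settings; bob fails because he has no entryUUID and eve fails because she is outside the user search base, which is exactly what the Example Email field is there to catch before a scheduled import runs.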
Delegated Authentication
Delegated authentication allows users to sign in to UniFi Identity Enterprise with their AD/LDAP credentials. When delegated authentication is enabled, user credentials remain stored on the AD/LDAP server and are managed there.
- This is an advanced feature. To apply for a free trial, use your owner account to sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) > SETTINGS > Plan > Workspace Plan > Apply for Plan Add-Ons.
- To enable "Delegated authentication", the Identity Enterprise Agent on which your directory is deployed must be in "Active" status.