5 Replies Latest reply on Apr 27, 2018 1:20 PM by cw30755

    LDAP Sync is overwriting teams, any assistance?

    cw30755 Apprentice

      We are getting very close to our go-live with Ivanti, but we are still trying to get a few bugs ironed out.  We are using an LDAP import to get our user data, and 99% of our users should just be in a Self Service User team, but our IT and support staff we do want in specific teams. Here are our current LDAP settings.




      When we have a check, our default team gets overwritten; when it's unchecked, all the LDAP imports fail because:


      Update CN=XXXX\, XXXXX,OU=XXXXXX,DC=XXXX,DC=org failed: System.ApplicationException: Item 'CN=XXXXXX\, XXXXXXx,OU=XXXXXXX,DC=XXXX,DC=org' does not contain required property '[Use Text Value]'.


      Any place I see LDAP settings mentioned, it seems that Team is always set with a grayed-out checkbox, but I can't figure out how to gray it out.  I know it's probably a simple fix, can anyone help?




        • 1. Re: LDAP Sync is overwriting teams, any assistance?
          a.c. Rookie

          We may have done this incorrectly, but all of our users have access to Self Service, so we don't have a "Self Service" team.  For LDAP the teams and departments match our org chart. In the image it's Administration / Administration (poor choice!) but our admin department has other teams, which each have their own LDAP rule.  Self service access was set using the roles under employees - IT folks have additional roles.  Not sure this post is much help.




          • 2. Re: LDAP Sync is overwriting teams, any assistance?
            a.c. Rookie

            Although in replying I did find some mistakes in our LDAP rules - Thanks!

            • 3. Re: LDAP Sync is overwriting teams, any assistance?
              MarkLarvo Specialist

              Hi Chad,


              I've been learning LDAP this week myself. Here is what I can tell you.


              Your Primary team for each employee is going to be set to "Self Service Users" based on. (Typically you might just use the "department" LDAP field to put everyone in their known AD team.)


              To get your IT folks in different teams you will need to get creative with your filters and run multiple LDAP syncs.


              While we use the LDAP department field to set our primary Employee Team, we did go a similar route to get people in different Roles. Below you can see how we used filters for multiple LDAP syncs.


              [Image: ldap sync example.png]


              Kirkland FW runs first. It puts everyone in their Team using LDAP department. It also puts everyone into the Self-Service role.

              [Image: ldap FW sync settings.png]


              The other entries run afterward selecting people by department to then place them in different roles.

              • Kirkland FW is set to include CWR (contract workers) and add them to our Self-Service role.
              • The other LDAP syncs exclude the CWRs keeping them out of our other roles.


              You can use the same logic to set their team for your environment. I would try to exclude your IT people from the first run putting people in the Self-Service Team.


              Hope that helps! Reply back with more questions. If I can help you struggle less than I did then my struggle wasn't so bad. ;-)


              Good luck!

              • 4. Re: LDAP Sync is overwriting teams, any assistance?
                cw30755 Apprentice

                Thanks for the reply, Mark.  Struggle is a good word to use here!  I really want to keep our LDAP import simple.  Our IT staff is pretty small, I don't really care if they import initially in the right team (and some people are a member of multiple teams) but I want to be able to set the default team for our staff and not have it overwritten.  More of a "If team is null/unvalued, then default to Self Service, User, Else keep the existing team value(s)".  Could that be written as an expression?


                We do have the Contact Role set up as you have (in the red box), so would we even need to assign everyone else to a team at all?  Maybe I'm getting Roles and Teams confused.


                Thanks again!

                • 5. Re: LDAP Sync is overwriting teams, any assistance?
                  cw30755 Apprentice

                  OK, so I have kept searching and found a solution that will work well for my environment.  I found an old support article:


                  LDAP Import - How to set a default team for new users but prevent a team from being overwritten for existing users.


                  I just removed the team from the LDAP mapping and created the initialization rule on the Employee BO in Staging and it looks like it's working very well.  Newly created users from AD go into my Self Service Users team and then if we change them afterwards, they don't get overwritten on the next LDAP sync.  Posting a screenshot in case anyone else is interested.