Account and Group Settings

This page enables you to configure the account and group search options. The search DNs are the distinguished names of the containers that, together with the other relevant attributes, define the scope of this connector. The search scope defines how far down the tree the connector searches from the base DN.

If auto partitioning is not enabled, each of these search DNs is also treated as a partition for partitioned full aggregation. Users, Contacts, Managed Service Accounts, and Groups can each have their own set of search DNs, so each object type can be given a different scope. The search scopes are stored in the following attributes:

  • Contact Search Scope: contact.searchDNs

  • Managed Service Account Search Scope: gmsa.searchDNs

If no scope is defined for Groups, the Account search scope is used. At least one search DN must be defined to configure the connector successfully.

Auto Partitioning

SailPoint recommends that you enable Auto Partitioning for faster retrieval of Active Directory data. For information on configuring partitions manually, refer to Partitioning Aggregation.

Note
The Allow Auto Partitioning feature is only available for account aggregation.

To configure auto partitioning, complete the following:

  1. Verify the Enable Partitioning checkbox is selected in your Account Aggregation task. For more information on configuring your account aggregation, refer to Account Aggregation.

  2. In your application configuration, go to Configuration > Settings > Account.

  3. Select the Allow Auto Partitioning checkbox.

  4. In the Number of Partitions dropdown, select the number of partitions. Tuning this count improves the performance of auto partitioning; for larger user populations, a higher partition count is preferred.

  5. Once you have finished configuration on this page, select Save.

Account Search Scope

If the Group Membership Search DN attribute is not defined, the connector returns all group memberships that the APIs report for the respective account; it does not fall back to the scope defined by the Search DN.

User Search Scope

To configure the user's search, complete the following:

  1. In the Search DN field, enter the distinguished name of the domain or OU that defines the scope for users.

  2. (Optional) Specify an Iterate Search Filter string to limit the results returned by the search DN. For more information on the search syntax, refer to the Microsoft Active Directory: LDAP Syntax Filters wiki.

  3. (Optional) Specify Group Membership Search DN to determine the group membership of the users that you are loading. Separate multiple entries with a semicolon.

  4. (Optional) Specify a Group Member Filter String as an LDAP search filter string that applies while fetching the user's group membership.

  5. (Optional) Select Add to create another search filter or select Delete to remove a search filter.

  6. Once you have configured all the search scopes, select Save.
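The following is an added example, not SailPoint connector code, that models the two scoping rules described on this page: a Search DN plus a search scope (base, one level, or subtree) decides whether an entry is in scope, and a semicolon-separated Group Membership Search DN list decides which of a user's memberOf values are kept, with an empty field keeping every membership rather than falling back to the user Search DN. All DNs and memberOf values below are constructed sample data; the DN splitting handles the RFC 4514 "\," escape but is deliberately simpler than a full DN parser.

```python
"""Illustrative model of search DN scoping for an AD connector.

Added example: this is not the connector's own code. The rules it
implements are the ones stated in the documentation; the DNs are
constructed sample data.
"""
import re
from typing import Iterable, List

# Split a DN on commas that are not escaped with a backslash ("\," is a
# literal comma inside an RDN value per RFC 4514). Simplification: an
# escaped backslash followed by a real comma ("\\,") is not handled.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def dn_components(dn: str) -> List[str]:
    """Normalise a DN into lowercase RDNs, most specific first."""
    return [rdn.strip().lower() for rdn in _RDN_SPLIT.split(dn) if rdn.strip()]


def parse_search_dns(value: str) -> List[str]:
    """Split a UI field that holds several DNs separated by semicolons."""
    return [dn.strip() for dn in value.split(";") if dn.strip()]


def in_scope(entry_dn: str, base_dn: str, scope: str = "subtree") -> bool:
    """Is entry_dn under base_dn for the given LDAP search scope?

    Comparison is done RDN by RDN, so OU=Peopleware never matches a base
    of OU=People the way a naive string suffix test would.
    """
    entry = dn_components(entry_dn)
    base = dn_components(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown search scope: {scope}")


def scoped_memberships(member_of: Iterable[str], group_search_dns: str) -> List[str]:
    """Return the memberOf values that survive Group Membership Search DN scoping.

    An empty field keeps every membership the directory reports; there is
    no fallback to the user Search DN.
    """
    bases = parse_search_dns(group_search_dns)
    members = list(member_of)
    if not bases:
        return members
    return [g for g in members if any(in_scope(g, b) for b in bases)]


# Constructed sample configuration and directory data (hypothetical domain).
USER_SEARCH_DN = "OU=People,DC=corp,DC=example"
GROUP_MEMBERSHIP_SEARCH_DN = (
    "OU=Groups,DC=corp,DC=example;OU=AppRoles,OU=IT,DC=corp,DC=example"
)
SAMPLE_MEMBER_OF = [
    "CN=VPN Users,OU=Groups,DC=corp,DC=example",
    "CN=SAP_Admin,OU=AppRoles,OU=IT,DC=corp,DC=example",
    "CN=Domain Users,CN=Users,DC=corp,DC=example",       # built-in container, out of scope
    "CN=Smith\\, John Fans,OU=Groups,DC=corp,DC=example",  # escaped comma in the RDN
]


if __name__ == "__main__":
    user = "CN=alice,OU=Staff,OU=People,DC=corp,DC=example"
    for scope in ("base", "onelevel", "subtree"):
        print(f"{scope:9s} {in_scope(user, USER_SEARCH_DN, scope)}")
    print("kept:", scoped_memberships(SAMPLE_MEMBER_OF, GROUP_MEMBERSHIP_SEARCH_DN))
    print("kept with empty field:", scoped_memberships(SAMPLE_MEMBER_OF, ""))
```

Run it before saving a scope in the UI to check that the DNs you typed actually cover the containers you expect; the one-level case in particular shows why a user in a nested OU is missed unless the search scope is subtree.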

Contact Search Scope

To configure the contact's search, complete the following:

  1. (Optional) In the Search DN field, enter the distinguished name of the domain or OU that defines the scope for contacts.

  2. (Optional) Specify an Iterate Search Filter string to limit the results returned by the search DN. For more information on the search syntax, refer to the Microsoft Active Directory: LDAP Syntax Filters wiki.

  3. (Optional) Specify Group Membership Search DN to determine the group membership of the contacts that you are loading. Separate multiple entries with a semicolon.

  4. (Optional) Select Add to create another search filter or select Delete to remove a search filter.

  5. Once you have configured all the search scopes, select Save.

Managed Service Account Search Scope

To configure the managed service account's search, complete the following:

  1. (Optional) In the Search DN field, enter the distinguished name of the domain or OU that defines the scope for the managed service account.

  2. (Optional) Specify an Iterate Search Filter string to limit the results returned by the search DN. For more information on the search syntax, refer to the Microsoft Active Directory: LDAP Syntax Filters wiki.

  3. (Optional) Specify Group Membership Search DN to determine the group membership of the managed service accounts that you are loading. Separate multiple entries with a semicolon.

  4. (Optional) Select Add to create another search filter or select Delete to remove a search filter.

  5. Once you have configured all the search scopes, select Save.

Group Search Scope

Note
By default, if no scope is defined for Groups, the connector uses the Account search scope.

To configure the group's search, complete the following:

  1. (Optional) In the Search DN field, enter the distinguished name of the container that defines the search scope for groups.

  2. (Optional) Specify an Iterate Search Filter string to limit the results returned by the search DN. For more information on the search syntax, refer to the Microsoft Active Directory: LDAP Syntax Filters wiki.

  3. (Optional) Select Add to create another search filter or select Delete to remove a search filter.

  4. Once you have configured all the search scopes, select Save.