Dynamic Group Generation

Created: 2012-04-20 08:09:59
Modified: 2020-07-27 13:24:31
Tags: Features Group as Group Sync UnitySync

Do you want to generate Destination Groups or Group Membership based on a Source LDAP single or multi-valued attribute? .

Note: This solution uses two custom Raw Config entries. These are explained further in the instructions below:

field-group= dyn-group-context=

  • Create a standard LDAP to LDAP connection
  • Go to the Custom tab and click on the Raw Config button
  • The field-group parameter identifies the source attribute on which to base the dynamic Groups
    • You may only specify one attribute, but it may be single valued or multi valued
    • If it is multi valued, all values will generate a Destination Group
    • Set the field-group attribute:
      field-group=CustomGroupAttrib
  • The dyn-group-context parameter is used to stamp structure on the dynamically generated Group record in the ldif.txt
    • The DN specified must be a valid structure appearing within the scope of Selection DN
    • Or if there is no Selection DN, then a valid structure that exists anywhere on the Source
    • Set the dyn-group-context attribute: dyn-group-context=ou=source,dc=domain,dc=com
  • On the Source tab, if Source Objects Type ‘Groups’ is not already selected, enable it now

NOTE: Groups must be selected in order to sync a dynamically generated Group. However, this will also sync Source Groups that exist within the scope of the sync. If you do not want other Groups synced, add the following Optional LDAP Query Filter on your Source tab for Group(s) to avoid pulling any Source Groups:
(Displayname=NeverPullGroups)
Because the above filter will always be false, no groups will be synced from the source.

  • Enable Discovery and Simulation, then run the Connection.
    • Review the resulting ldif.txt file.
    • The end of the ldif.txt should contain the dynamically generated Group object(s)
  • Enable Discovery and Synchronization, then run the connection
    • The Sync phase should Add the desired Group(s) with all applicable membership

CAVEAT: There is a caveat on Dynamic groups if you are using Create/Join (aka Both) instead of Create. More info below on regarding use of Create/Join when using Dynamic Group generation.

Using Create/Join, If you are also syncing regular groups from source to destination, you must enter a valid join query to find those groups on the destination. (i.e. samaccountname=^samaccountname^)

However, Dynamically generated groups will NEVERY find a match on JOIN. (no matter the query used).

Correctly configured, you can expect to see this on every sync for your group modifies.

Add Exists | cn=Sales Group,ou=Groups,DC=2k19,DC=test
Mod Object | cn=Sales Group,ou=Groups,DC=2k19,DC=test

Additionally, you MUST leave the dynamically generated groups in the sync OU. If a dynamically generated group is moved outside the sync ou, you the group will NOT be Modified. In this case, you can expect to see this in the log:

Add Exists | cn=Sales Groupp,ou=Groups,DC=2k19,DC=test
Mod No Object |cn=Sales Groupp,ou=Groups,DC=2k19,DC=test

(If located, the group can be moved back into the sync OU).

Of course, if you have any questions about this feature, please contact our Technical Support Team.

Knowledgebase

Directory
  1. Directify - Self Service

  2. Mimic - Replication

  3. UnitySync - Sync
Password
  1. emPass - Sync
Obsolete
  1. Profiler
  2. SimpleSync