LDAP synchronization (dm_LDAPSynchronization)

The LDAP Synchronization tool finds the changes in the user and group information in an LDAP-compliant directory server that have occurred since the last execution of the tool and propagates those changes to the repository. If necessary, the tool creates default folders and groups for new users. If there are mapped user properties, those are also set.

Which operations the tool can perform depends on what kind of directory server is in use. If using Netscape iPlanet Directory Server, Oracle Intranet Directory Server, or MS Active Directory on a Microsoft Windows platform, the tool can:

If you use iPlanet, you must enable the changelog feature to use the renaming and inactivation operations. Instructions for enabling the changelog feature are found in the vendor's iPlanet Administration Guide.

The renaming and inactivation operations are not supported on MS Active Directory on UNIX platforms.

The tool is installed in the inactive state. After it is activated, it is executed once a day at 4 a.m. by default. Before you set it to the active state, you must define the ldap_config object for the repository.

The behavior of the tool is determined by the property settings of the ldap_config object. The tool has four arguments that you can use to override the property settings controlling which operations the tool performs. The arguments override the properties of the same names in the ldap_config object. They are deactivate_user_option, import_mode, rename_group_option, and rename_user_option.

In repositories 5.3 and later, use the method argument source_directory to designate the LDAP servers that are being synchronized. You can synchronize all LDAP servers associated with a particular server config object, or only particular ones. If the argument is not used to designate particular LDAP servers, the job synchronizes all LDAP servers associated with the server config object.
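The rules above (method arguments override the ldap_config properties of the same name, source_directory narrows the set of servers, and renaming or inactivation is unavailable on Active Directory on UNIX or on iPlanet without the changelog) can be checked before the job is activated. The following pre-flight check is an added example, not Documentum code; the directory-type labels, property values and server names are constructed for illustration.

```python
"""Pre-flight check for a dm_LDAPSynchronization run (added example, not Documentum code).
Arguments are passed as a dict, e.g. {"source_directory": ["ldap_corp"], "import_mode": "..."}."""
from dataclasses import dataclass, field

# The four ldap_config properties a job method argument may override (from the documentation).
OVERRIDABLE = {"deactivate_user_option", "import_mode", "rename_group_option", "rename_user_option"}
RENAME_OR_INACTIVATE = ("deactivate_user_option", "rename_group_option", "rename_user_option")


@dataclass
class LdapConfig:
    name: str
    directory_type: str            # constructed labels: "iplanet", "oid", "ad_windows", "ad_unix"
    changelog_enabled: bool = False  # only meaningful for iPlanet
    properties: dict = field(default_factory=dict)


def select_directories(configs, source_directory):
    """No source_directory argument means every ldap_config tied to the server config."""
    if not source_directory:
        return list(configs)
    by_name = {c.name: c for c in configs}
    missing = [n for n in source_directory if n not in by_name]
    if missing:
        raise ValueError(f"source_directory names not associated with this server config: {missing}")
    return [by_name[n] for n in source_directory]


def effective_settings(config, arguments):
    """ldap_config properties, with any of the four overridable arguments applied on top."""
    unknown = set(arguments) - OVERRIDABLE - {"source_directory"}
    if unknown:
        raise ValueError(f"unknown method arguments: {sorted(unknown)}")
    settings = dict(config.properties)
    settings.update({k: v for k, v in arguments.items() if k in OVERRIDABLE})
    return settings


def unsupported_operations(config, settings):
    """Requested rename/inactivation options the target directory cannot honour."""
    wanted = [k for k in RENAME_OR_INACTIVATE if settings.get(k)]
    if config.directory_type == "ad_unix":
        return wanted
    if config.directory_type == "iplanet" and not config.changelog_enabled:
        return wanted
    return []


def plan(configs, arguments):
    """Map each directory the run would touch to (effective settings, list of unsupported options)."""
    result = {}
    for cfg in select_directories(configs, arguments.get("source_directory")):
        settings = effective_settings(cfg, arguments)
        result[cfg.name] = (settings, unsupported_operations(cfg, settings))
    return result


SAMPLE_CONFIGS = [  # constructed sample data, not real repository objects
    LdapConfig("ldap_corp", "iplanet", properties={"import_mode": "users_and_groups",
               "deactivate_user_option": True, "rename_user_option": True, "rename_group_option": False}),
    LdapConfig("ldap_win", "ad_windows", properties={"import_mode": "users",
               "deactivate_user_option": True, "rename_user_option": True, "rename_group_option": True}),
]
```

Any non-empty warning list means the job would be activated with options the directory cannot deliver, which is worth fixing (or enabling the changelog) before the 4 a.m. run.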