Customize the PeopleUpdate directory configuration for a tab using the Directory configuration page in the Administration Console. You can set bind paths, search parameters and proxy (service) account information using this page.
You must have administrative access to the PeopleUpdate Administration Console to modify the directory configuration for a tab.
Log in to the Administration Console. Click here for more information about logging into the Administration Console.
Click Directory in the left navigation bar in the Tab Configuration section.
PeopleUpdate lets you test a directory connection to confirm that you can at least bind to the directory using the LDAP bind path and proxy account credentials you set up in the directory configuration for the tab.
Make the directory changes you need to set up the application in your environment. Refer to the sections below for more information about configuring directory options.
When you've finished setting your directory options, click Save Directory Changes to save your settings.
Click Test Connection to verify that your directory settings are okay and you can connect to the directory. It might take up to two minutes for a misconfigured connection to time out, so be patient when using this feature.
You may need to set the LDAP bind paths for regular and group searches to restrict the bind scope for PeopleUpdate to a particular container or to bind to a particular DC for performing searches and updates.
| LDAP Bind Path | LDAP bind path to the root of the container you are searching and managing. The path should start with LDAP:// (in capital letters, as this value is case sensitive) and tells PeopleUpdate where to bind to the directory to execute searches. Note: If you leave the LDAP Bind Path blank, PeopleUpdate automatically tries to locate a domain controller in the domain using the LDAP://RootDSE bind path, which is the default bind path that binds to the well-known root DSE object. |
| LDAP Group Bind Path | LDAP search path for group searches. This path is used when updating the memberof attribute of user objects. |
The following LDAP bind paths give you an idea of the different ways you can bind to your Active Directory. You may use DNS names and server names to bind to the directory and you can specify the specific container to which PeopleUpdate should bind when it connects to the directory to execute an operation.
Assume your company's directory DNS name is mycompany.com.
LDAP://mycompany.com/DC=mycompany,DC=com: Searches the root of the LDAP directory and looks up an LDAP server to use from DNS automatically.
LDAP://dc.mycompany.com/DC=mycompany,DC=com: Searches the root of the LDAP directory and uses the DC/GC server dc.mycompany.com to perform the search.
LDAP://dc.mycompany.com/CN=Users,DC=mycompany,DC=com: Searches the Users container of the LDAP directory and uses the DC/GC server dc.mycompany.com to perform the search.
LDAP://dc.mycompany.com/OU=MyCompanyUsers,DC=mycompany,DC=com: Searches the MyCompanyUsers organizational unit (OU) of the LDAP directory and uses the DC/GC server dc.mycompany.com to perform the search.
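The bind path forms listed above can be checked before they are saved. The following is an added example, not PeopleUpdate code: it splits a bind path into server and container and tests whether an object DN falls inside the bound container. The function names and the sample user DN are constructed for illustration, and the DN handling is simplified (it splits on unescaped commas and compares RDNs case-insensitively).

```python
import re

SCHEME = "LDAP://"  # case sensitive: "ldap://" is rejected

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def parse_bind_path(path):
    """Return (server, base_dn); server is None when the path names no host."""
    path = path.strip() or SCHEME + "RootDSE"   # blank path: RootDSE default
    if not path.startswith(SCHEME):
        raise ValueError("bind path must start with LDAP:// in capital letters")
    rest = path[len(SCHEME):]
    if "/" in rest:
        server, base_dn = rest.split("/", 1)    # LDAP://host/DN
    elif "=" in rest or rest == "RootDSE":
        server, base_dn = None, rest            # LDAP://DN or LDAP://RootDSE
    else:
        server, base_dn = rest, ""              # host only, no container
    if base_dn and base_dn != "RootDSE":
        for rdn in split_dn(base_dn):
            if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*=.+", rdn):
                raise ValueError("malformed RDN in bind path: %r" % rdn)
    return server or None, base_dn

def in_scope(object_dn, base_dn):
    """True when object_dn sits at or below base_dn."""
    obj = [r.lower() for r in split_dn(object_dn)]
    base = [r.lower() for r in split_dn(base_dn)]
    return len(obj) >= len(base) and obj[len(obj) - len(base):] == base

if __name__ == "__main__":
    # Bind paths taken from the list above; the user DN is constructed.
    for p in ("LDAP://mycompany.com/DC=mycompany,DC=com",
              "LDAP://dc.mycompany.com/OU=MyCompanyUsers,DC=mycompany,DC=com",
              ""):
        server, base = parse_bind_path(p)
        print("%-62r server=%s base=%s" % (p, server, base))
    _, ou = parse_bind_path(
        "LDAP://dc.mycompany.com/OU=MyCompanyUsers,DC=mycompany,DC=com")
    print(in_scope("CN=Jane Doe,OU=MyCompanyUsers,DC=mycompany,DC=com", ou))
```
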
Configure search parameters to tweak the performance of your PeopleUpdate application. You will probably not need to change the default values often unless you have specific performance issues you need to address in your environment. Use the Default Search Filter and Group Search Filter to append a standard filter to every Active Directory search executed by PeopleUpdate.
| Maximum Number Results | Maximum number of results for PeopleUpdate to return from a directory search. Enter zero (0) to return all matching results. Note: Most Microsoft Active Directory implementations limit the number of search results to 1000. Other vendors' default size limits vary. Refer to your vendor's documentation for more information. |
| Search Time Limit | Maximum number of milliseconds to wait for a result from the directory while performing a search. Setting the parameter to -1 uses the directory's default timeout; this is the recommended setting. |
| Default Search Filter | Specifies the LDAP search filter PeopleUpdate will use when performing every LDAP search. This value is ANDed with the other search criteria passed by users searching the directory. This option enables you to ensure you bind to the correct directory object when searching and helps speed searching by ensuring the search doesn't go through unnecessary directory object containers. |
| Group Search Filter | Specifies the LDAP search filter PeopleUpdate will use when performing group LDAP searches. This value is used in conjunction with the LDAP Group Base DN to filter groups returned when updating the memberof attribute of user objects. This value is ANDed with the other search criteria passed by users searching the directory. This option enables you to ensure you bind to the correct directory object when searching and helps speed searching by ensuring the search doesn't go through unnecessary directory object containers. |
| Allow Empty Searches | Users must populate at least one attribute in the Search Console's Search page when this is unchecked. |
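How a default filter combines with user-entered criteria, and what Allow Empty Searches changes, as an added example that is not PeopleUpdate code. The way PeopleUpdate builds its filters internally is not documented here, so the equality match, the function names and the sample filter `(objectCategory=person)` are assumptions. User text is escaped per RFC 4515 so that it cannot alter the restriction the default filter imposes.

```python
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_value(value):
    """Escape user-supplied text so it is treated as a literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(default_filter, criteria, allow_empty=False):
    """AND the configured default filter with the fields the user populated.

    criteria maps attribute name -> text typed by the user; blank fields
    are ignored. allow_empty mirrors the Allow Empty Searches checkbox.
    """
    terms = []
    for attr, text in criteria.items():
        if text is None or not text.strip():
            continue
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr):
            raise ValueError("invalid attribute name: %r" % attr)
        terms.append("(%s=%s)" % (attr, escape_value(text.strip())))
    if not terms and not allow_empty:
        raise ValueError("populate at least one search attribute")
    default_filter = default_filter.strip()
    parts = ([default_filter] if default_filter else []) + terms
    if not parts:
        return "(objectClass=*)"          # no restriction configured or entered
    if len(parts) == 1:
        return parts[0]
    return "(&" + "".join(parts) + ")"

if __name__ == "__main__":
    default = "(objectCategory=person)"   # constructed sample default filter
    print(build_filter(default, {"sn": "Smith", "givenName": ""}))
    # Filter metacharacters in user text stay inside the value after escaping.
    print(build_filter(default, {"sn": "x)(objectClass=*"}))
    print(build_filter(default, {}, allow_empty=True))
```
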
The PeopleUpdate proxy account executes authenticated binds to your Active Directory and performs searches and updates under the proxy account security context. Refer to the Prerequisites section for more information on how to delegate the proper read and write permissions to the proxy account.
| Account Name | Account used to search and update Active Directory. The proxy account needs Read and Write access to all attributes in Active Directory you want to search and update through PeopleUpdate. Example Proxy Account: YOURDOMAIN\PeopleUpdateServiceAcct or PeopleUpdateServiceAcct@yourdomain.local Note: For pre-Windows 2000 accounts, account names can only be 20 characters long and are truncated at the 20th character. You will need to truncate the account name you enter here if it is longer than 20 characters and you are using the NetBIOS form of the name. If your domain and account name are longer than 20 characters, use the UPN format of accountname@domain as a best practice. |
| Password | Password for the proxy account. |
| Proxy Account Enabled | Specifies whether PeopleUpdate uses an authenticated bind under the proxy account's security context to bind and search the Active Directory. PeopleUpdate requires a proxy account in order to update directory objects since anonymous binds typically do not have sufficient privileges to update the directory. |