Druva Documentation

inSync Active Directory/LDAP Mapping Feature Enhancements

In this article 

  • Introduction
  • Changes in behavior of AD/LDAP Mappings
  • Benefits of Change in Behavior of inSync AD/LDAP Mapping
  • Updated Behavior of inSync AD/LDAP Mapping
  • New Feature in AD/ LDAP Mapping
  • UI Updates
  • Deprecated Functionalities

Introduction

Currently, inSync uses AD/LDAP Mapping to:

  • Define filters to import users from a registered AD/LDAP account and create user accounts in inSync.
  • Periodically synchronize user details.
  • Manage users in inSync:
    • Add new users in inSync based on users created in AD/LDAP.
    • Preserve users in inSync based on users deleted in AD/LDAP.

Based on use cases and feedback from our users, Druva has updated the behavior of a few functionalities in the Active Directory (AD)/LDAP Mapping feature.

Changes in Behavior of inSync AD/LDAP Mapping

Druva has now limited AD/LDAP Mapping to importing users and their details into inSync using the defined filters. AD/LDAP Mapping will now only be used for:

  • Initial on-boarding - Import users from the registered AD/LDAP and create users in inSync.
  • Periodically and automatically import new users that are added to AD/LDAP.

Benefits of Change in Behavior of inSync AD/LDAP Mapping

The new AD/LDAP Mapping behavior reduces the manual operations inSync administrators must perform and lets them rely on inSync for user management and up-to-date user information.

  • The new AD/LDAP Mapping changes enable inSync administrators to schedule automatic updates of user details, such as username, email, and AD/LDAP username, in inSync, removing the need to synchronize user details manually.
  • Auto preserve unmapped users is now a global setting in inSync. When enabled, inSync periodically scans all AD/LDAP Mappings before preserving a user who has been moved or removed from an AD Group or OU, so a user is no longer linked or mapped to a single AD/LDAP Mapping. A user is auto-preserved only if the user is disabled in AD/LDAP or is not a member of any AD group or OU covered by any of the AD/LDAP Mappings defined in inSync.
  • Deleting an AD/LDAP Mapping no longer automatically deletes or preserves users, because users are no longer directly linked to an AD/LDAP Mapping. However, if Auto preserve unmapped users is enabled globally and the users are not part of any other AD/LDAP Mapping, inSync marks them as ‘Preserved’.

Updated Behavior of AD/LDAP Mapping

If you are an inSync administrator who manages AD/LDAP Mappings, you will observe the following behavior after the AD/LDAP Mapping update:

  1. If you currently use Synchronize user details to update user details like username, email, and AD/LDAP username in inSync:
    Existing Behavior
    • Behavior: You need to regularly trigger a manual request for every AD/LDAP Mapping to synchronize user details in inSync with the registered AD/LDAP.
    • Access Path: In inSync Management Console, under Manage > Deployments > AD/LDAP Mappings (select an existing AD/LDAP mapping) and then More > Synchronize user details.
    New Behavior
    • Behavior: Synchronize user details is now a global setting applicable to all AD/LDAP imported users. If enabled, inSync automatically updates user details at the defined interval for all users imported into inSync using AD/LDAP Mappings. The scan frequency is defined by Auto sync interval under AD/LDAP Settings.
    • New name of the functionality: Auto update user details.
    • Access Path: In inSync Management Console, under Manage > Deployments > AD/LDAP. Select the AD/LDAP Settings tab and view Auto sync interval in the AD/LDAP Settings area.
  2. If you use Auto preserve unmapped users to automatically mark unmapped users as Preserved in inSync:
    Existing Behavior
    • Behavior: When you enable this setting, inSync automatically preserves any user who gets removed from the AD/LDAP Mapping as a result of being moved or removed from the AD/LDAP Group, OU, and so on. You must enable this setting for every AD/LDAP Mapping for which users must be auto-preserved. Alternatively, you can start the synchronization manually using the Preserve Unmapped Users functionality.
    • Access Path: In inSync Management Console, under Manage > Deployments > AD/LDAP Mappings (select an existing AD/LDAP mapping), under inSync Configuration.
    New Behavior
    • Behavior: Auto preserve unmapped users is now a global setting applicable to all AD/LDAP imported users. If enabled, inSync automatically preserves any user who has been disabled or removed from your AD/LDAP. The scan frequency is defined by Auto sync interval under AD/LDAP Settings. Manual synchronization using the Preserve Unmapped Users functionality is now deprecated.
    • Access Path: In inSync Management Console, under Manage > Deployments > AD/LDAP. Select the AD/LDAP Settings tab and view Auto sync interval in the AD/LDAP Settings area.

    Note: If you have defined multiple AD/LDAP Mappings in your inSync environment, then after the upgrade you will observe the following behavior, based on the setting currently defined for Auto preserve unmapped users:

    • If Auto preserve unmapped users is currently Enabled for all AD/LDAP Mappings, it will be automatically Enabled at the global level after the upgrade.
    • If Auto preserve unmapped users is currently Disabled for all AD/LDAP Mappings, it will be automatically Disabled at the global level after the upgrade.
    • If Auto preserve unmapped users is currently Disabled for some AD/LDAP Mappings and Enabled for others, it will be automatically Disabled at the global level after the upgrade. In this case, Druva Support will contact you to learn your preference and will define the global behavior for you.
  3. If you use Delete AD/LDAP Mapping to delete AD/LDAP Mappings from inSync:
    Existing Behavior

    Currently provides three options:

    1. Delete AD Mapping - Deletes only the AD/LDAP Mapping; all the users that inSync created by using this AD/LDAP Mapping can continue to use inSync.
    2. Delete AD Mapping and Preserve Users - Deletes the AD/LDAP Mapping and preserves all the users that inSync created by using this AD/LDAP Mapping.
    3. Delete AD Mapping and Delete Users - Deletes the AD/LDAP Mapping and also deletes all the users that inSync created by using this AD/LDAP Mapping.
    New Behavior

    Only one option:

    • Delete AD Mapping - Deleting an AD/LDAP Mapping only deletes the AD Mapping from inSync.

    inSync now automatically scans the users that were part of the deleted AD Mapping, and if they are not part of any other AD/LDAP Mapping, inSync marks them as ‘Preserved’. This behavior is driven by the global Auto preserve unmapped users setting described earlier.

    To delete auto-preserved AD/LDAP users, an inSync administrator can either delete them manually or rely on the inSync Auto delete preserved users functionality to delete them automatically. Until deleted, such users remain in the ‘Preserved’ state in inSync.

    The following two options are now deprecated:

    • Delete AD Mapping and Preserve Users
    • Delete AD Mapping and Delete Users

New Feature in AD/LDAP Mapping

Auto enable users

Currently, AD/LDAP users are automatically imported into inSync if the Auto import new users setting is enabled, irrespective of their current state (enabled or preserved). Later, if any of these users is marked Active in AD/LDAP, or is again associated with an AD/LDAP Mapping, inSync administrators have to enable such users in inSync manually.

Auto enable users lets inSync periodically scan all auto-preserved unmapped users in inSync and, if they fall under any AD Mapping, enable them in inSync. The scan schedule is defined by Auto sync interval under AD/LDAP Settings.

Note: Only inSync users that are auto-preserved are marked as Active. Deleted users cannot be enabled again.

Capability to Change Priority of AD/LDAP Mappings

inSync administrators can now change the priority of AD/LDAP Mappings in inSync. By default, inSync assigns the lowest priority to the most recently created AD/LDAP Mapping. If users belong to multiple AD/LDAP Mappings, an administrator can change the priority of the AD/LDAP Mappings to determine which Mapping inSync uses to import the users. For more information, see Set Priority for AD/LDAP Mapping.
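As an added illustration, not Druva's code, the following Python model captures the global rules described above in one Auto sync interval pass: a user is auto-preserved only when disabled in AD/LDAP or covered by no Mapping at all, only auto-preserved users are re-enabled, deleted users never come back, a new Mapping gets the lowest priority, and deleting a Mapping affects users only through the global Auto preserve unmapped users setting. The class names, state labels and sample users are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of the global "Auto preserve unmapped users" and
# "Auto enable users" pass described in the article. Illustrative only,
# not Druva's implementation; names and state labels are assumptions.

@dataclass(frozen=True)
class Mapping:
    name: str
    groups: frozenset   # AD/LDAP groups or OUs selected by the mapping's filter
    priority: int       # lower number = higher priority

@dataclass(frozen=True)
class AdUser:
    login: str
    enabled: bool       # False models a user disabled in AD/LDAP
    groups: frozenset

def add_mapping(mappings, name, groups):
    """A newly created mapping gets the lowest priority, as the article states."""
    lowest = max((m.priority for m in mappings), default=0) + 1
    return mappings + [Mapping(name, frozenset(groups), lowest)]

def mapping_for(user, mappings):
    """Highest-priority mapping whose filter covers an enabled user, else None."""
    if user is None or not user.enabled:
        return None
    hits = [m for m in mappings if m.groups & user.groups]
    return min(hits, key=lambda m: m.priority) if hits else None

def reconcile(insync_users, ad_users, mappings, auto_preserve=True, auto_enable=True):
    """One Auto sync interval pass over inSync users ({login: state}).

    States: 'active', 'auto_preserved', 'preserved' (set manually), 'deleted'.
    Every user is checked against all mappings, not only the one that imported them.
    """
    directory = {u.login: u for u in ad_users}
    result = dict(insync_users)
    for login, state in insync_users.items():
        covered = mapping_for(directory.get(login), mappings) is not None
        if state == "active" and auto_preserve and not covered:
            result[login] = "auto_preserved"   # disabled, or in no mapped group/OU
        elif state == "auto_preserved" and auto_enable and covered:
            result[login] = "active"           # only auto-preserved users are re-enabled
        # manually 'preserved' and 'deleted' users are left untouched
    return result
```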

UI Updates

The following UI updates are made in inSync Management Console to consolidate AD/LDAP settings:

  • Renamed the following menu items under Manage > Deployments:
    • AD/LDAP Deployments is now AD/LDAP.
    • Non AD/LDAP Deployments is now Non AD/LDAP.
  • Moved Registered AD/LDAP Accounts and AD/LDAP Settings from > Settings > AD/LDAP Accounts tab to Manage > Deployments > AD/LDAP.

    Previous UI: (screenshot)

    Updated UI: (screenshot)

    Three new tabs are added under the Manage > Deployments > AD/LDAP page:

    • Mappings tab - Displays the existing AD/LDAP Mappings in inSync. Provides options to create a new mapping, delete existing mappings, and manually import users from AD/LDAP.
    • Accounts tab - Displays the list of already registered AD/LDAP Accounts. Provides options to register a new AD/LDAP account and to modify the details of, or delete, already registered AD/LDAP accounts.
    • AD/LDAP Settings tab - Displays AD/LDAP Settings in the left pane and provides an option to edit them. Displays the priority of AD/LDAP Mappings in the right pane and provides an option to change the priority.

    Settings under Mappings tab: (screenshot)
    Settings under Accounts tab: (screenshot)
    Settings under AD/LDAP Settings tab: (screenshot)

Deprecated Functionalities

With this feature update, we have deprecated the functionalities currently available under the following:

  1. In inSync Management Console, under Manage > Deployments > AD/LDAP Mappings (select an existing AD/LDAP mapping), select Delete:
    • Delete Mapping and Preserve Users
    • Delete Mapping and Delete Users
  2. In inSync Management Console, under Manage > Deployments > AD/LDAP Mappings (select an existing AD/LDAP mapping), select More > Preserve Unmapped Users. Manual synchronization using the Preserve Unmapped Users functionality is now deprecated.

For additional information on AD/LDAP Mapping enhancements, contact Druva Support.