Attribute mapping

When you configure a server sync job, you need to map several Active Directory (AD) attributes to required Advanced Server Access server properties. This allows Advanced Server Access to correctly identify and resolve servers within the domain.

Default attributes

By default, Advanced Server Access populates the required AD attributes, but you may need to edit these attributes to match your specific configuration.

| Default AD Attribute | Advanced Server Access Property | Description |
| --- | --- | --- |
| dNSHostName | Host Name | Specifies the hostname used to identify a discovered server within Advanced Server Access. |
| dNSHostName | Access Address | Specifies the IP address or DNS name used by the gateway to connect to a discovered server. Note: If your domain uses an internal DNS server, you must configure the gateway to resolve this name and connect to the discovered server. |
| operatingSystem | Operating System | Specifies the server operating system of a discovered server. |
| unset | Alternative Names | Optional. Specifies alternative hostnames or DNS entries used to resolve a discovered server. This is sometimes used to remove any cyclical connections in configurations involving bastions. |
| unset | Bastion | Optional. Specifies a bastion host that Advanced Server Access clients can use to tunnel traffic to a discovered server. |

Label mapping

You can define granular access policies within projects by mapping additional AD attributes to Advanced Server Access labels. Each attribute is included in the LDAP query and the value is mapped to the specified Advanced Server Access label. Label mapping has the following restrictions:

  • Teams can add a maximum of ten labels
  • If an attribute returns multiple values, only one value is mapped to the label
  • Attributes are case-sensitive and must exactly match what is returned by the LDAP query

The Is GUID? option identifies an AD attribute as a Globally Unique Identifier (GUID). Because of how AD encodes GUIDs in responses to LDAP queries, this option ensures that Advanced Server Access can decode the AD attribute and map it correctly to an Advanced Server Access label.

You cannot use this option to identify Security Identifiers (SIDs) or other binary-encoded information.
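
The encoding behind the Is GUID? option, shown as an added example (not Okta's code): AD returns a GUID attribute such as objectGUID as 16 raw bytes with the first three fields in little-endian order, so a plain hex dump does not match the GUID shown in AD tools. The sample byte strings and the function names are constructed for illustration.

```python
# Added example: sample values are constructed, not from a real domain.
# Assumption: the attribute uses AD's standard binary GUID layout.

# 16 raw bytes as returned for an objectGUID-style attribute.
SAMPLE_GUID_RAW = bytes.fromhex("e004253f894fd3119a0c0305e82c3301")

# Binary SID S-1-5-21-1-2-3-1000 (28 bytes), a different encoding entirely.
SAMPLE_SID_RAW = bytes.fromhex(
    "010500000000000515000000" "01000000" "02000000" "03000000" "e8030000"
)


def naive_hex(raw: bytes) -> str:
    """Format bytes 8-4-4-4-12 without reordering (the wrong decode)."""
    h = raw.hex()
    return "-".join((h[0:8], h[8:12], h[12:16], h[16:20], h[20:32]))


def decode_ad_guid(raw: bytes) -> str:
    """Decode a binary AD GUID into its canonical string form."""
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes for a GUID, got {len(raw)}")
    # Data1 (4 bytes), Data2 (2) and Data3 (2) are little-endian, so reverse
    # each; the last 8 bytes are already in display order.
    reordered = raw[3::-1] + raw[5:3:-1] + raw[7:5:-1] + raw[8:16]
    return naive_hex(reordered)


def try_decode(raw: bytes) -> str:
    """Return the GUID string, or a reason the value cannot be a GUID."""
    try:
        return decode_ad_guid(raw)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("naive  :", naive_hex(SAMPLE_GUID_RAW))
    print("decoded:", decode_ad_guid(SAMPLE_GUID_RAW))
    # The length check is only a sanity test: a short SID such as
    # S-1-5-32-544 is also 16 bytes and would decode to a meaningless GUID.
    print("SID    :", try_decode(SAMPLE_SID_RAW))
```

A label compared against the undecoded form would not match the GUID an administrator copies from AD tools, so policies keyed on that label would silently select no servers.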

Related topics

Create a server sync job