User sync discovery rules
Discovery rules determine how users are synced from Active Directory (AD) and assigned to Advanced Server Access. Only one discovery rule can be created per AD job.
Discovery rules consist of the following parts:
- Base DN: Controls where the rule searches for users
- LDAP Query: Controls the specified criteria to filter users
Common Base DN settings
You can use the Base DN setting to control where the LDAP query searches for users. By default, the search scope uses the domain information you specified when creating the connection.
| Usage | Example |
|---|---|
| Search the consumer organizational unit within the ocorp.com domain | cn=users,dc=ocorp,DC=com
|
| Search the privileged-accounts organizational unit within the ocorp.com domain |
OU=privileged-accounts,DC=ocorp,DC=com |
| Search the admins object located in the eng organizational unit within the test.ocorp.edu domain |
CN=admins,OU=eng,DC=test, DC=ocorp,DC=edu |
Common LDAP queries
You can adjust the LDAP query to locate users that meets the specified criteria. You may need to modify the following examples to fit your specific needs. By default, discovery rules include an LDAP query to locate every user within the search scope.
| Usage | Example |
|---|---|
| Locate every user | (objectclass=user)
|