Importing Users and Groups From LDAP

SBM enables you to import and update users, groups, resources, and Contacts record information from a directory using LDAP.

LDAP requires external setup, which varies based on the LDAP provider you are using. In general, these instructions assume that your LDAP system is configured and that you have access to it and understand basic LDAP concepts. If you will use a secure connection to LDAP, refer to Preparing LDAP for SBM for information about preparing CA certificates for use with SBM.

Note: On-premise only – For information about using LDAP to authenticate users and the LDAP "auto add" feature, refer to the SBM System Administrator Guide.

LDAP Import and Update Considerations

Consider the following information before you import or update user accounts and contact information from LDAP:

  • You can use the SBM Application Administrator to import users and contacts from LDAP. You can also update resource attributes by mapping data from LDAP.
  • Managed administrators must be granted the Global Administration privilege to use this feature in SBM Application Administrator.
  • If LDAP fields contain sensitive data that administrators should not see, privileges can be specified in the LDAP tool to limit administrators' access to these fields.
  • Care must be taken when you modify and delete mapped fields in LDAP and SBM. For example, if the name of an attribute is changed in LDAP, it is no longer mapped to the SBM field. Also, fields that are deleted in either tool are no longer mapped.
  • Contact imports only apply to the SBM system Contacts table. You cannot import from LDAP into custom auxiliary tables that store contact data.
  • When you update User and Contact records, SBM fields that contain data are not modified if the mapped field in LDAP is empty. For example, if a Contact record contains a phone number and the LDAP record does not, the phone number for the Contact record is retained after updating. Because an empty LDAP attribute never overwrites an SBM value, to replace an SBM value whose LDAP attribute is no longer populated you must set the LDAP attribute to some non-empty value, such as "none."
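The update rule above (an empty LDAP attribute never clears an SBM value, so a placeholder such as "none" is needed to replace it) and the mapping caveat from the earlier item (a renamed or deleted attribute silently drops out of the mapping) are easy to get wrong during a review of import results. The following is an added illustration written for this page, not SBM code or any SBM API; the SBM field names, the LDAP attribute names and the sample records are constructed assumptions, and the entry layout follows the list-of-values convention used by python-ldap style clients.

```python
# Added illustration of the LDAP -> SBM update rule described on this page.
# Not SBM code; field names, attribute names and records are constructed.

# Constructed mapping: SBM field name -> LDAP attribute name (assumed names).
FIELD_MAP = {
    "Phone": "telephoneNumber",
    "Email": "mail",
    "Title": "title",
}


def update_record(sbm_record: dict, ldap_entry: dict, field_map: dict = FIELD_MAP):
    """Return (updated_record, warnings).

    Rules modelled on the documented behaviour:
      * LDAP value present and non-empty  -> overwrites the SBM field
      * LDAP value empty (None, "", [])   -> SBM field is retained
      * LDAP attribute absent from entry  -> mapping is broken (attribute
        renamed or deleted); SBM field is retained and a warning is raised
    """
    updated = dict(sbm_record)
    warnings = []
    for sbm_field, ldap_attr in field_map.items():
        if ldap_attr not in ldap_entry:
            warnings.append(
                f"{sbm_field}: LDAP attribute '{ldap_attr}' not found "
                "(renamed or deleted?); SBM value retained"
            )
            continue
        value = ldap_entry[ldap_attr]
        # python-ldap style entries hold a list of values; use the first one.
        if isinstance(value, list):
            value = value[0] if value else ""
        if value is None or value == "":
            continue  # an empty LDAP attribute never clears an SBM value
        updated[sbm_field] = value
    return updated, warnings


# Constructed sample data.
SBM_CONTACT = {"Phone": "555-0100", "Email": "jdoe@example.com", "Title": "Engineer"}

# telephoneNumber is empty, mail has a new value, and the attribute mapped to
# Title has been renamed in the directory (jobTitle instead of title).
LDAP_ENTRY = {"telephoneNumber": [], "mail": ["jane.doe@example.com"], "jobTitle": ["Lead"]}

# Same contact after the administrator set telephoneNumber to the placeholder
# "none" so that the stale SBM phone number is actually replaced.
LDAP_ENTRY_WITH_PLACEHOLDER = {"telephoneNumber": ["none"], "mail": [""], "title": ["Lead"]}


if __name__ == "__main__":
    record, warns = update_record(SBM_CONTACT, LDAP_ENTRY)
    print("after first update:", record)
    for w in warns:
        print("WARNING:", w)
    record, warns = update_record(SBM_CONTACT, LDAP_ENTRY_WITH_PLACEHOLDER)
    print("after placeholder update:", record, "warnings:", warns)
```

Running the first update keeps the phone number (empty LDAP value), replaces the e-mail address, and reports that the Title mapping no longer resolves; the second update shows the "none" placeholder overwriting the retained phone number while the empty `mail` value again leaves the existing address in place.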