Personal Data Synchronization
Personal information (phone numbers, addresses, images, emails, etc.) is included in synchronization with a directory server. It is obtained from the directory server during the first synchronization and, after that, every time a change is detected on the AD/LDAP side (explained in How Account Update Is Detected). This information is stored in groupware as defined by the vCard map (explained in the vCard Map Feature chapter). When a user changes their personal data on the IceWarp Server side (after the first synchronization), their data is no longer synchronized. This is because a local change would otherwise be overridden by data from the directory server. As mentioned elsewhere, IceWarp Server does not propagate the change to LDAP/AD. For more information, refer to the Limitations below.
To restore data synchronization, delete the appropriate user row in the config/adsyncrec.dat file.
Example:
Synchronization consists of replacing data on the IceWarp Server side with data from AD/LDAP.
Where aliases are taken from
The sync mechanism recognizes three attributes as a source of aliases:
- mail
- otherMailbox
- proxyAddresses
If Add AD login to local alias is enabled, an alias is also taken from the attribute that serves as the AD login source (usually userPrincipalName).
If one of the three default attributes carrying a suitable value (domain part) is found, the processed object is added or synced to the IceWarp Server domain. This may be undesirable, as even objects with an empty mail attribute can be accepted by IceWarp Server. If this is the case, define a filter that requires a non-empty mail attribute, e.g. mail=*@*.
Removing an alias source from an object on the directory server will lead to its removal on IceWarp Server's side as well. Manually added aliases are untouched by the sync mechanism.
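The alias-source selection described above, modelled as an added example (not IceWarp's own code): it collects addresses from mail, otherMailbox and proxyAddresses (plus the login attribute when the option is on), keeps only those in a local domain, and shows how a mail=*@* filter rejects an object whose mail attribute is empty. The sample objects, the domain list and the handling of the "SMTP:" prefix on AD proxyAddresses values are assumptions made for the illustration.

```python
"""Models how the AD/LDAP sync picks alias sources (illustrative, not IceWarp code)."""
from fnmatch import fnmatchcase

ALIAS_SOURCE_ATTRIBUTES = ("mail", "otherMailbox", "proxyAddresses")


def alias_values(entry, add_login_alias=False, login_attribute="userPrincipalName"):
    """Collect candidate addresses from the three alias-source attributes, plus the
    AD login attribute when 'Add AD login to local alias' is enabled.
    Assumption: AD proxyAddresses values carry a type prefix such as 'SMTP:'."""
    sources = list(ALIAS_SOURCE_ATTRIBUTES)
    if add_login_alias:
        sources.append(login_attribute)
    found = []
    for attr in sources:
        for value in entry.get(attr, []):
            if attr == "proxyAddresses" and ":" in value:
                kind, _, value = value.partition(":")
                if kind.lower() != "smtp":  # X500 and other address types are not mail aliases
                    continue
            value = value.strip().lower()
            if "@" in value and value not in found:
                found.append(value)
    return found


def simple_filter_matches(entry, ldap_filter):
    """Evaluate a single 'attr=pattern' LDAP filter with '*' wildcards, e.g. 'mail=*@*'.
    Only this simple form is supported (no &, |, ! or nesting)."""
    attr, _, pattern = ldap_filter.strip("()").partition("=")
    return any(fnmatchcase(v, pattern) for v in entry.get(attr, []))


def sync_decision(entry, local_domains, ldap_filter=None, add_login_alias=False):
    """Return (accepted, aliases): the object is synced to an IceWarp domain when at least
    one alias source carries an address in a local domain (and it passes the optional filter)."""
    if ldap_filter and not simple_filter_matches(entry, ldap_filter):
        return False, []
    domains = {d.lower() for d in local_domains}
    aliases = [a for a in alias_values(entry, add_login_alias) if a.rsplit("@", 1)[1] in domains]
    return bool(aliases), aliases


# Constructed sample objects (not real directory data)
ENTRY_NO_MAIL = {"sAMAccountName": ["jdoe"], "userPrincipalName": ["jdoe@corp.example.com"],
                 "proxyAddresses": ["SMTP:jdoe@example.com", "X500:/o=ex/ou=x"]}
ENTRY_WITH_MAIL = {"mail": ["asmith@example.com"], "otherMailbox": ["alice@example.com"]}

if __name__ == "__main__":
    for label, entry in (("no mail attr", ENTRY_NO_MAIL), ("with mail attr", ENTRY_WITH_MAIL)):
        print(label, "unfiltered:", sync_decision(entry, ["example.com"]))
        print(label, "mail=*@*  :", sync_decision(entry, ["example.com"], "mail=*@*"))
```

Without the filter the first object is accepted on the strength of its proxyAddresses alone; with mail=*@* it is rejected, which is the behaviour the paragraph above recommends.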
Limitations
Full functionality requires that operational attributes are included in the object's LDIF provided by the directory server. In particular, objectGUID or entryUUID (both are the defaults and can be customized) is necessary for proper identification of the object and enables further functionality, namely the ability to detect an object update made on the directory server. The default operational attributes used to read the modification time are whenChanged (AD) and modifyTimestamp (generic LDAP).
For customization and more information refer to the Synchronizing Users with LDAP/Active Directory chapter, articles How Entities Are Identified and How Account Update Is Detected.
When no unique identifier (other than the mail attribute) is provided, personal data is always synced (on each sync run), overriding local (IceWarp Server side) changes. When there is a way to identify the object but the attribute used to detect changes is missing, the local change is preserved, but each sync run processes even the groupware data (which is not recommended; see How Account Update Is Detected).
Note: To ensure this works properly, check that the objectGUID and whenChanged attributes exist in the LDIF export from AD, or entryUUID and modifyTimestamp for LDAP.
Note: To disable personal data synchronization, use the C_System_ADSyncDisableVCardSync API variable. If set to 0 (zero), synchronization occurs only on basic account properties. This action is recommended to solve groupware service performance issues when synchronizing against directory servers with no equivalent of whenChanged and/or objectGUID.
For information on synchronization of users' photos, refer to User Accounts > User > Photo.