A site might have hundreds of thousands of members, divided into smaller collections (communities) that can be administered separately. eRoom members and groups can be local to a community (created in eRoom), or brought into eRoom via connections to external-membership directories such as NT Domains (or particular NT groups within) or LDAP directories. A community can use a member list from one or many external membership directories to authenticate members when they log in to the site. When you use an external-membership directory, eRoom synchronizes the community member list with the member information in the external directory.
You manage connections to external-membership directories on the Directories page of Community Settings. Community administrators can add, edit, and delete external-membership directory connections if they have permission to create directory connections (initially set at the site level) in their communities. Without that permission, the controls for managing directory connections are only visible to the site administrator.
When you add a connection to an external directory, all existing local members in the community whose login names match the login names of directory members are converted to sync with the new directory. All local members whose login names don't match, or members who are connected to other external directories, remain unaffected.
For each directory connection that you add, eRoom creates a directory group and stores members from that connection in that group -- the connection and the group have the same name. This group appears in the Groups section of the community member list. The group can only be removed from the list when the connection to the directory is removed. Neither the group's member list nor its name can be edited except by editing the connection.
Notes:
Because directory connections have corresponding directory groups for storing their members, any new connections must have names that are unique not only among names of directory connections, but also among group names in the community. If the name you pick for the directory connection is the same as an existing local member group, you can either Rename connection or Take over group. If you take over the existing group, eRoom converts the group so that members from the directory replace the existing local members, and the group's name and members are non-editable in eRoom.
When a directory connection is deleted from a community, the administrator performing the deletion decides whether members from the deleted directory connection are deleted or become local members of the community.
Click "add a directory connection" to open the Add Directory Connection wizard.
On the Add Directory Connection page, give the connection a unique name, and pick the type of connection you want to add (Windows NT Domain or LDAP directory).
Note: Give your directory connections descriptive names (especially if you have multiple connections pointing to different groups within the same NT Domain) so that eRoom members can more accurately locate specific members using member search pages.
The next options in the wizard depend on the type of directory connection: Windows NT Domain or LDAP directory.
Open the Add Directory Connection wizard.
On the Add Directory Connection page, name the connection and pick Windows NT Domain.
On the Pick Directory page, pick the NT Domain you want for your directory connection.
On the Connection Options page, choose the format you want for user names, and pick which domain members to include:
All domain members
Just the members of these groups: (followed by a list of groups you can select from)
On the Email Address page, your initial settings depend on whether your site requires email addresses for login names. If it does, you must specify a suffix for members' email addresses (the default is the name of the connection, for example "eng.com").
In order for members to receive email from eRoom (such as alerts and change reports), you can either let the NT domain connection create an email address for every member that doesn't have one, or enter email addresses manually on Member Information pages.
Click "OK" to establish the connection.
eRoom synchronizes the NT Domain (or just the groups you picked) with the community member list. The name of the connection appears in the list of Directory Connections on the Directories page of Community Settings.
Open the Add Directory Connection wizard.
On the Add Directory Connection page, name the connection and pick LDAP directory.
On the Pick Directory page:
Type the URL of the LDAP directory (which might include a port number). You can specify multiple LDAP servers (one per line) that replicate the LDAP directory. Or, if connecting to Microsoft Active Directory, you can give the domain name of the active directory.
Type the User Name and Password for accessing the directory.
On the Connection Options page:
Pick the User Class and Group Class that represent people and groups (the initial values are eRoom's 'best guess').
Provide a Search Root that identifies in the directory structure the 'starting point' for searches in the member/group tree.
Optionally, provide a Search Filter that implicitly (or 'behind-the-scenes') narrows further any searches in this directory. For example, if you want people from Sales or Payroll departments, you might use this search filter: (|(ou=Sales)(ou=Payroll)). Refer to industry-standard LDAP specifications for details about search filter syntax and operators.
On the Test Query page, confirm the results of the test query by clicking "Next", or click "Previous" to adjust its parameters and try again.
On the Field Mapping page, correlate (map) each eRoom-specific field to a corresponding LDAP field (for example, "First name" to "givenName"). eRoom provides 'best-guess' initial values.
Once an eRoom field is mapped to an LDAP field, it cannot be modified in eRoom. You can, however, edit the connection to remap fields. For example, when migrating an Active Directory connection from eRoom 6 to eRoom 7, the administrator should edit the connection to map the eRoom property "Unique ID" to the LDAP attribute "objectGUID".
Picking "(not mapped)" for an LDAP field means you can only set that value in eRoom and it is not synchronized from the LDAP directory automatically, as explicitly mapped values are.
Note: If your community requires email addresses for login names, then the "Login name" drop-down list is replaced with this text: "email address is used as login".
On the Test Mappings page, confirm the member field mappings by clicking "OK", or click "Previous" to modify them.
Click "OK" to establish the LDAP directory connection.
eRoom synchronizes the LDAP directory with the community member list. The name of the connection appears in the list of Directory Connections on the Directories page of Community Settings.
Note: You can have several connections (with different names) to the same LDAP directory since an LDAP connection is identified by a combination of all of its properties. You might, for example, use different login credentials and provide different search filters that would produce different member lists from the same directory.
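The following Python is an added example (not eRoom's code) of what the Search Root, Search Filter and Field Mapping settings in the LDAP wizard above do. It evaluates an RFC 4515 style filter such as (|(ou=Sales)(ou=Payroll)) against constructed directory entries beneath a search root, restricted to the chosen User Class or Group Class, and then refreshes a member record from a mapped entry, leaving "(not mapped)" fields exactly as they were set in eRoom. The entries, attribute names and the mapping table are assumptions for illustration; the parser handles only AND, OR, NOT, equality, presence and simple '*' wildcard items, and attribute values are compared case-insensitively.

```python
from fnmatch import fnmatchcase

# Constructed sample entries standing in for the LDAP directory (not real data).
ENTRIES = [
    {"dn": "cn=asmith,ou=Sales,dc=example,dc=com", "objectClass": ["person"],
     "uid": "asmith", "givenName": "Alice", "sn": "Smith", "ou": "Sales",
     "mail": "asmith@example.com", "objectGUID": "guid-0001"},
    {"dn": "cn=bjones,ou=Payroll,dc=example,dc=com", "objectClass": ["person"],
     "uid": "bjones", "givenName": "Bob", "sn": "Jones", "ou": "Payroll",
     "objectGUID": "guid-0002"},                       # no mail attribute
    {"dn": "cn=cwu,ou=Engineering,dc=example,dc=com", "objectClass": ["person"],
     "uid": "cwu", "givenName": "Carol", "sn": "Wu", "ou": "Engineering",
     "mail": "cwu@example.com", "objectGUID": "guid-0003"},
    {"dn": "cn=sales-team,ou=Sales,dc=example,dc=com", "objectClass": ["groupOfNames"],
     "cn": "sales-team", "ou": "Sales", "objectGUID": "guid-0004"},
]


def parse_filter(text):
    """Parse an LDAP search filter (RFC 4515 subset: &, |, !, equality,
    presence and simple '*' substring items) into a nested tuple."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|":
            op, children, i = text[i], [], i + 1
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unterminated %s filter" % op)
            return (op, children), i + 1
        if text[i] == "!":
            node, i = parse(i + 1)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unterminated ! filter")
            return ("!", node), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = text[i:end].partition("=")
        if not sep or not attr or attr[-1] in "<>~":
            raise ValueError("unsupported filter item: %r" % text[i:end])
        return ("=", attr, value), end + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _values(entry, attr):
    """Attribute names are case-insensitive; values may be single- or multi-valued."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    vals = _values(entry, attr)
    if value == "*":                      # presence filter, e.g. (mail=*)
        return bool(vals)
    # Equality / wildcard match, case-insensitive (assumed matching rule).
    return any(fnmatchcase(v.lower(), value.lower()) for v in vals)


def search(entries, search_root, filter_text, object_class):
    """Entries at or below search_root, of object_class, that pass the filter."""
    node = parse_filter(filter_text)
    root = search_root.lower()
    return [e for e in entries
            if (e["dn"].lower() == root or e["dn"].lower().endswith("," + root))
            and object_class.lower() in [c.lower() for c in _values(e, "objectClass")]
            and matches(node, e)]


# Assumed eRoom-style field mapping for this example (field names follow the
# page's wording). A field mapped to "(not mapped)" is only ever set in eRoom.
FIELD_MAPPING = {
    "First name": "givenName", "Last name": "sn", "Login name": "uid",
    "Email": "mail", "Unique ID": "objectGUID", "Phone": "(not mapped)",
}


def apply_mapping(entry, member, mapping=FIELD_MAPPING):
    """Refresh a member record from a directory entry: mapped fields are
    overwritten, "(not mapped)" fields keep their eRoom-set values, and a mapped
    attribute absent from the entry leaves the field unchanged (assumption)."""
    updated = dict(member)
    for field, attr in mapping.items():
        if attr == "(not mapped)":
            continue
        vals = _values(entry, attr)
        if vals:
            updated[field] = vals[0]
    return updated
```

Running search(ENTRIES, "dc=example,dc=com", "(|(ou=Sales)(ou=Payroll))", "person") returns Alice and Bob but not Carol, which is the narrowing the Search Filter step describes; the same filter with the Group Class returns the sales-team group, and narrowing the search root to ou=Sales,dc=example,dc=com drops Bob.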
Go to the Directories page of Community Settings.
In the list of Directory Connections, click the edit icon next to the name of the connection you want to edit (or click its name).
The Edit Directory Connection wizard opens. You can click "Reconnect" (see Explicit reconnect sync, below), or go through the wizard and edit any of the properties (see Implicit member sync, below) for the connection's directory type.
Note: If you change the email suffix on the Email Address page of the Edit Directory Connection wizard for an NT Domain connection, saving the change updates email addresses for all members from that connection.
See also: Member list synchronization
Go to the Directories page of Community Settings.
In the list of Directory Connections, click the delete icon next to the name of the connection you want to delete.
Before you confirm the deletion, decide what to do with members from the directory. Either Delete them or Make them local.
If you pick the second option, all members from that directory become local community members. eRoom doesn't copy passwords from the external directory, so those individuals will need new passwords assigned before they can log in. Those members are flagged with an error icon in member lists until they have passwords.
Click "OK" to confirm the deletion and remove the connection.
Note: Although deleted members do not appear in member lists or search results, eRoom keeps a record of members deleted via a directory connection. This enables you to restore such members by creating a new connection to the associated directory.
Directory synchronization is the process of updating community members and groups in the site database with information from an external directory. If there are new, deleted, or modified users and/or groups within an external directory connected to a community, then the corresponding members and/or groups are added to, deleted from, or modified in the site database respectively.
When you first connect a community to an external directory, eRoom performs an initial member list synchronization in the background. This initial sync creates new eRoom members for members in the external directory, according to the connection's parameters (group name, search root, and so forth), as follows:
All existing local members or deleted members whose login names match those of directory members are converted to sync with the directory (that is, the matching local members are updated with relevant directory member information).
All existing local groups or deleted groups whose group names match those of directory groups are converted to sync with the directory (that is, the matching local groups are updated with relevant directory group information).
All members whose login names don't match, or who are connected to other external directories, remain unaffected.
Any non-matching login names or group names from the directory are added as new community members and groups and initialized with the relevant directory member or group information. eRoom populates member groups with their membership lists.
eRoom does not automatically add to the community member list any members whose login names match those of existing members who are local or from a different external directory. Administrators must resolve such duplicate-name conflicts using the login-conflict-resolution procedure described below.
If the "require email addresses to be used as login names" setting is on, all new local and external members after the sync will be required to use their email addresses to log in to the site.
Subsequent directory sync operations
After you first connect a community to an external directory, any subsequent member-directory sync is one of these types:
incremental (result of Scheduler's nightly sync, clicking "now" on Scheduler page, or clicking the sync icon next to the name of a connection)
explicit reconnect (result of clicking "Reconnect" on first page of edit connection wizard)
implicit reconnect (result of editing a directory connection and changing particular properties)
Following a sync, eRoom records the date and time in the "Last Sync" column for each directory connection listed on the Directories page of Community Settings.
If duplicate-name conflicts occur, and if there are fewer than 1000 of them, eRoom provides a "Conflicts" link next to the date and time in the "last sync" column for each directory that encountered such conflicts. (If there are more than 1000 duplicate-name conflicts, check your directory configuration.)
An incremental sync results from:
a scheduled nightly sync that runs according to the "Nightly tasks" settings specified on the Scheduler page in Site Settings
clicking "now" under "Synchronize member directories" for a server listed in the "Nightly tasks" section of the Scheduler page in Site Settings
clicking "synchronize all connections" under the list of directory connections on the Directories page in Community Settings
clicking the "(sync)" icon for an individual directory connection on the Directories page in Community Settings
An incremental sync:
matches existing connection members by the "UniqueID" (UID) field mapping
matches community members deleted from same directory by UID
does not match existing local members with directory members in order to authenticate them. Instead, any new members in the directory are created and added to the community member list, and duplicate login names are flagged as conflicts.
When you open the Edit Directory Connection wizard and click "Reconnect" on the first page of the edit wizard, eRoom tries to match existing members before creating new ones, as follows:
matches existing connection members by UID
matches local members by name
matches community members deleted from same directory by UID
Note: Use "Reconnect", for example, if you want to reconnect any local or deleted members to the directory without generating login name conflicts or ignoring the deleted members.
When you edit a directory connection and click "OK" after changing any of the following connection properties:
the domain of an NT Domain connection
the URL of an LDAP connection
the "UniqueID" (UID) field mapping for an LDAP connection
...eRoom tries to match existing members before creating new ones, as follows:
matches existing connection members by name
matches community members deleted from same directory by name
Here are two examples of when the "implicit reconnect" sync is most useful:
When migrating an Active Directory LDAP connection from eRoom 6 to eRoom 7. In this case, the administrator should edit the connection to map the eRoom property "Unique ID" to the LDAP attribute "objectGUID". When you click "OK", the subsequent sync updates this property for all users and groups while keeping group member relationships intact.
When migrating an LDAP directory from one server to another, possibly from one vendor to another (for example, from Active Directory to Sun ONE). Since different vendors use different attributes, the current UID mapping for the connection is likely to be invalid. Therefore, eRoom must rely on login or group name for matching members.
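As an added example (not eRoom's code), the Python below models the matching rules described above for the initial sync and for the three subsequent sync types: an incremental sync matches existing connection members and same-directory deleted members by UID only, so a local member with the same login name becomes a duplicate-name conflict; an explicit reconnect also matches local members by name; an implicit reconnect matches by name because the UIDs can no longer be trusted. Member records, the directory contents and the connection name "corp-ldap" are constructed for the illustration, and two details are assumptions: a login name is considered "in use" only by active (not deleted) members, and connection members missing from the directory are marked deleted rather than purged.

```python
from copy import deepcopy
from dataclasses import dataclass
from typing import Optional


@dataclass
class Member:
    login: str
    uid: Optional[str] = None      # directory unique ID; None for local members
    source: Optional[str] = None   # directory connection name; None for local members
    deleted: bool = False
    display: str = ""


# For each sync type, the ordered list of (candidate pool, attribute compared)
# that a directory entry is matched against before a new member is created.
STRATEGIES = {
    "initial":            [("local", "login"), ("deleted", "login")],
    "incremental":        [("connection", "uid"), ("deleted_same", "uid")],
    "explicit_reconnect": [("connection", "uid"), ("local", "login"),
                           ("deleted_same", "uid")],
    "implicit_reconnect": [("connection", "login"), ("deleted_same", "login")],
}


def _in_pool(m, pool, connection):
    return {
        "connection":   not m.deleted and m.source == connection,
        "local":        not m.deleted and m.source is None,
        "deleted_same": m.deleted and m.source == connection,
        "deleted":      m.deleted,
    }[pool]


def sync(members, directory, connection, mode):
    """Reconcile the community member list with directory entries (dicts with
    'uid', 'login', 'display'). Returns (updated members, report)."""
    members = deepcopy(members)
    report = {"matched": [], "created": [], "conflicts": [], "removed": []}
    matched = set()
    for entry in directory:
        target = None
        for pool, key in STRATEGIES[mode]:
            target = next((m for m in members if id(m) not in matched
                           and _in_pool(m, pool, connection)
                           and getattr(m, key) == entry[key]), None)
            if target:
                break
        if target:
            # Matched member is converted/restored to sync with this directory.
            target.uid, target.source, target.deleted = entry["uid"], connection, False
            target.display = entry["display"]
            matched.add(id(target))
            report["matched"].append(target.login)
            continue
        # No match: create a new member unless the login name is already used by
        # an active member (local or from another connection), which is flagged
        # as a duplicate-name conflict for the administrator to resolve.
        if any(not m.deleted and m.login == entry["login"] for m in members):
            report["conflicts"].append(entry["login"])
        else:
            new = Member(entry["login"], entry["uid"], connection, False, entry["display"])
            members.append(new)
            matched.add(id(new))
            report["created"].append(new.login)
    # Connection members no longer returned by the directory are marked deleted
    # (assumption: a record is kept so a later connection can restore them).
    for m in members:
        if not m.deleted and m.source == connection and id(m) not in matched:
            m.deleted = True
            report["removed"].append(m.login)
    return members, report


# Constructed sample state (not real data): community members and what the
# directory behind connection "corp-ldap" returns on the next sync.
MEMBERS = [
    Member("alice"),                                   # local member
    Member("bob", "g2", "corp-ldap", display="Bob"),
    Member("carol", "n3", "hr-nt", display="Carol"),   # from another connection
    Member("dave", "g4", "corp-ldap", deleted=True),   # deleted via this connection
    Member("frank", "g6", "corp-ldap", display="Frank"),
]
DIRECTORY = [
    {"uid": "g1", "login": "alice", "display": "Alice A."},
    {"uid": "g2", "login": "bob",   "display": "Bob B."},
    {"uid": "g3", "login": "carol", "display": "Carol C."},
    {"uid": "g4", "login": "dave",  "display": "Dave D."},
    {"uid": "g5", "login": "erin",  "display": "Erin E."},
]
# Same directory after its UID mapping changed, so old UIDs no longer match.
DIRECTORY_REKEYED = [
    {"uid": "new-2", "login": "bob",  "display": "Bob B."},
    {"uid": "new-4", "login": "dave", "display": "Dave D."},
    {"uid": "new-5", "login": "erin", "display": "Erin E."},
]
# Community state before any connection to corp-ldap existed (initial sync).
MEMBERS_BEFORE_CONNECT = [Member("alice"), Member("carol", "n3", "hr-nt"),
                          Member("dave", deleted=True)]

if __name__ == "__main__":
    for mode, dir_ in [("incremental", DIRECTORY), ("explicit_reconnect", DIRECTORY),
                       ("implicit_reconnect", DIRECTORY_REKEYED)]:
        print(mode, sync(MEMBERS, dir_, "corp-ldap", mode)[1])
    print("initial", sync(MEMBERS_BEFORE_CONNECT, DIRECTORY, "corp-ldap", "initial")[1])
```

Running the incremental case shows why the page recommends "Reconnect" for attaching existing local members: alice is reported as a conflict because only UIDs are compared, whereas the explicit reconnect converts her to a corp-ldap member and leaves carol, who belongs to the hr-nt connection, as the only conflict. The implicit reconnect against the re-keyed directory re-attaches bob and restores dave by name and records their new UIDs.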
On the Directories page of Community Settings, click the "Conflicts" link in the table row corresponding to a directory that did not sync successfully.
The Login Name Conflicts page opens and lists all the login names in the directory that are duplicated in the community member list.
Pick Add in the row corresponding to each member for whom you want to create a new member account.
A second page opens that asks you to pick a new login name for the first member you selected on the preceding page. The external directory's login name for the member appears in the "Site login name" box.
If you only picked a single login name to add, type a unique login name and click "OK".
If you picked multiple login names, you can either Skip it (causing the conflict to remain), or type a unique login name, and click "OK" to go to the next name.
Do this until you resolve all the duplicate-name conflicts. eRoom creates new members for each new login name you specified.
To cancel the login-conflict-resolution task before you add or skip each member, click "Done"; the "Conflicts" link remains. If you add or skip each member, any duplicate names you skipped remain flagged as conflicts until you resolve them. In this case, the "Conflicts" link reappears the next time the directory syncs (either nightly or when you click the sync icon).
If a sync operation does not complete due to errors, an "Errors" link appears in the Directories table in the row for the connection that did not complete (also, the date and time for "Last Sync" does not update in this case). Click the link to open the Directory Sync Errors page for more information.