FortiAuthenticator
kgurbuz
Staff
Article Id 372107
Description

This article explains how to manage user synchronization in FortiAuthenticator using LDAP filters. It provides guidance on filtering so that only active Active Directory accounts are included.

Scope

FortiAuthenticator.

Solution

A Remote User Sync Rule includes an option labeled 'Do not delete synced users when they are no longer found on the remote server'. When this option is not selected, and the LDAP filter is designed to include only active Active Directory (AD) accounts (i.e., those that are not disabled), FortiAuthenticator will only import active users.

As a result, users disabled in Active Directory will be removed from FortiAuthenticator during the next run of the remote sync rule.

To facilitate the import of only active user accounts, the following LDAP filter may be used:

`(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf=CN=XYZ...)))`

For example, the following filter can be employed:

`(&(objectClass=person)(&(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(|(memberOf=CN=RS,OU=rsync,DC=fortiad,DC=net)))`

On the other hand, if the option 'Do not delete synced users when they are no longer found on the remote server' is enabled, users who are disabled in AD will still be present in FortiAuthenticator after the next remote sync. In this case, any disabled users will need to be removed manually from FortiAuthenticator.

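As an added illustration that is not part of this article or of FortiAuthenticator's own code, the following Python evaluates the example filter above against constructed AD entries, implementing the bitwise matching rule 1.2.840.113556.1.4.803 on userAccountControl, and shows how the two states of the 'Do not delete synced users' option change the set of users remaining after a sync run. The sample entries, user names and the parse/match/remote_sync function names are assumptions made for the example.

```python
BIT_AND_RULE = "1.2.840.113556.1.4.803"          # LDAP_MATCHING_RULE_BIT_AND
def parse(s, i=0):
    """Parse the RFC 4515 subset used here (&, |, !, equality, attr:OID:=value).
    Returns (node, index just past the node)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1                       # step over the closing ')'
    if s[i] == "!":
        node, i = parse(s, i + 1)
        return ("!", node), i + 1
    end = s.index(")", i)                              # DN values here contain no ')'
    attr, value = s[i:end].split("=", 1)               # first '=' separates attr and value
    rule = None
    if attr.endswith(":"):                             # extensible form attr:OID:=value
        attr, rule = attr[:-1].split(":", 1)
    return ("=", attr, rule, value), end + 1

def match(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of strings)."""
    if node[0] == "&": return all(match(k, entry) for k in node[1])
    if node[0] == "|": return any(match(k, entry) for k in node[1])
    if node[0] == "!": return not match(node[1], entry)
    _, attr, rule, value = node
    vals = entry.get(attr, [])
    if rule == BIT_AND_RULE:                           # true when every bit of value is set
        return any(int(v) & int(value) == int(value) for v in vals)
    return any(v.lower() == value.lower() for v in vals)

# Constructed sample entries (not real data): 512 = normal account, 514 = 512 + ACCOUNTDISABLE (bit 2)
AD_ENTRIES = {
    "alice": {"objectClass": ["person"], "userAccountControl": ["512"],
              "memberOf": ["CN=RS,OU=rsync,DC=fortiad,DC=net"]},
    "bob":   {"objectClass": ["person"], "userAccountControl": ["514"],
              "memberOf": ["CN=RS,OU=rsync,DC=fortiad,DC=net"]},
    "carol": {"objectClass": ["person"], "userAccountControl": ["512"],
              "memberOf": ["CN=Other,OU=rsync,DC=fortiad,DC=net"]},
}
FILTER = ("(&(objectClass=person)(&(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
          "(|(memberOf=CN=RS,OU=rsync,DC=fortiad,DC=net)))")
def remote_sync(local_users, entries, ldap_filter, keep_missing):
    """One sync run; keep_missing mirrors the 'Do not delete synced users' option."""
    tree = parse(ldap_filter)[0]
    found = {name for name, e in entries.items() if match(tree, e)}
    return local_users | found if keep_missing else found
```

With the option cleared, the disabled user bob is dropped from the local set after the run; with it enabled, bob stays and has to be removed by hand, which is the behaviour described above.
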
Related article:

Technical Tip: LDAP filter syntax