A site might have hundreds of thousands of members, divided into smaller collections (communities) that can be administered separately. eRoom members and groups can be local to a community (created in eRoom), or brought into eRoom via connections to external-membership directories such as NT Domains (or particular NT groups within them) or LDAP directories. A community can use a member list from one or many external membership directories to authenticate members when they log in to the site. When you use an external-membership directory, eRoom synchronizes the community member list with the member information in the external directory.
You manage connections to external-membership directories on the Directories page of Community Settings. Community administrators can add, edit, and delete external-membership directory connections if they have permission to create directory connections (initially set at the site level) in their communities. Without that permission, the controls for managing directory connections are only visible to the site administrator.
When you add a connection to an external directory, all existing local members in the community whose login names match the login names of directory members are converted to sync with the new directory. All local members whose login names don't match, or members who are connected to other external directories, remain unaffected.
For each directory connection that you add, eRoom creates a directory group and stores members from that connection in that group -- the connection and the group have the same name. This group appears in the Groups section of the community member list. The group can only be removed from the list when the connection to the directory is removed. Neither the group's member list nor its name can be edited except by editing the connection.
Notes:
Because directory connections have corresponding directory groups for storing their members, any new connections must have names that are unique not only among names of directory connections, but also among group names in the community. If the name you pick for the directory connection is the same as an existing local member group, you can either Rename connection or Take over group. If you take over the existing group, eRoom converts the group so that members from the directory replace the existing local members, and the group's name and members are non-editable in eRoom.
When a directory connection is deleted from a community, the administrator performing the deletion decides whether members from the deleted directory connection are deleted or become local members of the community.
Adding a directory connection
Click "add a directory connection" to open the Add Directory Connection wizard.
On the Add Directory Connection page, give the connection a unique name, and pick the type of connection you want to add (Windows NT Domain or LDAP directory).
Note: Give your directory connections descriptive names (especially if you have multiple connections pointing to different groups within the same NT Domain) so that eRoom members can more accurately locate specific members using member search pages.
The next options in the wizard depend on the type of directory connection: Windows NT Domain or LDAP directory.
Adding a Windows NT Domain connection
Open the Add Directory Connection wizard.
On the Add Directory Connection page, name the connection and pick Windows NT Domain.
On the Pick Directory page, pick the NT Domain you want for your directory connection.
On the Connection Options page, choose the format you want for user names, and choose which members of the domain the connection includes:
All domain members
Just the members of these groups: (followed by a list of groups you can select from)
On the Email Address page, your initial settings depend on whether your site requires email addresses for login names. If it does, you must specify a suffix for members' email addresses (the default is the name of the connection, for example "eng.com").
In order for members to receive email from eRoom (such as alerts and change reports), you can either let the NT domain connection create an email address for every member that does not have one, or enter email addresses manually on Member Information pages.
Click "OK" to establish the connection.
eRoom synchronizes the NT Domain (or just the groups you picked) with the community member list. The name of the connection appears in the list of Directory Connections on the Directories page of Community Settings.
Adding an LDAP directory connection
Open the Add Directory Connection wizard.
On the Add Directory Connection page, name the connection and pick LDAP directory.
On the Pick Directory page:
Type the URL of the LDAP directory (which might include a port number). You can specify multiple LDAP servers (one per line) that replicate the same LDAP directory. Or, if connecting to Microsoft Active Directory, you can give the Active Directory domain name instead of a URL.
Type the User Name and Password for accessing the directory.
Pick the User Class and Group Class that represents people and groups (the initial values are eRoom's 'best guess').
Provide a Search Root that identifies in the directory structure the 'starting point' for searches in the member/group tree.
Optionally, provide a Search Filter that implicitly (or 'behind-the-scenes') narrows further any searches in this directory. For example, if you want people from Sales or Payroll departments, you might use this search filter: (|(ou=Sales)(ou=Payroll)). Refer to industry-standard LDAP specifications for details about search filter syntax and operators.
Optionally, select the Enable fast incremental synchronization check box so that nightly syncs only sync the members who reside beneath the search root of the connection. Members who do not reside beneath the search root, but who would be visible indirectly via group membership, are always ignored when this option is enabled. This option shortens nightly syncs for larger connections that have many groups.
If the underlying directory server is Active Directory, you can select the secure bind check box to secure all communication between any eRoom server on this site and the directory server for this connection. If the Active Directory server accepts only secure bind requests, this option is on and read-only by default. With this option turned on, all user information transmitted between the eRoom server and the Active Directory server is encrypted and signed.
Note: This setting does not rely upon SSL or IPSEC, nor does it require any special configuration of the Active Directory server or the eRoom server. It is offered only for Active Directory connections. For other LDAP servers, keep in mind that a plain LDAP simple bind sends the User Name and Password entered on this page in clear text, so where the directory server provides an LDAP-over-TLS endpoint (ldaps://, conventionally port 636), use that address in the URL.
On the Test Query page, confirm the results of the test query by clicking "Next", or click "Previous" to adjust its parameters and try again.
On the Field Mapping page, correlate, or map, each eRoom property to the appropriate LDAP attribute. For example, the eRoom property "First name" maps to the LDAP attribute "givenName". For each eRoom property, pick a corresponding LDAP attribute from the drop-down list. eRoom provides 'best-guess' initial values.
Once an eRoom property is mapped to an LDAP attribute, its value cannot be modified in eRoom. You can, however, edit the connection to remap eRoom properties to LDAP attributes. For example, when migrating an Active Directory connection from eRoom 6 to eRoom 7, the administrator should edit the connection to map the eRoom property "Unique ID" to the LDAP attribute "objectGUID".
Unmapped fields: To specify an eRoom property for which you can only set a value in eRoom, pick "(not mapped)" for the LDAP attribute. Unlike explicitly mapped values, "(not mapped)" fields are not synchronized from the LDAP directory.
Custom fields: To specify an LDAP attribute that does not appear in a property-mapping drop-down list but which is known to be valid for the user class specified for the directory connection, pick "(custom)". When you do, a text box appears in which you can type the name of the LDAP attribute. If this attribute is not found in the LDAP directory (for whatever reason, perhaps it doesn't exist or is misspelled), or if the text box is empty, no error message notifies you that the attribute cannot be found; instead, no value for this attribute appears on the Test Mappings page in the next step, so check that page carefully. The "(custom)" selection and the manually entered attribute name remain on the Field Mapping page unless the attribute becomes explicitly visible in the LDAP schema on the directory server for the user class in question. If it does, then the next time you edit the Field Mapping page of the connection wizard, the attribute is included in the drop-down list instead of the "(custom)" choice, and no text box appears next to the drop-down list.
Note: If your community requires email addresses for login names, then the "Login name" drop-down list is replaced with this text: "email address is used as login".
Note: If instant messaging is enabled for your site, the Field Mapping page has controls for mapping IM information.
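As an added illustration (not eRoom code) of what the three kinds of mapping on the Field Mapping page do to a member record, the script below applies a mapping table to a constructed Active Directory style entry: ordinary attributes are copied, "(not mapped)" properties keep the value set in eRoom, a "(custom)" attribute that the entry lacks yields no value and no error (exactly the silent behaviour described above), and the 16-byte objectGUID used for "Unique ID" is rendered in its usual GUID form. The mapping entries, property names and sample values are this example's assumptions.

```python
"""Apply an eRoom-style property-to-LDAP-attribute mapping to one directory
entry. Sample mapping and entry are constructed for the example."""
import uuid

NOT_MAPPED = "(not mapped)"
CUSTOM = "(custom)"

# eRoom property -> (drop-down choice, attribute typed in the text box when the
# choice is "(custom)"). Hypothetical choices an administrator might make.
FIELD_MAPPING = {
    "Login name":    ("sAMAccountName", None),
    "First name":    ("givenName", None),
    "Last name":     ("sn", None),
    "Email address": ("mail", None),
    "Unique ID":     ("objectGUID", None),
    "Phone":         (NOT_MAPPED, None),          # value is maintained in eRoom only
    "Department":    (CUSTOM, "department"),      # custom attribute that exists
    "Badge number":  (CUSTOM, "emplyeeID"),       # misspelled on purpose: resolves to nothing
}

# Constructed entry as a directory would return it: attribute -> list of raw values.
SAMPLE_ENTRY = {
    "sAMAccountName": [b"alovelace"],
    "givenName": [b"Ada"],
    "sn": [b"Lovelace"],
    "mail": [b"ada@example.com"],
    "objectGUID": [uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le],
    "department": [b"Sales"],
    "employeeID": [b"E-0042"],
}

def decode_value(attr, raw):
    """Render a raw attribute value. objectGUID is a 16-byte little-endian GUID,
    which we show in the canonical string form; everything else is UTF-8 text."""
    if attr.lower() == "objectguid":
        return str(uuid.UUID(bytes_le=raw))
    return raw.decode("utf-8") if isinstance(raw, bytes) else raw

def apply_mapping(mapping, entry, local_values):
    """Return the member's properties after a sync.
    local_values holds what is already stored in eRoom, used for NOT_MAPPED properties."""
    lowered = {k.lower(): v for k, v in entry.items()}   # LDAP attribute names are case-insensitive
    result = {}
    for prop, (choice, custom_attr) in mapping.items():
        if choice == NOT_MAPPED:
            result[prop] = local_values.get(prop)
            continue
        attr = custom_attr if choice == CUSTOM else choice
        if not attr or attr.lower() not in lowered:
            result[prop] = None      # no error, just no value (as on the Test Mappings page)
            continue
        result[prop] = decode_value(attr, lowered[attr.lower()][0])
    return result

def unresolved_custom(mapping, entry):
    """The check eRoom does not do for you: properties mapped to a "(custom)"
    attribute that the entry does not carry (empty box or misspelled name)."""
    lowered = {k.lower() for k in entry}
    return [prop for prop, (choice, attr) in mapping.items()
            if choice == CUSTOM and (not attr or attr.lower() not in lowered)]

if __name__ == "__main__":
    props = apply_mapping(FIELD_MAPPING, SAMPLE_ENTRY, {"Phone": "+1 555 0100"})
    for prop, value in props.items():
        print("%-14s %s" % (prop, value))
    print("unresolved custom attributes:", unresolved_custom(FIELD_MAPPING, SAMPLE_ENTRY))
```

Run against a real export of one user (for example, the attribute list returned by the Test Query page) the `unresolved_custom` check tells you up front which custom mappings will come back empty, which is the information the wizard withholds.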
On the Test Mappings page, confirm the member field mappings by clicking "OK", or click "Previous" to modify them.
Click "OK" to establish the LDAP directory connection.
eRoom synchronizes the LDAP directory with the community member list. The name of the connection appears in the list of Directory Connections on the Directories page of Community Settings.
Note: You can have several connections (with different names) to the same LDAP directory since an LDAP connection is identified by a combination of all of its properties. You might, for example, use different login credentials and provide different search filters that would produce different member lists from the same directory.
Editing a directory connection
Go to the Directories page of Community Settings.
In the list of Directory Connections, click the edit icon next to the name of the connection you want to edit (or click its name).
The Edit Directory Connection wizard opens. You can click "Reconnect" (see Explicit reconnect sync, below), or go through the wizard and edit any of the properties (see Implicit member sync, below) for the connection's directory type.
Note: If you change the email suffix on the Email Address page of the Edit Directory Connection wizard for an NT Domain connection, saving the change updates email addresses for all members from that connection.
See also: Member list synchronization
Deleting a directory connection
Go to the Directories page of Community Settings.
In the list of Directory Connections, click the delete icon next to the name of the connection you want to delete.
Before you confirm the deletion, decide what to do with members from the directory: either Delete them or Make them local.
If you pick the second option, all members from that directory become local community members. eRoom does not copy passwords from the external directory, so those individuals need new passwords assigned before they can log in. Those members are flagged with an error icon in member lists until they have passwords.
Click "OK" to confirm the deletion and remove the connection.
Note: Although deleted members do not appear in member lists or search results, eRoom keeps a record of members deleted via a directory connection. This enables you to restore such members by creating a new connection to the associated directory.
Member list synchronization
Directory synchronization is the process of updating community members and groups in the site database with information from an external directory. If there are new, deleted, or modified users and/or groups within an external directory connected to a community, then the corresponding members and/or groups are added to, deleted from, or modified in the site database respectively.
When you first connect a community to an external directory, eRoom performs an initial member list synchronization in the background. This initial sync creates new eRoom members for members in the external directory, according to the connection's parameters (group name, search root, and so forth), as follows:
All existing local members or deleted members whose login names match those of directory members are converted to sync with the directory (that is, the matching local members are updated with relevant directory member information).
All existing local groups or deleted groups whose group names match those of directory groups are converted to sync with the directory (that is, the matching local groups are updated with relevant directory group information).
All members whose login names don't match, or who are connected to other external directories, remain unaffected.
Any non-matching login names or group names from the directory are added as new community members and groups and initialized with the relevant directory member or group information. eRoom populates member groups with their membership lists.
eRoom does not automatically add to the community member list any members whose login names match those of existing members who are local or from a different external directory. Administrators must resolve such duplicate-name conflicts using the login-conflict-resolution procedure described below.
If the "require email addresses to be used as login names" setting is on, all new local and external members created by the sync must use their email addresses to log in to the site.
Subsequent directory sync operations
After you first connect a community to an external directory, any subsequent member-directory sync is one of these types:
incremental (result of the Scheduler's nightly sync, clicking "now" on the Scheduler page, or clicking the "(sync)" icon next to the name of a connection)
explicit reconnect (result of clicking "Reconnect" on first page of edit connection wizard)
implicit reconnect (result of editing a directory connection and changing particular properties)
Following a sync, eRoom records the date and time in the "Last Sync" column for each directory connection listed on the Directories page of Community Settings.
If duplicate-name conflicts occur, and if there are fewer than 1000 of them, eRoom provides a "Conflicts" link next to the date and time in the "Last Sync" column for each directory that encountered such conflicts. (If there are 1000 or more duplicate-name conflicts, the connection is almost certainly mis-scoped; check its directory configuration, in particular the search root and search filter, rather than resolving the conflicts one by one.)
Incremental sync
An incremental sync results from the following:
a scheduled nightly sync that runs according to the "Nightly tasks" settings specified on the Scheduler page in Site Settings
clicking "now" under "Synchronize member directories" for a server listed in the "Nightly tasks" section of the Scheduler page in Site Settings
clicking "synchronize all connections" under the list of directory connections on the Directories page in Community Settings
clicking the "(sync)" icon for an individual directory connection on the Directories page in Community Settings
An incremental sync does the following:
matches existing connection members by the "UniqueID" (UID) field mapping
matches community members deleted from same directory by UID
does not match existing local members with directory members by login name. Instead, any new members in the directory are created and added to the community member list, and directory login names that duplicate an existing local member (or a member from another connection) are flagged as conflicts.
Explicit reconnect sync
When you open the Edit Directory Connection wizard and click "Reconnect" on the first page of the edit wizard, eRoom tries to match existing members before creating new ones, as follows:
matches existing connection members by UID
matches local members by name
matches community members deleted from same directory by UID
Note: Use "Reconnect", for example, if you want to reconnect any local or deleted members to the directory without generating login name conflicts or ignoring the deleted members.
Implicit member sync
When you edit a directory connection and click "OK" after changing any of the following connection properties:
the domain of an NT Domain connection
the URL of an LDAP connection
the "UniqueID" (UID) field mapping for an LDAP connection
...eRoom tries to match existing members before creating new ones, as follows:
matches existing connection members by name
matches community members deleted from same directory by name
Here are two examples of when the implicit reconnect sync is most useful:
When migrating an Active Directory LDAP connection from eRoom 6 to eRoom 7. In this case, the administrator should edit the connection to map the eRoom property "Unique ID" to the LDAP attribute "objectGUID". When you click "OK", the subsequent sync updates this property for all users and groups while keeping group member relationships intact.
When migrating an LDAP directory from one server to another, possibly from one vendor to another (for example, from Active Directory to Sun ONE). Since different vendors use different attributes, the current UID mapping for the connection is likely to be invalid. Therefore, eRoom must rely on login or group name for matching members.
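To make the difference between the three sync modes concrete, here is an added simulation (this is not eRoom's implementation; member records, connection names and UIDs are constructed for the example) that applies the matching order the page gives for incremental, explicit reconnect and implicit reconnect syncs to the same small community, including the migration case where every directory UID has changed.

```python
"""Simulate the matching order of eRoom's incremental, explicit reconnect and
implicit reconnect syncs over constructed member and directory data."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Member:
    login: str
    source: str                  # "local" or the name of the directory connection
    uid: Optional[str] = None    # value of the "UniqueID" field mapping; None for local members
    deleted: bool = False

@dataclass
class Entry:
    """One user as returned by the directory connection on this sync."""
    login: str
    uid: str

def matching_steps(mode, connection, e):
    """Ordered (label, predicate) pairs per sync mode, following the page's lists."""
    same = lambda m: m.source == connection and not m.deleted
    same_deleted = lambda m: m.source == connection and m.deleted
    by_uid = lambda m: m.uid == e.uid
    by_name = lambda m: m.login == e.login
    if mode == "incremental":           # nightly sync, "now", or the "(sync)" icon
        return [("uid", lambda m: same(m) and by_uid(m)),
                ("deleted-uid", lambda m: same_deleted(m) and by_uid(m))]
    if mode == "reconnect":             # "Reconnect" button in the edit wizard
        return [("uid", lambda m: same(m) and by_uid(m)),
                ("local-name", lambda m: m.source == "local" and not m.deleted and by_name(m)),
                ("deleted-uid", lambda m: same_deleted(m) and by_uid(m))]
    if mode == "implicit":              # domain, URL or UniqueID mapping was edited
        return [("name", lambda m: same(m) and by_name(m)),
                ("deleted-name", lambda m: same_deleted(m) and by_name(m))]
    raise ValueError("unknown sync mode: %s" % mode)

def sync(mode, connection, members, entries):
    """Mutates members in place; returns what happened to each directory entry."""
    result = {"matched": [], "created": [], "conflicts": []}
    for e in entries:
        for how, pred in matching_steps(mode, connection, e):
            m = next((m for m in members if pred(m)), None)
            if m is not None:
                # Re-attach the existing member: it now belongs to this connection,
                # carries the directory's current UID, and is no longer deleted.
                m.source, m.uid, m.deleted = connection, e.uid, False
                result["matched"].append((e.login, how))
                break
        else:
            if any(not m.deleted and m.login == e.login for m in members):
                result["conflicts"].append(e.login)   # ends up on the Login Name Conflicts page
            else:
                members.append(Member(e.login, connection, e.uid))
                result["created"].append(e.login)
    return result

def sample_members():
    """Fresh copy of the constructed community: one connected member, one local
    member who also exists in the directory, one deleted member, one from another connection."""
    return [Member("alovelace", "corp", uid="u1"),
            Member("ghopper", "local"),
            Member("aturing", "corp", uid="u3", deleted=True),
            Member("linus", "hr-ldap", uid="x9")]

SAMPLE_ENTRIES = [Entry("alovelace", "u1"), Entry("ghopper", "u2"),
                  Entry("aturing", "u3"), Entry("linus", "u4"), Entry("newbie", "u5")]
# The same people after the directory moved to a server whose UIDs all differ.
MIGRATED_ENTRIES = [Entry(e.login, "new-" + e.uid) for e in SAMPLE_ENTRIES]

if __name__ == "__main__":
    for mode, entries in [("incremental", SAMPLE_ENTRIES), ("reconnect", SAMPLE_ENTRIES),
                          ("incremental", MIGRATED_ENTRIES), ("implicit", MIGRATED_ENTRIES)]:
        print(mode, "->", sync(mode, "corp", sample_members(), entries))
```

The runs show why the page recommends "Reconnect" for local members (only that mode matches them by name) and an implicit reconnect after a migration: an incremental sync against the migrated directory matches nobody, flags every existing login as a conflict, and recreates the deleted member, whereas the implicit reconnect re-attaches the existing records by name and just rewrites their UIDs.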
Resolving login name conflicts
On the Directories page of Community Settings, click the "Conflicts" link in the table row corresponding to a directory connection that reported conflicts during its last sync.
The Login Name Conflicts page opens and lists all the login names in the directory that are duplicated in the community member list.
Pick Add in the row corresponding to each member for whom you want to create a new member account.
A second page opens that asks you to pick a new login name for the first member you selected on the preceding page. The external directory's login name for the member appears in the "Site login name" box.
If you only picked a single login name to add, type a unique login name and click "OK".
If you picked multiple login names, you can either Skip it (causing the conflict to remain), or type a unique login name, and click "OK" to go to the next name.
Do this until you resolve all the duplicate-name conflicts. eRoom creates new members for each new login name you specified.
To cancel the login-conflict-resolution task before you have added or skipped each member, click "Done"; the "Conflicts" link remains. If you add or skip each member, any duplicate names you skipped remain flagged as conflicts until you resolve them. In this case, the "Conflicts" link reappears the next time the directory syncs (either nightly or when you click the "(sync)" icon).
If a sync operation does not complete due to errors, an "Errors" link appears in the Directories table in the row for the connection that did not complete (also, the date and time for "Last Sync" does not update in this case). Click the link to open the Directory Sync Errors page for more information.