Exclusions are very important to the directory synchronization process. Exclusions are used to filter or limit the information you move between directories.
IMPORTANT NOTE: Any time you change parameters that may affect the scope of the Source, such as Exclusions, disable Sync and enable Discovery and Simulation only. Run the connection with the Log File level set to 3-Detailed and confirm the results are as desired before re-enabling Sync.
To add Exclude rules
- Open the desired connection, select the Custom tab and click the Exclude button.
- Add a single Exclude rule on each line.
- Click Save.
- Each line in the Exclude file is considered a rule, one rule per line. The beginning of the rule names the LDAP attribute to compare against (e.g. mail, dn, cn).
- A colon (:) should be used in most cases, as this is a basic string compare. An equal sign (=) may be used if you want to match an exact value. Wildcards (*) and question marks (?) are not accepted.
- The exclusion using a colon simply checks to see if the string is embedded ANYWHERE in the attribute.
- All exclusion rules are case insensitive (case does NOT matter).
Uses for Exclusions
| Rule | Effect |
|---|---|
| Attribute:Value to Exclude | Excludes the object if the value appears anywhere in the attribute data. |
| Attribute=Exact Value to Exclude | Excludes the object if the attribute data is exactly this value. |
| Mail:ExcludeThisDomain | Excludes the object if the domain appears in the primary mail value. |
| Description: Do Not Sync | Excludes the object if ‘Do Not Sync’ appears anywhere in the attribute value. You can do this with any available attribute. |
| Company=ABC Co. | Excludes the object if the company value matches exactly. |
| DN:ou=ContainerX | Excludes any object whose DN contains ou=ContainerX. |
| DN:cn=John Smith,ou=Users,dc=domain,dc=com | Excludes a single, specific object. |
Avoid looping when you are syncing bi-directionally:
When you are running a synchronization between two or more directories you will want to avoid returning entries back to their original Source. For example, if DirectoryA sends to DirectoryB, DirectoryB should not return the entries originating on DirectoryA. To do this you’ll want to exclude the Sync Container via an exclusion rule.
For Active Directory and other LDAP directories
The rule is in this format:
Fully qualified (FQDN) example:
Exclude specific OUs
You may wish to exclude other Source containers from your sync for another reason. In this case, the format is exactly the same as described above. We recommend using the FQDN. For example, your Source has a container, Local Admins, which you want to exclude from your Sync:
Exclude on null value
There are times you may want to exclude an object if a specific attribute is blank. Use this format:
IMPORTANT NOTE: The = character is required, as is the text ‘null’. This exclude is applied only in the Sync phase. Discovery will still pull objects with a null SN, but the Sync Exclude prevents those objects from being added to the Destination.
By default, all Excludes are applied quietly; they do not produce an error at Sync time. The objects to be excluded are identified and simply ignored, and the Sync will end with no errors reported. Generally, this is the desired functionality.
In some cases, you may want instances of Excludes to cause the Sync process to log an error condition, so you are alerted to the fact a Special Exclude has taken place.
IMPORTANT NOTE: If Simulation is enabled, it will log instances of these Special Excludes but will not abort the Sync phase.
To implement a Special Exclude, precede the exclude rule with an exclamation mark character, as shown:
When the Sync processes this Special Exclude, the Sync phase throws an error, alerting the UnitySync Admin that an instance of company=ABC was detected and excluded during the Sync. The rest of the Sync proceeds normally, assuming no other errors are reported.
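The rule semantics described above (a colon for a case-insensitive substring match, an equal sign for an exact match, no wildcards) and the Special Exclude prefix from the last section, worked through in a small Python evaluator you can run against an exported list of entries before enabling Sync. This is an added example, not UnitySync's own code. It assumes rules are read one per line from the Exclude file, that a null check is written as attr=null (the page states only that = and the text null are required), and that each directory entry is a plain attribute-to-value dictionary; the Exclude file and entries below are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, Optional[str]]  # attribute name -> value (absent key = not present)


@dataclass(frozen=True)
class Rule:
    attribute: str  # LDAP attribute compared against (normalised to lower case)
    value: str      # text to look for
    exact: bool     # True for '=', False for ':' (substring anywhere)
    special: bool   # True when the line started with '!'


def parse_rule(line: str) -> Rule:
    """Parse one Exclude-file line. Only the first ':' or '=' separates
    attribute from value, so DN values keep their own '=' characters."""
    text = line.strip()
    special = text.startswith("!")
    if special:
        text = text[1:].lstrip()
    positions = [i for i in (text.find(":"), text.find("=")) if i >= 0]
    if not positions:
        raise ValueError(f"no ':' or '=' separator in rule {line!r}")
    sep = min(positions)
    attribute, value = text[:sep].strip().lower(), text[sep + 1:].strip()
    if not attribute or not value:
        raise ValueError(f"rule needs an attribute and a value: {line!r}")
    if "*" in value or "?" in value:
        raise ValueError(f"wildcards are not accepted: {line!r}")
    return Rule(attribute, value, exact=(text[sep] == "="), special=special)


def rule_matches(rule: Rule, entry: Entry, phase: str) -> bool:
    """True when this rule excludes the entry in the given phase."""
    data = next((v for k, v in entry.items() if k.lower() == rule.attribute), None)
    # Assumption (the page does not show the rule itself): a null check is
    # written 'attr=null' and applies only in Sync, so Discovery still lists it.
    if rule.exact and rule.value.lower() == "null":
        return phase == "sync" and not data
    if data is None:
        return False
    if rule.exact:
        return data.lower() == rule.value.lower()
    return rule.value.lower() in data.lower()  # case-insensitive substring


def apply_excludes(rules: List[Rule], entries: List[Entry],
                   phase: str = "sync") -> Tuple[List[str], List[str], List[str]]:
    """Return (kept DNs, excluded DNs, error lines). Ordinary excludes are
    silent; a matching Special Exclude additionally records an error line."""
    kept, excluded, errors = [], [], []
    for entry in entries:
        hits = [r for r in rules if rule_matches(r, entry, phase)]
        if not hits:
            kept.append(entry["dn"])
            continue
        excluded.append(entry["dn"])
        for r in hits:
            if r.special:
                errors.append(f"Special Exclude {r.attribute}={r.value} hit {entry['dn']}")
    return kept, excluded, errors


# Constructed Exclude file: rules from the page's table, a null check and
# one Special Exclude.
EXCLUDE_FILE = """
DN:ou=ContainerX
Description: Do Not Sync
Company=ABC Co.
sn=null
!company=ABC
"""

# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES: List[Entry] = [
    {"dn": "CN=Jane Doe,OU=Users,DC=example,DC=com", "sn": "Doe", "company": "ABC Co."},
    {"dn": "CN=Sync User,OU=ContainerX,DC=example,DC=com", "sn": "User", "company": "Other"},
    {"dn": "CN=Svc Acct,OU=Users,DC=example,DC=com", "sn": "", "company": "Other"},
    {"dn": "CN=Tmp Acct,OU=Users,DC=example,DC=com", "sn": "Tmp", "company": "Other",
     "description": "created for testing, DO NOT SYNC"},
    {"dn": "CN=Bob Roe,OU=Users,DC=example,DC=com", "sn": "Roe", "company": "ABC"},
    {"dn": "CN=Alice Poe,OU=Users,DC=example,DC=com", "sn": "Poe", "company": "ABC Company"},
]


def run_sample(phase: str = "sync") -> Tuple[List[str], List[str], List[str]]:
    """Evaluate the constructed Exclude file against the sample entries."""
    rules = [parse_rule(line) for line in EXCLUDE_FILE.splitlines() if line.strip()]
    return apply_excludes(rules, SAMPLE_ENTRIES, phase)


if __name__ == "__main__":
    for phase in ("discovery", "sync"):
        kept, excluded, errors = run_sample(phase)
        print(f"{phase}: kept={kept} excluded={len(excluded)} errors={errors}")
```

Running it shows the behaviours the page describes: Alice Poe survives both phases because "ABC Company" is neither exactly "ABC Co." nor exactly "ABC", the blank-surname service account is listed by Discovery but dropped by Sync, and Bob Roe is excluded with an error line because the matching rule carried the "!" prefix, while every other exclusion is silent.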