LDAP Preferences

FileWave supports connecting an LDAP directory, such as Active Directory, Open Directory, or eDirectory, to your FileWave Server. FileWave can use that directory information in Smart Groups and parameterized profiles. LDAP can also be used for enrollment authentication, which lets you track which LDAP user enrolled a device.

Creating an LDAP server entry in Preferences

Use the [+] button to create an LDAP server entry, then enter the connection details:

For LDAPS or STARTSSL, use a trusted LDAP certificate whenever possible.

How these settings work together for removal

These settings are separate controls, but removing missing LDAP-backed items depends on all three:

  1. Refresh Interval controls cadence only. Changing it makes LDAP extractions eligible to run more or less often, but it does not by itself approve removals.
  2. Change Limit decides whether an extraction with missing/orphaned entries is accepted. If the missing entries exceed the configured percentage, the sync is rejected and those results are not committed.
  3. Remove Missing items after decides how many accepted syncs an item must be missing from before FileWave removes it. If the value is 0, removal can happen on the first accepted sync where the item is missing.

For example, if a missing OU represents 25% of the LDAP directory, FileWave will not accept those removals when Change Limit (%) is set from 1% through 25%. If Change Limit (%) is set to 26%, FileWave can accept that extraction; the actual removal still follows the Remove Missing items after threshold.

Watch the Change Limit value: A very low setting, such as 1%, can cause otherwise valid LDAP changes to be treated as invalid whenever more than that percentage of entries changes or disappears. In that case, shortening the refresh interval will only make FileWave retry more often; it will not make the rejected changes commit.

Remove Missing items after timing: For safety, set this to a value equivalent to roughly 24 hours.

(Refresh Interval in seconds / 60 / 60) * x = 24 hours, where x is the Remove Missing items after value

For a refresh interval of 1800 seconds, or 30 minutes, set this value to 48.
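The interaction of the three settings described above, as a small Python model. This is an added example, not FileWave code: the class and function names are hypothetical, and the acceptance test follows the 25%/26% example above. Assumptions: a rejected sync leaves the miss counters untouched, an entry that reappears starts counting again from zero, and a value of 0 or 1 both remove on the first accepted miss.

```python
import math

def remove_after_for_window(refresh_interval_s, window_hours=24):
    # Page formula: (Refresh Interval / 60 / 60) * x = 24 hours, solved for x.
    return math.ceil(window_hours * 3600 / refresh_interval_s)

class LdapSyncModel:
    """Toy model of Change Limit and Remove Missing items after."""

    def __init__(self, entries, change_limit_pct, remove_after):
        self.known = set(entries)
        self.change_limit_pct = change_limit_pct
        self.remove_after = remove_after
        self.misses = {}  # entry -> accepted syncs it has been missing from

    def sync(self, extracted):
        extracted = set(extracted)
        missing = self.known - extracted
        pct = 100.0 * len(missing) / len(self.known) if self.known else 0.0
        # Gate follows the page's example: 25% missing is rejected at a
        # limit of 25 and accepted at 26. A rejected sync commits nothing.
        if missing and pct >= self.change_limit_pct:
            return {"accepted": False, "missing_pct": pct, "removed": set()}
        # Assumption: an entry that reappears starts counting from zero again.
        self.misses = {e: self.misses.get(e, 0) + 1 for e in missing}
        # Assumption: 0 and 1 both remove on the first accepted miss.
        removed = {e for e, n in self.misses.items()
                   if n >= max(1, self.remove_after)}
        self.known = (self.known | extracted) - removed
        for e in removed:
            del self.misses[e]
        return {"accepted": True, "missing_pct": pct, "removed": removed}

def constructed_directory():
    # Constructed sample: 4 OUs of 25 users each; "after" has lost OU "d".
    full = {f"uid=user{i},ou={ou},dc=example,dc=test"
            for ou in "abcd" for i in range(25)}
    after = {e for e in full if ",ou=d," not in e}
    return full, after

if __name__ == "__main__":
    full, after = constructed_directory()
    for limit in (1, 25, 26):
        model = LdapSyncModel(full, limit, remove_after_for_window(1800))
        # Three consecutive refreshes with the same OU still missing.
        print(limit, [model.sync(after)["accepted"] for _ in range(3)])
```

At limits of 1 and 25 every refresh is rejected no matter how often it runs; at 26 the syncs are accepted and the missing OU is removed only once the miss count reaches the threshold.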

Enable Automatic Group updates for this LDAP creates visible Smart Groups in the Clients pane under an LDAP designator. FileWave updates these Smart Groups at the configured refresh interval.
The LDAP information shown in the Clients pane is a one-way view of the directory server. Changes made on the LDAP server are reflected in FileWave, but changes made in FileWave Central do not change the LDAP directory.

Automatic Group updates can put heavy load on the LDAP server in environments with more than a few hundred records. Enable it deliberately and watch LDAP server performance after the first sync.


The Test Connection button checks whether the server is online, but it does not verify every LDAP setting. Use an LDAP browser tool to verify the directory path and bind account before relying on the configuration.
You can create entries for multiple LDAP servers. An LDAP server can also run on the same device or VM as the FileWave Server.

An LDAP server can be chosen as the Authentication server. In that case, FileWave uses that directory for profiles that support parameterized settings. Selecting use it for extraction adds the directory information to the FileWave database. You can view LDAP settings in Assistants > LDAP Browser in FileWave Central.

The Synchronize Now option at the bottom-right of the LDAP server pane lets you synchronize all LDAP servers, one LDAP server, or only LDAP Custom Fields.

Revision #6
Created 2023-07-12 01:49:21 UTC by Josh Levitsky
Updated 2026-06-02 21:07:50 UTC by Josh Levitsky