Migrating LDAP to SCIM (Part 3)

Change Freeze

Agree a change freeze with the relevant team: no changes are made to groups and users already synced to the CMA until the migration is complete. Check and confirm the number of users deleted and the number of users remaining after the Domain Users AD group was removed. If you removed users directly from LDAP, confirm the actual remaining user count as well.

Migration

Note: The speed of the migration depends on the IdP performance at the time of migration.

  1. From the group lists, record the number of users in each group. This is the baseline you compare against after the migration.

  2. Disable LDAP sync in the CMA.

    Note: This step is optional if you want to keep using LDAP for other users or groups.

    If you continue to use LDAP for syncing users to Cato, make sure that you don't sync the same user or group that is already synced with SCIM.

  3. Start migrating the groups that currently have SDP licenses assigned, in batches of five groups, from LDAP to SCIM.

  4. Continue migrating the remaining groups gradually from LDAP to SCIM.

  5. Check each group against the baseline recorded in step 1 to ensure the number of migrated users matches.

  6. Check each group in the firewall rules (Internet / WAN), Network Rules, Client Connectivity Policy, and Always On policy to confirm the rules still reference the migrated group.

  7. Monitor SCIM sync logs for errors in the IdP and the CMA events.
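The checks in steps 1, 5 and the note under step 2 are easy to get wrong by hand once there are dozens of groups. The script below is an added example, not Cato code and not part of the original article: it assumes you exported group memberships as a CSV with the columns source, group and user (source is "ldap" for the step 1 extract, "scim" for the groups after the SCIM sync, and "ldap-remaining" for any groups you intend to keep on LDAP), and that user identifiers compare case-insensitively. The sample export embedded in it is constructed for illustration.

```python
"""Verify an LDAP-to-SCIM group migration from exported membership lists.

Added example (not Cato's code). Assumed export format: CSV with columns
source,group,user where source is one of:
  ldap            - the per-group baseline recorded before migration (step 1)
  scim            - the per-group membership after the SCIM sync (step 5)
  ldap-remaining  - groups that stay on LDAP sync (note under step 2)
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. SDP-Eng loses one user in SCIM, and the
# Contractors group is synced by both LDAP and SCIM, which is not allowed.
SAMPLE_EXPORT = """source,group,user
ldap,SDP-Finance,alice@example.com
ldap,SDP-Finance,bob@example.com
ldap,SDP-Finance,carol@example.com
ldap,SDP-Eng,dave@example.com
ldap,SDP-Eng,erin@example.com
ldap,Contractors,frank@example.com
scim,SDP-Finance,Alice@example.com
scim,SDP-Finance,bob@example.com
scim,SDP-Finance,carol@example.com
scim,SDP-Eng,dave@example.com
scim,Contractors,frank@example.com
ldap-remaining,Contractors,frank@example.com
"""


def load_memberships(text):
    """Return {source: {group: set(user)}} from the CSV export text.

    Identifiers are lower-cased so a casing difference between the LDAP
    extract and the IdP does not masquerade as a missing user (assumption).
    """
    memberships = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        source = row["source"].strip().lower()
        group = row["group"].strip()
        memberships[source][group].add(row["user"].strip().lower())
    return memberships


def compare_groups(before, after):
    """Compare per-group membership; return {group: counts and differences}."""
    report = {}
    for group in sorted(set(before) | set(after)):
        b = before.get(group, set())
        a = after.get(group, set())
        report[group] = {
            "before": len(b),
            "after": len(a),
            "missing": sorted(b - a),  # in the LDAP baseline, absent after SCIM
            "extra": sorted(a - b),    # present after SCIM, not in the baseline
        }
    return report


def mismatched(report):
    """Groups whose membership changed during the migration."""
    return [g for g, r in sorted(report.items()) if r["missing"] or r["extra"]]


def overlapping(ldap_remaining, scim):
    """Groups and users synced by both LDAP and SCIM; must be empty."""
    ldap_users = set().union(*ldap_remaining.values())
    scim_users = set().union(*scim.values())
    return {
        "groups": sorted(set(ldap_remaining) & set(scim)),
        "users": sorted(ldap_users & scim_users),
    }


def migration_ok(report, overlap):
    """True only when every group matches and nothing is double-synced."""
    return not mismatched(report) and not overlap["groups"] and not overlap["users"]


if __name__ == "__main__":
    m = load_memberships(SAMPLE_EXPORT)
    report = compare_groups(m["ldap"], m["scim"])
    overlap = overlapping(m["ldap-remaining"], m["scim"])
    for group, r in report.items():
        print(f"{group}: {r['before']} -> {r['after']} "
              f"missing={r['missing']} extra={r['extra']}")
    print("double-synced:", overlap)
    print("migration ok:", migration_ok(report, overlap))
```

Run it against your real exports and do not proceed with the next batch of groups until migration_ok is true; the "missing" list tells you exactly which users to look for in the IdP's SCIM sync logs and the CMA events.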

Rollback Plan

If you need to roll back your migration to SCIM and restore LDAP user provisioning, please contact Cato Support.

Appendix

Deleting LDAP Domain Users and Groups

If you need to remove a large number of domain users and user groups, follow these steps:

  1. Clear the options that limit the removal or disabling of users and group membership updates.

  2. Remove the Domain Users group.

  3. The nightly LDAP sync then updates and deletes users and groups as necessary. With a high number of users, it isn't necessary to use the Sync Now button; let the scheduled sync handle it.

  4. In case of an issue or failure, please contact Support.
