We have approximately 60,000 users who we want to migrate to SSPR. All
users (who will be part of the password policy) are in a single OU (the
eDirectory acts as an LDAP for our NAM protected B2B portal) which is
also a partition.
While it seems to make sense to have the search base set to the user OU,
we want to roll out gradually over 6-8 weeks and the plan would be to
make SSPR available via country or countries. Would it be best to set up
the LDAP profile to be an OR LDAP search, adding each country group as we
Password Policy Profile Match
LDAP Profile default
LDAP group DN cn=country1,ou=groups,o=company

LDAP Profile default
LDAP GROUP DN cn=country2,ou=groups,o=company

etc. etc.

Or would we be better to create a new boolean attribute, e.g.
activateSSPR, and add the attribute to users as they are migrated?
Password Policy Profile Match
LDAP Profile default
LDAP Search Filter (activateSSPR=True)
LDAP Base DN ou=users,o=company


