By default, Asset Bank's authentication plugins and LDAP integration expect the details of a user who is attempting to log in to be in its database already.
For LDAP, this is achieved by running a task periodically (as determined by the setting exchange-synchronise-period-millis) to search for users in the LDAP server (according to the settings ad-ldap-base-list and ad-user-search-criteria) and then to add each one that the LDAP search returns to Asset Bank's database.
This behaviour is usually desirable as it enables admin users to configure users - for example to add them to groups - while setting up Asset Bank, e.g. before any users have actually logged in.
However, in some circumstances you might not want users to be added to Asset Bank's database until the first time they try to log in, for example if you have a potentially very large number of users and you don't want Asset Bank to be regularly running an LDAP search query that returns a very large result set. This can be a particular problem if your LDAP server does not support paging of search results (in which case you will have set ad-ldap-supports-paging=false).
In this case, you can configure Asset Bank so that it obtains a user's details from your LDAP server only when they log in. The first time they log in they will be added as a user; at subsequent logins their user profile details will be updated, if changed. To do this, change the following settings:
ad-ldap-on-the-fly-base-list=[Same as ad-ldap-base-list, but for on-the-fly mode]
The other LDAP settings should be the same as for the default 'regular synchronisation' mode.
Warning: Setting import-remote-users-on-the-fly is not compatible with hide-new-ad-users. This is because import-remote-users-on-the-fly will add the users to Asset Bank when they try to log in, not on registration. This means that users who are not using IE on Windows will have to attempt to log in at least once in order to be added to Asset Bank and will be added as hidden users.
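
The following lint check is an added example, not part of Asset Bank or its documentation: it reads settings text and reports the setting combinations this page warns about. It assumes key=value lines and that import-remote-users-on-the-fly and hide-new-ad-users take true/false in the same way ad-ldap-supports-paging does; the sample values are constructed.

```python
# Added example: lint Asset Bank LDAP settings for the combinations described above.
# Assumptions: key=value lines; boolean settings are written as true/false.

def parse_settings(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def is_true(settings, key):
    return settings.get(key, "").lower() == "true"

def check_ldap_settings(text):
    """Return a list of findings for the LDAP user import configuration."""
    s = parse_settings(text)
    findings = []
    on_the_fly = is_true(s, "import-remote-users-on-the-fly")
    if on_the_fly and is_true(s, "hide-new-ad-users"):
        findings.append("import-remote-users-on-the-fly is not compatible with hide-new-ad-users")
    if on_the_fly and not s.get("ad-ldap-on-the-fly-base-list"):
        findings.append("on-the-fly mode is enabled but ad-ldap-on-the-fly-base-list is empty")
    if not on_the_fly and s.get("ad-ldap-supports-paging", "").lower() == "false":
        findings.append("regular synchronisation without paging: each run returns the full result set")
    return findings

# Constructed sample settings (not from a real installation).
SAMPLE = """\
ad-ldap-base-list=OU=Staff,DC=example,DC=com
ad-ldap-on-the-fly-base-list=
ad-ldap-supports-paging=false
import-remote-users-on-the-fly=true
hide-new-ad-users=true
"""

if __name__ == "__main__":
    for finding in check_ldap_settings(SAMPLE):
        print("WARNING:", finding)
```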