Identity Manager 8.1.3 - Administration Guide for Connecting to LDAP


Setting up initial LDAP directory synchronization

The Synchronization Editor provides a project template that can be used to set up the synchronization of user accounts and permissions for the LDAP environment. You use this project template to create a synchronization project with which you import the data from an LDAP directory into your One Identity Manager database. In addition, the required processes are created that provision changes to target system objects from the One Identity Manager database into the target system.

NOTE: Other schema and provisioning process adjustments can be made depending on the schema.

To load LDAP objects into the One Identity Manager database for the first time

  1. Prepare a user account with sufficient permissions for synchronization.

  2. One Identity Manager components for managing LDAP environments are available if the TargetSystem | LDAP configuration parameter is enabled.

    • In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.

  3. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  4. Create a synchronization project with the Synchronization Editor.

Users and permissions for synchronizing with LDAP

The following users are involved in synchronizing One Identity Manager with LDAP.

Table 2: Users for synchronization

User for accessing the LDAP directory

Permissions: A reasonable minimal configuration for the synchronization user account cannot be recommended, because the required permissions depend on which LDAP directory service is implemented. For more information about which permissions are required, see your LDAP directory service documentation.

One Identity Manager Service user account

Permissions:

  • The user account for One Identity Manager Service requires permissions to carry out operations at file level, for example assigning permissions and creating and editing directories and files.

  • The user account must belong to the Domain Users group.

  • The user account must have the Log on as a service extended user right.

  • The user account requires access permissions to the internal web service.

    NOTE: If One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can issue access permissions for the internal web service with the following command line call:

    netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

  • The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

    In the default installation, One Identity Manager is installed under:

    • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)
    • %ProgramFiles%\One Identity (on 64-bit operating systems)

User for accessing the One Identity Manager database

Permissions: The Synchronization default system user is provided to execute synchronization with an application server.


Special cases for synchronizing Active Directory Lightweight Directory Services

There are various special cases to take into account when setting up a synchronization project for Active Directory Lightweight Directory Services (AD LDS).

AD LDS supports different authentication methods. For more detailed information about AD LDS authentication, see the Microsoft TechNet Library.

Depending on the authentication method you choose, different settings need to be considered when setting up the synchronization project.

Authentication with AD LDS security principal

For this authentication method, you use a user account that is in AD LDS.

  • The user account must be a member in the Administrators group of the AD LDS instance.

  • The user account must have a password.

    If it does not have a password, authentication is anonymous. This causes the schema to load incorrectly, and setting up the synchronization project fails.

Take note of the following for setting up your synchronization project.

  • Authentication must use SSL encryption.

  • Basic must be used as authentication method.

  • Enter the distinguished LDAP name (DN) with the user account's user name for logging in to AD LDS.

    Syntax example: CN=Administrator,OU=Users,DC=Doku,DC=Testlab,DC=dd

Authentication with Windows security principal

Use a user account for authentication that resides on a local computer or in an Active Directory domain.

  • The user account must be a member in the Administrators group of the AD LDS instance.

Take note of the following for setting up your synchronization project.

  • Negotiate must be used as the authentication method.

  • If SSL encryption is not being used, the sealing and signing authentication modes must be enabled.

  • If SSL encryption is being used, the sealing and signing authentication modes must not be enabled.

  • Enter the user principal name with the user account's user name for logging in to AD LDS.

    Syntax example: Administrator@Doku.Testlab.dd

Authentication with AD LDS proxy object

Use a user account for authentication that exists in AD LDS and is bound to a local user account or to a user account in an Active Directory domain. The local user account or the Active Directory user account is referenced in AD LDS by its security ID (SID).

  • The user account (AD LDS proxy object) must be a member in the Administrators group of the AD LDS instance.

Take note of the following for setting up your synchronization project.

  • Authentication must use SSL encryption.

  • Basic must be used as authentication method.

  • Use the AD LDS proxy object user name for the AD LDS login.

  • Enter the distinguished LDAP name (DN) with the user name.

    Syntax example: CN=Administrator,OU=Users,DC=Doku,DC=Testlab,DC=dd

  • The password of the user account referenced by the AD LDS proxy object is used as the login password.
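The three AD LDS authentication methods above differ only in bind type, transport protection and the form of the user name. The following PowerShell script is an added example that is not part of the One Identity Manager guide and is not One Identity code; it uses the .NET System.DirectoryServices.Protocols API to open an LDAP bind to an AD LDS instance under each method and enforces the rules stated in this section (Basic only over SSL with a DN, Negotiate with a UPN and sign/seal only without SSL, no empty password). The server name, port, user names and passwords are placeholders.

```powershell
# Added example (not from the One Identity Manager guide): bind to an AD LDS instance
# with each authentication method from this section. Server, port and credentials
# are placeholders to be replaced with your own instance's values.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function New-AdLdsConnection {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int] $Port,
        # AdLdsPrincipal and ProxyObject: Basic over SSL, user name is the DN.
        # WindowsPrincipal: Negotiate, user name is the user principal name.
        [Parameter(Mandatory)] [ValidateSet('AdLdsPrincipal', 'WindowsPrincipal', 'ProxyObject')] [string] $Method,
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password,
        [bool] $UseSsl = $true
    )

    # An empty password turns the bind into an anonymous bind; AD LDS then serves a
    # schema the connector cannot use, so refuse it here instead of failing later.
    if ($Password.Length -eq 0) {
        throw 'The synchronization user account must have a password (an empty password binds anonymously).'
    }

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.ProtocolVersion = 3

    switch ($Method) {
        { $_ -in 'AdLdsPrincipal', 'ProxyObject' } {
            # Basic is a simple bind: the password travels in clear text unless the
            # session is SSL-encrypted, so SSL is mandatory for this method.
            if (-not $UseSsl) { throw 'Basic authentication requires SSL encryption.' }
            if ($UserName -notmatch '^CN=') {
                throw 'Basic authentication expects the distinguished name, e.g. CN=Administrator,OU=Users,DC=Doku,DC=Testlab,DC=dd'
            }
            $conn.SessionOptions.SecureSocketLayer = $true
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        }
        'WindowsPrincipal' {
            if ($UserName -notmatch '@') {
                throw 'Negotiate expects the user principal name, e.g. Administrator@Doku.Testlab.dd'
            }
            $conn.SessionOptions.SecureSocketLayer = $UseSsl
            # Signing and sealing protect the session only when SSL does not already:
            # without SSL they must be on, with SSL they must stay off.
            $conn.SessionOptions.Signing = -not $UseSsl
            $conn.SessionOptions.Sealing = -not $UseSsl
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        }
    }

    # For ProxyObject the password is that of the Windows account the proxy object references.
    $conn.Credential = New-Object System.Net.NetworkCredential($UserName, $Password)
    $conn.Bind()   # throws an LdapException if AD LDS rejects the bind
    return $conn
}

function Test-AdLdsConnection {
    param([Parameter(Mandatory)] [System.DirectoryServices.Protocols.LdapConnection] $Connection)
    # A base search of the rootDSE confirms the bound session works and lists the
    # naming contexts the synchronization user can see.
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, @('namingContexts'))
    $response = $Connection.SendRequest($request)
    return $response.Entries[0].Attributes['namingContexts'].GetValues([string])
}

# Usage with placeholder values:
# $pw = Read-Host -AsSecureString -Prompt 'Password'
# $c = New-AdLdsConnection -Server 'adlds01.doku.testlab.dd' -Port 636 -Method AdLdsPrincipal `
#        -UserName 'CN=Administrator,OU=Users,DC=Doku,DC=Testlab,DC=dd' -Password $pw
# Test-AdLdsConnection -Connection $c
```

The `Test-AdLdsConnection` read of the rootDSE is a cheap way to tell a working bind from a silently anonymous one: with an anonymous bind the naming contexts returned by AD LDS are typically not the partitions the synchronization project expects, which is the symptom behind the failed schema load described above.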

Special cases for synchronizing Oracle Directory Server Enterprise Edition

Oracle Directory Server Enterprise Edition (DSEE) does not support paged searches. Because of this, the connector must be able to load the complete list of synchronization objects for a schema type in a single search. If a conventional Oracle DSEE LDAP user is used, the server-side limits for that user are reached in large directories, and this load operation fails.

Possible messages:

  • Size Limit exceeded

  • Time Limit exceeded

Therefore, the limits for the synchronization user must be raised. To achieve this, set the following LDAP attributes on the synchronization user in the directory:

  • nsTimeLimit: Maximum timeout for a search query in seconds. This value can be increased or decreased depending on the size of the directory. (Recommendation: 7200.)

  • nsSizeLimit: Maximum number of search results for a search query. This value can be increased or decreased depending on the size of the directory. (Recommendation: 500000.)
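To apply the two attributes and confirm that an unpaged search by the synchronization user no longer trips the limits, the following PowerShell script is an added example that is not part of the One Identity Manager guide and is not One Identity or Oracle code. It uses the .NET System.DirectoryServices.Protocols API: one function replaces nsTimeLimit and nsSizeLimit on the synchronization user over an administrator-bound connection and reads them back, the other runs an unpaged subtree search as the synchronization user and reports whether DSEE answered with SizeLimitExceeded or TimeLimitExceeded. Host name, port, DNs and credentials are placeholders.

```powershell
# Added example (not from the One Identity Manager guide): raise the DSEE per-user
# search limits on the synchronization user and verify them. All DNs, hosts and
# credentials below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Set-DseeSyncUserLimits {
    param(
        # Connection already bound as an administrator allowed to edit the synchronization user
        [Parameter(Mandatory)] [System.DirectoryServices.Protocols.LdapConnection] $AdminConnection,
        [Parameter(Mandatory)] [string] $SyncUserDn,
        [int] $TimeLimitSeconds = 7200,   # recommended values from the guide
        [int] $SizeLimit = 500000
    )
    $limits = [ordered] @{ nsTimeLimit = $TimeLimitSeconds; nsSizeLimit = $SizeLimit }
    $mods = foreach ($attr in $limits.GetEnumerator()) {
        $m = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
        $m.Name = $attr.Key
        # Replace (not Add) so the function can be re-run without producing duplicate values
        $m.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
        [void] $m.Add([string] $attr.Value)
        $m
    }
    $request = New-Object System.DirectoryServices.Protocols.ModifyRequest($SyncUserDn, [System.DirectoryServices.Protocols.DirectoryAttributeModification[]] $mods)
    [void] $AdminConnection.SendRequest($request)   # throws DirectoryOperationException unless the result is Success

    # Read the values back so the change is verified rather than assumed.
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest($SyncUserDn, '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::Base, @('nsTimeLimit', 'nsSizeLimit'))
    $entry = $AdminConnection.SendRequest($search).Entries[0]
    [pscustomobject] @{
        nsTimeLimit = $entry.Attributes['nsTimeLimit'].GetValues([string])[0]
        nsSizeLimit = $entry.Attributes['nsSizeLimit'].GetValues([string])[0]
    }
}

function Test-DseeUnpagedSearch {
    param(
        # Connection bound as the synchronization user itself, so its own limits apply
        [Parameter(Mandatory)] [System.DirectoryServices.Protocols.LdapConnection] $SyncConnection,
        [Parameter(Mandatory)] [string] $BaseDn,
        [string] $Filter = '(objectClass=person)'
    )
    # No paging control is attached, which mirrors what the connector must do against DSEE.
    # '1.1' requests no attributes, so only the entry count is transferred.
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, @('1.1'))
    try {
        $response = $SyncConnection.SendRequest($search)
        return "OK: $($response.Entries.Count) entries returned in one unpaged search"
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        $code = $_.Exception.Response.ResultCode
        if ($code -in 'SizeLimitExceeded', 'TimeLimitExceeded') {
            return "Limit hit ($code): raise nsSizeLimit/nsTimeLimit on the synchronization user"
        }
        throw
    }
}

# Usage (placeholders): bind as the directory administrator over SSL, set the limits,
# then repeat the bind as the synchronization user and run the unpaged search.
# $adminPw = Read-Host -AsSecureString -Prompt 'Directory Manager password'
# $id    = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier('dsee01.example.test', 636)
# $admin = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
# $admin.SessionOptions.SecureSocketLayer = $true
# $admin.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
# $admin.Credential = New-Object System.Net.NetworkCredential('cn=Directory Manager', $adminPw)
# $admin.Bind()
# Set-DseeSyncUserLimits -AdminConnection $admin -SyncUserDn 'uid=oimsync,ou=People,dc=example,dc=test'
# Test-DseeUnpagedSearch -SyncConnection $syncConn -BaseDn 'dc=example,dc=test'
```

Run `Test-DseeUnpagedSearch` with the synchronization user's own bind, not the administrator's: DSEE applies nsTimeLimit and nsSizeLimit per bound identity, so a search that succeeds as Directory Manager proves nothing about the limits the connector will hit.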
