
Identity Manager 8.1.3 - Administration Guide for Connecting to LDAP


General master data for LDAP domains

Enter the following data on the General tab.

Table 22: Domain master data

Domain
  NetBIOS domain name.

Full domain name
  Name of the domain conforming to DNS syntax. The name is built from the name of this domain, the name of the parent domain, and the name of the default domain, separated by dots:

  <name of this domain>.<name of parent domain>.<name of default domain>

  Example: Docu.Testlab.dd

LDAP system type
  Type of the LDAP system.

Display name
  The display name is used to display the domain in the user interface. It is preset with the NetBIOS name of the domain; however, the display name can be changed.

Object class
  List of classes defining the attributes for this object. The default object class is DOMAIN. In the input field, you can also add object classes and auxiliary classes used by other LDAP and X.500 directory services.

Distinguished name
  Distinguished name of the domain. The distinguished name is determined by a template from the full domain name and cannot be edited.

Canonical name
  Canonical name of the domain.

Account definition (initial)
  Initial account definition for creating user accounts. This account definition is used if automatic assignment of employees to user accounts is enabled for this domain and user accounts are to be created that are already managed (Linked configured state). The default manage level of the account definition is applied.

  If no account definition is given, user accounts are only linked to the employee (Linked state). This is the case on initial synchronization, for example.

Target system managers
  Application role in which the target system managers for the domain are specified. Target system managers only edit the objects of the domains assigned to them; therefore, each domain can have a different target system manager assigned to it.

  Select the One Identity Manager application role whose members are responsible for administering this domain. Use the button next to the field to add a new application role.

Synchronized by
  Type of synchronization through which data is synchronized between the domain and One Identity Manager. You can no longer change the synchronization type once objects for this domain are present in One Identity Manager.

  If you create the domain with the Synchronization Editor, One Identity Manager is used.

  Table 23: Permitted values

  Value                  Synchronized by    Provisioned by
  One Identity Manager   LDAP connector     LDAP connector
  No synchronization     none               none

  NOTE: If you select No synchronization, you can define custom processes to exchange data between One Identity Manager and the target system.

Description
  Text field for additional explanation.

Structural object class
  Structural object class representing the object type.
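The table says the distinguished name is derived from the full domain name by a template but does not show the template. The following is an added example, not code from One Identity Manager or its documentation: it assumes the usual RFC 4514 form DC=label,DC=label for the domain DN and a path-style canonical name (labels joined by dots with a trailing slash), validates the full domain name against DNS label syntax, and adds a check that an object DN lies within the domain's DN. The object DNs used as sample input are constructed for illustration.

```python
import re

# Added example, not code from the One Identity Manager product or its documentation.
# The page says the distinguished name is derived from the full domain name by a
# template; the template itself is not shown, so the RFC 4514 "DC=..." form used
# here is an assumption, as is the canonical-name format (labels joined by dots,
# trailing slash).

# Host-style DNS label (RFC 1123): 1-63 characters of letters, digits and hyphens,
# not beginning or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def dns_labels(fqdn: str) -> list[str]:
    """Split a full domain name into labels, raising ValueError if it is not DNS syntax."""
    if not fqdn or len(fqdn) > 253 or fqdn.endswith("."):
        raise ValueError(f"not a valid DNS name: {fqdn!r}")
    labels = fqdn.split(".")
    bad = [label for label in labels if not _LABEL.match(label)]
    if bad:
        raise ValueError(f"invalid DNS label(s) {bad} in {fqdn!r}")
    return labels


def distinguished_name(fqdn: str) -> str:
    """'Docu.Testlab.dd' -> 'DC=Docu,DC=Testlab,DC=dd' (assumed template).

    Labels that pass dns_labels() contain only letters, digits and hyphens, so no
    RFC 4514 escaping is needed for the DC values.
    """
    return ",".join("DC=" + label for label in dns_labels(fqdn))


def canonical_name(fqdn: str) -> str:
    """'Docu.Testlab.dd' -> 'Docu.Testlab.dd/' (assumed canonical-name format)."""
    return ".".join(dns_labels(fqdn)) + "/"


def split_rdns(dn: str) -> list[str]:
    """Split a DN into its RDNs, honouring backslash escapes (RFC 4514 section 2.4).

    A naive dn.split(',') would break 'CN=Doe\\, John,OU=Users,DC=Docu,...'.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep both characters
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


def belongs_to_domain(object_dn: str, fqdn: str) -> bool:
    """True if object_dn is the domain's DN or lies below it.

    Comparison is on whole RDNs, case-insensitively, so 'DC=Docu,DC=Testlab,DC=dd'
    does not match a DN that merely ends in the same characters. Useful for
    checking that a synchronized object really is in the domain it is assigned to.
    """
    domain_rdns = [r.lower() for r in split_rdns(distinguished_name(fqdn))]
    object_rdns = [r.strip().lower() for r in split_rdns(object_dn)]
    return len(object_rdns) >= len(domain_rdns) and object_rdns[-len(domain_rdns):] == domain_rdns


if __name__ == "__main__":
    # Sample input constructed for this example.
    print(distinguished_name("Docu.Testlab.dd"))
    print(canonical_name("Docu.Testlab.dd"))
    print(belongs_to_domain("CN=Doe\\, John,OU=Users,DC=Docu,DC=Testlab,DC=dd", "Docu.Testlab.dd"))
```

The escape-aware RDN splitter matters because LDAP values such as a common name containing a comma are legal once escaped; a scope check that splits on bare commas would misclassify such objects.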

LDAP specific master data for LDAP domains

Enter the following master data on the LDAP tab.

Table 24: LDAP data

Full domain name
  Name of the domain conforming to DNS syntax. The name is built from the name of this domain, the name of the parent domain, and the name of the default domain, separated by dots:

  <name of this domain>.<name of parent domain>.<name of default domain>

  Example: Docu.Testlab.dd

Distinguished name
  Distinguished name of the domain. The distinguished name is determined by a template from the full domain name and cannot be edited.

Structural object class
  Structural object class representing the object type.

Object class
  List of classes defining the attributes for this object. The default object class is DOMAIN. In the input field, you can also add object classes and auxiliary classes used by other LDAP and X.500 directory services.

Search mask
  Search mask for another LDAP object.

Specifying categories for inheriting LDAP groups

In One Identity Manager, groups can be selectively inherited by user accounts. For this purpose, the groups and the user accounts are divided into categories. The categories can be defined freely and are specified in a mapping rule. Each category occupies a specific position within the template. The template contains two tables: the user account table and the group table. Use the user account table to specify categories for target system dependent user accounts. In the group table, enter your categories for the target system dependent groups. Each table contains the category positions Position 1 to Position 31.

To define a category

  1. In the Manager, select the domain in the LDAP | Domains category.
  2. Select the Change master data task.
  3. Switch to the Mapping rule category tab.
  4. Expand the relevant root of the user account table or the group table.
  5. To enable the category, double-click the icon next to the position.
  6. Enter a category name of your choice for user accounts and groups in the login language that you use.
  7. Save the changes.
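To make the 31-position template concrete, the following is an added example and not code from One Identity Manager: it models each table's Position 1 to Position 31 as bits of a mask and evaluates which groups an account inherits. The matching rule assumed here is that an account inherits a group when at least one position is enabled for both (bitwise AND of the two masks is non-zero); the page above does not state the rule, so treat it as an assumption. Category names, group and account DNs, and the masks are constructed sample data.

```python
# Added example, not code from One Identity Manager. Models category-based group
# inheritance with one bit per template position (Position 1..31, as on the page).
# ASSUMPTION: an account inherits a group when the two masks share at least one
# enabled position. All names and sample data below are constructed.
from dataclasses import dataclass

POSITIONS = 31  # Position 1 .. Position 31; 31 bits fit a non-negative signed 32-bit integer


def mask_from_positions(positions) -> int:
    """Build a bitmask from enabled positions (1..31); rejects positions outside the template."""
    mask = 0
    for p in positions:
        if not 1 <= p <= POSITIONS:
            raise ValueError(f"position {p} is outside 1..{POSITIONS}")
        mask |= 1 << (p - 1)
    return mask


def positions_from_mask(mask: int) -> list[int]:
    """Inverse of mask_from_positions: the list of enabled positions."""
    return [p for p in range(1, POSITIONS + 1) if mask & (1 << (p - 1))]


@dataclass
class LdapGroup:
    dn: str
    categories: int = 0  # mask over the group table


@dataclass
class LdapAccount:
    dn: str
    categories: int = 0  # mask over the user account table


def inherits(account: LdapAccount, group: LdapGroup) -> bool:
    """Assumed rule: inherit iff at least one category position is set on both sides."""
    return (account.categories & group.categories) != 0


def inherited_groups(account: LdapAccount, groups) -> list[str]:
    """DNs of the groups the account inherits via categories, sorted for stable output."""
    return sorted(g.dn for g in groups if inherits(account, g))


def category_names(mapping: dict, mask: int) -> list[str]:
    """Translate a mask into the names entered on the Mapping rule category tab."""
    return [mapping.get(p, f"Position {p}") for p in positions_from_mask(mask)]


def sample_scenario() -> dict:
    """Constructed sample data: three groups, three accounts, and who inherits what."""
    names = {1: "Employees", 2: "Contractors", 3: "Admins"}  # constructed category names
    groups = [
        LdapGroup("CN=All staff,OU=Groups,DC=Docu,DC=Testlab,DC=dd", mask_from_positions([1, 2])),
        LdapGroup("CN=Domain admins,OU=Groups,DC=Docu,DC=Testlab,DC=dd", mask_from_positions([3])),
        # A group with no category enabled can never be inherited under the AND rule.
        LdapGroup("CN=Uncategorised,OU=Groups,DC=Docu,DC=Testlab,DC=dd", 0),
    ]
    accounts = {
        "alice": LdapAccount("CN=alice,OU=Users,DC=Docu,DC=Testlab,DC=dd", mask_from_positions([1])),
        "bob": LdapAccount("CN=bob,OU=Users,DC=Docu,DC=Testlab,DC=dd", mask_from_positions([2, 3])),
        "carol": LdapAccount("CN=carol,OU=Users,DC=Docu,DC=Testlab,DC=dd", 0),
    }
    return {
        "names": names,
        "result": {who: inherited_groups(acct, groups) for who, acct in accounts.items()},
        "bob_categories": category_names(names, accounts["bob"].categories),
    }


if __name__ == "__main__":
    for who, dns in sample_scenario()["result"].items():
        print(who, "->", dns or "(no groups inherited via categories)")
```

Under this rule a group whose mask is zero is never inherited by category, and an account with no category enabled inherits nothing; both are worth checking after a synchronization, since a category that was never enabled on the Mapping rule category tab silently yields no memberships.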

Editing synchronization projects

Synchronization projects in which a domain is already used as a base object can also be opened in the Manager. In this mode you can, for example, check the configuration or view the synchronization log. The Synchronization Editor is not started with its full functionality: certain functions, such as running synchronization or simulation, or starting the target system browser, are not available.

NOTE: The Manager is locked for editing throughout. To edit objects in the Manager, close the Synchronization Editor.

To open an existing synchronization project in the Synchronization Editor

  1. In the Manager, select the LDAP | Domains category.
  2. Select the domain in the result list. Select the Change master data task.
  3. Select the Edit synchronization project... task.