
Identity Manager 8.1.3 - Administration Guide for Connecting to LDAP


Information required for setting up a synchronization project

Have the following information available for setting up a synchronization project.

Table 4: Information required for setting up a synchronization project
Data Explanation

LDAP server's DNS name

IP address or fully qualified name of the LDAP server. The synchronization server connects to this server to access the LDAP objects.

Syntax:

<Name of server>.<Fully qualified domain name>

Authentication type

You can only connect to a target system if the correct type of authentication is selected. The Basic authentication type is used by default.

For more information about authentication types, see the MSDN Library.

Communications port on the server

LDAP default communications port is 389.

User account and password for domain login

User account and password for domain login. This user account is used to access the domain. Make a user account available with sufficient permissions. For more information, see Users and permissions for synchronizing with LDAP.

Synchronization server for LDAP

All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server.

The One Identity Manager Service with the LDAP connector must be installed on the synchronization server.

The synchronization server must be declared as a Job server in One Identity Manager. Use the following properties when you set up the Job server.

Table 5: Additional properties for the Job server
Property         Value
Server function  LDAP connector
Machine role     Server | Jobserver | LDAP directories

For more information, see Setting up the LDAP synchronization server.

One Identity Manager database connection data
  • Database server

  • Database

  • SQL Server login and password

  • Specifies whether integrated Windows authentication is used. This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

Remote connection server

To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. Sometimes direct access from the workstation on which the Synchronization Editor is installed is not possible, for example, because of the firewall configuration or because the workstation does not fulfill the necessary hardware and software requirements. If direct access is not possible from the workstation, you can set up a remote connection.

The remote connection server and the workstation must be in the same Active Directory domain.

Remote connection server configuration:

  • One Identity Manager Service is started

  • RemoteConnectPlugin is installed

  • LDAP connector is installed

The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.

TIP: The remote connection server requires the same configuration as the synchronization server (with regard to the installed software and entitlements). You can use the synchronization server as the remote connection server at the same time by also installing the RemoteConnectPlugin on it.

For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.

Creating an initial synchronization project for an LDAP domain with the generic LDAP connector

NOTE: The following sequence describes how to configure a synchronization project if the Synchronization Editor is both:
  • Executed in default mode

  • Started from the Launchpad

If you execute the project wizard in expert mode or directly from the Synchronization Editor, additional configuration settings can be made. Follow the project wizard instructions through these steps.

To set up an initial synchronization project for an LDAP domain

  1. Start the Launchpad and log in to the One Identity Manager database.

    NOTE: If synchronization is executed by an application server, connect the database through the application server.
  2. Select the Target system type LDAP entry and click Start.

    This starts the Synchronization Editor's project wizard.

  1. On the Choose target system page, select the LDAP connector.

  1. On the System access page, specify how One Identity Manager can access the target system.

    • If access is possible from the workstation on which you started the Synchronization Editor, do not change any settings.

    • If access is not possible from the workstation on which you started the Synchronization Editor, you can set up a remote connection.

      Enable the Connect using remote connection server option and select the server to be used for the connection under Job server.

  1. Specify settings for the wizard using Configure advanced settings (expert mode) on the wizard's start page.

    • If you use a default project template, disable this option. The default templates automatically find which settings to use.

    • For customized LDAP systems, enable the option. You can set the following options for this case:

      • Definition of virtual classes for non-RFC compliant object mappings

      • Definition of auxiliary classes of Auxiliary type

      • Definition of system attributes for object identification, revision properties and additional operational attributes

      • Definition of additional attributes for supporting dynamic groups

      For more information, see Advanced settings of a generic LDAP connector.

  2. On the Network page, enter network settings for the LDAP server connection.

    1. In the Host pane, enter the connection settings for the LDAP server.

      • Server: IP address or fully qualified name of the LDAP server. The synchronization server connects to this server to access the LDAP objects.

      • Port: Communications port on the server. LDAP default communications port is 389.

    2. Click Test.

      The system tries to connect to the server.

    3. On the Additional settings pane, enter the additional settings for communication with the LDAP server.

      • Protocol version: Version of the LDAP protocol. The default value is 3.

      • No encryption: No encryption is used.

      • SSL/TLS encryption: An SSL/TLS encrypted connection is established.

      • Use StartTLS: StartTLS is used.

  3. Enter authentication data on the Authentication page.

    1. In the Authentication method pane, select the authentication type for the login to the target system.

      • Authentication method: Select the authentication type for logging in to the LDAP system. The following are permitted:

        • Basic: Uses default authentication.

        • Negotiate: Uses Negotiate authentication from Microsoft.

        • Anonymous: Establishes a connection without passing login credentials.

        • Kerberos: Uses Kerberos authentication.

        • NTLM: Uses Windows NT Challenge/Response (NTLM) authentication.

    2. Depending on the selected authentication method, additional information may be required. Enter this information under Credentials.

      • User name: Name of the user account for logging in to LDAP.

      • Password: Password for the user account.

      • Enable sealing: Sealing is enabled. Set this option if the selected authentication method supports sealing.

      • Enable signing: Signing is enabled. Set this option if the selected authentication method supports signing.

    3. On the Verify LDAP connection pane, click Test connection.

      An attempt is made to log into the server.

  4. The LDAP server information page displays the information about the LDAP schema.

  5. On the Search options page, specify the search parameters for finding the LDAP objects to be loaded.

    Table 6: Find options
    Property Description

    Base DN

    Root entry for the search query, normally the LDAP domain.

    Save LDAP schema in local cache

    Specifies whether the LDAP schema should be kept in local cache. This accelerates synchronization and provisioning of LDAP objects.

    The cache is stored on the computer used to create the connection, under %Appdata%\...\Local\One Identity\One Identity Manager\Cache\GenericLdapConnector.

    Request timeout (seconds)

    Timeout for LDAP requests in seconds.

    Default: 3600

    Use paged search

    Specifies whether LDAP objects are loaded page by page. If you set this option, also specify the page size.

    Page size

    Maximum number of objects to load per page.

    Default: 500

  6. On the Modification capabilities page, specify the kind of write operations supported by the LDAP server.

    • Enable the Server supports renaming of entries option if the LDAP server supports renaming of entries.

    • Enable the Server supports moving of entries option if the LDAP server supports moving of entries.

      NOTE: Some servers only support renaming of entries on leaf nodes. In this case, you will get an error message when trying to rename other nodes.

    • Enable the Use DeleteTree control when deleting entries option if the DeleteTree control should be sent to the LDAP server so that entries are deleted together with their sub-entries.

  7. Specify additional password settings for user accounts on the Password settings page. Enter the following settings.

    • Password attribute: An attribute that represents the password of a user account, for example, userPassword.

    • Password change method: A method you can use to change passwords. Permitted values are:

      • Default: Default method for changing the passwords. The password is written directly to the password attribute.

      • ADLDS: A password change method used for systems that are based on Microsoft Active Directory Lightweight Directory Services (AD LDS).

  8. You can save the connection data on the last page of the system connection wizard.

    • Set the Save connection locally option to save the connection data. This can be reused when you set up other synchronization projects.

    • Click Finish to end the system connection wizard and return to the project wizard.

  1. On the One Identity Manager Connection tab, test the data for connecting to the One Identity Manager database. The data is loaded from the connected database. Reenter the password.

    NOTE: If you use an unencrypted One Identity Manager database and have not yet saved any synchronization projects to the database, you need to enter all connection data again. This page is not shown if a synchronization project already exists.
  2. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.

  1. Select a project template on the Select project template page to use for setting up the synchronization configuration.

    Table 7: Standard project templates
    Project template Description

    OpenDJ synchronisation

    This project template is based on OpenDJ. Use this project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

    AD LDS synchronisation

    This project template is based on Active Directory Lightweight Directory Services (AD LDS).

  1. On the Restrict target system access page, specify how system access should work. You have the following options:
    Table 8: Specify target system access
    Option Meaning

    Read-only access to target system.

    Specifies that a synchronization workflow is only to be set up for the initial loading of the target system into the One Identity Manager database.

    The synchronization workflow has the following characteristics:

    • Synchronization is in the direction of One Identity Manager.
    • Processing methods in the synchronization steps are only defined for synchronization in the direction of One Identity Manager.

    Read/write access to target system. Provisioning available.

    Specifies whether a provisioning workflow is to be set up in addition to the synchronization workflow for the initial loading of the target system.

    The provisioning workflow displays the following characteristics:

    • Synchronization is in the direction of the Target system.
    • Processing methods are only defined in the synchronization steps for synchronization in the direction of the Target system.
    • Synchronization steps are only created for such schema classes whose schema types have write access.

  1. On the Synchronization server page, select a synchronization server to execute synchronization.

    If the synchronization server is not declared as a Job server in the One Identity Manager database yet, you can add a new Job server.

    1. Click to add a new Job server.

    2. Enter a name for the Job server and the full server name conforming to DNS syntax.

    3. Click OK.

      The synchronization server is declared as a Job server for the target system in the One Identity Manager database.

      NOTE: After you save the synchronization project, ensure that this server is set up as a synchronization server.
  1. Enter the general settings for the synchronization project under General.

    NOTE: This step is only displayed if the selected project template supports several script languages.
    Table 9: General properties of the synchronization project

    Property Description

    Display name

    Display name for the synchronization project.

    Script language

    Language in which the scripts for this synchronization project are written.

    Scripts are implemented at various points in the synchronization configuration. Specify the script language when you set up an empty project.

    IMPORTANT: You cannot change the script language once the synchronization project has been saved.

    If you use a project template, the template's script language is used.

    Description

    Text field for additional explanation.
  1. To close the project wizard, click Finish.

    This creates and allocates a default schedule for regular synchronization. Enable the schedule for regular synchronization.

    The synchronization project is created, saved, and enabled immediately.

    NOTE: If enabled, a consistency check is carried out. If errors occur, a message appears. You can decide whether the synchronization project can remain activated or not.

    Check the errors before you use the synchronization project. To do this, in the General view on the Synchronization Editor's start page, click Verify project.

    NOTE: If you do not want the synchronization project to be activated immediately, disable the Activate and save the new synchronization project automatically option. In this case, save the synchronization project manually before closing the Synchronization Editor.

    NOTE: The connection data for the target system is saved in a variable set and can be modified in the Configuration | Variables category in the Synchronization Editor.
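
Before clicking Test connection, it is worth checking whether the combination of port, encryption mode and authentication method chosen on the Network and Authentication pages is sound. The following added example is not part of One Identity Manager: the option strings mirror the wizard, while the class, functions and sample values are constructed here. It renders the host settings as an LDAP URL and flags combinations that send the password or directory data in cleartext, or that mismatch the encryption mode and the port.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Option values exactly as the wizard's Network and Authentication pages name them.
ENCRYPTION_MODES = ("No encryption", "SSL/TLS encryption", "Use StartTLS")
AUTH_METHODS = ("Basic", "Negotiate", "Anonymous", "Kerberos", "NTLM")
SASL_METHODS = ("Negotiate", "Kerberos", "NTLM")  # methods that can sign or seal

@dataclass
class LdapConnectionSettings:  # constructed holder for the wizard's fields
    server: str                        # Server: DNS name or IP address
    port: int = 389                    # Port: wizard default
    encryption: str = "No encryption"  # one of ENCRYPTION_MODES
    auth_method: str = "Basic"         # one of AUTH_METHODS
    user_name: str = ""                # Credentials: User name
    signing: bool = False              # Enable signing
    sealing: bool = False              # Enable sealing

def ldap_url(s: LdapConnectionSettings) -> str:
    """Render the host settings as an LDAP URL. Only SSL/TLS encryption uses the
    ldaps scheme; StartTLS opens a plain ldap:// session and upgrades it afterwards."""
    scheme = "ldaps" if s.encryption == "SSL/TLS encryption" else "ldap"
    return f"{scheme}://{s.server}:{s.port}"

def check_settings(s: LdapConnectionSettings) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs for combinations worth fixing before
    clicking Test connection; an empty list means nothing was flagged."""
    if s.encryption not in ENCRYPTION_MODES or s.auth_method not in AUTH_METHODS:
        return [("UNKNOWN_OPTION", "value is not one the wizard offers")]
    f = []
    if s.encryption == "No encryption":
        if s.auth_method == "Basic":  # simple bind: the password is sent as-is
            f.append(("CLEARTEXT_BIND", "Basic without TLS sends the password in cleartext"))
        elif s.auth_method in SASL_METHODS and not s.sealing:
            f.append(("UNSEALED_SASL", "credentials are protected, directory data is not"))
        elif s.auth_method == "Anonymous":
            f.append(("CLEARTEXT_DATA", "directory data is read over an unencrypted session"))
    if s.encryption == "SSL/TLS encryption" and s.port == 389:
        f.append(("LDAPS_ON_389", "TLS from the first byte belongs on the LDAPS port, by convention 636"))
    if s.encryption == "Use StartTLS" and s.port == 636:
        f.append(("STARTTLS_ON_636", "StartTLS upgrades a cleartext session; 636 expects TLS at once"))
    if (s.signing or s.sealing) and s.auth_method not in SASL_METHODS:
        f.append(("SIGN_SEAL_IGNORED", "Basic and Anonymous binds cannot sign or seal"))
    if s.auth_method == "Anonymous" and s.user_name:
        f.append(("USER_IGNORED", "an anonymous bind passes no credentials"))
    if s.auth_method != "Anonymous" and not s.user_name:
        f.append(("USER_REQUIRED", "this authentication method needs a user name"))
    return f

# Constructed sample settings: the wizard defaults with Basic, and a hardened variant.
DEFAULT_SETTINGS = LdapConnectionSettings("ldap01.example.com", user_name="cn=sync,dc=example,dc=com")
HARDENED_SETTINGS = LdapConnectionSettings("ldap01.example.com", port=636,
                                           encryption="SSL/TLS encryption", user_name="cn=sync,dc=example,dc=com")
```

Run `check_settings(DEFAULT_SETTINGS)` to see the one finding the wizard defaults produce, and `check_settings(HARDENED_SETTINGS)` to confirm the LDAPS variant is clean.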

Configuring the synchronization log

All the information, tips, warnings, and errors that occur during synchronization are recorded in the synchronization log. You can configure the type of information to record separately for each system connection.

To configure the content of the synchronization log

  1. To configure the synchronization log for target system connection, select the Configuration | Target system category in Synchronization Editor.

    - OR -

    To configure the synchronization log for the database connection, select the Configuration | Synchronization Editor connection category in One Identity Manager.

  2. Select the General view and click Configure.

  3. Select the Synchronization log view and set Create synchronization log.

  4. Enable the data to be logged.

    NOTE: Some content generates a particularly large volume of log data!

    The synchronization log should only contain data required for error analysis and other analyses.

  5. Click OK.

Synchronization logs are stored for a fixed length of time.

To modify the retention period for synchronization logs

  • In the Designer, enable the DPR | Journal | LifeTime configuration parameter and enter the maximum retention period.


Customizing the synchronization configuration

Having used the Synchronization Editor to set up a synchronization project for initial synchronization of an LDAP domain, you can use the synchronization project to load LDAP objects into the One Identity Manager database. If you manage user accounts and their authorizations with One Identity Manager, changes are provisioned in the LDAP environment.

You must customize the synchronization configuration to be able to regularly compare the database with the LDAP environment and to synchronize changes.

  • To use One Identity Manager as the master system during synchronization, create a workflow with synchronization in the direction of the Target system.
  • You can use variables to create generally applicable synchronization configurations that contain the necessary information about the synchronization objects when synchronization starts. Variables can be implemented in base objects, schema classes, or processing methods, for example.
  • To specify which LDAP objects and database objects are included in synchronization, edit the scope of the target system connection and the One Identity Manager database connection. To prevent data inconsistencies, define the same scope in both systems. If no scope is defined, all objects will be synchronized.

  • Use variables to set up a synchronization project for synchronizing different domains. Store a connection parameter as a variable for logging in to the domain.

  • Update the schema in the synchronization project if the One Identity Manager schema or target system schema has changed. Then you can add the changes to the mapping.

For more detailed information about configuring synchronization, see the One Identity Manager Target System Synchronization Reference Guide.
