サポートと今すぐチャット
サポートとのチャット

Identity Manager 8.2.1 - Administration Guide for Connecting to LDAP

About this guide Managing LDAP environments Synchronizing LDAP directories
Setting up initial LDAP directory synchronization Adjusting the synchronization configuration for LDAP environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization
Managing LDAP user accounts and employees Managing memberships in LDAP groups Login information for LDAP user accounts Mapping LDAP objects in One Identity Manager Handling of LDAP objects in the Web Portal Basic data for managing an LDAP environment Troubleshooting Configuration parameters for managing an LDAP environment Default project template for LDAP Generic LDAP connector settings LDAP connector V2 settings

Generic LDAP connector settings

The following settings are configured for the system connection with the generic LDAP connector.

NOTE: Some of the settings are only available if you set the Configure advanced settings (expert mode) option in the system connection wizard.

Table 47: Generic LDAP connector settings

Setting

Meaning

Server

IP address or full name of the LDAP server for connecting to the synchronization server to provide access to LDAP objects.

Variable: CP_Server

Port

Communications port on the server.

Default: 389

Variable: CP_Port

Authentication type

Authentication method for logging in to LDAP. The following are permitted:

  • Basic: Uses default authentication.

  • Negotiate: Uses Negotiate authentication from Microsoft.

  • Anonymous: Establishes a connection without passing login credentials.

  • Kerberos: Uses Kerberos authentication.

  • NTLM: Uses Windows NT Challenge/Response (NTLM) authentication.

Default: Basic

Variable: CP_AuthenticationType

For more information about authentication types, see the MSDN Library.

User name

Name of the user account for logging in to LDAP.

Variable: CP_Username

Password

The user account’s password.

Variable: CP_Password

Enable sealing

Specifies whether sealing is enabled.

Enable signing

Specifies whether signing is enabled.

Use SSL

Specifies whether the connection is SSL/TLS encrypted.

Variable: CP_UseSsl

Use StartTLS

Specifies whether StartTLS is used for encryption.

Variable: CP_UseStartTls

Protocol version

Version of the LDAP protocol.

Default: 3

Search base

Root entry for the search query, normally the LDAP domain.

Variable: CP_RootEntry

Request timeout

Timeout for LDAP requests in seconds.

Default: 3600

Variable: CP_ClientTimeout

Use paged search

Specifies whether LDAP objects are loaded by page. If you use this option (default), enter the page size.

Page size

Maximum number of objects to load per page.

Default: 500

Use DeleteTree control when deleting entries

Specifies if the LDAP server sends the DeleteTree control to delete entries with sub-entries during deletion.

Variable:CP_LDAP_UseDeleteTree

Save LDAP schema in local cache

Specifies whether the LDAP schema should be kept in local cache. This accelerates synchronization and provisioning of LDAP objects.

The cache is stored on the computer used to create the connection, under %Appdata%\...\Local\One Identity\One Identity Manager\Cache\LdapConnector.

Default: False

Variable: CP_CacheSchema

Object identification attribute

Attribute that can be used to uniquely identify the objects in LDAP. The attribute must be unique and set for all objects LDAP.

Default: entryUUID

Variable: CP_Guid_Attribute

Revision properties

Properties used for revision filtering.

Default: createTimestamp, modifyTimestamp

Define auxiliary classes

You can use this schema function to change the type of an object class. This may be necessary if a non-RFC compliant LDAP system allows assignment of several structural object classes to one entry although only one structural class is allowed.

Assigning more than one structural class means that an LDAP entry cannot be uniquely assigned to a schema type. If structural object classes have been defined that only serve as property extensions (meaning auxiliary classes), you can, with help from this option, set the connector to handle the object class as an auxiliary class.

NOTE: Object classes that are configured as auxiliary are subsequently not handled as independent schema types and cannot, therefore, be synchronized separately.

Virtual classes Additional virtual classes. These support LDAP system that are non-RFC compliant and allow more that one structural class for each object.
Server supports renaming of entries

Specifies whether the server supports renaming of entries.

Default: False

Server supports moving of entries

Specifies whether the server supports moving of entries.

Default: False

Auxiliary class assignment

Assigns additional auxiliary classes to structural classes. Auxiliary classes are classes of type Auxiliary and contain attributes for extending structural classes. Auxiliary class attributes are offered as optional attributes for structural classes in the schema.

NOTE: To map the attributes of the auxiliary classes in One Identity Manager, custom extensions to the One Identity Manager schema may be necessary under certain circumstances. Use the Schema Extension program to do this.

Functional attributes

Attributes that are calculated for LDAP objects. Functional attributes are used for managing directories. Functional attributes are added to each schema class of the parent function.

NOTE: To map the operational attributes in One Identity Manager, custom extensions to the One Identity Manager schema may be required. Use the Schema Extension program to do this.

Identity dynamic groups Attributes that contain the URL with search data for determining members of dynamic groups, for example memberURL.

Password attribute

Attribute that represents the password of a user account, for example, userPassword.

Password change method

Method for changing passwords. Permitted values are:

  • Default: Default method for changing the passwords. The password is written directly to the password attribute.

  • ADLDS: A password change method used for systems that are based on Microsoft Active Directory Lightweight Directory Services (AD LDS).

LDAP domain

Unique identifier of the domain in the form:

<DN part 1> (<server from connection parameters>)

Variable: $IdentDomain$

LDAP connector V2 settings

The following settings are configured for the system connection with the LDAP connector V2.

NOTE: Some of the settings are only available if you set the Configure advanced settings option in the system connection wizard.

Table 48: LDAP connector V2 settings

Setting

Meaning

Server

IP address or full name of the LDAP server for connecting to the synchronization server to provide access to LDAP objects.

Variable: CP_SdspLdapDriverDescriptorServer

Port

Communications port on the server.

Default: 389

Variable: CP_SdspLdapDriverDescriptorPort

Authentication type

Authentication method for logging in to LDAP. The following are permitted:

  • Basic: Uses default authentication.

  • Negotiate: Uses Negotiate authentication from Microsoft.

  • Anonymous: Establishes a connection without passing login credentials.

  • Kerberos: Uses Kerberos authentication.

  • NTLM: Uses Windows NT Challenge/Response (NTLM) authentication.

  • External: Uses certificate-based authentication as the external method.

Default: Basic

Variable: CP_SdspLdapDriverDescriptorAuthenticationType

For more information about authentication types, see the MSDN Library.

User name

Name of the user account for logging in to LDAP.

Variable: CP_SdspLdapDriverDescriptorUsername

Password

The user account’s password.

Variable: CP_SdspLdapDriverDescriptorPassword

Enable sealing

Specifies whether sealing is enabled.

Variable: CP_SdspLdapDriverDescriptorUseSealing

Enable signing

Specifies whether signing is enabled.

Variable: CP_SdspLdapDriverDescriptorUseSigning

Use SSL

Specifies whether the connection is SSL/TLS encrypted.

Variable: CP_SdspLdapDriverDescriptorUseSsl

Use StartTLS

Specifies whether StartTLS is used for encryption.

Variable: CP_SdspLdapDriverDescriptorUseStartTls

Server certificate verification

Specifies whether the server certificate is checked with either SSL or StartTLS encryption.

NOTE: The server certificate must be valid. The root certification authority’s certificate must be the computer certificate ( Local Computer certificate store) either on the host that the Synchronization Editor was started on or on the Job server connected remotely. Ensure that the certificate is also installed on all Job servers that will connect to the LDAP system.

Variable: CP_SdspLdapDriverDescriptorVerifyServerCertificate

Protocol version

Version of the LDAP protocol.

Default: 3

Variable: CP_SdspLdapDriverDescriptorProtocolVersion

Search base

Root entry for the search query, normally the LDAP domain.

Variable: CP_LdapContextDescriptorBaseDn

Request timeout

Timeout for LDAP requests in seconds.

Variable: CP_SdspLdapDriverDescriptorClientTimeout

LDAP domain UID

Unique identifier for the LDAP domain in the LDPDomain table.

Variable: UID_LDPDomain

Default Searcher: Use paged search

Specifies whether LDAP objects are loaded by page. This information is automatically queried through the selected preconfiguration or from the LDAP server. If the option is enabled, enter the page size.

Variable: CP_SdspDefaultSearchDescriptorUsePagedSearch

Default Searcher: Page size

Maximum number of objects to load per page.

Default: 500

Variable: CP_SdspDefaultSearchDescriptorPageSize

AD (LDS) Search implementation: Chunk size

If attributes with a large number of value are returned from a Microsoft based LDAP server, the server only sends a certain number of values back (normally 1500.) To query all the values, several queries with a scope limit are sent.

The chunk size determines how many value are return per query. If the select chunk size is larger than the maximum size that the server can process, it is adjusted automatically.

Default: 1000

Variable: CP_AdLdsSearchFeatureDescriptorChunkSize

Default delete implementation: Use DeleteTree control when deleting entries

Specifies if the LDAP server sends the DeleteTree control to delete entries with sub-entries during deletion. This information is automatically queried through the selected preconfiguration or from the LDAP server.

Variable:CP_SdspDefaultDeleteDescriptorUseDeleteTree

Load schema from LDAP Server

The schema is laded from the LDAP server. (default)

Load schema from given LDIF string

Alternative source to load the schema from if the LDAP server’s schema is not available. The LDIF string is saved in the system connection (DPRSystemConnection.ConnectionParameter.) The means the *.ldif file is not distributed.

Remove spaces in distinguished names

This function removes all spaces in distinguished name objects that, according to RFC, are not allowed or non-significant.

If the function does not exist, according to RFC, all spaces that are non allowed or non-significant are not removed from the distinguished name and can cause errors in certain circumstances.

Default: True

Tolerate 'Attribute already exists' and 'no such attribute' and retry

Use this function to tolerate existing or missing attributes in the LDAP system when an object is changed, for example, updating group memberships.

If this function is not available, changes to objects that affect existing or missing attribute in the LDAP system can cause errors.

Default: True

Return operational attributes

This schema function specifies, which attributes are additionally found for the LDAP objects. Functional attributes are used for managing directories. Functional attributes are added to each schema class of the parent function.

NOTE: To map the operational attributes in One Identity Manager, custom extensions to the One Identity Manager schema may be required. Use the Schema Extension program to do this.

Auxiliary class assignment

Use this schema function to assign additional auxiliary classes to structural classes. Auxiliary classes are classes of type Auxiliary and contain attributes for extending structural classes. Auxiliary class attributes are offered as optional attributes for structural classes in the schema.

NOTE: To map the attributes of the auxiliary classes in One Identity Manager, custom extensions to the One Identity Manager schema may be necessary under certain circumstances. Use the Schema Extension program to do this.

Switch type of object class

You can use this schema function to change the type of an object class. This may be necessary if a non-RFC compliant LDAP system allows assignment of several structural object classes to one entry although only one structural class is allowed.

Assigning more than one structural class means that an LDAP entry cannot be uniquely assigned to a schema type. If structural object classes have been defined that only serve as property extensions (meaning auxiliary classes), you can, with help from this option, set the connector to handle the object class as an auxiliary class.

NOTE: Object classes that are configured as auxiliary are subsequently not handled as independent schema types and cannot, therefore, be synchronized separately.

Cache schema

This schema function keeps the LDAP schema stored in local cache. It is recommended to queue this function after the schema has loaded. This accelerates synchronization and provisioning of LDAP objects.

The cache is stored on the computer used to create the connection, under %Appdata%\...\Local\One Identity\One Identity Manager\Cache\LdapConnector.

Load AD LDS schema extension

This schema function loads additional information required for synchronizing the Active Directory Lightweight Directory Service.

Driver

Driver to use for accessing the LDAP system.

Default: LDAP via Windows API (SdspLdapDriver)

LDAP domain

Unique identifier of the domain in the form:

<DN part 1> (<server from connection parameters>)

Variable: $IdentDomain$

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択