Server |
IP address or fully qualified name of the LDAP server that the synchronization server connects to in order to access the LDAP objects.
Variable: CP_SdspLdapDriverDescriptorServer |
Port |
Communications port on the server. The default is the standard LDAP port; LDAP over SSL/TLS (LDAPS) is conventionally served on port 636.
Default: 389
Variable: CP_SdspLdapDriverDescriptorPort |
Authentication type |
Authentication method for logging in to LDAP. The following are permitted:
-
Basic: Simple bind with user name and password (the default). The credentials are sent in clear text unless the connection is protected with SSL/TLS or StartTLS.
-
Negotiate: Uses Microsoft Negotiate authentication, which selects Kerberos where possible and otherwise falls back to NTLM.
-
Anonymous: Establishes a connection without passing login credentials.
-
Kerberos: Uses Kerberos authentication.
-
NTLM: Uses Windows NT Challenge/Response (NTLM) authentication.
-
External: Uses certificate-based authentication as the external (SASL EXTERNAL) method; the client certificate presented during the TLS handshake identifies the account.
Default: Basic
Variable: CP_SdspLdapDriverDescriptorAuthenticationType
For more information about authentication types, see the MSDN Library. |
User name |
Name of the user account for logging in to LDAP.
Variable: CP_SdspLdapDriverDescriptorUsername |
Password |
The user account’s password.
Variable: CP_SdspLdapDriverDescriptorPassword |
Enable sealing |
Specifies whether sealing (encryption of the LDAP traffic by the SASL security layer) is enabled. Sealing applies to the Negotiate, Kerberos, and NTLM authentication types only; it does not protect a Basic (simple) bind, which needs SSL/TLS or StartTLS instead.
Variable: CP_SdspLdapDriverDescriptorUseSealing |
Enable signing |
Specifies whether signing (integrity protection of the LDAP traffic by the SASL security layer) is enabled. Like sealing, it applies to the Negotiate, Kerberos, and NTLM authentication types only.
Variable: CP_SdspLdapDriverDescriptorUseSigning |
Use SSL |
Specifies whether the connection is SSL/TLS encrypted from the start (LDAPS). LDAPS is conventionally served on port 636, so the port usually has to be changed as well.
Variable: CP_SdspLdapDriverDescriptorUseSsl |
Use StartTLS |
Specifies whether StartTLS is used for encryption. StartTLS upgrades a plain connection on the standard LDAP port (389) to TLS after the connection has been established, so the port does not change.
Variable: CP_SdspLdapDriverDescriptorUseStartTls |
Server certificate verification |
Specifies whether the server certificate is checked when SSL or StartTLS encryption is used. If the check is disabled, the encrypted connection offers no protection against a man-in-the-middle presenting its own certificate, so disable it only temporarily for troubleshooting.
NOTE: The server certificate must be valid. The certificate of the issuing root certification authority must be installed in the computer certificate store (Local Computer certificate store) on the host that the Synchronization Editor was started on or on the Job server that is connected remotely. Ensure that the certificate is also installed on all Job servers that will connect to the LDAP system.
Variable: CP_SdspLdapDriverDescriptorVerifyServerCertificate |
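As an added example (the editor's own code, not a One Identity Manager feature): a small checker that evaluates the combination of the transport and authentication settings above, keyed by their variable names. The policy it encodes follows the descriptions of the settings (clear-text simple bind, SASL sealing, LDAPS versus StartTLS ports, certificate verification); the sample configurations at the end are constructed to show a weak setting beside a hardened one.

```python
SASL_TYPES = {"Negotiate", "Kerberos", "NTLM"}


def audit_ldap_connection(cfg):
    """Return a list of (severity, finding) for a settings dict keyed by the
    CP_SdspLdapDriverDescriptor* variable names. Missing keys fall back to
    the documented defaults (Basic, port 389, verification on)."""
    auth = cfg.get("CP_SdspLdapDriverDescriptorAuthenticationType", "Basic")
    port = int(cfg.get("CP_SdspLdapDriverDescriptorPort", 389))
    ssl = bool(cfg.get("CP_SdspLdapDriverDescriptorUseSsl", False))
    starttls = bool(cfg.get("CP_SdspLdapDriverDescriptorUseStartTls", False))
    verify = bool(cfg.get("CP_SdspLdapDriverDescriptorVerifyServerCertificate", True))
    sealing = bool(cfg.get("CP_SdspLdapDriverDescriptorUseSealing", False))
    signing = bool(cfg.get("CP_SdspLdapDriverDescriptorUseSigning", False))
    tls = ssl or starttls
    findings = []
    if auth == "Basic" and not tls:
        findings.append(("high", "Basic (simple) bind without SSL/StartTLS: "
                                 "the password crosses the network in clear text"))
    if auth in SASL_TYPES and not tls and not sealing:
        findings.append(("medium", f"{auth} bind without sealing or TLS: "
                                   "directory data exchanged with the server is unencrypted"))
    if auth == "Anonymous":
        findings.append(("medium", "Anonymous bind: no credentials; only acceptable for "
                                   "read-only access the directory explicitly permits"))
    if tls and not verify:
        findings.append(("high", "server certificate verification disabled: TLS does not "
                                 "stop a man-in-the-middle presenting its own certificate"))
    if ssl and starttls:
        findings.append(("low", "Use SSL and Use StartTLS both set: LDAPS encrypts from the "
                                "first byte, StartTLS upgrades a plain session; pick one"))
    if ssl and port == 389:
        findings.append(("low", "Use SSL on port 389: LDAPS is conventionally served on 636"))
    if starttls and port == 636:
        findings.append(("low", "StartTLS on port 636: StartTLS is issued on the plain LDAP port"))
    if (sealing or signing) and auth not in SASL_TYPES:
        findings.append(("info", "sealing/signing only protect Negotiate, Kerberos and NTLM "
                                 "binds; they do nothing for a Basic or Anonymous bind"))
    return findings


# Constructed sample configurations (not taken from any real system).
WEAK = {
    "CP_SdspLdapDriverDescriptorAuthenticationType": "Basic",
    "CP_SdspLdapDriverDescriptorPort": 389,
}
HARDENED = {
    "CP_SdspLdapDriverDescriptorAuthenticationType": "Kerberos",
    "CP_SdspLdapDriverDescriptorPort": 636,
    "CP_SdspLdapDriverDescriptorUseSsl": True,
    "CP_SdspLdapDriverDescriptorVerifyServerCertificate": True,
    "CP_SdspLdapDriverDescriptorUseSealing": True,
    "CP_SdspLdapDriverDescriptorUseSigning": True,
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_ldap_connection(cfg) or "no findings")
```

The checker treats a Basic bind as clear text whenever neither SSL nor StartTLS is set, and flags certificate verification only when TLS is actually in use, since without TLS there is no certificate to verify.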
Protocol version |
Version of the LDAP protocol.
Default: 3
Variable: CP_SdspLdapDriverDescriptorProtocolVersion |
Search base |
Root entry for the search query, normally the root DN of the LDAP domain (for example, DC=example,DC=com).
Variable: CP_LdapContextDescriptorBaseDn |
Request timeout |
Timeout for LDAP requests in seconds.
Default: 3600
Variable: CP_SdspLdapDriverDescriptorClientTimeout |
LDAP domain UID |
Unique identifier for the LDAP domain in the LDPDomain table.
Variable: UID_LDPDomain |
Default Searcher: Use paged search |
Specifies whether LDAP objects are loaded page by page (paged search). This information is automatically determined from the selected preconfiguration or queried from the LDAP server. If the option is enabled, enter the page size.
Variable: CP_SdspDefaultSearchDescriptorUsePagedSearch |
Default Searcher: Page size |
Maximum number of objects to load per page.
Default: 500
Variable: CP_SdspDefaultSearchDescriptorPageSize |
AD (LDS) Search implementation: Chunk size |
If an attribute with a large number of values is returned by a Microsoft-based LDAP server, the server only sends back a certain number of values per response (normally 1,500). To query all the values, several queries with a range specifier (ranged retrieval) are sent.
The chunk size determines how many values are requested per query. If the selected chunk size is larger than the maximum number of values the server can return, it is adjusted automatically to the server's limit.
Default: 1000
Variable: CP_AdLdsSearchFeatureDescriptorChunkSize |
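Ranged retrieval in working code, as an added example that is not part of the product documentation or the connector: the client requests an attribute as attribute;range=lo-hi, the server answers with the range it actually returned, and an upper bound of * marks the last chunk. The server class is a constructed stand-in for an AD / AD LDS server with a configurable value limit, so the example runs offline; it also shows what happens when the chunk size exceeds the server's limit.

```python
import re

RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")


class FakeAdServer:
    """Constructed stand-in for an AD / AD LDS server: it never returns more
    than max_values values of one attribute per response (AD's MaxValRange,
    normally 1500) and labels partial results with a range specifier."""

    def __init__(self, entry, max_values=1500):
        self.entry = {k: list(v) for k, v in entry.items()}
        self.max_values = max_values
        self.requests = 0          # counts round trips, to make the chunking visible

    def search(self, requested):
        """Return {attribute label: values} for one requested attribute."""
        self.requests += 1
        m = RANGE_RE.match(requested)
        attr = m.group("attr") if m else requested
        vals = self.entry.get(attr, [])
        if not m and len(vals) <= self.max_values:
            return {attr: vals}                      # small attribute: no range label
        lo = int(m.group("lo")) if m else 0
        hi = int(m.group("hi")) if m and m.group("hi") != "*" else len(vals) - 1
        # The server clamps the window to its own limit, whatever the client asked for.
        end = min(hi + 1, lo + self.max_values, len(vals))
        label = f"{attr};range={lo}-{'*' if end >= len(vals) else end - 1}"
        return {label: vals[lo:end]}


def fetch_all_values(server, attr, chunk_size=1000):
    """Ranged retrieval: request attr;range=lo-hi windows of chunk_size and
    continue from the upper bound the server actually returned, until the
    server answers with '*' as the upper bound (the last chunk)."""
    values, lo = [], 0
    while True:
        response = server.search(f"{attr};range={lo}-{lo + chunk_size - 1}")
        label, chunk = next(iter(response.items()))
        values.extend(chunk)
        m = RANGE_RE.match(label)
        if not m or m.group("hi") == "*":
            return values
        returned_hi = int(m.group("hi"))
        if returned_hi < lo:                         # defensive: a server that makes no progress
            raise RuntimeError(f"no progress in ranged retrieval at {label}")
        lo = returned_hi + 1                         # chunk_size > server limit: just carry on here


if __name__ == "__main__":
    # Constructed group with 3200 members, more than one response can carry.
    big_group = FakeAdServer({"member": [f"CN=user{i},OU=Users,DC=example,DC=com"
                                         for i in range(3200)]})
    members = fetch_all_values(big_group, "member", chunk_size=1000)
    print(len(members), "values in", big_group.requests, "requests")
```

A plain search for the attribute on such an entry returns only the first 1,500 values labelled member;range=0-1499, which is why the connector has to loop; with a chunk size above the server limit the loop still terminates, it just advances by the range the server chose.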
Default delete implementation: Use DeleteTree control when deleting entries |
Specifies whether the connector sends the Tree Delete control with delete requests so that the LDAP server deletes an entry together with all of its sub-entries. Without the control, an LDAP server refuses to delete an entry that still has child entries. This information is automatically determined from the selected preconfiguration or queried from the LDAP server.
Variable: CP_SdspDefaultDeleteDescriptorUseDeleteTree |
Load schema from LDAP Server |
The schema is loaded from the LDAP server (default). |
Load schema from given LDIF string |
Alternative source to load the schema from if the LDAP server's schema is not available. The LDIF string is saved in the system connection (DPRSystemConnection.ConnectionParameter), so the *.ldif file itself does not have to be distributed. |
Remove spaces in distinguished names |
This function removes all spaces in distinguished names that, according to the RFC (RFC 4514), are not allowed or not significant, for example the spaces around the "=" and "," separators. Escaped spaces inside attribute values are significant and remain untouched.
If this function is not enabled, such spaces are left in the distinguished name and can cause errors in certain circumstances, for example when a distinguished name is compared with its normalized form.
Default: True |
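The normalization this option describes, as an added example that is not part of the product (function names are the editor's own): a normalizer that splits a DN on unescaped separators, removes the insignificant spaces around "=", "," and "+", and keeps escaped spaces and spaces inside values. Legacy quoted values (RFC 2253 style) are not handled. The DNs at the end are constructed inputs.

```python
def _split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped characters (\\, \\+ \\ ...) intact."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # keep the escape pair as one unit
            buf.append(ch)
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _rstrip_unescaped(value):
    """Drop trailing spaces unless the space is escaped ('\\ '), which is significant."""
    while value.endswith(" "):
        backslashes = len(value) - 1 - len(value[:-1].rstrip("\\"))
        if backslashes % 2 == 1:                  # odd run of backslashes: the space is escaped
            break
        value = value[:-1]
    return value


def normalize_dn(dn):
    """Return dn without the spaces RFC 4514 treats as insignificant.
    Raises ValueError for an RDN that has no '=' (a malformed DN)."""
    if not dn.strip():
        return ""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):    # multi-valued RDNs: OU=a+L=b
            if "=" not in ava:
                raise ValueError(f"malformed RDN: {ava!r}")
            attr_type, value = ava.split("=", 1)
            value = _rstrip_unescaped(value.lstrip())  # a leading escaped space starts with '\\'
            avas.append(f"{attr_type.strip()}={value}")
        rdns.append("+".join(avas))
    return ",".join(rdns)


def same_dn(a, b):
    """Compare two DNs after normalization (attribute types are case-insensitive)."""
    return normalize_dn(a).lower() == normalize_dn(b).lower()


if __name__ == "__main__":
    for sample in (" CN = John Smith , OU = Users , DC=example, DC=com ",
                   "CN=Smith\\, John , DC=example,DC=com",
                   "OU = Sales + L = Berlin , DC=example,DC=com"):
        print(repr(sample), "->", repr(normalize_dn(sample)))
```

Spaces inside a value ("John Smith") and an escaped comma inside a value ("Smith\, John") survive; only the padding around the separators is removed, which is what makes two spellings of the same DN compare equal.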
Tolerate 'Attribute already exists' and 'no such attribute' and retry |
Use this function to tolerate the LDAP result codes "attribute or value already exists" and "no such attribute" when an object is changed, for example when group memberships are updated: a value that is already present is not added again, a value that is already missing is not deleted, and the remaining changes are retried.
If this function is not enabled, changes to objects that affect attributes or values that already exist or are missing in the LDAP system cause errors.
Default: True |
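Why the retry matters, as an added example that is not the connector's implementation: an LDAP Modify request carries a list of changes that the server applies atomically, so one conflicting value (adding a member that is already in the group) rejects the whole request, including the changes that would have succeeded. The entry class below is a constructed stand-in for one directory entry that behaves that way; the tolerant wrapper drops the offending change on result codes 20 (attributeOrValueExists) and 16 (noSuchAttribute) and resends the rest.

```python
ATTRIBUTE_OR_VALUE_EXISTS = 20   # LDAP result code attributeOrValueExists
NO_SUCH_ATTRIBUTE = 16           # LDAP result code noSuchAttribute


class LdapResultError(Exception):
    def __init__(self, code, op, attr, value):
        super().__init__(f"result {code} on {op} {attr}={value}")
        self.code, self.op, self.attr, self.value = code, op, attr, value


class FakeEntry:
    """Constructed stand-in for one directory entry. Like a real LDAP Modify
    (RFC 4511, section 4.6) the change list is atomic: if one modification
    fails, none of them is applied."""

    def __init__(self, **attributes):
        self.attributes = {k: set(v) for k, v in attributes.items()}

    def modify(self, changes):
        """changes: list of (op, attribute, value) with op 'add' or 'delete'."""
        staged = {k: set(v) for k, v in self.attributes.items()}   # work on a copy
        for op, attr, value in changes:
            values = staged.setdefault(attr, set())
            if op == "add":
                if value in values:
                    raise LdapResultError(ATTRIBUTE_OR_VALUE_EXISTS, op, attr, value)
                values.add(value)
            elif op == "delete":
                if value not in values:
                    raise LdapResultError(NO_SUCH_ATTRIBUTE, op, attr, value)
                values.remove(value)
            else:
                raise ValueError(f"unknown operation {op!r}")
        self.attributes = staged                                    # commit only on success


def tolerant_modify(entry, changes):
    """Apply changes; drop an add of an already present value or a delete of an
    already missing value and retry the rest. Any other result code is raised.
    Returns the number of Modify requests that were sent."""
    pending, attempts = list(changes), 0
    while pending:
        attempts += 1
        try:
            entry.modify(pending)
            break
        except LdapResultError as err:
            if err.code not in (ATTRIBUTE_OR_VALUE_EXISTS, NO_SUCH_ATTRIBUTE):
                raise
            pending = [c for c in pending if c != (err.op, err.attr, err.value)]
    return attempts


if __name__ == "__main__":
    # Constructed group: alice and bob are members; the desired state is bob and carol.
    group = FakeEntry(member={"alice", "bob"})
    wanted = [("add", "member", "carol"), ("add", "member", "bob"),
              ("delete", "member", "dave"), ("delete", "member", "alice")]
    print("requests:", tolerant_modify(group, wanted), "members:", sorted(group.attributes["member"]))
```

Without tolerance the first request fails on "add bob" and carol is never added; with it the desired membership is reached after three requests, each one smaller than the last.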
Return operational attributes |
This schema function specifies which operational attributes are additionally returned for the LDAP objects. Operational attributes are maintained by the directory server itself for managing the directory (for example, creation and modification timestamps) and are not returned with the user attributes by default. They are added to every schema class provided by the preceding schema function.
NOTE: To map the operational attributes in One Identity Manager, custom extensions to the One Identity Manager schema may be required. Use the Schema Extension program to do this. |
Auxiliary class assignment |
Use this schema function to assign additional auxiliary classes to structural classes. Auxiliary classes are object classes of kind Auxiliary and contain attributes that extend structural classes. The attributes of the assigned auxiliary classes are offered as optional attributes of the structural classes in the schema.
NOTE: To map the attributes of the auxiliary classes in One Identity Manager, custom extensions to the One Identity Manager schema may be necessary under certain circumstances. Use the Schema Extension program to do this. |
Switch type of object class |
You can use this schema function to change the kind of an object class. This may be necessary if a non-RFC-compliant LDAP system allows several structural object classes to be assigned to one entry, although only one structural class is allowed.
Assigning more than one structural class means that an LDAP entry cannot be uniquely assigned to a schema type. If structural object classes have been defined that only serve as property extensions (that is, they are used like auxiliary classes), you can use this option to make the connector handle the object class as an auxiliary class.
NOTE: Object classes that are configured as auxiliary are subsequently not handled as independent schema types and cannot, therefore, be synchronized separately. |
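The three schema functions above (operational attributes, auxiliary class assignment, switching an object class to auxiliary) worked through on a tiny schema, as an added example that is not the connector's own code: it parses a constructed subschema in LDIF form, lists the operational attributes by their USAGE, computes the MUST/MAY attributes of a structural class with assigned auxiliary classes, and resolves an entry's objectClass values to one structural class, which fails for an entry with two structural leaves until one of them is treated as auxiliary. The class names and OIDs are the standard ones but the MUST/MAY lists are trimmed; siteExtension and its OID are made up for the example.

```python
import re

# Constructed, simplified subschema in LDIF form. siteExtension is a made-up
# structural class that is really only a property extension (the non-RFC case).
SCHEMA_LDIF = """\
attributeTypes: ( 0.9.2342.19200300.100.1.3 NAME 'mail' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 2.5.18.1 NAME 'createTimestamp' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
attributeTypes: ( 2.5.18.2 NAME 'modifyTimestamp' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber ) )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou ) )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( mail $ uid ) )
objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY MUST ( uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( loginShell $ gecos ) )
objectClasses: ( 1.2.3.4.5 NAME 'siteExtension' SUP top STRUCTURAL MAY ( siteCode $ costCenter ) )
"""

_LIST = r"(\([^)]*\)|[^\s)]+)"          # either '( a $ b )' or a single name


def _names(token):
    return [t.strip() for t in token.strip("() ").split("$") if t.strip()]


def _field(body, keyword):
    m = re.search(rf"\b{keyword}\s+{_LIST}", body)
    return _names(m.group(1)) if m else []


def parse_schema(ldif):
    """Return ({class name: {kind, sup, must, may}}, {attribute name: USAGE})."""
    classes, attrs = {}, {}
    for line in ldif.splitlines():
        key, _, body = line.partition(":")
        name_m = re.search(r"NAME\s+'([^']+)'", body)
        if not name_m:
            continue
        name = name_m.group(1)
        if key == "objectClasses":
            kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", body)
            classes[name] = {"kind": kind.group(1) if kind else "STRUCTURAL",  # RFC 4512 default
                             "sup": _field(body, "SUP"),
                             "must": _field(body, "MUST"),
                             "may": _field(body, "MAY")}
        elif key == "attributeTypes":
            usage = re.search(r"\bUSAGE\s+(\w+)", body)
            attrs[name] = usage.group(1) if usage else "userApplications"
    return classes, attrs


def operational_attributes(attrs):
    """Attributes the server maintains itself: any USAGE other than userApplications."""
    return sorted(a for a, usage in attrs.items() if usage != "userApplications")


def effective_attributes(classes, structural, auxiliaries=()):
    """(MUST, MAY) of an entry of class `structural`, walking the superclass chain;
    attributes of assigned auxiliary classes are offered as optional ones."""
    must, may = set(), set()

    def walk(name, into_must):
        cls = classes[name]
        (must if into_must else may).update(cls["must"])
        may.update(cls["may"])
        for sup in cls["sup"]:
            walk(sup, into_must)

    walk(structural, True)
    for aux in auxiliaries:
        if classes[aux]["kind"] != "AUXILIARY":
            raise ValueError(f"{aux} is not an auxiliary class")
        walk(aux, False)
    return must, may - must


def resolve_structural(classes, object_class_values, treat_as_auxiliary=()):
    """Schema type of an entry from its objectClass values: the single most derived
    structural class. treat_as_auxiliary lists structural classes to handle as
    auxiliary (the 'switch type' option). Raises ValueError if still ambiguous."""
    def ancestors(name):
        out = set()
        for sup in classes[name]["sup"]:
            out.add(sup)
            out |= ancestors(sup)
        return out

    structural = [c for c in object_class_values
                  if classes[c]["kind"] == "STRUCTURAL" and c not in treat_as_auxiliary]
    leaves = [c for c in structural
              if not any(c in ancestors(other) for other in structural if other != c)]
    if len(leaves) != 1:
        raise ValueError(f"entry has {len(leaves)} structural classes: {sorted(leaves)}")
    return leaves[0]


if __name__ == "__main__":
    classes, attrs = parse_schema(SCHEMA_LDIF)
    print("operational:", operational_attributes(attrs))
    print("inetOrgPerson+posixAccount:", effective_attributes(classes, "inetOrgPerson", ["posixAccount"]))
    entry = ["top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount", "siteExtension"]
    print("type:", resolve_structural(classes, entry, treat_as_auxiliary=["siteExtension"]))
```

The ValueError from resolve_structural on the unmodified entry is the "cannot be uniquely assigned to a schema type" situation; once siteExtension is switched to auxiliary the entry maps to inetOrgPerson, and siteExtension is no longer a type of its own that could be synchronized separately.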
Cache schema |
This schema function keeps the LDAP schema in a local cache. It is recommended to place this function after the functions that load the schema. This accelerates synchronization and provisioning of LDAP objects.
The cache is stored on the computer used to create the connection, under %Appdata%\...\Local\One Identity\One Identity Manager\Cache\LdapConnector. |
Load AD LDS schema extension |
This schema function loads additional information required for synchronizing the Active Directory Lightweight Directory Service. |
Driver |
Driver to use for accessing the LDAP system.
Default: LDAP via Windows API (SdspLdapDriver) |
LDAP domain |
Unique identifier of the domain in the form:
<DN part 1> (<server from connection parameters>)
Variable: $IdentDomain$ |