Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager 9.0 LTS - Administration Guide for Connecting to LDAP

Table of Contents

About this guide Managing LDAP environments

Architecture overview One Identity Manager users for managing LDAP Configuration parameters for managing LDAP environments

Synchronizing LDAP directories

Setting up initial LDAP directory synchronization

Users and permissions for synchronizing with LDAP Special cases for synchronizing Active Directory Lightweight Directory Services Special cases for synchronizing Oracle Directory Server Enterprise Edition Setting up the LDAP synchronization server

System requirements for the LDAP synchronization server Installing One Identity Manager Service with an LDAP connector

Creating a synchronization project for initial synchronization of an LDAP domain

Information required to set up a synchronization project Creating an initial synchronization project for an LDAP domain with the LDAP connector V2

Configuring the synchronization log

Adjusting the synchronization configuration for LDAP environments

Configuring synchronization in LDAP domains Configuring synchronization of several LDAP domains Changing system connection settings of LDAP domains

Editing connection parameters in the variable set Editing target system connection properties Extended schema configuration with the LDAP connector V2

Updating schemas Speeding up synchronization with revision filtering Configuring the provisioning of memberships Configuring single object synchronization Accelerating provisioning and single object synchronization

Running synchronization

Starting synchronization Displaying synchronization results Deactivating synchronization Synchronizing single objects

Tasks following synchronization

Post-processing outstanding objects Adding custom tables to the target system synchronization Managing LDAP user accounts through account definitions

Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)

Managing LDAP user accounts and employees

Account definitions for LDAP user accounts

Creating account definitions Editing account definitions Main data for account definitions Editing manage levels Creating manage levels Assigning manage levels to account definitions Main data for manage levels Creating mapping rules for IT operating data Entering IT operating data Modify IT operating data Assigning account definitions to employees

Assigning account definitions to departments, cost centers, and locations Assigning account definitions to business roles Assigning account definitions to all employees Assigning account definitions directly to employees Assigning account definitions to system roles Adding account definitions in the IT Shop

Assigning account definitions to LDAP domains Deleting account definitions

Assigning employees automatically to LDAP user accounts

Editing search criteria for automatic employee assignment Finding employees and directly assigning them to user accounts Changing manage levels for LDAP user accounts Assigning account definitions to linked LDAP user accounts

Manually linking employees to LDAP user accounts Supported user account types

Default user accounts Administrative user accounts

Providing administrative user accounts for one employee Providing administrative user accounts for several employees

Privileged user accounts

Specifying deferred deletion for LDAP user accounts

Managing memberships in LDAP groups

Assigning LDAP groups to LDAP user accounts and LDAP computers in One Identity Manager

Prerequisites for indirect assignment of LDAP groups Assigning LDAP groups to departments, cost centers, and locations Assigning LDAP groups to business roles Adding LDAP groups to system roles Adding LDAP groups to the IT Shop Assigning LDAP user accounts directly to LDAP groups Assigning LDAP groups directly to LDAP user accounts Assigning LDAP computers directly to LDAP groups Assigning LDAP groups directly to LDAP computers

Effectiveness of membership in LDAP user groups LDAP group inheritance based on categories Overview of all assignments

Login information for LDAP user accounts

Password policies for LDAP user accounts

Predefined password policies Using password policies Editing password policies Creating password policies General main data of password policies Policy settings Character classes for passwords Custom scripts for password requirements

Checking passwords with a script Generating passwords with a script

Editing the excluded list for passwords Checking passwords Testing the generation of passwords

Initial password for new LDAP user accounts Email notifications about login data

Mapping LDAP objects in One Identity Manager

Creating LDAP domains Editing main data of LDAP domains General main data for LDAP domains LDAP specific main data for LDAP domains Defining categories for inheritance by LDAP groups Editing the synchronization project for an LDAP domain Displaying the LDAP domain overview

LDAP container structures

Creating LDAP containers Editing main data of LDAP containers General main data for LDAP containers Contact data for LDAP containers Address information for LDAP containers Assigning extended properties to LDAP containers Displaying the LDAP container overview

LDAP user accounts

Creating LDAP user accounts Editing main data of LDAP user accounts General main data of LDAP user accounts Contact information for LDAP user accounts Address information for LDAP user accounts Organizational data for LDAP user accounts Miscellaneous data for LDAP user accounts Assigning extended properties to LDAP user accounts Disabling LDAP user accounts Deleting and restoring LDAP user accounts Displaying the LDAP user account overview

Creating LDAP groups Editing main data of LDAP groups LDAP group main data Assigning extended properties to LDAP groups Adding LDAP groups to LDAP groups Deleting LDAP groups Displaying the LDAP group overview

Creating LDAP computers Editing main data of LDAP computers Main data for LDAP computers Displaying the LDAP computer overview

Reports about LDAP objects

Handling of LDAP objects in the Web Portal Basic data for managing an LDAP environment

Target system managers for LDAP Job server for LDAP-specific process handling

Editing LDAP Job servers General main data of Job servers Specifying server functions

Troubleshooting

Possible errors when synchronizing an OpenDJ environment Errors connecting multiple LDAP systems with the same distinguished name

Configuration parameters for managing an LDAP environment Default project template for LDAP

OpenDJ project template for the LDAP connector V2 Active Directory Lightweight Directory Services project template for the LDAP connector V2 Oracle Directory Server Enterprise Edition template for the LDAP connector V2 Generic project template for the LDAP connector V2

LDAP connector V2 settings

Creating LDAP groups

To create a group

In the Manager, select the LDAP > Groups category.
Click in the result list.
On the main data form, edit the main data of the group.
Save the changes.

Related topics

Editing main data of LDAP groups

To edit group main data

In the Manager, select the LDAP > Groups category.
Select the group in the result list.
Select the Change main data task.
On the main data form, edit the main data of the group.
Save the changes.

Related topics

LDAP group main data

Enter the following main data:

Table 32: General main data
Property	Description
Distinguished name	Distinguished name of the group. The distinguished name is determined by template from the name of the group and the container and cannot be edited.
Name	Name of the group.
Display name	Name for displaying the group in the user interface of One Identity Manager tools.
Domain	Domain in which to create the group.
Container	Container in which to create the group.
Administrator	The group administrator.
Service item	Service item data for requesting the group through the IT Shop.
Business unit	Business unit to which the group is assigned.
See also	Link to another LDAP object.
Structural object class	Structural object class representing the object type. By default, containers in One Identity Manager are added with GROUPOFNAMES.
Object class	List of classes defining the attributes for this object. By default, containers in One Identity Manager are added with GROUPOFNAMES. However, in the input field, you can add object classes and auxiliary classes that are used by other LDAP and X.500 directory services.
Risk index	Value for evaluating the risk of assigning the group to user accounts. Set a value in the range 0 to 1. This input field is only visible if the QER \| CalculateRiskIndex configuration parameter is activated. For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.
Category	Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Select one or more categories from the menu.
Description	Text field for additional explanation.
Condition	LDAP filter for finding memberships in a dynamic group.
dynamic group	Specifies whether this is a dynamic group.
IT Shop	Specifies whether the group can be requested through the IT Shop. If this option is set, the group can be requested by the employees through the Web Portal and distributed with a defined approval process. The group can still be assigned directly to hierarchical roles.
Only for use in IT Shop	Specifies whether the group can only be requested through the IT Shop. If this option is set, the group can be requested by the employees through the Web Portal and distributed with a defined approval process. Direct assignment of the group to hierarchical roles or user accounts is not permitted.

Related topics

Assigning extended properties to LDAP groups

Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas that cannot be mapped directly in One Identity Manager.

For more information about setting up extended properties, see the One Identity Manager Identity Management Base Module Administration Guide.

To specify extended properties for a group

In the Manager, select the LDAP > Groups category.
Select the group in the result list.
Select Assign extended properties.
In the Add assignments pane, assign extended properties.
TIP: In the Remove assignments pane, you can remove assigned extended properties.

To remove an assignment
- Select the extended property and double-click .
Save the changes.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center