Chat now with support
Chat with Support

Identity Manager 9.1 - Administration Guide for Connecting to LDAP

About this guide Managing LDAP environments Synchronizing LDAP directories
Setting up initial LDAP directory synchronization Adjusting the synchronization configuration for LDAP environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing LDAP user accounts and employees Managing memberships in LDAP groups Login information for LDAP user accounts Mapping LDAP objects in One Identity Manager Handling of LDAP objects in the Web Portal Basic data for managing an LDAP environment Troubleshooting Configuration parameters for managing an LDAP environment Default project template for LDAP LDAP connector V2 settings

Changing system connection settings of LDAP domains

When you set up synchronization for the first time, the system connection properties are set to default values that you can modify. There are two ways to do this:

  1. Specify a specialized variable set and change the values of the affected variables.

    The default values remain untouched in the default variable set. The variables can be reset to the default values at any time. (Recommended action).

  2. Edit the target system connection with the system connection wizard and change the effected values.

    The system connection wizard supplies additional explanations of the settings. The default values can only be restored under particular conditions.

Detailed information about this topic

Editing connection parameters in the variable set

The connection parameters were saved as variables in the default variable set when synchronization was set up. You can change the values in these variables to suit you requirements and assign the variable set to a start up configuration and a base object. This means that you always have the option to use default values from the default variable set.

NOTE: To guarantee data consistency in the connected target system, ensure that the start-up configuration for synchronization and the base object for provisioning use the same variable set. This especially applies if a synchronization project is used for synchronizing different LDAP domains.

To customize connection parameters in a specialized variable set

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > Target system category.

  3. Open the Connection parameters view.

    Some connection parameters can be converted to variables here. For other parameters, variables are already created.

  4. Select a parameter and click Convert.

  5. Select the Configuration > Variables category.

    All specialized variable sets are shown in the lower part of the document view.

  6. Select a specialized variable set or click on in the variable set view's toolbar.

    • To rename the variable set, select the variable set and click the variable set view in the toolbar . Enter a name for the variable set.

  7. Select the previously added variable and enter a new value.

  8. Select the Configuration > Start up configurations category.

  9. Select a start up configuration and click Edit.

  10. Select the General tab.

  11. Select the specialized variable set in the Variable set menu.

  12. Select the Configuration > Base objects category.

  13. Select the base object and click .

    - OR -

    To add a new base object, click .

  14. Select the specialized variable set in the Variable set menu.

  15. Save the changes.

For more information about using variables and variable sets, or restoring default values and adding base objects, see the One Identity Manager Target System Synchronization Reference Guide.

Related topics

Editing target system connection properties

The advanced settings of the target system connection can be changed using the system connection wizard. If variables are defined for the settings, the changes are transferred to the active variable set.

NOTE: In the following circumstances, the default values cannot be restored:

  • The connection parameters are not defined as variables.

  • The default variable set is selected as an active variable set.

In both these cases, the system connection wizard overwrites the default values. They cannot be restored at a later time.

To edit advanced settings with the system connection wizard

  1. In the Synchronization Editor, open the synchronization project.

  2. In the toolbar, select the active variable set to be used for the connection to the target system.

    NOTE: If the default variable set is selected, the default values are overwritten and cannot be restored at a later time.

  3. Select the Configuration > Target system category.

  4. Click Edit connection.

    This starts the system connection wizard.

  1. Follow the system connection wizard instructions and change the relevant properties.

  2. Save the changes.
Related topics

Extended schema configuration with the LDAP connector V2

By preconfiguring this connector that you can select in the system connection wizard, the required schema configuration is already set up. If, in exceptional cases, it becomes necessary to make changes you can use the system connection wizard to configure schema types, schema properties, and methods.

IMPORTANT: Changes to the schema configuration should only be carried out by experienced Synchronization Editor users and system administrators.

NOTE: To make advanced settings, on the start page of the system connection wizard, set the Configure advanced settings option.

On the Connector schema configuration page, a hierarchical meta schema is displayed showing the schema types that will be created. You can add, edit, or delete schema classes, schema properties, and methods. The information displayed is similar to the information in the Synchronization Editor.

Use these setting to:

  • Specify which schema property is used for revision filtering.

  • Specify which schema property is used to uniquely identify an object.

  • Define virtual schema types if necessary.

Implementation types

NOTE: Global settings for implementing read and write access are stored in the Schema entry on the Connector schema configuration.

Table 6: Implementation

Implementation

Meaning

Implementation for queries

Implementation used for calling up entries from the LDAP server.

The DefaultQueryStrategy implementation uses the configured LDAP connection to call up entries.

Implementation for type resolution

The implementation that inspects LDAP entries returned by LDAP servers to determine and assign the connector schema type for the resulting connector object.

This option can only be changed in the through the user with the Request & Fulfillment | | Administrators application role.

Implementation for read access

Implementation converts a schema property’s values based on an LDAP entry.

Reference handling

Implementation for creating or resolving reference values of an LDAP entry’s schema property. A reference in LDAP is usually a property pointing to another entry through a distinguished name.

Implementation for commit

The implementation to be used when entries are saved by the connector to the LDAP server.

The DefaultCommitStrategy implementation calls the methods Insert, Update, or Delete depending on the state of the object.

Implementation for insert method

Implementation to be used for the Insert method of the schema types.

The DefaultInsertMethodStrategy implementation will send add requests to the LDAP server to publish new entries.

Implementation for update method

Implementation to be used for the Update method of the schema types.

The DefaultUpdateMethodStrategy implementation sends modify and modifydn requests to the LDAP server to publish changes to existing entries.

Implementation for delete method

Implementation to be used for the Delete method of the schema types.

The DefaultDeleteMethodStrategy implementation sends delete requests to the LDAP server to delete existing entries.

Schema property handler

Handler

Meaning

DNBackLinkPropertyHandler

Backlink handler. This handler resolves backlinks between schema properties.

Example:

This handler is configured for the group’s Member schema property. The MemberOf schema property is selected as Backlink property.

If a user account is assigned to a group, the user account is entered in the in the target system in the group’s Member schema property. The handler determines the referenced object, in this case, the user account and enters the group reference in the MemberOf schema property.

MirrorPropertyHandler

Mirror property handler This handler transfers values and changes of a schema property, for which the handler is defined, to the schema property given under Mirror property.

Example:

This handler is configured for the group’s Member schema property. The equivalentToMe schema property is selected as Mirror property.

If a user account is assigned to a group, the user account is entered in the in the target system in the group’s Member schema property. This is also added to the equivalentToMe schema property.

RdnPropertyHandler

This handler handles the vrtEntryRDN virtual schema property. The vrtEntryRDN schema property represents the relative distinguished names of the entry. The distinguished name is made up of one or more pairs of attribute name and attribute value combined, with the syntax <attribute name>=<attribute value>[+<attribute name>=<attribute value>]

Examples:

CN=Pat Identity1

OU=Sales

CN=Jo User1+UID=char

The handler ensures that when the vrtEntryRDN is set, the matching referenced property of the LDAP entry is set the same.

Example:

If the vrtEntryRDN has the value CN=Pat Identity1, the CN property is set to Pat Identity1.

If the vrtEntryRDN has the value OU=Sales, the OU property is set to Sales.

If the vrtEntryRDN has the value CN=Jo User1+UID=char, the CN property is set to Jo User1UID and the UID is given the value char.

DefaultValueModificationHandler

This handler ensures that there is always at least one defined default value is written to a schema property. This can currently be free text or the distinguished name of the object that the value is defined on, such as a group.

A CheckForDefaultValueAction operation is queued at the start and when changes are made to the schema property that was assigned to the handler.

The handler ensure the following behavior:

  • If the object was just added, it checks that the schema property contains a value. If this is not the case, the default value is written to the schema property.

  • If this is a change, first the property is loaded from the target system.

    There are the following possible cases:

    • In LDAP, the schema property is already set to the default value. The pending change will allocate another (additional) value to the schema property.

      The default value is removed from the schema property in LDAP and the new value is allocated to the schema property.

    • In LDAP, the schema property is not set to the default value yet. The pending change will clear the schema property or delete the last value, for example.

      In LDAP, the default value is allocated to the schema property.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating