
Identity Manager 9.2 - Administration Guide for Connecting to LDAP


Special cases for synchronizing Active Directory Lightweight Directory Services

There are various special cases to take into account when setting up a synchronization project for Active Directory Lightweight Directory Services (AD LDS).

AD LDS supports different authentication methods. For more information about AD LDS authentication, see the Microsoft TechNet Library.

Depending on the authentication method you choose, different settings need to be considered when setting up the synchronization project.

Authentication with AD LDS security principal

For this authentication method, you use a user account that is in AD LDS.

  • The user account must be a member of the Administrators group of the AD LDS instance.

  • The user account must have a password.

    If it does not have a password, the bind is anonymous. The schema then loads incorrectly and setting up the synchronization project fails.

Take note of the following for setting up your synchronization project.

  • Authentication must use SSL encryption.

  • Basic must be used as authentication method.

  • Enter the LDAP distinguished name (DN) of the user account as the user name for logging in to AD LDS.

    Syntax example: CN=Administrator,OU=Users,DC=Domain,DC=com

Authentication with Windows security principal

Use a user account for authentication that resides on a local computer or in an Active Directory domain.

  • The user account must be a member of the Administrators group of the AD LDS instance.

Take note of the following for setting up your synchronization project.

  • Negotiate must be used as the authentication method.

  • If SSL encryption is not being used, the sealing and signing authentication modes must be enabled.

  • If SSL encryption is being used, the sealing and signing authentication modes must not be enabled.

  • Enter the user principal name (UPN) of the user account as the user name for logging in to AD LDS.

    Syntax example: Administrator@<domain.com>

Authentication with AD LDS proxy object

Use a user account for authentication that exists in AD LDS and serves as a binding for a local user account or a user account in an Active Directory domain. The local or Active Directory user account is referenced in AD LDS by its security ID (SID).

  • The user account (AD LDS proxy object) must be a member of the Administrators group of the AD LDS instance.

Take note of the following for setting up your synchronization project.

  • Authentication must use SSL encryption.

  • Basic must be used as authentication method.

  • Use the AD LDS proxy object user name for the AD LDS login.

  • Enter the LDAP distinguished name (DN) of the proxy object as the user name.

    Syntax example: CN=Administrator,OU=Users,DC=Domain,DC=com

  • Use the password of the user account referenced by the AD LDS proxy object as the login password.
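The three AD LDS login variants above can be checked mechanically before the synchronization project is created. The following is an added example, not code from One Identity Manager: the AdLdsLogin field names and the principal labels adlds, windows and proxy are assumptions, and the checks encode only the rules listed above, including the empty password that would turn the bind into an anonymous one.

```python
"""Consistency check for the AD LDS login settings described above.

Added example, not One Identity code: field names and the principal labels are
assumptions; the checks encode only the rules listed on this page."""
import re
from dataclasses import dataclass

DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(?:,[A-Za-z]+=[^,]+)+$")   # CN=x,OU=y,DC=z,DC=com
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")              # Administrator@domain.com


@dataclass
class AdLdsLogin:
    principal: str      # "adlds" (security principal), "windows" or "proxy"
    auth_method: str    # "Basic" or "Negotiate"
    use_ssl: bool
    sealing: bool
    signing: bool
    user_name: str
    password: str


def check_adlds_login(cfg: AdLdsLogin) -> list[str]:
    """Return the rule violations; an empty list means the settings are consistent."""
    problems: list[str] = []
    if cfg.principal in ("adlds", "proxy"):
        # AD LDS security principal and proxy object: Basic over SSL, DN as user name
        if not cfg.use_ssl:
            problems.append("SSL encryption is required")
        if cfg.auth_method != "Basic":
            problems.append("authentication method must be Basic")
        if not DN_RE.match(cfg.user_name):
            problems.append("user name must be the distinguished name (DN) of the account")
        if cfg.principal == "adlds" and not cfg.password:
            # an empty password turns the bind into an anonymous one; the schema then loads incorrectly
            problems.append("empty password would make the bind anonymous")
    elif cfg.principal == "windows":
        # Windows security principal: Negotiate, UPN as user name, sealing/signing depend on SSL
        if cfg.auth_method != "Negotiate":
            problems.append("authentication method must be Negotiate")
        if not UPN_RE.match(cfg.user_name):
            problems.append("user name must be the user principal name (UPN)")
        if cfg.use_ssl and (cfg.sealing or cfg.signing):
            problems.append("sealing and signing must be disabled when SSL is used")
        if not cfg.use_ssl and not (cfg.sealing and cfg.signing):
            problems.append("sealing and signing must be enabled when SSL is not used")
    else:
        problems.append(f"unknown principal type {cfg.principal!r}")
    return problems
```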

Special cases for synchronizing Oracle Directory Server Enterprise Edition

Oracle Directory Server Enterprise Edition (DSEE) does not support paged searches. Because of this, the connector must be able to load a schema type's complete list of synchronization objects in a single request. If a conventional Oracle DSEE LDAP user is used, server-side limits are reached in large directories and this type of load action fails.

Possible messages:

  • Size Limit exceeded

  • Time Limit exceeded

Therefore, the limits for the synchronization user must be removed. To achieve this, set the following LDAP attributes on the synchronization user in the directory:

  • nsTimeLimit: Maximum timeout for a search query in seconds. This value can be increased or decreased depending on the size of the directory. (Recommendation: 7200.)

  • nsSizeLimit: Maximum number of search results for a search query. This value can be increased or decreased depending on the size of the directory. (Recommendation: 500000.)
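To apply the limits, the two attributes are written to the synchronization user with an LDIF modify record. The following added example (not part of the One Identity Manager guide) parses a constructed ldapsearch result for the user and builds that record, choosing add or replace per attribute and skipping values that already meet the recommendation; the DN uid=oimsync,ou=People,dc=example,dc=com and the current values are made up for the example.

```python
"""Raise the Oracle DSEE search limits on the synchronization user.

Added example, not from the One Identity Manager guide. It parses the LDIF that an
ldapsearch of the synchronization user returns (constructed sample below) and builds
the ldapmodify input that sets nsTimeLimit and nsSizeLimit, using replace when the
attribute is present and add when it is absent."""

RECOMMENDED = {"nsTimeLimit": 7200, "nsSizeLimit": 500000}   # values recommended above

# Constructed sample: the synchronization user has a (too small) time limit and no size limit
SAMPLE_ENTRY = """dn: uid=oimsync,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: oimsync
nsTimeLimit: 60
"""


def parse_ldif_entry(text: str) -> tuple[str, dict[str, list[str]]]:
    """Return (dn, attributes) for one LDIF entry; folded continuation lines are joined."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # LDIF line folding
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = "", {}
    for line in lines:
        name, _, value = line.partition(":")
        value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def limits_modify_ldif(entry_ldif: str, limits: dict[str, int] = RECOMMENDED) -> str:
    """Build the LDIF modify record; returns "" when both limits already meet the target."""
    dn, attrs = parse_ldif_entry(entry_ldif)
    changes = []
    for attr, wanted in limits.items():
        current = attrs.get(attr)
        if current and int(current[0]) >= wanted:
            continue                               # already at or above the recommended value
        op = "replace" if current else "add"
        changes.append(f"{op}: {attr}\n{attr}: {wanted}\n-")
    if not changes:
        return ""
    return f"dn: {dn}\nchangetype: modify\n" + "\n".join(changes) + "\n"
```

Pipe the returned text into ldapmodify with a bind account that is allowed to change the synchronization user's operational attributes.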

Setting up the LDAP synchronization server

All One Identity Manager Service actions are run against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server.

The One Identity Manager Service with the LDAP connector must be installed on the synchronization server.


System requirements for the LDAP synchronization server

To set up synchronization with an LDAP environment, a server has to be available that has the following software installed on it:

  • Windows operating system

    The following versions are supported:

    • Windows Server 2022

    • Windows Server 2019

    • Windows Server 2016

    • Windows Server 2012 R2

    • Windows Server 2012

  • Microsoft .NET Framework version 4.8 or later

    NOTE: Take the target system manufacturer's recommendations into account.