Chat now with support
Chat with Support

Identity Manager 9.2 - Administration Guide for Connecting to LDAP

About this guide Managing LDAP environments Synchronizing LDAP directories
Setting up initial LDAP directory synchronization Adjusting the synchronization configuration for LDAP environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing LDAP user accounts and identities Managing memberships in LDAP groups Login credentials for LDAP user accounts Mapping LDAP objects in One Identity Manager Handling of LDAP objects in the Web Portal Basic data for managing an LDAP environment Troubleshooting Configuration parameters for managing an LDAP environment Default project template for LDAP LDAP connector V2 settings

Active Directory Lightweight Directory Services project template for the LDAP connector V2

This project template is based on Active Directory Lightweight Directory Services (AD LDS). The project template uses mappings for the following schema types.

Table 41: Mapping schema types to tables in the One Identity Manager schema.
Schema type in AD LDS Table in the One Identity Manager schema

domainDNS

LDAPContainer

country

LDAPContainer

locality

LDAPContainer

organization

LDAPContainer

container

LDAPContainer

organizationalUnit

LDAPContainer

inetOrgPerson

LDAPAccount

user

LDAPAccount

userProxy

LDAPAccount

userProxyFull

LDAPAccount

foreignSecurityPrincipal

LDAPAccount

group

LDAPGroup

groupOfNames

LDAPGroup

Oracle Directory Server Enterprise Edition template for the LDAP connector V2

This project template is based on the Oracle Directory Server Enterprise Edition (DSEE). The project template uses mappings for the following schema types.

Table 42: Mapping schema types to tables in the One Identity Manager schema.
Schema type in LDAP Table in the One Identity Manager schema

country

LDAPContainer

domain LDPDomain
groupOfNames LDAPGroup
groupOfUniqueNames LDAPGroup
groupOfURLs LDAPGroup
inetOrgPerson LDAPAccount
locality LDAPContainer
organization LDAPContainer
organizationalUnit LDAPContainer

Generic project template for the LDAP connector V2

This template can be used as a base template if there is no system-specifc template. You may have to modify it.

NOTE: Check the project and correct any error before you use the synchronization project.

The project template uses mappings for the following schema types.

Table 43: Mapping schema types to tables in the One Identity Manager schema.
Schema type in LDAP Table in the One Identity Manager Schema
Container LDAPContainer

country

LDAPContainer

domain LDPDomain

groupOfEntries

LDAPGroup

groupOfNames LDAPGroup
groupOfUniqueNames LDAPGroup
groupOfURLs LDAPGroup
inetOrgPerson LDAPAccount
locality LDAPContainer
organization LDAPContainer
organizationalUnit LDAPContainer

LDAP connector V2 settings

The following settings are configured for the system connection with the LDAP connector V2.

NOTE: Some of the settings are only available if you set the Configure advanced settings option in the system connection wizard.

Table 44: LDAP connector V2 settings

Setting

Meaning

Server

IP address or full name of the LDAP server for connecting to the synchronization server to provide access to LDAP objects.

Variable: CP_SdspLdapDriverDescriptorServer

Port

Communications port on the server.

Default: 389

Variable: CP_SdspLdapDriverDescriptorPort

Authentication type

Authentication method for logging in to LDAP. The following are permitted:

  • Basic: Uses default authentication.

  • Negotiate: Uses Negotiate authentication from Microsoft.

  • Anonymous: Establishes a connection without passing login credentials.

  • Kerberos: Uses Kerberos authentication.

  • NTLM: Uses Windows NT Challenge/Response (NTLM) authentication.

  • External: Uses certificate-based authentication as the external method.

Default: Basic

Variable: CP_SdspLdapDriverDescriptorAuthenticationType

For more information about authentication types, see the MSDN Library.

User name

Name of the user account for logging in to LDAP.

Variable: CP_SdspLdapDriverDescriptorUsername

Password

The user account’s password.

Variable: CP_SdspLdapDriverDescriptorPassword

Enable sealing

Specifies whether sealing is enabled.

Variable: CP_SdspLdapDriverDescriptorUseSealing

Enable signing

Specifies whether signing is enabled.

Variable: CP_SdspLdapDriverDescriptorUseSigning

Use SSL

Specifies whether the connection is SSL/TLS encrypted.

Variable: CP_SdspLdapDriverDescriptorUseSsl

Use StartTLS

Specifies whether StartTLS is used for encryption.

Variable: CP_SdspLdapDriverDescriptorUseStartTls

Server certificate verification

Specifies whether the server certificate is checked with either SSL or StartTLS encryption.

NOTE: The server certificate must be valid. The root certification authority’s certificate must be the computer certificate ( Local Computer certificate store) either on the host that the Synchronization Editor was started on or on the Job server connected remotely. Ensure that the certificate is also installed on all Job servers that will connect to the LDAP system.

Variable: CP_SdspLdapDriverDescriptorVerifyServerCertificate

Protocol version

Version of the LDAP protocol.

Default: 3

Variable: CP_SdspLdapDriverDescriptorProtocolVersion

Search base

Root entry for the search query, normally the LDAP domain.

Variable: CP_LdapContextDescriptorBaseDn

Request timeout

Timeout for LDAP requests in seconds.

Default: 3600

Variable: CP_SdspLdapDriverDescriptorClientTimeout

LDAP domain UID

Unique identifier for the LDAP domain in the LDPDomain table.

Variable: UID_LDPDomain

Default Searcher: Use paged search

Specifies whether LDAP objects are loaded by page. This information is automatically queried through the selected preconfiguration or from the LDAP server. If the option is enabled, enter the page size.

Variable: CP_SdspDefaultSearchDescriptorUsePagedSearch

Default Searcher: Page size

Maximum number of objects to load per page.

Default: 500

Variable: CP_SdspDefaultSearchDescriptorPageSize

AD (LDS) Search implementation: Chunk size

If attributes with a large number of value are returned from a Microsoft based LDAP server, the server only sends a certain number of values back (normally 1500.) To query all the values, several queries with a scope limit are sent.

The chunk size determines how many value are return per query. If the select chunk size is larger than the maximum size that the server can process, it is adjusted automatically.

Default: 1000

Variable: CP_AdLdsSearchFeatureDescriptorChunkSize

Default delete implementation: Use DeleteTree control when deleting entries

Specifies if the LDAP server sends the DeleteTree control to delete entries with sub-entries during deletion. This information is automatically queried through the selected preconfiguration or from the LDAP server.

Variable:CP_SdspDefaultDeleteDescriptorUseDeleteTree

Load schema from LDAP Server

The schema is loaded from the LDAP server. (default)

Load schema from given LDIF string

Alternative source to load the schema from if the LDAP server’s schema is not available. The LDIF string is saved in the system connection (DPRSystemConnection.ConnectionParameter.) The means the *.ldif file is not distributed.

Remove spaces in distinguished names

This function removes all spaces in distinguished name objects that, according to RFC, are not allowed or non-significant.

If the function does not exist, according to RFC, all spaces that are non allowed or non-significant are not removed from the distinguished name and can cause errors in certain circumstances.

Default: False

Tolerate 'Attribute already exists' and 'no such attribute' and retry

Use this function to tolerate existing or missing attributes in the LDAP system when an object is changed, for example, updating group memberships.

If this function is not available, changes to objects that affect existing or missing attribute in the LDAP system can cause errors.

Default: True

Return operational attributes

This schema function specifies, which attributes are additionally found for the LDAP objects. Functional attributes are used for managing directories. Functional attributes are added to each schema class of the parent function.

NOTE: To map the operational attributes in One Identity Manager, custom extensions to the One Identity Manager schema may be required. Use the Schema Extension program to do this.

Auxiliary class assignment

Use this schema function to assign additional auxiliary classes to structural classes. Auxiliary classes are classes of type Auxiliary and contain attributes for extending structural classes. Auxiliary class attributes are offered as optional attributes for structural classes in the schema.

NOTE: To map the attributes of the auxiliary classes in One Identity Manager, custom extensions to the One Identity Manager schema may be necessary under certain circumstances. Use the Schema Extension program to do this.

Switch type of object class

You can use this schema function to change the type of an object class. This may be necessary if a non-RFC compliant LDAP system allows assignment of several structural object classes to one entry although only one structural class is allowed.

Assigning more than one structural class means that an LDAP entry cannot be uniquely assigned to a schema type. If structural object classes have been defined that only serve as property extensions (meaning auxiliary classes), you can, with help from this option, set the connector to handle the object class as an auxiliary class.

NOTE: Object classes that are configured as auxiliary are subsequently not handled as independent schema types and cannot, therefore, be synchronized separately.

Cache schema

This schema function keeps the LDAP schema stored in local cache. It is recommended to queue this function after the schema has loaded. This accelerates synchronization and provisioning of LDAP objects.

The cache is stored on the computer used to create the connection, under %Appdata%\...\Local\One Identity\One Identity Manager\Cache\LdapConnector.

Load AD LDS schema extension

This schema function loads additional information required for synchronizing the Active Directory Lightweight Directory Service.

Driver

Driver to use for accessing the LDAP system.

Default: LDAP via Windows API (SdspLdapDriver)

LDAP domain

Unique identifier of the domain in the form:

<DN part 1> (<server from connection parameters>)

Variable: $IdentDomain$

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating