Chat now with support
Chat with Support

Identity Manager 9.1.2 - Administration Guide for Connecting to LDAP

About this guide Managing LDAP environments Synchronizing LDAP directories
Setting up initial LDAP directory synchronization Adjusting the synchronization configuration for LDAP environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing LDAP user accounts and employees Managing memberships in LDAP groups Login information for LDAP user accounts Mapping LDAP objects in One Identity Manager Handling of LDAP objects in the Web Portal Basic data for managing an LDAP environment Troubleshooting Configuration parameters for managing an LDAP environment Default project template for LDAP LDAP connector V2 settings

Troubleshooting

Possible errors when synchronizing an OpenDJ environment

Issue

Error synchronizing an OpenDJ system if a password begins with an open curly bracket.

Cause

The LDAP server interprets a generated password of the form {<abc>}<def> as a hash value. However, the LDAP server does not allow hashed passwords to be passed.

Solution

The LDAP server can be configured so that a hashed password of the form {<algorithm>}hash can be passed.

  • On the LDAP server: Allow already hashed passwords to be passed.

  • In the synchronization project: Only pass hashed passwords. Use the script properties for mapping schema properties that contain passwords. Create the password's hash value in the script.

Errors connecting multiple LDAP systems with the same distinguished name

Issues

An error occurs when creating multiple synchronization projects for connecting an LDAP domain or when connecting instances with identical names.

The domain with the distinguished name '{0}' is already used in the synchronization project '{1}'. Only one synchronization project is allowed per domain and connector.

Cause

This problem occurs if the synchronization projects were created with an older One Identity Manager version.

The domain name (Ident_Domain) is used to search for LDAP domains in the database. In synchronization projects created with an older One Identity Manager version, LDAP domain names are formatted with <DN component 1>.

Solution

  • With newly created synchronization projects, the LDAP domain names are formed with <DN component 1> (<server from connection parameters>).

  • For existing synchronization projects created with the generic LDAP connector, apply the VPR#33513 patch. This creates a variable and value for $IdentDomain$ in all variable sets and changes the scope to DistinguishedName = '$CP_RootEntry$' and Ident_Domain='$IdentDomain$'.

    For more information about applying patches, see the One Identity Manager Target System Synchronization Reference Guide.

  • LDAP domains that are already in the database are not renamed. If necessary, manually adjust the LDAP domain names (Ident_Domain). For more information, see LDAP domains.

NOTE: Objects imported from different directory services that have the identical canonical names and distinguished names in the One Identity Manager database, could result in duplicate display values in current attestations, such as system entitlements, as well as in reports on target system objects and target system entitlements. Customizations may need to be made to attestation procedures and reports.

Configuration parameters for managing an LDAP environment

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 39: Configuration parameters for LDAP directory synchronization
Configuration parameters Description

TargetSystem | LDAP

Preprocessor relevant configuration parameter for controlling database model components for LDAP target system administration. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

TargetSystem | LDAP | Accounts

Allows configuration of user account data.

TargetSystem | LDAP | Accounts
| InitialRandomPassword

Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem | LDAP | Accounts |
InitialRandomPassword | SendTo

Employee to receive an email with the random generated password (manager cost center/department/location/business role, employee’s manager or XUserInserted). If no recipient can be found, the password is sent to the address stored in the TargetSystem | LDAP | DefaultAddress configuration parameter.

TargetSystem | LDAP | Accounts |
InitialRandomPassword | SendTo |
MailTemplateAccountName

Mail template name that is sent to supply users with the login credentials for the user account. The Employee - new user account created mail template is used.

TargetSystem | LDAP | Accounts |
InitialRandomPassword | SendTo |
MailTemplatePassword

Mail template name that is sent to supply users with the initial password. The Employee - initial password for new user account mail template is used.

TargetSystem | LDAP | Accounts |
MailTemplateDefaultValues

Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used.

TargetSystem | LDAP | Accounts |
PrivilegedAccount

Allows configuration of privileged LDAP user account settings.

TargetSystem | LDAP | Accounts |
PrivilegedAccount | UserID_Postfix

Postfix for formatting the login name of privileged user accounts.

TargetSystem | LDAP | Accounts |
PrivilegedAccount | UserID_Prefix

Prefix for formatting a login name of privileged user accounts.

TargetSystem | LDAP | Authentication

Allows configuration of the LDAP authentication module.

For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

TargetSystem | LDAP | Authentication | Authentication

Authentication mechanism. Permitted values are Secure, Encryption, SecureSocketsLayer, ReadonlyServer, Anonymous, FastBind, Signing, Sealing, Delegation, and ServerBind. The value can be combined with commas (,). For more information about authentication types, see the MSDN Library.

Default: ServerBind

TargetSystem | LDAP | Authentication | Port

Communications port on the server.

Default: 389

TargetSystem | LDAP | Authentication | RootDN

Pipe (|) delimited list of root domains to be used to find the user account for authentication.

Syntax:

DC=<MyDomain>|DC=<MyOtherDomain>

Example:

DC=Root1,DC=com|DC=Root2,DC=de

TargetSystem | LDAP | Authentication | Server

Name of the LDAP server.

TargetSystem | LDAP | AuthenticationV2

Allows configuration of the LDAP authentication module.

For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.

TargetSystem | LDAP | AuthenticationV2 | AcceptSelfSigned

Specifies whether self-signed certificates are accepted.

TargetSystem | LDAP | AuthenticationV2 | Authentication

Authentication method for logging in to LDAP. The following are permitted:

  • Basic: Uses default authentication.

  • Negotiate: Uses Negotiate authentication from Microsoft.

  • Kerberos: Uses Kerberos authentication.

  • NTLM: Uses Windows NT Challenge/Response (NTLM) authentication.

Default: Basic

For more information about authentication types, see the MSDN Library.

TargetSystem | LDAP | AuthenticationV2 | ClientTimeout

Client timeout in seconds.

TargetSystem | LDAP | AuthenticationV2 | Port

Communications port on the server.

Default: 389

TargetSystem | LDAP | AuthenticationV2 | ProtocolVersion

Version of the LDAP protocol. The values 2 and 3 are permitted.

Default: 3

TargetSystem | LDAP | AuthenticationV2 | RootDN

Pipe (|) delimited list of root domains to be used to find the user account for authentication.

Syntax:

DC=<MyDomain>|DC=<MyOtherDomain>

Example:

DC=Root1,DC=com|DC=Root2,DC=de

TargetSystem | LDAP | AuthenticationV2 | Security

Connection security. Permitted values are None, SSL and STARTTLS.

TargetSystem | LDAP | AuthenticationV2 | Server

Name of the LDAP server.

TargetSystem | LDAP | AuthenticationV2 | UseSealing

Specifies whether sealing is enabled.

TargetSystem | LDAP | AuthenticationV2 | UseSigning

Specifies whether signing is enabled.

TargetSystem | LDAP | AuthenticationV2 | VerifyServerCertificate

Specifies whether to check the server certificate when encrypting with SSL.

TargetSystem | LDAP | DefaultAddress

Default email address of the recipient for notifications about actions in the target system.

TargetSystem | LDAP |
HardwareInGroupFromOrg

Specfies whether computers are added to groups based on group assignment to roles.

TargetSystem | LDAP |
MaxFullsyncDuration

Maximum runtime of a synchronization in minutes. No recalculation of group memberships by the DBQueue Processor can take place during this time. If the maximum runtime is exceeded, group membership are recalculated.

TargetSystem | LDAP |
PersonAutoDefault

Mode for automatic employee assignment for user accounts added to the database outside synchronization.

TargetSystem | LDAP |
PersonAutoDisabledAccounts

Specifies whether employees are automatically assigned to disabled user accounts. User accounts are not given an account definition.

TargetSystem | LDAP |
PersonAutoFullSync

Mode for automatic employee assignment for user accounts that are added to or updated in the database by synchronization.

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating