Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for Connecting to LDAP

Managing LDAP Environments Setting up LDAP Directory Synchronization Basic Configuration Data LDAP Domains LDAP User Accounts LDAP Groups LDAP Container Structures LDAP Computers Reports about LDAP Objects Appendix: Configuration Parameters for Managing LDAP Appendix: Default Project Template for LDAP Appendix: Authentication Modules for Logging into the One Identity Manager

Assigning a Password Policy

The password policy "LDAP password policy" is predefined for LDAP. You can apply this password policy to LDAP user accounts passwords (LDAPAccount.UserPassword) of an LDAP domain or an LDAP container.

If the domains' or containers' password requirements differ, it is recommended that you set up your own password policies for each domain or container.

IMPORTANT: If you are not working with target system specific password policies, the default policy applies. In this case, ensure that the password policy "One Identity Manager password policy" does not violate the target system requirements.

To reassign a password policy

  1. Select the category Manager | Basic configuration data | Password policies in the LDAP.

  2. Select the password policy in the result list.
  3. Select Assign objects in the task view.
  4. Click Add in the Assignments section and enter the following data.

    Table 23: Assigning a Password Policy

    Property

    Description

    Apply to

    Application scope of the password policy.

    To specify an application scope

    1. Click next to the text box.
    2. Select the table which contains the password column under Table.
    3. Select the specific target system under Apply to.
    4. Click OK.

    Password column

    The password column's identifier.

    Password policy

    The identifier of the password policy to be used.

  5. Save the changes.

To change a password policy's assignment

  1. Select the category Manager | Basic configuration data | Password policies in the LDAP.

  2. Select the password policy in the result list.
  3. Select Assign objects in the task view.
  4. Select the assignment you want to change in Assignments.
  5. Select the new password policy to apply from the Password Policies menu.
  6. Save the changes.

Initial Password for New LDAP User Accounts

Initial Password for New LDAP User Accounts

Table 24: Configuration Parameters for Formatting Initial Passwords for User Accounts
Configuration parameter Meaning
QER\Person\UseCentralPassword

This configuration parameter specifies whether the employee's central password is used in the user accounts. The employee’s central password is automatically mapped to the employee’s user account in all permitted target systems. This excludes privileged user accounts, which are not updated.

QER\Person\UseCentralPassword\PermanentStore

This configuration parameter controls the storage period for central passwords. If the parameter is set, the employee’s central password is permanently stored. If the parameter is not set, the central password is only used for publishing to existing target system specific user accounts and is subsequently deleted from the One Identity Manager database.

TargetSystem\LDAP\Accounts
InitialRandomPassword

This configuration parameter specifies whether a random generated password is issued when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

You have the following possible options for issuing an initial password for a new LDAP user account.

  1. User the employee's central password. The employee’s central password is mapped to the user account password.
    • Set the configuration parameter "QER\Person\UseCentralPassword" in the Designer.

      If the configuration parameter "QER\Person\UseCentralPassword" is set, the employee's central password is automatically mapped to an employee's user account in each of the target systems. This excludes privileged user accounts, which are not updated.

    • Use the configuration parameter "QER\Person\UseCentralPassword\PermanentStore" in the Designer to specify whether an employee’s central password is permanently saved in the One Identity Manager database or only until the password has been published in the target system.

    The password policy "Employee central password policy" is used to format the central password.

    IMPORTANT: Ensure that the password policy "Employee central password policy" does not violate the target system specific password requirements.

  2. Create user accounts manually and enter a password in their master data.
  3. Specify an initial password to be used when user accounts are created automatically.
    • Apply the target system specific password policies and enter an initial password in the password policies.
  4. Assign a randomly generated initial password to enter when you create user accounts.

    • Set the configuration parameter "TargetSystem\LDAP\Accounts\InitialRandomPassword" in the Designer.
    • Apply target system specific password policies and define the character sets that the password must contain.
    • Specify which employee will receive the initial password by email.
Related Topics

Email Notifications about Login Data

Email Notifications about Login Data

Table 25: Configuration Parameters for Notifications about Login Data
Configuration parameter Meaning

TargetSystem\LDAP\Accounts\
InitialRandomPassword\SendTo

This configuration parameter specifies to which employee the email with the random generated password should be sent (manager cost center/department/location/business role, employee’s manager or XUserInserted). If no recipient can be found, the password is sent to the address stored in the configuration parameter "TargetSystem\LDAP\DefaultAddress".

TargetSystem\LDAP\Accounts\
InitialRandomPassword\SendTo\
MailTemplateAccountName

This configuration parameter contains the name of the mail template sent to inform users about their initial login data (name of the user account). Use the mail template "Employee - new account created".

TargetSystem\LDAP\Accounts\
InitialRandomPassword\SendTo\
MailTemplatePassword

This configuration parameter contains the name of the mail template sent to inform users about their initial login data (initial password). Use the mail template "Employee - initial password for new user account".

TargetSystem\LDAP\DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system.

You can configure the login information for new user accounts to be sent by email to a specified person. In this case, two messages are sent with the user name and the initial password. Mail templates are used to generate the messages. The mail text in a mail template is defined in several languages, which means the recipient’s language can be taken into account when the email is generated. Mail templates are supplied in the default installation with which you can configure the notification procedure.

To use email notifications about login data

  1. Ensure that the email notification system is configured in One Identity Manager. For more detailed information, see the .One Identity Manager Configuration Guide
  2. Enable the configuration parameter "Common\MailNotification\DefaultSender" in the Designer and enter the email address for sending the notification.
  3. Ensure that all employees have a default email address. Notifications are sent to this address. For more detailed information, see the .One Identity Manager Identity Management Base Module Administration Guide
  4. Ensure that a language culture can be determined for all employees. Only then can they receive email notifications in their own language. For more detailed information, see the .One Identity Manager Identity Management Base Module Administration Guide

When a randomly generated password is issued for the new user account, the initial login data for a user account is sent by email to a previously specified person.

To send initial login data by email

  1. Set the configuration parameter "TargetSystem\LDAP\Accounts\InitialRandomPassword" in the Designer.
  2. Set the configuration parameter "TargetSystem\LDAP\Accounts\InitialRandomPassword\SendTo" in the Designer and enter the message recipient as the value.
  3. Set the configuration parameter "TargetSystem\LDAP\Accounts\InitialRandomPassword\SendTo\MailTemplateAccountName" in the Designer.

    By default, the message sent uses the mail template "Employee - new account created". The message contains the name of the user account.

  4. Set the confiugration parameter "TargetSystem\LDAP\Accounts\InitialRandomPassword\SendTo\MailTemplatePassword" in the Designer.

    By default, the message sent uses the mail template "Employee - initial password for new user account". The message contains the initial password for the user account.

TIP: Change the value of the configuration parameter in order to use custom mail templates for these mails.

Target system managers

For more detailed information about implementing and editing application roles, see the One Identity Manager Application Roles Administration Guide.

Implementing Application Roles for Target System Managers
  1. The One Identity Manager administrator assigns employees to be target system managers.
  2. These target system managers add employees to the default application role for target system managers.

    The default application role target system managers are entitled to edit all domains in One Identity Manager.

  3. Target system managers can authorize more employees as target system managers, within their scope of responsibilities and create other child application roles and assign individual domains.
Table 26: Default Application Roles for Target System Managers
User Task

Target SystemClosed Managers

 

Target system managers must be assigned to the application role Target systems | LDAP or a sub application role.

Users with this application role:

  • Assume administrative tasks for the target system.
  • Create, change or delete target system objects, like user accounts or groups.
  • Edit password policies for the target system.
  • Prepare groups for adding to the IT Shop.
  • Configure synchronization in the Synchronization EditorClosed and defines the mapping for comparing target systems and One Identity Manager.
  • Edit the synchronization's target system types and outstanding objects.
  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

To initially specify employees to be target system administrators

  1. Log in to the Manager as One Identity Manager administrator (application role Base role | Administrators)
  2. Select the category One Identity Manager Administration | Target systems | Administrators.
  3. Select Assign employees in the task view.
  4. Assign the employee you want and save the changes.

To add the first employees to the default application as target system managers.

  1. Log yourself into the Manager as target system administrator (application role Target systems | Administrator).
  2. Select the category One Identity Manager Administration | Target systems | LDAP.
  3. Select Assign employees in the task view.
  4. Assign the employees you want and save the changes.

To authorize other employees as target system managers when you are a target system manager

  1. Login to the Manager as target system manager.
  2. Select the application role in the category LDAP | Basic configuration data | Target system managers.
  3. Select Assign employees in the task view.
  4. Assign the employees you want and save the changes.

To define target system managers for individual domains.

  1. Login to the Manager as target system manager.
  2. Select the category LDAP | Domains.
  3. Select the domain in the result list.
  4. Select Change master data in the task view.
  5. Select the application role on the General tab in the Target system manager menu.

    - OR -

    Click next to the Target system manager menu to create a new application role.

    • Enter the application role name and assign the parent application role Target system | LDAP.
    • Click OK to add the new application role.
  6. Save the changes.
  7. Assign the application role to employees, who are authorized to edit the domain in One Identity Manager.

Note: You can also specify target system managers for individual containers. Target system managers for a container are authorized to edit objects in this container.
Related Topics
Related Documents