Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for Connecting to LDAP

Managing LDAP Environments Setting up LDAP Directory Synchronization Basic Configuration Data LDAP Domains LDAP User Accounts LDAP Groups LDAP Container Structures LDAP Computers Reports about LDAP Objects Appendix: Configuration Parameters for Managing LDAP Appendix: Default Project Template for LDAP Appendix: Authentication Modules for Logging into the One Identity Manager

Assigning LDAP Computers directly to LDAP Groups

Assigning LDAP Computers directly to LDAP Groups

Groups can be assigned directly or indirectly to a computer. Indirect assignment is carried out by allocating the device with which a computer is connected and groups to company structures, like departments, cost centers, locations or business roles.

To react quickly to special requests, you can assign groups directly to a computer.

NOTE: Computers cannot be manually added to dynamic groups. Memberships in a dynamic group are determined through the condition of the dynamic group.

To assign a computer directly to groups

  1. Select the category LDAP | Computers.
  2. Select the computer in the result list.
  3. Select Assign groups in the task view.
  4. Assign groups in Add assignments.

    The view- OR -

    Remove groups from Remove assignments.

  5. Save the changes.
Related Topics

Reports about LDAP Objects

Reports about LDAP Objects

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for LDAP.

NOTE: Other sections may be available depending on the which modules are installed.
Table 51: Reports for the Target SystemClosed

Report

Description

Overview of all assignments (domain)

This report finds all roles containing employees with at least one user account in the selected domain.

Overview of all assignments (container)

This report finds all roles containing employees with at least one user account in the selected container.

Overview of all assignments (group)

This report finds all roles containing employees with the selected group.

Show orphaned user accounts

This report shows all user accounts in the domain, which are not assigned to an employee. The report contains group memberships and risk assessment.

Show employees with multiple user accounts

This report shows all employees with more than one user account in the domain. The report is a risk assessment.

Show unused user accounts

This report shows all user accounts in the domain, which have not been used in the last few months. The report contains group memberships and risk assessment.

Show entitlement drifts

This report shows all groups in the domain that are the result of manual operations in the target system rather than using the One Identity Manager.

Show user accounts with an above average number of system entitlements

This report contains all user accounts in the domain with an above average number of group memberships.

LDAP user account and group administration

This report contains a summary of user account and group distribution in all domains. You can find this report in the category My One Identity Manager.

Data quality summary for LDAP user accounts

This report contains different evaluations of user account data quality in all domains. You can find this report in the category My One Identity Manager.

Related Topics

Overview of all Assignments

Overview of all Assignments

The report "Overview of all Assignments" is displayed for certain objects, for example, permissions, compliance rules or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles and IT Shop structures in which there are employee who own the selected base object. In this case, direct as well as indirect base object assignments are included.

Example
  • If the report is created for a resource, all roles are determined in which there are employees with this resource.
  • If the report is created for a group, all roles are determined in which there are employees with this group.
  • If the report is created for a compliance rule, all roles are determined in which there are employees with this compliance rule.
  • If the report is created for a department, all roles are determined in which employees of the selected department are also members.
  • If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.

To display detailed information about assignments

  • To display the report, select the base object from the navigation or the result list and select the report Overview of all assignments.
  • Use the Used by button in the report's toolbar to select the role class (department, location, business role or IT Shop structure) for which you determine if roles exist in which there are employees with the selected base object.

    All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. In the report's toolbar, click to open the legend.

  • Double-click a control to show all child roles belonging to the selected role.
  • By clicking the button in a role's control, you display all employees in the role with the base object.
  • Use the small arrow next to to start a wizard that allows you to bookmark this list of employee for tracking. This creates a new business role to which the employees are assigned.

Figure 3: Toolbar for Report "Overview of all assignments"

Table 52: Meaning of Icons in the Report Toolbar
Icon Meaning
Show the legend with the meaning of the report control elements
Saves the current report view as a graphic.
Selects the role class used to generate the report.

Displays all roles or only the affected roles.

Appendix: Configuration Parameters for Managing LDAP

Appendix: Configuration Parameters for Managing LDAP

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 53: Configuration Parameter for LDAP Directory SynchronizationClosed
Configuration Parameter Description

TargetSystem\LDAP

Preprocessor relevant configuration parameter for controlling the database model components for the administration of the target system LDAP. If the parameter is set, the target system components are available. Changes to the parameter require recompiling the database.

TargetSystem\LDAP\Accounts

This configuration parameter permits configuration of user account data.

TargetSystem\LDAP\Accounts
\InitialRandomPassword

This configuration parameter specifies whether a random generated password is issued when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem\LDAP\Accounts
InitialRandomPassword\SendTo

This configuration parameter specifies to which employee the email with the random generated password should be sent (manager cost center/department/location/business role, employee’s manager or XUserInserted). If no recipient can be found, the password is sent to the address stored in the configuration parameter "TargetSystem\LDAP\DefaultAddress".

TargetSystem\LDAP\Accounts
InitialRandomPassword\SendTo\
MailTemplateAccountName

This configuration parameter contains the name of the mail template sent to inform users about their initial login data (name of the user account). Use the mail template "Employee - new account created".

TargetSystem\LDAP\Accounts
InitialRandomPassword\SendTo\
MailTemplatePassword

This configuration parameter contains the name of the mail template sent to inform users about their initial login data (initial password). Use the mail template "Employee - initial password for new user account".

TargetSystem\LDAP\Accounts
MailTemplateDefaultValues

This configuration parameter contains the mail template used to send notifications if default IT operating data mapping values are used for automatically creating a user account. Use the mail template "Employee - new user account with default properties created".

TargetSystem\LDAP\Accounts
PrivilegedAccount

This configuration parameter allows configuration of settings for privileged LDAP user accounts.

TargetSystem\LDAP\Accounts
PrivilegedAccount\UserID_Postfix

This configuration parameter contains the postfix for formatting login names for privileged user accounts.

TargetSystem\LDAP\Accounts
PrivilegedAccount\UserID_Prefix

This configuration parameter contains the prefix for formatting login names for privileged user accounts.

TargetSystem\LDAP\Authentication

The configuration parameter allows configuration of the LDAP authentication module.

TargetSystem\LDAP\Authentication\Authentication

The configuration parameter specified the authentication mechanism. Permitted values are "Secure", "Encryption", "SecureSocketsLayer", "ReadonlyServer", "Anonymous", "FastBind", "Signing", "Sealing", "Delegation" and "ServerBind". The value can be combined with commas (,). For more information about authentication types, see the MSDN Library.

Default is ServerBind.

TargetSystem\LDAP\Authentication\Port

LDAP server's port. Default is port 389.

TargetSystem\LDAP\Authentication\RootDN

The configuration parameter contains the root domain's distinguished name.

Syntax:

dc=MyDomain

TargetSystem\LDAP\Authentication\Server

The configuration parameter contains the name of the LDAP server.

TargetSystem\LDAP\DefaultAddress

The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system.

TargetSystem\LDAP\
HardwareInGroupFromOrg

This configuration parameter specifies whether computers are added in groups based on group assignment to roles.

TargetSystem\LDAP\
MaxFullsyncDuration

This configuration parameter contains the maximum runtime for synchronization. No recalculation of group memberships by the DBQueue Processor can take place during this time. If the maximum runtime is exceeded, group membership are recalculated.

TargetSystem\LDAP\
PersonAutoDefault

This configuration parameter specifies the mode for automatic employee assignment for user accounts added to the database outside synchronization.

TargetSystem\LDAP\
PersonAutoDisabledAccounts

This configuration parameters specifies whether employees are automatically assigned to disable user accounts. User accounts do not obtain an account definition.

TargetSystem\LDAP\
PersonAutoFullSync

This configuration parameter specifies the mode for automatic employee assignment for user accounts added to or updated in the database through synchronization.

Related Documents