
Identity Manager 8.0 - Administration Guide for Connecting to LDAP


Appendix: Default Project Template for LDAP


A default project template ensures that all required information is added in the One Identity Manager. This includes mappings, workflows and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.


OpenDJ Basic Template

This project template is based on OpenDJ. The template uses mappings for the following schema types.

Table 54: Mapping schema types to tables in the One Identity Manager schema.

Schema type in LDAP      Table in the One Identity Manager schema
domain                   LDAPDomain
organization             LDAPContainer
organizationalUnit       LDAPContainer
locality                 LDAPContainer
container                LDAPContainer
groupOfNames             LDAPGroup
groupOfUniqueNames       LDAPGroup
groupOfURLs              LDAPGroup
inetOrgPerson            LDAPAccount

Default Project Template for Active Directory Lightweight Directory Services


This project template is based on Active Directory Lightweight Directory Services (AD LDS). The template uses mappings for the following schema types.

Table 55: Mapping schema types to tables in the One Identity Manager schema.

Schema type in AD LDS    Table in the One Identity Manager schema
Container                LDAPContainer
country                  LDAPContainer
domainDNS                LDAPContainer
foreignSecurityPrincipal LDAPAccount
group                    LDAPGroup
groupOfNames             LDAPGroup
inetOrgPerson            LDAPAccount
organization             LDAPContainer
organizationalUnit       LDAPContainer
user                     LDAPAccount
userProxy                LDAPAccount
userProxyFull            LDAPAccount

Appendix: Authentication Modules for Logging into the One Identity Manager


The following authentication modules are available for logging into One Identity Manager once the LDAP module has been installed.

LDAP user account (dynamic)

Login Data

Login name, identifier, distinguished name or user ID of an LDAP user account.

LDAP user account's password.

Prerequisites

The employee exists in the One Identity Manager database.

The LDAP user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership.

Set as default: No

Single Sign-On: No

Front-end login allowed: Yes

Web Portal login allowed: Yes

Remarks

If you log in using a login name, identifier or user ID, the corresponding user account is determined in the One Identity Manager database through the container's domain. Logging in with a distinguished name is done directly. One Identity Manager determines which employee is assigned to the LDAP user account.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

The application configuration data is used to determine a system user, which is automatically assigned to the employee. The user interface and write permissions are loaded through the system user that is dynamically assigned to the logged-in employee.

Data modifications are attributed to the current user account.

Modify the following configuration parameters in the Designer to implement the authentication module.

Table 56: Configuration Parameters for the Authentication Module

TargetSystem\LDAP\Authentication
    Allows configuration of the LDAP authentication module.

TargetSystem\LDAP\Authentication\Authentication
    Specifies the authentication mechanism. Permitted values are "Secure", "Encryption", "SecureSocketsLayer", "ReadonlyServer", "Anonymous", "FastBind", "Signing", "Sealing", "Delegation" and "ServerBind". Several values can be combined, separated by commas (,). For more information about authentication types, see the MSDN Library.
    Default is ServerBind.

TargetSystem\LDAP\Authentication\Port
    The LDAP server's port. Default is port 389.

TargetSystem\LDAP\Authentication\RootDN
    The root domain's distinguished name.
    Syntax: dc=MyDomain

TargetSystem\LDAP\Authentication\Server
    The name of the LDAP server.

LDAP user account (role based)

Login Data

Login name, identifier, distinguished name or user ID of an LDAP user account.

LDAP user account's password.

Prerequisites

The employee exists in the One Identity Manager database.

The employee is assigned at least one application role.

The LDAP user account exists in the One Identity Manager database and the employee is entered in the user account's master data.

The configuration data for dynamically determining the system user is defined in the application. Thus, an employee can, for example, be assigned a system user dynamically depending on their department membership.

Set as default: No

Single Sign-On: No

Front-end login allowed: Yes

Web Portal login allowed: Yes

Remarks

If you log in using a login name, identifier or user ID, the corresponding user account is determined in the One Identity Manager database through the container's domain. Logging in with a distinguished name is done directly. One Identity Manager determines which employee is assigned to the LDAP user account.

If an employee owns more than one identity, the configuration parameter "QER\Person\MasterIdentity\UseMasterForAuthentication" controls which employee is used for authentication.

  • If this configuration parameter is set, the employee’s main identity is used for authentication.
  • If the parameter is not set, the employee’s subidentity is used for authentication.

A dynamic system user is determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.

Data modifications are attributed to the current user account.

Modify the following configuration parameters in the Designer to implement the authentication module.

Table 57: Configuration Parameters for the Authentication Module

TargetSystem\LDAP\Authentication
    Allows configuration of the LDAP authentication module.

TargetSystem\LDAP\Authentication\Authentication
    Specifies the authentication mechanism. Permitted values are "Secure", "Encryption", "SecureSocketsLayer", "ReadonlyServer", "Anonymous", "FastBind", "Signing", "Sealing", "Delegation" and "ServerBind". Several values can be combined, separated by commas (,). For more information about authentication types, see the MSDN Library.
    Default is ServerBind.

TargetSystem\LDAP\Authentication\Port
    The LDAP server's port. Default is port 389.

TargetSystem\LDAP\Authentication\RootDN
    The root domain's distinguished name.
    Syntax: dc=MyDomain

TargetSystem\LDAP\Authentication\Server
    The name of the LDAP server.
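An added audit helper for the TargetSystem\LDAP\Authentication\* parameters of Tables 56 and 57 (example code, not One Identity Manager's own): it parses the comma-combined Authentication value against the permitted names and flags a parameter set whose bind would send the user's password in cleartext, a port that does not fit the chosen flags, or a RootDN outside the documented syntax. The dict-based parameter store, the acceptance of multi-component RootDN values and the sample values are assumptions.

```python
"""Audit of the TargetSystem\\LDAP\\Authentication\\* parameters from Tables 56 and 57.
Added example, not One Identity Manager code. Parameters are read from a plain dict
(assumption: in the product they are maintained in the Designer)."""
import re

# Permitted values of ...\Authentication as listed in the tables; they are the names of the
# .NET System.DirectoryServices.AuthenticationTypes flags the module relies on.
PERMITTED = {"Secure", "Encryption", "SecureSocketsLayer", "ReadonlyServer", "Anonymous",
             "FastBind", "Signing", "Sealing", "Delegation", "ServerBind"}
# Flags under which the bind password does not cross the wire in cleartext:
# Secure (Negotiate: Kerberos/NTLM instead of a simple bind), Encryption/SecureSocketsLayer (TLS).
PROTECTING = {"Secure", "Encryption", "SecureSocketsLayer"}
# Documented RootDN syntax is "dc=MyDomain"; several dc= components are accepted here (assumption).
ROOTDN_RE = re.compile(r"dc=[^,=]+(,dc=[^,=]+)*", re.IGNORECASE)


def parse_auth_types(value):
    """Split the comma-combined value into a set of flag names; reject names not in the table."""
    flags = {part.strip() for part in value.split(",") if part.strip()}
    unknown = flags - PERMITTED
    if unknown:
        raise ValueError(f"unknown authentication type(s): {sorted(unknown)}")
    return flags


def audit(params):
    """Return a list of findings for one parameter set; an empty list means nothing to flag."""
    findings = []
    flags = parse_auth_types(params.get("Authentication", "ServerBind"))  # default from the table
    port = int(params.get("Port", 389))                                   # default from the table
    if not flags & PROTECTING:
        findings.append("no Secure/Encryption/SecureSocketsLayer flag: the simple bind sends "
                        "the user's password in cleartext")
    if "Anonymous" in flags:
        findings.append("Anonymous performs no authentication and does not fit a login module")
    if "SecureSocketsLayer" in flags and port == 389:
        findings.append("SecureSocketsLayer with Port 389: LDAPS listens on 636 by default")
    root_dn = params.get("RootDN", "")
    if not ROOTDN_RE.fullmatch(root_dn):
        findings.append(f"RootDN {root_dn!r} does not follow the documented syntax dc=MyDomain")
    if not params.get("Server"):
        findings.append("Server is empty")
    return findings


if __name__ == "__main__":
    # Constructed sample: the documented defaults with a server name and root DN filled in.
    for finding in audit({"Authentication": "ServerBind", "Port": 389,
                          "RootDN": "dc=MyDomain", "Server": "ldap01.example.test"}):
        print("finding:", finding)
```

Run against the documented defaults, the only finding is the cleartext simple bind, which disappears once Secure or SecureSocketsLayer (with port 636) is added to the value.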
