
Identity Manager 8.2.1 - Administration Guide for Connecting to LDAP


Generic LDAP connector settings

The following settings are configured for the system connection with the generic LDAP connector.

NOTE: Some of the settings are only available if you set the Configure advanced settings (expert mode) option in the system connection wizard.

Table 47: Generic LDAP connector settings

Setting

Meaning

Server

IP address or fully qualified name of the LDAP server that the synchronization server connects to in order to access LDAP objects.

Variable: CP_Server

Port

Communications port on the server.

Default: 389

Variable: CP_Port

Authentication type

Authentication method for logging in to LDAP. The following are permitted:

  • Basic: Uses default authentication (an LDAP simple bind). The user name and password are sent in clear text, so only use it together with Use SSL or Use StartTLS.

  • Negotiate: Uses Negotiate (SPNEGO) authentication from Microsoft, which selects Kerberos where available and otherwise NTLM.

  • Anonymous: Establishes a connection without passing login credentials. Only the access the directory grants to unauthenticated clients is available.

  • Kerberos: Uses Kerberos authentication.

  • NTLM: Uses Windows NT Challenge/Response (NTLM) authentication.

Default: Basic

Variable: CP_AuthenticationType

For more information about authentication types, see the MSDN Library.

User name

Name of the user account for logging in to LDAP.

Variable: CP_Username

Password

The user account’s password.

Variable: CP_Password

Enable sealing

Specifies whether sealing (encryption of the LDAP traffic by the SASL security layer) is enabled. Sealing and signing are available with the SASL-based authentication types (Negotiate, Kerberos, NTLM); with a Basic bind, protect the session with Use SSL or Use StartTLS instead.

Enable signing

Specifies whether signing (integrity protection of the LDAP traffic by the SASL security layer) is enabled. Directories configured to require signing reject unsigned binds that are not protected by TLS.

Use SSL

Specifies whether the connection is SSL/TLS encrypted.

Variable: CP_UseSsl

Use StartTLS

Specifies whether StartTLS is used for encryption.

Variable: CP_UseStartTls

Protocol version

Version of the LDAP protocol.

Default: 3

Search base

Root entry for the search query, normally the LDAP domain.

Variable: CP_RootEntry

Request timeout

Timeout for LDAP requests in seconds.

Default: 3600

Variable: CP_ClientTimeout

Use paged search

Specifies whether LDAP objects are loaded by page. If you use this option (default), enter the page size.

Page size

Maximum number of objects to load per page.

Default: 500

Use DeleteTree control when deleting entries

Specifies whether the connector attaches the Tree Delete control (OID 1.2.840.113556.1.4.805) to delete requests so that an entry can be deleted together with all of its subordinate entries in one operation. Without the control, the server rejects the deletion of an entry that still has child entries. Because a single request then removes a whole subtree, verify the synchronization scope before enabling this option.

Variable: CP_LDAP_UseDeleteTree

Save LDAP schema in local cache

Specifies whether the LDAP schema should be kept in local cache. This accelerates synchronization and provisioning of LDAP objects.

The cache is stored on the computer used to create the connection, under %Appdata%\...\Local\One Identity\One Identity Manager\Cache\LdapConnector.

Default: False

Variable: CP_CacheSchema

Object identification attribute

Attribute that uniquely identifies objects in LDAP. The attribute must be unique and set for all LDAP objects. entryUUID is the RFC 4530 attribute provided by OpenLDAP, 389 Directory Server and others; Active Directory and AD LDS use objectGUID instead.

Default: entryUUID

Variable: CP_Guid_Attribute

Revision properties

Properties used for revision filtering. The defaults are operational attributes maintained by the server; revision filtering only works if the server returns them and keeps them current.

Default: createTimestamp, modifyTimestamp

Define auxiliary classes

You can use this schema function to change the type of an object class. This may be necessary if a non-RFC compliant LDAP system allows assignment of several structural object classes to one entry although only one structural class is allowed.

Assigning more than one structural class means that an LDAP entry cannot be uniquely assigned to a schema type. If structural object classes have been defined that only serve as property extensions (meaning auxiliary classes), you can, with help from this option, set the connector to handle the object class as an auxiliary class.

NOTE: Object classes that are configured as auxiliary are subsequently not handled as independent schema types and cannot, therefore, be synchronized separately.

Virtual classes

Additional virtual classes. These support LDAP systems that are non-RFC compliant and allow more than one structural class for each object.

Server supports renaming of entries

Specifies whether the server supports renaming of entries.

Default: False

Server supports moving of entries

Specifies whether the server supports moving of entries.

Default: False

Auxiliary class assignment

Assigns additional auxiliary classes to structural classes. Auxiliary classes are classes of type Auxiliary and contain attributes for extending structural classes. Auxiliary class attributes are offered as optional attributes for structural classes in the schema.

NOTE: To map the attributes of the auxiliary classes in One Identity Manager, custom extensions to the One Identity Manager schema may be necessary under certain circumstances. Use the Schema Extension program to do this.

Functional attributes

Operational attributes that are additionally requested for LDAP objects. Operational attributes (for example createTimestamp, modifyTimestamp or entryUUID) are maintained by the server for managing the directory and are only returned if they are explicitly requested. They are added to each schema class of the parent function.

NOTE: To map the operational attributes in One Identity Manager, custom extensions to the One Identity Manager schema may be required. Use the Schema Extension program to do this.

Identity dynamic groups

Attributes that contain the URL with search data for determining members of dynamic groups, for example memberURL.

Password attribute

Attribute that represents the password of a user account, for example, userPassword.

Password change method

Method for changing passwords. Permitted values are:

  • Default: Default method for changing passwords. The clear-text password is written directly to the password attribute; whether it is stored hashed is decided by the directory.

  • ADLDS: A password change method for systems based on Microsoft Active Directory Lightweight Directory Services (AD LDS). AD LDS accepts password changes only over an encrypted connection by default, so Use SSL or Use StartTLS must be enabled.
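The two password change methods differ in what is sent to the directory, not only in which attribute is written. The following is an added example, not code from this guide or from the One Identity Manager connector: it builds the modify operations for both methods and refuses to send them over an unencrypted session. It assumes that the ADLDS method writes the unicodePwd attribute in the form AD LDS and Active Directory require (the password in double quotes, encoded UTF-16LE); the page itself does not name that attribute.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ModifyOp:
    """One change inside an LDAP Modify request: operation, attribute, raw value."""
    operation: str      # "replace", "delete" or "add"
    attribute: str
    value: bytes


def encode_unicode_pwd(password: str) -> bytes:
    """AD and AD LDS accept a password only on unicodePwd, as the password wrapped
    in double quotes and encoded UTF-16LE. Sending the bare UTF-8 string fails.
    (Assumed standard AD LDS behaviour; not stated by the guide.)"""
    return ('"' + password + '"').encode("utf-16-le")


def password_modify(method: str, new_password: str,
                    password_attribute: str = "userPassword",
                    old_password: Optional[str] = None) -> List[ModifyOp]:
    """Build the modify operations for the two password change methods.

    Default: the clear-text password is written into the configured password
    attribute; whether it is stored hashed is decided by the directory.
    ADLDS:   a reset by an administrator is one replace of unicodePwd; a change
             by the user who knows the old password is a delete of the old value
             plus an add of the new value in the same request.
    """
    if method == "Default":
        return [ModifyOp("replace", password_attribute, new_password.encode("utf-8"))]
    if method == "ADLDS":
        if old_password is None:
            return [ModifyOp("replace", "unicodePwd", encode_unicode_pwd(new_password))]
        return [ModifyOp("delete", "unicodePwd", encode_unicode_pwd(old_password)),
                ModifyOp("add", "unicodePwd", encode_unicode_pwd(new_password))]
    raise ValueError(f"unknown password change method: {method}")


def check_transport(method: str, session_encrypted: bool) -> None:
    """Fail early instead of letting the server reject the write or, worse, letting
    a clear-text password cross the wire. AD LDS refuses unicodePwd writes on an
    unencrypted session by default; the Default method is accepted on one, but the
    password is then readable on the network, so require SSL/StartTLS for both."""
    if not session_encrypted:
        raise RuntimeError(f"password change via {method} requires SSL or StartTLS")


if __name__ == "__main__":
    check_transport("ADLDS", session_encrypted=True)
    for op in password_modify("ADLDS", "N3w-Secret", old_password="0ld-Secret"):
        print(op.operation, op.attribute, op.value.hex())
```

The hex dump printed by the usage call shows every character followed by a zero byte and the surrounding 0x22 quote bytes; that is what the directory expects to see on the wire, and it is the most common reason a password write to AD LDS fails with a constraint violation when the attribute is populated by hand.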

LDAP domain

Unique identifier of the domain in the form:

<DN part 1> (<server from connection parameters>)

Variable: $IdentDomain$

LDAP connector V2 settings

The following settings are configured for the system connection with the LDAP connector V2.

NOTE: Some of the settings are only available if you set the Configure advanced settings option in the system connection wizard.

Table 48: LDAP connector V2 settings

Setting

Meaning

Server

IP address or fully qualified name of the LDAP server that the synchronization server connects to in order to access LDAP objects.

Variable: CP_SdspLdapDriverDescriptorServer

Port

Communications port on the server.

Default: 389

Variable: CP_SdspLdapDriverDescriptorPort

Authentication type

Authentication method for logging in to LDAP. The following are permitted:

  • Basic: Uses default authentication (an LDAP simple bind). The user name and password are sent in clear text, so only use it together with Use SSL or Use StartTLS.

  • Negotiate: Uses Negotiate (SPNEGO) authentication from Microsoft, which selects Kerberos where available and otherwise NTLM.

  • Anonymous: Establishes a connection without passing login credentials. Only the access the directory grants to unauthenticated clients is available.

  • Kerberos: Uses Kerberos authentication.

  • NTLM: Uses Windows NT Challenge/Response (NTLM) authentication.

  • External: Uses certificate-based authentication as the external method (SASL EXTERNAL). The directory takes the identity from the client certificate presented in the TLS handshake, so this type requires Use SSL or Use StartTLS.

Default: Basic

Variable: CP_SdspLdapDriverDescriptorAuthenticationType

For more information about authentication types, see the MSDN Library.

User name

Name of the user account for logging in to LDAP.

Variable: CP_SdspLdapDriverDescriptorUsername

Password

The user account’s password.

Variable: CP_SdspLdapDriverDescriptorPassword

Enable sealing

Specifies whether sealing is enabled.

Variable: CP_SdspLdapDriverDescriptorUseSealing

Enable signing

Specifies whether signing is enabled.

Variable: CP_SdspLdapDriverDescriptorUseSigning

Use SSL

Specifies whether the connection is SSL/TLS encrypted.

Variable: CP_SdspLdapDriverDescriptorUseSsl

Use StartTLS

Specifies whether StartTLS is used for encryption.

Variable: CP_SdspLdapDriverDescriptorUseStartTls

Server certificate verification

Specifies whether the server certificate is checked when SSL or StartTLS encryption is used. If verification is disabled, the connector accepts any certificate, including one presented by a man-in-the-middle, and the bind credentials and directory data are exposed; leave it enabled outside of test setups.

NOTE: The server certificate must be valid, and the certificate of the issuing root certification authority must be present in the Local Computer certificate store, either on the host on which the Synchronization Editor was started or on the remotely connected Job server. Ensure that the certificate is also installed on all Job servers that will connect to the LDAP system.

Variable: CP_SdspLdapDriverDescriptorVerifyServerCertificate

Protocol version

Version of the LDAP protocol.

Default: 3

Variable: CP_SdspLdapDriverDescriptorProtocolVersion

Search base

Root entry for the search query, normally the LDAP domain.

Variable: CP_LdapContextDescriptorBaseDn

Request timeout

Timeout for LDAP requests in seconds.

Variable: CP_SdspLdapDriverDescriptorClientTimeout

LDAP domain UID

Unique identifier for the LDAP domain in the LDPDomain table.

Variable: UID_LDPDomain

Default Searcher: Use paged search

Specifies whether LDAP objects are loaded by page. This information is automatically queried through the selected preconfiguration or from the LDAP server. If the option is enabled, enter the page size.

Variable: CP_SdspDefaultSearchDescriptorUsePagedSearch

Default Searcher: Page size

Maximum number of objects to load per page.

Default: 500

Variable: CP_SdspDefaultSearchDescriptorPageSize
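The page loop that the Use paged search and Page size settings configure (in this table and in the generic connector table above), as an added example that is not part of this guide or of the One Identity Manager connector code. It assumes a directory that implements the Simple Paged Results control (RFC 2696) and caps the page at a server-side maximum of 1000 entries, as AD and AD LDS do by default; the in-memory directory and its offset-as-cookie are constructed for the example (real cookies are opaque and must be passed back unchanged).

```python
from typing import Dict, List, Tuple

# Simple Paged Results control (RFC 2696). Request value: (page size, cookie);
# response value: (size estimate, cookie). An empty response cookie means the
# result set is complete.
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"
SERVER_MAX_PAGE_SIZE = 1000   # assumed server limit (AD / AD LDS default MaxPageSize)

Controls = Dict[str, Tuple[int, bytes]]


def make_paging_server(entries: List[str]):
    """Constructed stand-in for a directory that supports the control. It serves
    at most SERVER_MAX_PAGE_SIZE entries per request, whatever the client asked
    for, and hands back a cookie that encodes the next offset."""
    def search(controls: Controls) -> Tuple[List[str], Controls]:
        size, cookie = controls[PAGED_RESULTS_OID]
        start = int(cookie) if cookie else 0
        size = min(size, SERVER_MAX_PAGE_SIZE)
        page = entries[start:start + size]
        nxt = start + len(page)
        new_cookie = str(nxt).encode() if nxt < len(entries) else b""
        return page, {PAGED_RESULTS_OID: (len(entries), new_cookie)}
    return search


def paged_search(search, page_size: int) -> Tuple[List[str], int]:
    """Run one logical search page by page and return all entries and the number
    of pages it took. The server may shrink the page; the client only has to
    keep sending the cookie it received until that cookie comes back empty.
    A server that ignores the control is detected rather than silently treated
    as a single (possibly truncated) page."""
    results: List[str] = []
    cookie, pages = b"", 0
    while True:
        pages += 1
        page, controls = search({PAGED_RESULTS_OID: (page_size, cookie)})
        results.extend(page)
        if PAGED_RESULTS_OID not in controls:
            raise RuntimeError("server did not return the paged results control; "
                               "disable 'Use paged search' for this server")
        _, cookie = controls[PAGED_RESULTS_OID]
        if not cookie:
            return results, pages


if __name__ == "__main__":
    # Constructed sample: 2500 user entries, more than the server's page cap.
    users = [f"uid=user{i},ou=People,dc=example,dc=com" for i in range(2500)]
    entries, n = paged_search(make_paging_server(users), page_size=500)
    print(len(entries), "entries in", n, "pages")
```

With a page size above the server limit the loop still completes, it just needs more round trips than the requested size suggests; this is why the V2 connector queries the effective page handling from the server or preconfiguration rather than trusting the configured number alone.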

AD (LDS) Search implementation: Chunk size

If attributes with a large number of values are returned by a Microsoft based LDAP server, the server only sends a limited number of values back per response (normally 1500). To query all the values, several queries are sent that each request one range of the attribute (for example, member;range=0-1499).

The chunk size determines how many values are requested per query. If the selected chunk size is larger than the maximum the server can process, it is adjusted automatically.

Default: 1000

Variable: CP_AdLdsSearchFeatureDescriptorChunkSize
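The range retrieval loop behind the chunk size setting, as an added example that is not part of this guide or of the One Identity Manager connector code. It assumes the Active Directory / AD LDS range option syntax (attribute;range=low-high in the request, low-high or low-* in the reply) and a server that returns at most 1500 values per response; the in-memory server is constructed for the example and stands in for a base-scope search of the group object.

```python
from typing import Callable, Dict, List, Tuple

# Default MaxValRange on AD and AD LDS: the server returns at most this many
# values of one attribute per response, whatever the client asked for.
SERVER_MAX_RANGE = 1500


def make_fake_server(values: List[str]) -> Callable[[str], Dict[str, List[str]]]:
    """Constructed stand-in for the directory: answers a request for
    'member;range=lo-hi' the way AD LDS does, capping the slice at
    SERVER_MAX_RANGE and naming the returned attribute 'member;range=lo-hi',
    or 'member;range=lo-*' when the slice reaches the end of the list."""
    def search(requested: str) -> Dict[str, List[str]]:
        attr, _, rng = requested.partition(";range=")
        lo_s, _, hi_s = rng.partition("-")
        lo = int(lo_s)
        hi = len(values) - 1 if hi_s == "*" else int(hi_s)
        hi = min(hi, lo + SERVER_MAX_RANGE - 1, len(values) - 1)
        last = hi >= len(values) - 1
        label = f"{attr};range={lo}-{'*' if last else hi}"
        return {label: values[lo:hi + 1]}
    return search


def fetch_all_values(search, attr: str, chunk_size: int) -> Tuple[List[str], int]:
    """Collect every value of a multi-valued attribute with range retrieval.

    Each round asks for chunk_size values starting at `lo`. The next start is
    taken from the upper bound the server actually returned, not from what was
    requested, which is what makes an oversized chunk size adjust itself to the
    server limit. A returned upper bound of '*' marks the last slice.
    Returns the values and the number of search requests that were needed.
    """
    collected: List[str] = []
    lo, requests = 0, 0
    while True:
        requests += 1
        reply = search(f"{attr};range={lo}-{lo + chunk_size - 1}")
        label, chunk = next(iter(reply.items()))
        collected.extend(chunk)
        _, _, rng = label.partition(";range=")
        _, _, hi_s = rng.partition("-")
        if hi_s == "*":
            return collected, requests
        lo = int(hi_s) + 1


if __name__ == "__main__":
    # Constructed sample group with 3200 members, more than twice the server limit.
    members = [f"CN=user{i},OU=People,DC=example,DC=com" for i in range(3200)]
    values, n = fetch_all_values(make_fake_server(members), "member", chunk_size=2000)
    print(len(values), "values in", n, "requests")
```

Asking for 2000 values at a time against this server yields three requests (0-1499, 1500-2999, 3000-*), the same number you would get with a chunk size of 1500; a chunk size of 1000 needs four. The point to take from it is that the client must continue from the bound the server reports, otherwise values are skipped when the server trims the range.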

Default delete implementation: Use DeleteTree control when deleting entries

Specifies whether the connector sends the Tree Delete control with delete requests so that entries with subordinate entries can be deleted in one operation. This information is automatically queried through the selected preconfiguration or from the LDAP server. Because a single request then removes a whole subtree, verify the synchronization scope before enabling this option.

Variable: CP_SdspDefaultDeleteDescriptorUseDeleteTree

Load schema from LDAP Server

The schema is loaded from the LDAP server (default).

Load schema from given LDIF string

Alternative source for the schema if the LDAP server's schema is not available. The LDIF string is saved in the system connection (DPRSystemConnection.ConnectionParameter), so the *.ldif file itself does not need to be distributed to the Job servers.

Remove spaces in distinguished names

This function removes all spaces in distinguished names that, according to RFC 4514, are not allowed or not significant: spaces around the separators ',' and '+', spaces around '=', and unescaped leading or trailing spaces in a value. Spaces inside a value, and spaces escaped with a backslash, are significant and are kept.

If this function is not used, these spaces remain in the distinguished name and can cause errors in certain circumstances, for example when distinguished names are compared.

Default: True

Tolerate 'Attribute already exists' and 'no such attribute' and retry

Use this function to tolerate attributes that already exist or are missing in the LDAP system when an object is changed, for example when group memberships are updated: an 'attribute already exists' or 'no such attribute' error is ignored and the remaining changes are retried.

If this function is not used, changes to objects that affect existing or missing attributes in the LDAP system cause errors.

Default: True

Return operational attributes

This schema function specifies which operational attributes are additionally requested for LDAP objects. Operational attributes (for example createTimestamp, modifyTimestamp or entryUUID) are maintained by the server for managing the directory and are only returned if they are explicitly requested. They are added to each schema class of the parent function.

NOTE: To map the operational attributes in One Identity Manager, custom extensions to the One Identity Manager schema may be required. Use the Schema Extension program to do this.

Auxiliary class assignment

Use this schema function to assign additional auxiliary classes to structural classes. Auxiliary classes are classes of type Auxiliary and contain attributes for extending structural classes. Auxiliary class attributes are offered as optional attributes for structural classes in the schema.

NOTE: To map the attributes of the auxiliary classes in One Identity Manager, custom extensions to the One Identity Manager schema may be necessary under certain circumstances. Use the Schema Extension program to do this.

Switch type of object class

You can use this schema function to change the type of an object class. This may be necessary if a non-RFC compliant LDAP system allows assignment of several structural object classes to one entry although only one structural class is allowed.

Assigning more than one structural class means that an LDAP entry cannot be uniquely assigned to a schema type. If structural object classes have been defined that only serve as property extensions (meaning auxiliary classes), you can, with help from this option, set the connector to handle the object class as an auxiliary class.

NOTE: Object classes that are configured as auxiliary are subsequently not handled as independent schema types and cannot, therefore, be synchronized separately.

Cache schema

This schema function keeps the LDAP schema in a local cache. Place it after the function that loads the schema. This accelerates synchronization and provisioning of LDAP objects.

The cache is stored on the computer used to create the connection, under %Appdata%\...\Local\One Identity\One Identity Manager\Cache\LdapConnector.

Load AD LDS schema extension

This schema function loads additional information required for synchronizing the Active Directory Lightweight Directory Service.

Driver

Driver to use for accessing the LDAP system.

Default: LDAP via Windows API (SdspLdapDriver)

LDAP domain

Unique identifier of the domain in the form:

<DN part 1> (<server from connection parameters>)

Variable: $IdentDomain$
