Identity Manager 9.0 LTS - Administration Guide for Connecting to LDAP

Issues

An error occurs when creating multiple synchronization projects for connecting an LDAP domain or when connecting instances with identical names.

The domain with the distinguished name '{0}' is already used in the synchronization project '{1}'. Only one synchronization project is allowed per domain and connector.

Cause

This problem occurs if the synchronization projects were created with an older One Identity Manager version.

The domain name (Ident_Domain) is used to search for LDAP domains in the database. In synchronization projects created with an older One Identity Manager version, LDAP domain names are formatted with <DN component 1>.

Solution

With newly created synchronization projects, the LDAP domain names are formed with <DN component 1> (<server from connection parameters>).
For existing synchronization projects created with the generic LDAP connector, apply the VPR#33513 patch. This creates a variable and value for $IdentDomain$ in all variable sets and changes the scope to DistinguishedName = '$CP_RootEntry$' and Ident_Domain='$IdentDomain$'.

For more information about applying patches, see the One Identity Manager Target System Synchronization Reference Guide.
LDAP domains that are already in the database are not renamed. If necessary, manually adjust the LDAP domain names (Ident_Domain). For more information, see LDAP domains.

NOTE: Objects imported from different directory services that have the identical canonical names and distinguished names in the One Identity Manager database, could result in duplicate display values in current attestations, such as system entitlements, as well as in reports on target system objects and target system entitlements. Customizations may need to be made to attestation procedures and reports.

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 39: Configuration parameters for LDAP directory synchronization
Configuration parameters	Description
TargetSystem \| LDAP	Preprocessor relevant configuration parameter for controlling database model components for LDAP target system administration. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled. If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
TargetSystem \| LDAP \| Accounts	Allows configuration of user account data.
TargetSystem \| LDAP \| Accounts \| InitialRandomPassword	Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy.
TargetSystem \| LDAP \| Accounts \| InitialRandomPassword \| SendTo	Employee to receive an email with the random generated password (manager cost center/department/location/business role, employee’s manager or XUserInserted). If no recipient can be found, the password is sent to the address stored in the TargetSystem \| LDAP \| DefaultAddress configuration parameter.
TargetSystem \| LDAP \| Accounts \| InitialRandomPassword \| SendTo \| MailTemplateAccountName	Mail template name that is sent to supply users with the login credentials for the user account. The Employee - new user account created mail template is used.
TargetSystem \| LDAP \| Accounts \| InitialRandomPassword \| SendTo \| MailTemplatePassword	Mail template name that is sent to supply users with the initial password. The Employee - initial password for new user account mail template is used.
TargetSystem \| LDAP \| Accounts \| MailTemplateDefaultValues	Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used.
TargetSystem \| LDAP \| Accounts \| PrivilegedAccount	Allows configuration of privileged LDAP user account settings.
TargetSystem \| LDAP \| Accounts \| PrivilegedAccount \| UserID_Postfix	Postfix for formatting the login name of privileged user accounts.
TargetSystem \| LDAP \| Accounts \| PrivilegedAccount \| UserID_Prefix	Prefix for formatting a login name of privileged user accounts.
TargetSystem \| LDAP \| Authentication	Allows configuration of the LDAP authentication module. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.
TargetSystem \| LDAP \| Authentication \| Authentication	Authentication mechanism. Permitted values are Secure, Encryption, SecureSocketsLayer, ReadonlyServer, Anonymous, FastBind, Signing, Sealing, Delegation, and ServerBind. The value can be combined with commas (,). For more information about authentication types, see the MSDN Library. Default: ServerBind
TargetSystem \| LDAP \| Authentication \| Port	Communications port on the server. Default: 389
TargetSystem \| LDAP \| Authentication \| RootDN	Pipe (\|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>\|DC=<MyOtherDomain> Example: DC=Root1,DC=com\|DC=Root2,DC=de
TargetSystem \| LDAP \| Authentication \| Server	Name of the LDAP server.
TargetSystem \| LDAP \| AuthenticationV2	Allows configuration of the LDAP authentication module. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.
TargetSystem \| LDAP \| AuthenticationV2 \| AcceptSelfSigned	Specifies whether self-signed certificates are accepted.
TargetSystem \| LDAP \| AuthenticationV2 \| Authentication	Authentication method for logging in to LDAP. The following are permitted: Basic: Uses default authentication. Negotiate: Uses Negotiate authentication from Microsoft. Kerberos: Uses Kerberos authentication. NTLM: Uses Windows NT Challenge/Response (NTLM) authentication. Default: Basic For more information about authentication types, see the MSDN Library.
TargetSystem \| LDAP \| AuthenticationV2 \| ClientTimeout	Client timeout in seconds.
TargetSystem \| LDAP \| AuthenticationV2 \| Port	Communications port on the server. Default: 389
TargetSystem \| LDAP \| AuthenticationV2 \| ProtocolVersion	Version of the LDAP protocol. The values 2 and 3 are permitted. Default: 3
TargetSystem \| LDAP \| AuthenticationV2 \| RootDN	Pipe (\|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>\|DC=<MyOtherDomain> Example: DC=Root1,DC=com\|DC=Root2,DC=de
TargetSystem \| LDAP \| AuthenticationV2 \| Security	Connection security. Permitted values are None, SSL and STARTTLS.
TargetSystem \| LDAP \| AuthenticationV2 \| Server	Name of the LDAP server.
TargetSystem \| LDAP \| AuthenticationV2 \| UseSealing	Specifies whether sealing is enabled.
TargetSystem \| LDAP \| AuthenticationV2 \| UseSigning	Specifies whether signing is enabled.
TargetSystem \| LDAP \| AuthenticationV2 \| VerifyServerCertificate	Specifies whether to check the server certificate when encrypting with SSL.
TargetSystem \| LDAP \| DefaultAddress	Default email address of the recipient for notifications about actions in the target system.
TargetSystem \| LDAP \| HardwareInGroupFromOrg	Specfies whether computers are added to groups based on group assignment to roles.
TargetSystem \| LDAP \| MaxFullsyncDuration	Maximum runtime of a synchronization in minutes. No recalculation of group memberships by the DBQueue Processor can take place during this time. If the maximum runtime is exceeded, group membership are recalculated.
TargetSystem \| LDAP \| PersonAutoDefault	Mode for automatic employee assignment for user accounts added to the database outside synchronization.
TargetSystem \| LDAP \| PersonAutoDisabledAccounts	Specifies whether employees are automatically assigned to disabled user accounts. User accounts are not given an account definition.
TargetSystem \| LDAP \| PersonAutoFullSync	Mode for automatic employee assignment for user accounts that are added to or updated in the database by synchronization.

Configuration parameters	Description
TargetSystem \| LDAP	Preprocessor relevant configuration parameter for controlling database model components for LDAP target system administration. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled. If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
TargetSystem \| LDAP \| Accounts	Allows configuration of user account data.
TargetSystem \| LDAP \| Accounts \| InitialRandomPassword	Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy.
TargetSystem \| LDAP \| Accounts \| InitialRandomPassword \| SendTo	Employee to receive an email with the random generated password (manager cost center/department/location/business role, employee’s manager or XUserInserted). If no recipient can be found, the password is sent to the address stored in the TargetSystem \| LDAP \| DefaultAddress configuration parameter.
TargetSystem \| LDAP \| Accounts \| InitialRandomPassword \| SendTo \| MailTemplateAccountName	Mail template name that is sent to supply users with the login credentials for the user account. The Employee - new user account created mail template is used.
TargetSystem \| LDAP \| Accounts \| InitialRandomPassword \| SendTo \| MailTemplatePassword	Mail template name that is sent to supply users with the initial password. The Employee - initial password for new user account mail template is used.
TargetSystem \| LDAP \| Accounts \| MailTemplateDefaultValues	Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used.
TargetSystem \| LDAP \| Accounts \| PrivilegedAccount	Allows configuration of privileged LDAP user account settings.
TargetSystem \| LDAP \| Accounts \| PrivilegedAccount \| UserID_Postfix	Postfix for formatting the login name of privileged user accounts.
TargetSystem \| LDAP \| Accounts \| PrivilegedAccount \| UserID_Prefix	Prefix for formatting a login name of privileged user accounts.
TargetSystem \| LDAP \| Authentication	Allows configuration of the LDAP authentication module. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.
TargetSystem \| LDAP \| Authentication \| Authentication	Authentication mechanism. Permitted values are Secure, Encryption, SecureSocketsLayer, ReadonlyServer, Anonymous, FastBind, Signing, Sealing, Delegation, and ServerBind. The value can be combined with commas (,). For more information about authentication types, see the MSDN Library. Default: ServerBind
TargetSystem \| LDAP \| Authentication \| Port	Communications port on the server. Default: 389
TargetSystem \| LDAP \| Authentication \| RootDN	Pipe (\|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>\|DC=<MyOtherDomain> Example: DC=Root1,DC=com\|DC=Root2,DC=de
TargetSystem \| LDAP \| Authentication \| Server	Name of the LDAP server.
TargetSystem \| LDAP \| AuthenticationV2	Allows configuration of the LDAP authentication module. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide.
TargetSystem \| LDAP \| AuthenticationV2 \| AcceptSelfSigned	Specifies whether self-signed certificates are accepted.
TargetSystem \| LDAP \| AuthenticationV2 \| Authentication	Authentication method for logging in to LDAP. The following are permitted: Basic: Uses default authentication. Negotiate: Uses Negotiate authentication from Microsoft. Kerberos: Uses Kerberos authentication. NTLM: Uses Windows NT Challenge/Response (NTLM) authentication. Default: Basic For more information about authentication types, see the MSDN Library.
TargetSystem \| LDAP \| AuthenticationV2 \| ClientTimeout	Client timeout in seconds.
TargetSystem \| LDAP \| AuthenticationV2 \| Port	Communications port on the server. Default: 389
TargetSystem \| LDAP \| AuthenticationV2 \| ProtocolVersion	Version of the LDAP protocol. The values 2 and 3 are permitted. Default: 3
TargetSystem \| LDAP \| AuthenticationV2 \| RootDN	Pipe (\|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>\|DC=<MyOtherDomain> Example: DC=Root1,DC=com\|DC=Root2,DC=de
TargetSystem \| LDAP \| AuthenticationV2 \| Security	Connection security. Permitted values are None, SSL and STARTTLS.
TargetSystem \| LDAP \| AuthenticationV2 \| Server	Name of the LDAP server.
TargetSystem \| LDAP \| AuthenticationV2 \| UseSealing	Specifies whether sealing is enabled.
TargetSystem \| LDAP \| AuthenticationV2 \| UseSigning	Specifies whether signing is enabled.
TargetSystem \| LDAP \| AuthenticationV2 \| VerifyServerCertificate	Specifies whether to check the server certificate when encrypting with SSL.
TargetSystem \| LDAP \| DefaultAddress	Default email address of the recipient for notifications about actions in the target system.
TargetSystem \| LDAP \| HardwareInGroupFromOrg	Specfies whether computers are added to groups based on group assignment to roles.
TargetSystem \| LDAP \| MaxFullsyncDuration	Maximum runtime of a synchronization in minutes. No recalculation of group memberships by the DBQueue Processor can take place during this time. If the maximum runtime is exceeded, group membership are recalculated.
TargetSystem \| LDAP \| PersonAutoDefault	Mode for automatic employee assignment for user accounts added to the database outside synchronization.
TargetSystem \| LDAP \| PersonAutoDisabledAccounts	Specifies whether employees are automatically assigned to disabled user accounts. User accounts are not given an account definition.
TargetSystem \| LDAP \| PersonAutoFullSync	Mode for automatic employee assignment for user accounts that are added to or updated in the database by synchronization.

Identity Manager 9.0 LTS - Administration Guide for Connecting to LDAP

Troubleshooting

Possible errors when synchronizing an OpenDJ environment

Issue

Cause

Solution

Errors connecting multiple LDAP systems with the same distinguished name

Issues

Configuration parameters for managing an LDAP environment

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Identity Manager 9.0 LTS - Administration Guide for Connecting to LDAP

Troubleshooting

Possible errors when synchronizing an OpenDJ environment

Issue

Cause

Solution

Errors connecting multiple LDAP systems with the same distinguished name

Issues

Configuration parameters for managing an LDAP environment