Error synchronizing an OpenDJ system if a password begins with an open curly bracket.
The LDAP server interprets a generated password of the form {<abc>}<def> as a hash value. However, the LDAP server does not allow hashed passwords to be passed.
The LDAP server can be configured so that a hashed password of the form {<algorithm>}hash can be passed.
On the LDAP server: Allow already hashed passwords to be passed.
In the synchronization project: Only pass hashed passwords. Use the script properties for mapping schema properties that contain passwords. Create the password's hash value in the script.
An error occurs when creating multiple synchronization projects for connecting an LDAP domain or when connecting instances with identical names.
The domain with the distinguished name '{0}' is already used in the synchronization project '{1}'. Only one synchronization project is allowed per domain and connector.
Cause
This problem occurs if the synchronization projects were created with an older One Identity Manager version.
The domain name (Ident_Domain) is used to search for LDAP domains in the database. In synchronization projects created with an older One Identity Manager version, LDAP domain names are formatted with <DN component 1>.
Solution
With newly created synchronization projects, the LDAP domain names are formed with <DN component 1> (<server from connection parameters>).
For existing synchronization projects created with the generic LDAP connector, apply the VPR#33513 patch. This creates a variable and value for $IdentDomain$ in all variable sets and changes the scope to DistinguishedName = '$CP_RootEntry$' and Ident_Domain='$IdentDomain$'.
For more information about applying patches, see the One Identity Manager Target System Synchronization Reference Guide.
LDAP domains that are already in the database are not renamed. If necessary, manually adjust the LDAP domain names (Ident_Domain). For more information, see LDAP domains.
NOTE: Objects imported from different directory services that have the identical canonical names and distinguished names in the One Identity Manager database, could result in duplicate display values in current attestations, such as system entitlements, as well as in reports on target system objects and target system entitlements. Customizations may need to be made to attestation procedures and reports.
The following configuration parameters are additionally available in One Identity Manager after the module has been installed.
Configuration parameters | Description |
---|---|
TargetSystem | LDAP |
Preprocessor relevant configuration parameter for controlling database model components for LDAP target system administration. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled. If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide. |
TargetSystem | LDAP | Accounts |
Allows configuration of user account data. |
TargetSystem | LDAP | Accounts |
Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy. |
TargetSystem | LDAP | Accounts | |
Employee to receive an email with the random generated password (manager cost center/department/location/business role, employee’s manager or XUserInserted). If no recipient can be found, the password is sent to the address stored in the TargetSystem | LDAP | DefaultAddress configuration parameter. |
TargetSystem | LDAP | Accounts | |
Mail template name that is sent to supply users with the login credentials for the user account. The Employee - new user account created mail template is used. |
TargetSystem | LDAP | Accounts | |
Mail template name that is sent to supply users with the initial password. The Employee - initial password for new user account mail template is used. |
TargetSystem | LDAP | Accounts | |
Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used. |
TargetSystem | LDAP | Accounts | |
Allows configuration of privileged LDAP user account settings. |
TargetSystem | LDAP | Accounts | |
Postfix for formatting the login name of privileged user accounts. |
TargetSystem | LDAP | Accounts | |
Prefix for formatting a login name of privileged user accounts. |
TargetSystem | LDAP | Authentication |
Allows configuration of the LDAP authentication module. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide. |
TargetSystem | LDAP | Authentication | Authentication |
Authentication mechanism. Permitted values are Secure, Encryption, SecureSocketsLayer, ReadonlyServer, Anonymous, FastBind, Signing, Sealing, Delegation, and ServerBind. The value can be combined with commas (,). Default: ServerBind |
TargetSystem | LDAP | Authentication | Port |
Communications port on the server. Default: 389 |
TargetSystem | LDAP | Authentication | RootDN |
Pipe (|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>|DC=<MyOtherDomain> Example: DC=Root1,DC=com|DC=Root2,DC=de |
TargetSystem | LDAP | Authentication | Server |
Name of the LDAP server. |
TargetSystem | LDAP | AuthenticationV2 |
Allows configuration of the LDAP authentication module. For more information about One Identity Manager authentication modules, see the One Identity Manager Authorization and Authentication Guide. |
TargetSystem | LDAP | AuthenticationV2 | AcceptSelfSigned |
Specifies whether self-signed certificates are accepted. |
TargetSystem | LDAP | AuthenticationV2 | Authentication |
Authentication method for logging in to LDAP. The following are permitted:
Default: Basic |
TargetSystem | LDAP | AuthenticationV2 | ClientTimeout |
Client timeout in seconds. |
TargetSystem | LDAP | AuthenticationV2 | Port |
Communications port on the server. Default: 389 |
TargetSystem | LDAP | AuthenticationV2 | ProtocolVersion |
Version of the LDAP protocol. The values 2 and 3 are permitted. Default: 3 |
TargetSystem | LDAP | AuthenticationV2 | RootDN |
Pipe (|) delimited list of root domains to be used to find the user account for authentication. Syntax: DC=<MyDomain>|DC=<MyOtherDomain> Example: DC=Root1,DC=com|DC=Root2,DC=de |
TargetSystem | LDAP | AuthenticationV2 | Security |
Connection security. Permitted values are None, SSL and STARTTLS. |
TargetSystem | LDAP | AuthenticationV2 | Server |
Name of the LDAP server. |
TargetSystem | LDAP | AuthenticationV2 | UseSealing |
Specifies whether sealing is enabled. |
TargetSystem | LDAP | AuthenticationV2 | UseSigning |
Specifies whether signing is enabled. |
TargetSystem | LDAP | AuthenticationV2 | VerifyServerCertificate |
Specifies whether to check the server certificate when encrypting with SSL. |
TargetSystem | LDAP | DefaultAddress |
Default email address of the recipient for notifications about actions in the target system. |
TargetSystem | LDAP | |
Specfies whether computers are added to groups based on group assignment to roles. |
TargetSystem | LDAP | |
Maximum runtime of a synchronization in minutes. No recalculation of group memberships by the DBQueue Processor can take place during this time. If the maximum runtime is exceeded, group membership are recalculated. |
TargetSystem | LDAP | |
Mode for automatic employee assignment for user accounts added to the database outside synchronization. |
TargetSystem | LDAP | |
Specifies whether employees are automatically assigned to disabled user accounts. User accounts are not given an account definition. |
TargetSystem | LDAP | |
Mode for automatic employee assignment for user accounts that are added to or updated in the database by synchronization. |
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center