LDAP Connector

This article demonstrates how to add an LDAP Directory domain to the EmpowerID Identity Warehouse as a managed Account Store. EmpowerID provides out-of-the-box connectors for the following LDAP directories:

  • IBM – IBM Tivoli Directory Server
  • NOVELL – Novell eDirectory
  • OpenDS – Open Directory Service (OpenDS)
  • OpenLDAP – Open LDAP
  • ORACLE – Oracle Internet Directory
  • Radiant Logic – Radiant Logic
  • SUN – Oracle Directory Server Enterprise Edition (SUN)

The process for connecting each directory to EmpowerID is the same.

Prerequisites

To connect EmpowerID to an LDAP directory, you need a Proxy User (the connection account EmpowerID binds with) that has administrator-level read access to the partition containing the directory objects you want to inventory. If you later flow attributes into the directory or provision accounts there, the same account also needs write rights to those containers; grant it only the rights the connector actually uses, and treat its password like any other privileged credential.

Step 1: Create an LDAP Account Store

  1. Navigate to Admin > Applications and Directories and select Account Stores and Systems.
  2. On the Account Stores page, open the Actions tab and click Create Account Store.
  3. Search for an LDAP system (e.g., Open LDAP).
  4. Select the appropriate LDAP system type and click Submit.
  5. In the LDAP Settings form, enter the following details:
    • Name: A unique name for the account store.
    • Display Name: The name displayed in the EmpowerID interface.
    • LDAP Server (with Port Number if other than 389): The directory host, with the port appended when it is not 389. Example: dc-exch:636 (636 is the LDAPS port; pair it with Use Secure LDAPS Binding in Step 3).
    • Partition Suffix: The base DN of the partition to inventory. Example: dc=eiddoc,dc=com
    • Proxy User: The admin user account with read access.
    • Password: The password for the proxy account.
    • Is Remote (Required Cloud Gateway): Enable this option if using a Cloud Gateway Connection.
  6. Click Submit to create the account store and its associated resource system.
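Before submitting the form it is worth checking that the server, port and partition suffix are consistent with each other and with the LDAPS setting, since a simple bind over plain LDAP sends the proxy account's password in cleartext. The following is an added example, not EmpowerID code: it models the form fields from Step 1 plus the Use Secure LDAPS Binding toggle from Step 3, validates them, and optionally performs a certificate-verified TLS handshake against the directory. The settings class, the host names and the proxy DN are assumptions for illustration.

```python
import re
import socket
import ssl
from dataclasses import dataclass

LDAP_PORT = 389
LDAPS_PORT = 636

# Accepts simple DNs such as dc=eiddoc,dc=com or ou=People,dc=example,dc=org.
# Deliberately strict: one attribute=value pair per RDN, no escaping support.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


@dataclass
class LdapStoreSettings:
    """Fields from the LDAP Settings form (names are ours, not EmpowerID's API)."""
    name: str
    ldap_server: str          # "host" or "host:port", as typed into the form
    partition_suffix: str     # base DN of the partition to inventory
    proxy_user: str           # bind DN of the proxy account
    use_secure_ldaps: bool    # the "Use Secure LDAPS Binding" toggle from Step 3


def parse_server(ldap_server: str) -> tuple[str, int]:
    """Split 'dc-exch:636' into ('dc-exch', 636); a bare host defaults to 389."""
    host, sep, port = ldap_server.strip().partition(":")
    if not host:
        raise ValueError("LDAP Server must contain a host name")
    if not sep:
        return host, LDAP_PORT
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port in LDAP Server: {ldap_server!r}")
    return host, int(port)


def valid_dn(dn: str) -> bool:
    """True if every comma-separated RDN looks like attribute=value."""
    return all(_RDN.match(part.strip()) for part in dn.split(","))


def check_settings(s: LdapStoreSettings) -> list[str]:
    """Return a list of findings; an empty list means the form is consistent."""
    findings = []
    _, port = parse_server(s.ldap_server)
    if not valid_dn(s.partition_suffix):
        findings.append(f"Partition Suffix {s.partition_suffix!r} is not a valid DN")
    if not s.use_secure_ldaps:
        findings.append("Use Secure LDAPS Binding is off: the proxy password and "
                        "directory data would cross the network in cleartext")
    if s.use_secure_ldaps and port == LDAP_PORT:
        findings.append("LDAPS enabled but port is 389; LDAPS normally uses 636")
    if not s.use_secure_ldaps and port == LDAPS_PORT:
        findings.append("port 636 given but LDAPS binding is off; enable it")
    return findings


def probe_ldaps(host: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """Open a certificate-verified TLS connection and return the peer cert's
    subject and expiry. Raises ssl.SSLCertVerificationError if the directory's
    certificate does not chain to the local trust store, which is exactly what
    you want to learn before handing this server the proxy account's password.
    Needs network access, so it is not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"subject": cert.get("subject"), "notAfter": cert.get("notAfter")}


# Constructed sample: the form as filled in above, first with LDAPS off, then on.
WEAK = LdapStoreSettings("ldap-docs", "dc-exch:636", "dc=eiddoc,dc=com",
                         "cn=eid-proxy,ou=svc,dc=eiddoc,dc=com", use_secure_ldaps=False)
FIXED = LdapStoreSettings("ldap-docs", "dc-exch:636", "dc=eiddoc,dc=com",
                          "cn=eid-proxy,ou=svc,dc=eiddoc,dc=com", use_secure_ldaps=True)

if __name__ == "__main__":
    for label, settings in (("weak", WEAK), ("fixed", FIXED)):
        print(label, check_settings(settings) or "OK")
```

Run the weak form through `check_settings` and you get two findings (cleartext bind, and port 636 without LDAPS); the fixed form returns none. `probe_ldaps` is separate on purpose: it is the one step that touches the network, and it fails closed on an untrusted certificate rather than silently accepting it.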

The next step is configuring the attribute flow between the LDAP account store and EmpowerID.

Step 2: Configure Attribute Flow

EmpowerID supports attribute synchronization between directories and the Identity Warehouse. Attribute flow rules define how attributes are synchronized between the LDAP directory and EmpowerID.

Attribute Flow Options

  • No Sync: No information flows between EmpowerID and the LDAP system.
  • Bidirectional Flow: Changes update both EmpowerID and the LDAP system.
  • Account Store Changes Only: Changes can only be made in the LDAP system and are then passed to EmpowerID.
  • EmpowerID Changes Only: Changes can only be made in EmpowerID and are then passed to the LDAP system.

CRUD Operations for Attributes

  • Create: Writes a value when the target attribute is currently empty (null).
  • Update: Overwrites an existing attribute value.
  • Delete: Removes an attribute value.

To configure attribute flow:

  1. Navigate to the Account Stores and Systems page.
  2. Search for the newly created LDAP account store and click its Account Store link.
  3. Open the Attribute Flow Rules tab to view available attributes.
  4. Adjust the attribute flow settings as needed:
    • Click the Attribute Flow dropdown to select the desired synchronization direction.
    • Modify CRUD operation scores to prioritize changes from specific systems (e.g., HR over Active Directory).

Once attribute flow is configured, proceed to account store settings.

Step 3: Configure Account Store Settings

EmpowerID provides various configuration settings for managing an LDAP account store. These settings are categorized as follows:

General Settings

  • IT Environment Type: Defines the environment type.
  • Account Store Type: Specifies the type of account store.
  • Use Secure LDAPS Binding: Binds to the directory over TLS (LDAPS, normally port 636) so the proxy credentials and directory data are not sent in cleartext. Enable it whenever the directory supports it.
  • Is Remote (Cloud Gateway Connection Required): Uses Cloud Gateway for remote account stores.
  • Is Visible in IAM Shop: Enables visibility for resource filtering.

Authentication and Password Settings

  • Use for Authentication: Allows LDAP credentials for EmpowerID authentication.
  • Allow Search for Username in Authentication: Lets users log in with a bare username (no domain) by searching the directory for a matching account.
  • Allow Password Sync: Enables password synchronization.
  • Queue Password Changes: Queues password changes for batch processing.
  • Password Manager Policy for Accounts without Person: Assigns a password policy for orphaned accounts.

Provisioning Settings

  • Allow Person Provisioning: Enables account-based EmpowerID Person provisioning.
  • Allow Attribute Flow: Enables attribute synchronization.
  • Allow Provisioning (By RET): Auto-provisions accounts via Resource Entitlement (RET) policies.
  • Allow Deprovisioning (By RET): Auto-deprovisions accounts based on RET policy changes.
  • Default User Creation Path: Specifies the default location for new accounts.
  • Max Accounts per Person: Limits the number of linked user accounts per person.

Business Role Settings

  • Allow Business Role and Location Re-Evaluation: Enables role re-evaluation.
  • Inventory Auto-Provision OUs as IT System Locations: Maps external OUs to IT locations.
  • Inventory Auto-Provision External Roles as Business Roles: Maps LDAP roles to EmpowerID Business Roles.

Group Settings

  • Allow Account Creation on Membership Request: Creates accounts when users request membership.
  • Recertify External Group Changes: Triggers recertification for external group changes.
  • Set Group of Groups to Monitor for Real-Time Recertification: Defines monitored groups for recertification.
  • Default Group Creation Path: Specifies the default OU for new groups.

Directory Cleanup Settings

  • Directory Cleanup Enabled: Moves terminated accounts to a special OU before deletion.
  • Report Only Mode: Logs actions without executing them.
  • OU to Move Stale Accounts: Specifies the directory for terminated accounts.

Special Use Settings

  • RBAC Assign Group Members on First Inventory: Converts user accounts into role assignments.
  • Automatically Join Account to a Person on Inventory: Joins accounts to existing EmpowerID Persons.
  • Automatically Create a Person on Inventory: Creates new EmpowerID Persons from discovered accounts.
  • Show in Location Tree: Displays the account store in the UI.

Inventory and Membership Settings

  • Inventory Schedule Interval: Sets the inventory frequency (default: 10 minutes).
  • Enable Group Membership Reconciliation: Manages group membership based on policies.
  • Deleted Object Detection: Monitors and processes deleted objects.

Step 4: Enable Account Inbox for Provisioning and Joining

To ensure proper account provisioning and joining, enable the Account Inbox workflow and review what it does with the inventoried accounts:

  1. Navigate to System Logs > Policy Inbox Logs and click Account Inbox.
  2. Review account processing status under the following tabs:
    • Dashboard: Summary of account processing.
    • Not Processed: Accounts awaiting provisioning or joining.
    • Failed: Accounts that failed to process.
    • Ignored: Non-user accounts excluded from processing.
    • Joined: Successfully joined accounts.
    • Processed: Accounts that were either provisioned or joined.
    • Provisioned: Accounts used to create EmpowerID Persons.
    • Orphans: User accounts without a linked EmpowerID Person.
    • All: Overview of all inventoried accounts.
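The Special Use Settings in Step 3 (automatic join, automatic Person creation, Max Accounts per Person) decide which of the tabs above an inventoried account ends up in. The following added example, not EmpowerID code, simulates that sorting over a small constructed set of LDAP entries: user accounts are matched to Persons on a join attribute, non-user objects are ignored, unmatched users are either provisioned as new Persons or left as orphans, and two failure modes are handled rather than silently joined, namely an ambiguous match (two Persons share the join value, which is how a stray account could get linked to the wrong identity) and a Person already at the account limit. The join attribute (employeeNumber), the object class test, the DNs and the `InboxSettings` names are assumptions for illustration.

```python
import copy
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    dn: str
    object_classes: tuple
    employee_number: Optional[str]   # the join attribute used in this example


@dataclass
class Person:
    person_id: str
    employee_number: str
    accounts: list = field(default_factory=list)


@dataclass
class InboxSettings:
    auto_join: bool               # "Automatically Join Account to a Person on Inventory"
    auto_create_person: bool      # "Automatically Create a Person on Inventory"
    max_accounts_per_person: int  # "Max Accounts per Person"


def is_user_account(acct: Account) -> bool:
    """Non-user objects (service entries, groups) go to Ignored; inetOrgPerson is our user class."""
    return "inetOrgPerson" in acct.object_classes


def process_inbox(accounts: list, persons: list, settings: InboxSettings) -> dict:
    """Sort inventoried accounts into Account Inbox buckets, mutating `persons` as it joins."""
    buckets = {k: [] for k in ("Ignored", "Joined", "Provisioned", "Failed", "Orphans")}
    by_emp: dict = {}
    for p in persons:
        by_emp.setdefault(p.employee_number, []).append(p)
    next_id = len(persons) + 1
    for acct in accounts:
        if not is_user_account(acct):
            buckets["Ignored"].append(acct.dn)
            continue
        matches = by_emp.get(acct.employee_number, []) if acct.employee_number else []
        if matches and settings.auto_join:
            if len(matches) > 1:
                # Never guess: a non-unique join value could bind this account to the wrong identity.
                buckets["Failed"].append((acct.dn, f"ambiguous join: {len(matches)} persons share "
                                                   f"employeeNumber {acct.employee_number}"))
                continue
            person = matches[0]
            if len(person.accounts) >= settings.max_accounts_per_person:
                buckets["Failed"].append((acct.dn, f"{person.person_id} already has "
                                                   f"{settings.max_accounts_per_person} accounts"))
                continue
            person.accounts.append(acct.dn)
            buckets["Joined"].append((acct.dn, person.person_id))
        elif not matches and settings.auto_create_person and acct.employee_number:
            person = Person(f"P{next_id}", acct.employee_number, [acct.dn])
            next_id += 1
            persons.append(person)
            by_emp[acct.employee_number] = [person]   # later accounts for this employee join it
            buckets["Provisioned"].append((acct.dn, person.person_id))
        else:
            buckets["Orphans"].append(acct.dn)        # user account with no linked Person
    return buckets


# Constructed sample inventory; DNs and employee numbers are made up.
SAMPLE_ACCOUNTS = [
    Account("uid=jdoe,ou=People,dc=eiddoc,dc=com", ("inetOrgPerson",), "1001"),
    Account("uid=asmith,ou=People,dc=eiddoc,dc=com", ("inetOrgPerson",), "1002"),
    Account("uid=asmith-adm,ou=Admins,dc=eiddoc,dc=com", ("inetOrgPerson",), "1002"),  # 2nd account
    Account("uid=bkim,ou=People,dc=eiddoc,dc=com", ("inetOrgPerson",), "1003"),        # no Person yet
    Account("cn=svc-backup,ou=Services,dc=eiddoc,dc=com", ("applicationProcess",), None),
    Account("uid=ghost,ou=People,dc=eiddoc,dc=com", ("inetOrgPerson",), "2000"),       # matches 2 Persons
    Account("uid=temp,ou=People,dc=eiddoc,dc=com", ("inetOrgPerson",), None),          # no join value
]
SAMPLE_PERSONS = [Person("P1", "1001"), Person("P2", "1002"), Person("P3", "2000"), Person("P4", "2000")]
DEFAULT_SETTINGS = InboxSettings(auto_join=True, auto_create_person=True, max_accounts_per_person=2)


def run_sample(settings: InboxSettings = DEFAULT_SETTINGS) -> dict:
    """Run the sample on fresh copies so repeated calls do not see earlier joins."""
    return process_inbox(copy.deepcopy(SAMPLE_ACCOUNTS), copy.deepcopy(SAMPLE_PERSONS), settings)


if __name__ == "__main__":
    for tab, entries in run_sample().items():
        print(f"{tab}: {entries}")
```

With the default settings the sample yields three joined accounts (two of them on the same Person, within the limit of two), one provisioned Person for bkim, the service entry ignored, ghost failed as ambiguous, and temp as an orphan. Turning Automatically Create a Person off moves bkim to Orphans; lowering Max Accounts per Person to 1 moves the second asmith account to Failed.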

Once the LDAP account store is configured and inventoried, EmpowerID can manage authentication, provisioning, attribute flow, and group membership based on your organization's policies. Regularly monitor the Account Inbox to ensure proper synchronization and account lifecycle management.