This topic demonstrates how to add an LDAP Directory domain to the EmpowerID Identity Warehouse as a managed Account Store. We demonstrate this by connecting EmpowerID to OpenDS; however, the process outlined here can be followed for connecting to other supported LDAP directories as well, including Sun, OpenLDAP, IBM Tivoli Directory Server, etc.
This topic provides a quick overview of the process for connecting to LDAP directories. For a more detailed presentation of the process for connecting EmpowerID to user directories, see Connecting to Active Directory.
To add a connection for an LDAP Directory
From the EmpowerID Management Console, click the EmpowerID icon, and select Configuration Manager from the menu.
In Configuration Manager, expand the User Directories node in the navigation tree, and then click
Click the Add New button above the grid.
In the Add New Security Boundary window that opens, select the Open Directory Service (OpenDS) Security Boundary type from the drop-down list and then click OK.
This opens the OpenDS Directory window.
In the OpenDS Directory window, do the following:
In the Ldap Server field, enter the name of the server on which the directory is installed, including the port number if it is other than 389.
Enter the partition suffix in the Partition Suffix field.
Enter the proxy information into the fields of the Proxy Information panel. The user account must have read access to the partition that holds the objects in the directory. The user account entered here is saved as the default proxy account (connection credential) used when managing these objects. You can change this at any time.
Click the Choose button below the Proxy Information panel to open the Choose Servers window. This window provides the interface for selecting the server(s) where the EmpowerID LDAP Agent(s) reside.
In the Choose Servers window that appears, toggle the Server button from a red sphere to a green checkbox for each server running the EmpowerID LDAP Agent. You must pick a server running the Agent that is in the same Forest and that can communicate with the LDAP Directory over LDAP port TCP 389. Please note that the agent must be started on a server before that server will show in the Choose Servers window.
Click OK to close the Choose Servers window and then click OK to close the OpenDS Directory window.
In the Security Boundary Ldap Details screen that appears, change the Display Name from the server and port to something more friendly, such as OpenDS.
Click the Account Stores tab to the left of the screen.
From the grid to the right of the tab, double-click the OpenDS Security Boundary or right-click it and select Edit from the context menu. This opens the Account Store Ldap Details screen. This screen is used to configure the settings that EmpowerID uses to manage the domain. This is discussed in the section below.
To configure EmpowerID settings for the account store
Before configuring EmpowerID to manage the account store, you should determine whether or not you want EmpowerID to provision Person objects from the user accounts it discovers in the account store. If so, then you should be able to answer the following questions before turning on inventory.
When do you want EmpowerID to provision Person objects for those user accounts? At inventory or at a later point in time?
If inventory provisioning is desired, in what Business Role and Location should those Person objects be placed?
How many user accounts can one Person have in the account store?
If people can have more than one user account in the account store, do you want EmpowerID to attempt to automatically join any user accounts meeting the conditions of your Join rules to an existing Person during inventory?
Do you want attribute flow to occur between EmpowerID and the account store? If so, what rules do you want to apply?
If you have Resource Entitlement policies in place, do you want EmpowerID to apply them to the account store?
From the General pane of the Details tab, do the following:
Click the Edit button to the right of Default User Creation Path and select a default location within your directory where EmpowerID is to create users in the event that one is not selected in a workflow process.
Click the Edit button to the right of Default Group Creation Path and select a default location within your directory where EmpowerID is to create groups in the event that one is not selected in a workflow process.
Click the Edit button to the right of EmpowerID Group Creation Path and select a default location within your directory where EmpowerID is to create the Domain Local groups it uses for granting native AD permission assignments.
Click the Edit button to the right of Maximum Accounts Per Person and specify the maximum number of accounts from the domain that a Person can have linked to them. Setting this prevents the possibility of a runaway error caused by a wrongly configured Join rule.
If you are managing other account stores in addition to this one, click the Edit button to the right of Role and Location Re-Eval Order and enter a number to specify the priority of the account store for determining the Business Roles and Locations that should be assigned to a Person. Account Stores with a higher value take precedence.
Toggle Enable Pass-Through Authentication to reflect your policy for the account store (red sphere for disable and green checkbox for enable). Pass-through Authentication allows domain authentication to be used for logging in to EmpowerID. Unless Simple Search is enabled, the domain\username format must be used.
Toggle Enable Simple Username Search for Pass-Through Authentication to reflect your policy for the account store (red sphere for disable and green checkbox for enable). Simple search works in conjunction with pass-through authentication to allow users to log in without specifying a domain name. When this is enabled, EmpowerID first checks to see if the user name entered exists within its Identity Warehouse and if so attempts to authenticate as that user. If a matching logon name exists but the login fails, EmpowerID then searches through all account stores where simple search is enabled to find the correct user name and password combination.
Simple search can cause long delays during the login process in environments with a large number of domains.
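The lookup order just described, modelled as an added example (this is illustrative code written for this topic, not EmpowerID's own implementation): the `AccountStore` class, the `resolve_login` function and the sample credentials are all constructed here. The function also returns how many directories were queried, which is the cost the note above refers to.

```python
from dataclasses import dataclass, field


@dataclass
class AccountStore:
    """One managed directory (hypothetical model; sample passwords are constructed)."""
    name: str
    simple_search_enabled: bool
    accounts: dict = field(default_factory=dict)  # logon name -> password

    def authenticate(self, logon_name: str, password: str) -> bool:
        # Stands in for a bind against the directory; one call = one round trip.
        return self.accounts.get(logon_name) == password


def resolve_login(warehouse: dict, stores: dict, user_input: str, password: str):
    """Return (store name or None, number of stores queried).

    warehouse maps already-inventoried logon names to the store they came from.
    Order follows the text: domain\\username goes straight to that one store;
    a bare username is first matched against the warehouse, then every store
    with simple search enabled is tried in turn (assumed here to run even when
    the warehouse has no match).
    """
    if "\\" in user_input:                        # explicit domain\username form
        domain, logon = user_input.split("\\", 1)
        store = stores.get(domain)
        if store is None:
            return None, 0
        return (domain if store.authenticate(logon, password) else None), 1

    queried = 0
    known = warehouse.get(user_input)             # matching logon name in the warehouse?
    if known is not None:
        queried += 1
        if stores[known].authenticate(user_input, password):
            return known, queried

    for name, store in stores.items():            # fallback across simple-search stores
        if store.simple_search_enabled and name != known:
            queried += 1
            if store.authenticate(user_input, password):
                return name, queried
    return None, queried


def sample_stores():
    """Constructed environment: three stores, simple search disabled on LEGACY."""
    return {
        "OPENDS": AccountStore("OPENDS", True, {"jdoe": "opends-pw"}),
        "CORP": AccountStore("CORP", True, {"jdoe": "corp-pw", "asmith": "pw2"}),
        "LEGACY": AccountStore("LEGACY", False, {"asmith": "legacy-pw"}),
    }


SAMPLE_WAREHOUSE = {"jdoe": "OPENDS"}  # only the OPENDS account has been inventoried
```

Every extra store with simple search enabled adds one more directory round trip to a failed or mismatched bare-username login, which is why the delay grows with the number of domains.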
Toggle Allow Password Sync to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID synchronizes password changes to user accounts in the domain based on password changes for the joined Person or changes on another account owned by the Person.
Toggle Allow RET Provisioning to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID auto-provisions accounts for users who receive RET policy-assigned user accounts, but have not yet had them provisioned.
This setting only applies if you have RET policies in place for the account store. For task-based help on setting up Resource Entitlement policies, see Configuring Provisioning Policies.
Toggle Allow RET De-Provisioning to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID auto de-provisions accounts for users who have RET policy-assigned user accounts, but no longer receive a policy that grants them those user accounts in the domain.
De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to
Toggle Enable Attribute Flow to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, changes to user attributes in the account store are reflected in EmpowerID and vice versa, depending on how you have set up your attribute flow rules. The default flow for most user attributes for Active Directory is bi-directional. You can change these as needed.
From the Inventory pane of the Account Store Details screen, do the following:
Toggle Allow Automatic Person Provision On Inventory to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled (and Allow Person Provisioning is enabled for the account store), EmpowerID will provision Person objects in real time for all new accounts discovered during inventory, if they meet the conditions of your Provision rules.
When provisioning people during inventory, you have the following options that can be set:
Business Role for New Inventory Provision - This allows you to select an EmpowerID Business Role for all Persons provisioned during inventory. By default, EmpowerID assigns these people to the Temporary Business Role; however, you can pick others by clicking the Edit button to the right of the line and selecting the desired Business Role from the Business Role Selector window that appears. If you pick another and wish to remove it in favor of the default, you can do so by clicking the red sphere to the right of the Edit button.
The following image shows the Business Role Selector window with Standard Employee selected. This means that each person provisioned will be given the Standard Employee Business Role rather than the default Temporary Role.
EmpowerID includes the Standard Employee and Temporary Role Business Roles out of the box; however, if you wish to assign new Persons to another Business Role before inventory occurs, you can easily do so. You simply need to create them first. Once created, those additional Business Roles will appear in the Business Role Selector. For information on creating Business Roles see Creating Business Roles.
Location for New Inventory Provision - This allows you to select the location that is to be the primary location for each Person provisioned during inventory. By default, EmpowerID uses the Active Directory OU of the user object as the primary location. If you map these locations to EmpowerID locations before turning on inventory (recommended), the Person objects will be provisioned in the mapped locations. This makes it easier to manage users, as the EmpowerID locations mirror your external locations. We discuss mapping locations in the next section below.
Toggle Allow Automatic Person Join On Inventory to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled (and Allow Person Provisioning is enabled for the account store), EmpowerID will attempt to join any new accounts discovered during inventory if it finds one that matches the conditions of the Join rules for the account store. If this setting is not enabled, EmpowerID will not join secondary accounts to an EmpowerID Person, but will instead provision new EmpowerID Persons for each of those additional accounts.
The last action to perform on this screen is to enable inventory. However, before doing so, it is important to review the attribute flow rules for the account store. Once you are satisfied with the rules, turn on inventory by toggling the button to the left of the line from a red sphere to a green check.