Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
Insert excerpt | ||||||
---|---|---|---|---|---|---|
|
This topic demonstrates how to add an LDAP Directory domain to the EmpowerID Identity Warehouse as a managed Account Store. We demonstrate this by connecting EmpowerID to Open LDAP, but the process is the same for connecting to other supported LDAP directories, including:
- IBM — IBM Tivoli Directory Server
- NOVELL — Novell eDirectory
- OpenDS — Open Directory Service (OpenDS)
- OpenLDAP — Open LDAP
- ORACLE — Oracle Internet Directory
- Radiant Logic — Radiant Logic
- SUN — Oracle Directory Server Enterprise Edition (SUN)
Info | ||
---|---|---|
| ||
The OpenLDAP system should be supporting LDAP controls -
Ascending sorting enabled on createTimeStamp attribute with a Matching Rule. ( * ) Mandatory |
Insert excerpt | ||||||
---|---|---|---|---|---|---|
|
To create an LDAP account store in the web application
- From the navigation sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
- Click the Actions tab, and then click the Create Account Store action.
- Search for open and then click the record for Open LDAP to select that System type.
Click Submit.
On the Choose Servers page that appears, select the EmpowerID server or servers to register and click Submit.
Note The Choose Servers page displays only those servers where the EmpowerID Web Role service is running. If you do not see your server on the page, check the following:
- Ensure that the server has been assigned either the All-in-One Server or Web Front-End server role.
- Ensure that the EmpowerID Web Role service is running.
(The LDAP Management Host Web Service is responsible for LDAP communications and is enabled by default on each server running the EmpowerID Web Role service.)
Warning All selected servers must be in the same forest and able to communicate with the LDAP system over LDAP port TCP 389.
The LDAP Settings page appears, where you enter settings to connect to your LDAP directory to allow EmpowerID to discover and connect to it.- On the LDAP Settings page, do the following:
- In the Name and Display Name fields, enter a name for the LDAP account store.
In the LDAP Server field, enter the name of the server on which the directory is installed and include the port number if it is other than 389.
e.g. dc-exch:636- In the Partition Suffix field, enter the partition suffix for the directory.
e.g. dc=eiddoc,dc=com In the Proxy User field, enter the admin user account that has read access to the partition that holds the objects in the directory.
Info This user account is saved as the connection credential for this account store. You can change it at any time.
- In the Password field, enter the password for the proxy account.
Click Submit.
The Account Store is created and appears in the list of Account Stores in both the web application and the Management Console and a corresponding Resource System is created.
To configure account store settings in the web app
- In the navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
- On the Account stores tab, search for the account store you just created and click the Account Store link to go to its details page.
- On the Account Store Details page, click the Edit button or the name of the account store.
- In the edit view of the page, you can edit values in any of the enabled fields on the Settings tab. In the General section, these are:
- Option 1 Specify an Account Proxy — Change the user name and password for the proxy connection.
- Option 2 Select a Vaulted Credential as Account Proxy — Click in this box and press Enter to see a list of shared credentials in your system to use for the proxy connection.
- Inventoried Directory Server — Select the server to inventory.
- Is Remote (Cloud Gateway Connection Required) — Select if you are using the EmpowerID Cloud Gateway.
- In the Authentication and Password Settings section, you can select any of these values:
- Use for Authentication — Select to allow users to log into EmpowerID with their credentials for this account.
- Allow Search for User Name in Authentication —
- Allow Password Sync — Toggle to allow EmpowerID to sync password changes discovered during inventory.
- Queue Password Changes — Toggle to have EmpowerID send password changes to the Account Password Reset Inbox for batch processing.
- Password Manager Policy for Accounts without Person — Select a password manager policy to use for the account. If not selected, it uses the Default Password Manager Policy.
- In the Provisioning Settings section, you can set any of the following:
- Allow Person Provisioning (Joiner Source) — Toggle to allow EmpowerID to create Person objects from the user records discovered during inventory.
- Allow Attribute Flow — Toggle to allow attribute changes to flow between EmpowerID and the account store.
- Allow Provisioning (By RET) — Toggle to allow EmpowerID to create new Groups in ServiceNow from requests discovered during inventory.
- Allow Deprovisioning (By RET) — Toggle to allow EmpowerID to delete Groups in ServiceNow based on requests discovered during inventory.
- Default User Creation Path — Select a location in which to create users if none is specified.
- Default Group Creation Path — Select a location in which to create groups if none is specified.
- EmpowerID Group Creation Path — Select a location in which to create EmpowerID groups if none is specified.
- Max Accounts per Person — Enter the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. We recommended setting this value to 1 unless users commonly have multiple accounts and you want them to be joined to the same person.
- Allow Account Creation on Membership Request — Toggle to allow users without accounts to request group membership and automatically have an account created.
- Recertify All Group Changes as Detected — Toggle to allow EmpowerID to generate recertification review tasks for all changes in account store groups.
- Allow Business Role and Location Re-Evaluation — Toggle if you have multiple account stores to manage and want to specify a priority for each.
- Business Role and Location Re-Evaluation Order — Enter a number to specify the priority of the account store for determining the Business Roles and Locations to assign to a Person. Account Stores with a higher value take precedence.
- Default Person Business Role — Set a default Business Role to assign people if none is specified.
- Default Person Location — Set a default Location to assign people if none is specified.
Image Modified
- In the Special Use Settings section, you can select any of the following:
- RBAC Assign Group Members On First Inventory —
- Automatically Join Account to a Person On Inventory (Skip Account Inbox) — Toggle to allow EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure.
- Automatically Create a Person On Inventory (Skip Account Inbox) — Toggle to allow EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure.
- Show in Tree — Toggle to show the account store in the Locations tree.
- Queue Password Changes on Failure — Toggle to have EmpowerID send password changes to the Account Password Reset Inbox only when the change fails.
- Use Secure LDAPS Binding — Toggle to bind accounts with encryption.
- In the Naming Fields section, you can set the following values:
- Application ID — If the account store is a one-to-one match with a Tracking Only application, enter the Application Resource GUID of the application. (This value is supplied automatically if you select the Create a New Account Directory option when creating a Tracking Only application.)
- Tenant ID — Enter the Tenant ID, if supplied by the connection account. (AWS uses this.)
- When you have finished editing, click Save, or keep this page open to continue setting up inventory, membership, projection, etc.
To set up and enable inventory and other workflows
This procedure continues on the Account Store Details page from the previous procedure, which was performed on the Settings tab.
- On the Account Store Details page, click the Inventory tab, where you can specify the following settings:
- Start and End dates — Specify a start and end date to run inventory on the system. Otherwise, it starts on the current date and runs for ten years (or indefinitely).
- Run Indefinitely — Selected by default, this allows inventory to run until it is intentionally disabled.
- Inventory Schedule Interval — Select one of the following values to set the type of interval to use:
- Once runs inventory once and then stops.
- Hour Interval runs inventory every so many hours, as specified in the Interval box.
- Weekly runs inventory every so many weeks, as specified in the Interval box.
- Minute Interval runs inventory every so many minutes, 10 by default, as specified in the Interval box.
- Daily runs inventory every so many days, as specified in the Interval box.
- Monthly runs inventory every so many months, as specified in the Interval box.
- Interval — Specify the number of minutes, hours, days, weeks, or months after which to run inventory again after the most recent run.
- Inventory Next Compilation Time — Specify a date and time at which to run inventory next.
- Inventory Batch Size — Specify the number of records to process in each batch, to avoid hanging up your system when large numbers of records are processed.
- Once you have your settings in place, select the Inventory Enabled checkbox at the top and click Save to allow EmpowerID to take inventory of accounts in the external system.
- On the Membership tab, group membership reconciliation is enabled by default to run every ten minutes, indefinitely. Here, you can specify the following settings:
- Start and End dates — Specify a start and end date to run inventory on the system. Otherwise, it starts on the current date and runs for ten years (or indefinitely).
- Run Indefinitely — Selected by default, this allows inventory to run until it is intentionally disabled.
- Inventory Schedule Interval — Select one of the following values to set the type of interval to use:
- Once runs inventory once and then stops.
- Hour Interval runs inventory every so many hours, as specified in the Interval box.
- Weekly runs inventory every so many weeks, as specified in the Interval box.
- Minute Interval runs inventory every so many minutes, 10 by default, as specified in the Interval box.
- Daily runs inventory every so many days, as specified in the Interval box.
- Monthly runs inventory every so many months, as specified in the Interval box.
- Interval — Specify the number of minutes, hours, days, weeks, or months after which to run inventory again after the most recent run.
- On the Projection tab, you can enable resource role reconciliation and the intervals at which to run it with the same settings as group membership reconciliation above.
- On the Rights Inventory tab, you can enable inventory of rights in the native system and the intervals at which to run it with the same settings as group membership reconciliation above.
- On the Deleted Object Detection tab, you can set the following options and enable EmpowerID to detect deleted objects in the system:
- Interval Minutes — Specify the number of minutes after the last check for deleted objects to run the check again.
- Threshold Max # of Deleted Objects — Specify the maximum number of deleted objects.
- When you have finished, click Save.
To create an account store for an LDAP Directory in EmpowerID Management Console
- Log in to the EmpowerID Management Console as an administrator.
- Click the application icon and select Configuration Manager from the menu.
- In Configuration Manager, select the Account Stores node and then click the Add New button above the grid.
- In the Add New Security Boundary window that opens, select the Open Directory Service (OpenDS) Security Boundary type from the drop-down list and then click OK.
This opens the OpenDS Directory window. - In the OpenDS Directory window, do the following:
- Enter the name of the server on which the directory is installed and include the port number—if it is other than 389—in the Ldap Server field.
- Enter the partition suffix in the Partition Suffix field.
- Enter the proxy information into the fields of the Proxy Information panel. The user account must have read access to the partition that holds the objects in the directory. The user account entered here is saved as the default proxy account (connection credential) used when managing these objects. You can change this at any time.
- Click the Choose button below the Proxy Information panel to open the Choose Servers window. This window provides the interface for selecting the server(s) where the EmpowerID LDAP Agent(s) reside.
- In the Choose Servers window that appears, toggle the Server button from a red sphere to a green checkbox for each server running the EmpowerID LDAP Agent. You must pick a server running the Agent that is in the same Forest and can communicate with the LDAP Directory over LDAP port TCP 389. Please note that the agent must be started on a server before the server will show in the Choose Servers window.
- Click OK to close the Choose Servers window and then click OK to close the OpenDS Directory window.
- In the Security Boundary Ldap Details screen that appears, change the Display Name from the server and port to something more friendly, such as OpenDS.
- Click the Account Stores tab to the left of the screen.
- From the grid to the right of the tab, double-click the OpenDS Security Boundary or right-click it and select Edit from the context menu. This opens the Account Store Ldap Details screen. This screen is used to configure the settings that EmpowerID uses to manage the domain. This is discussed in the below section.
To configure settings for the account store in the Management Console
- From the General pane of the Details tab, do the following:
- Click the Edit button to the right of Default User Creation Path and select a default location within your directory where EmpowerID is to create users in the event that one is not selected in a workflow process.
- Click the Edit button to the right of Default Group Creation Path and select a default location within your directory where EmpowerID is to create groups in the event that one is not selected in a workflow process.
- Click the Edit button to the right of EmpowerID Group Creation Path and select a default location within your directory where EmpowerID is to create the Domain Local groups it uses for granting native AD permissions assignments.
- Click the Edit button to the right of Maximum Accounts Per Person and specify that maximum number of accounts from the domain that a Person can have linked to them. Setting this prevents the possibility of a runaway error caused by a wrongly configured Join rule.
- If you are managing other account stores in addition to this one, click the Edit button to the right of Role and Location Re-Eval Order and enter a number to specify the priority of the account store for determining the Business Roles and Locations that should be assigned to a Person. Account Stores with a higher value take precedence.
- Toggle Enable Pass-Through Authentication to reflect your policy for the account store (red sphere for disable and green checkbox for enable). Pass-through Authentication allows domain authentication to be used for logging in to EmpowerID. Unless Simple Search is enable, the domain\username format needs to be used.
- Toggle Enable Simple Username Search for Pass-Through Authentication to reflect your policy for the account store (red sphere for disable and green checkbox for enable). Simple search works in conjunction with pass-through authentication to allow users to log in without specifying a domain name. When this is enabled, EmpowerID first checks to see if the user name entered exists within its Identity Warehouse and if so attempts to authenticate as that user. If a matching logon name exists but the login fails, EmpowerID then searches through all account stores where simple search is enabled to find the correct user name and password combination.
- Toggle Allow Password Sync to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID synchronizes password changes to user accounts in the domain based on password changes for the joined Person or changes on another account owned by the Person.
- Toggle Queue Password Changes to send password changes to the Account Inbox.
- Toggle Use Secure Binding to bind accounts with encryption.
- Toggle Allow Person Provisioning to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID auto-provisions a Person for accounts that have not yet had them provisioned.
- Toggle Allow RET Provisioning to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID auto-provisions accounts for users who receive RET policy-assigned user accounts, but have not yet had them provisioned.
- Toggle Allow RET De-Provisioning to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID auto de-provisions accounts for users who have RET policy-assigned user accounts, but no longer receive a policy that grants them those user accounts in the domain.
- Allow Create Account On Membership Request — Select to allow users without accounts to request group membership and automatically have an account created.
- Toggle Enable Attribute Flow to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, changes occurring to user attributes in the account store will occur in EmpowerID and vice-versa depending on how you have set up your attribute flow rules. The default flow for most user attributes is bi-directional. You can change these as needed.
- From the Inventory pane of the Account Store Details screen, do the following:
Excerpt | ||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
The last action to perform on this screen is to enable inventory. However, before doing so, it is important to configure the attribute flow rules for the account store and to enable the Account Inbox if batch processing of those accounts is desired. To configure Attribute Flow rules
Now that the attribute flow has been set, the next steps includes turning on and monitoring inventory. To turn on inventory
If you are using the Account Inbox to provision or join the user accounts in Google to Empower Persons, you need to turn on the Account Inbox. This is demonstrated in the below section. To enable the Account Inbox permanent workflow
To monitor inventory
|
Div | ||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||
|