This topic demonstrates how to add an LDAP Directory domain to the EmpowerID Identity Warehouse as a managed Account Store. We demonstrate this by connecting EmpowerID to Open LDAP, but the process is the same for connecting to other supported LDAP directories, including:

  • IBM — IBM Tivoli Directory Server
  • NOVELL — Novell eDirectory
  • OpenDS — Open Directory Service (OpenDS)
  • OpenLDAP — Open LDAP
  • ORACLE — Oracle Internet Directory
  • Radiant Logic — Radiant Logic
  • SUN — Oracle Directory Server Enterprise Edition (SUN)

The OpenLDAP system should be supporting LDAP controls - 

  1. Server Side Sort Control *
  2. Simple Page Results Control */ Virtual List View Control
  3. Permissive Modify

Ascending sorting enabled on createTimeStamp attribute with a Matching Rule.

( * ) Mandatory


To create an LDAP account store in the web application

  1. From the navigation sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
  2. Click the Actions tab, and then click the Create Account Store action.



  3. Search for open and then click the record for Open LDAP to select that System type.



  4. Click Submit.

  5. On the Choose Servers page that appears, select the EmpowerID server or servers to register and click Submit.

    The Choose Servers page displays only those servers where the EmpowerID Web Role service is running. If you do not see your server on the page, check the following:

    • Ensure that the server has been assigned either the All-in-One Server or Web Front-End server role.
    • Ensure that the EmpowerID Web Role service is running.

    (The LDAP Management Host Web Service is responsible for LDAP communications and is enabled by default on each server running the EmpowerID Web Role service.)


    All selected servers must be in the same forest and able to communicate with the LDAP system over LDAP port TCP 389.




    The LDAP Settings page appears, where you enter settings to connect to your LDAP directory to allow EmpowerID to discover and connect to it.



  6. On the LDAP Settings page, do the following:
    1. In the Name and Display Name fields, enter a name for the LDAP account store.
    2. In the LDAP Server field, enter the name of the server on which the directory is installed and include the port number if it is other than 389.
      e.g. dc-exch:636

    3. In the Partition Suffix field, enter the partition suffix for the directory. 
      e.g. dc=eiddoc,dc=com
    4. In the Proxy User field, enter the admin user account that has read access to the partition that holds the objects in the directory. 

      This user account is saved as the connection credential for this account store. You can change it at any time.


    5. In the Password field, enter the password for the proxy account.
    6. Click Submit.

      The Account Store is created and appears in the list of Account Stores in both the web application and the Management Console and a corresponding Resource System is created.

To configure account store settings in the web app

  1. In the navigation Sidebar, expand Admin, then Applications and Directories, and click Account Stores and Systems.
  2. On the Account stores tab, search for the account store you just created and click the Account Store link to go to its details page.



  3. On the Account Store Details page, click the Edit button or the name of the account store.



  4. In the edit view of the page, you can edit values in any of the enabled fields on the Settings tab. In the General section, these are:
    • Option 1 Specify an Account Proxy — Change the user name and password for the proxy connection.
    • Option 2 Select a Vaulted Credential as Account Proxy — Click in this box and press Enter to see a list of shared credentials in your system to use for the proxy connection.
    • Inventoried Directory Server — Select the server to inventory.
    • Is Remote (Cloud Gateway Connection Required) — Select if you are using the EmpowerID Cloud Gateway.



  5. In the Authentication and Password Settings section, you can select any of these values:
    • Use for Authentication — Select to allow users to log into EmpowerID with their credentials for this account.
    • Allow Search for User Name in Authentication — 
    • Allow Password Sync — Toggle to allow EmpowerID to sync password changes discovered during inventory.
    • Queue Password Changes — Toggle to have EmpowerID send password changes to the Account Password Reset Inbox for batch processing.
    • Password Manager Policy for Accounts without Person — Select a password manager policy to use for the account. If not selected, it uses the Default Password Manager Policy.



  6. In the Provisioning Settings section, you can set any of the following:
    • Allow Person Provisioning (Joiner Source) — Toggle to allow EmpowerID to create Person objects from the user records discovered during inventory.
    • Allow Attribute Flow — Toggle to allow attribute changes to flow between EmpowerID and the account store.
    • Allow Provisioning (By RET) — Toggle to allow EmpowerID to create new Groups in ServiceNow from requests discovered during inventory.
    • Allow Deprovisioning (By RET) — Toggle to allow EmpowerID to delete Groups in ServiceNow based on requests discovered during inventory.
    • Default User Creation Path  — Select a location in which to create users if none is specified.
    • Default Group Creation Path — Select a location in which to create groups if none is specified.
    • EmpowerID Group Creation Path — Select a location in which to create EmpowerID groups if none is specified.
    • Max Accounts per Person — Enter the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. We recommended setting this value to 1 unless users commonly have multiple accounts and you want them to be joined to the same person.
    • Allow Account Creation on Membership Request — Toggle to allow users without accounts to request group membership and automatically have an account created.
    • Recertify All Group Changes as Detected — Toggle to allow EmpowerID to generate recertification review tasks for all changes in account store groups.
    • Allow Business Role and Location Re-Evaluation — Toggle if you have multiple account stores to manage and want to specify a priority for each.
    • Business Role and Location Re-Evaluation Order — Enter a number to specify the priority of the account store for determining the Business Roles and Locations to assign to a Person. Account Stores with a higher value take precedence.
    • Default Person Business Role — Set a default Business Role to assign people if none is specified.
    • Default Person Location — Set a default Location to assign people if none is specified.



  7. In the Special Use Settings section, you can select any of the following:
    • RBAC Assign Group Members On First Inventory — 
    • Automatically Join Account to a Person On Inventory (Skip Account Inbox) — Toggle to allow EmpowerID to join newly discovered accounts to people during the inventory process if they meet the Join Rule as specified by the Custom_Account_InventoryInboxJoinBulk SQL stored procedure.
    • Automatically Create a Person On Inventory (Skip Account Inbox) — Toggle to allow EmpowerID to provision EmpowerID people for new accounts discovered during the inventory process if they meet the Provision Rule specified by the Custom_Account_InventoryInboxGetAccountsToProvision SQL stored procedure.
    • Show in Tree — Toggle to show the account store in the Locations tree.
    • Queue Password Changes on Failure — Toggle to have EmpowerID send password changes to the Account Password Reset Inbox only when the change fails.
    • Use Secure LDAPS Binding — Toggle to bind accounts with encryption.



  8. In the Naming Fields section, you can set the following values:
    • Application ID — If the account store is a one-to-one match with a Tracking Only application, enter the Application Resource GUID of the application. (This value is supplied automatically if you select the Create a New Account Directory option when creating a Tracking Only application.)
    • Tenant ID — Enter the Tenant ID, if supplied by the connection account. (AWS uses this.)



  9. When you have finished editing, click Save, or keep this page open to continue setting up inventory, membership, projection, etc.

To set up and enable inventory and other workflows

This procedure continues on the Account Store Details page from the previous procedure, which was performed on the Settings tab.

  1. On the Account Store Details page, click the Inventory tab, where you can specify the following settings:
    • Start and End dates — Specify a start and end date to run inventory on the system. Otherwise, it starts on the current date and runs for ten years (or indefinitely). 
    • Run Indefinitely — Selected by default, this allows inventory to run until it is intentionally disabled.
    • Inventory Schedule Interval — Select one of the following values to set the type of interval to use:
      • Once runs inventory once and then stops.
      • Hour Interval runs inventory every so many hours, as specified in the Interval box.
      • Weekly runs inventory every so many weeks, as specified in the Interval box.
      • Minute Interval runs inventory every so many minutes, 10 by default, as specified in the Interval box.
      • Daily runs inventory every so many days, as specified in the Interval box.
      • Monthly runs inventory every so many months, as specified in the Interval box.
    • Interval — Specify the number of minutes, hours, days, weeks, or months after which to run inventory again after the most recent run. 
    • Inventory Next Compilation Time — Specify a date and time at which to run inventory next.
    • Inventory Batch Size — Specify the number of records to process in each batch, to avoid hanging up your system when large numbers of records are processed. 



  2. Once you have your settings in place, select the Inventory Enabled checkbox at the top and click Save to allow EmpowerID to take inventory of accounts in the external system.
  3. On the Membership tab, group membership reconciliation is enabled by default to run every ten minutes, indefinitely. Here, you can specify the following settings:
    • Start and End dates — Specify a start and end date to run inventory on the system. Otherwise, it starts on the current date and runs for ten years (or indefinitely). 
    • Run Indefinitely — Selected by default, this allows inventory to run until it is intentionally disabled.
    • Inventory Schedule Interval — Select one of the following values to set the type of interval to use:
      • Once runs inventory once and then stops.
      • Hour Interval runs inventory every so many hours, as specified in the Interval box.
      • Weekly runs inventory every so many weeks, as specified in the Interval box.
      • Minute Interval runs inventory every so many minutes, 10 by default, as specified in the Interval box.
      • Daily runs inventory every so many days, as specified in the Interval box.
      • Monthly runs inventory every so many months, as specified in the Interval box.
    • Interval — Specify the number of minutes, hours, days, weeks, or months after which to run inventory again after the most recent run. 



  4. On the Projection tab, you can enable resource role reconciliation and the intervals at which to run it with the same settings as group membership reconciliation above.
  5. On the Rights Inventory tab, you can enable inventory of rights in the native system and the intervals at which to run it with the same settings as group membership reconciliation above.
  6. On the Deleted Object Detection tab, you can set the following options and enable EmpowerID to detect deleted objects in the system:
    • Interval Minutes — Specify the number of minutes after the last check for deleted objects to run the check again.
    • Threshold Max # of Deleted Objects — Specify the maximum number of deleted objects.



  7. When you have finished, click Save.

To create an account store for an LDAP Directory in EmpowerID Management Console

  1. Log in to the EmpowerID Management Console as an administrator.
  2. Click the application icon and select Configuration Manager from the menu.
  3. In Configuration Manager, select the Account Stores node and then click the Add New button above the grid.




  4. In the Add New Security Boundary window that opens, select the Open Directory Service (OpenDS) Security Boundary type from the drop-down list and then click OK.




    This opens the OpenDS Directory window.



  5. In the OpenDS Directory window, do the following:
    1. Enter the name of the server on which the directory is installed and include the port number—if it is other than 389—in the Ldap Server field.
    2. Enter the partition suffix in the Partition Suffix field.
    3. Enter the proxy information into the fields of the Proxy Information panel. The user account must have read access to the partition that holds the objects in the directory. The user account entered here is saved as the default proxy account (connection credential) used when managing these objects. You can change this at any time.
    4. Click the Choose button below the Proxy Information panel to open the Choose Servers window. This window provides the interface for selecting the server(s) where the EmpowerID LDAP Agent(s) reside.
    5. In the Choose Servers window that appears, toggle the Server button from a red sphere to a green checkbox for each server running the EmpowerID LDAP Agent. You must pick a server running the Agent that is in the same Forest and can communicate with the LDAP Directory over LDAP port TCP 389. Please note that the agent must be started on a server before the server will show in the Choose Servers window.
    6. Click OK to close the Choose Servers window and then click OK to close the OpenDS Directory window.

  6. In the Security Boundary Ldap Details screen that appears, change the Display Name from the server and port to something more friendly, such as OpenDS.
  7. Click the Account Stores tab to the left of the screen.
  8. From the grid to the right of the tab, double-click the OpenDS Security Boundary or right-click it and select Edit from the context menu. This opens the Account Store Ldap Details screen. This screen is used to configure the settings that EmpowerID uses to manage the domain. This is discussed in the below section.


To configure settings for the account store in the Management Console

  1. From the General pane of the Details tab, do the following:
    1. Click the Edit  button to the right of Default User Creation Path and select a default location within your directory where EmpowerID is to create users in the event that one is not selected in a workflow process.
    2. Click the Edit  button to the right of Default Group Creation Path and select a default location within your directory where EmpowerID is to create groups in the event that one is not selected in a workflow process.
    3. Click the Edit  button to the right of EmpowerID Group Creation Path and select a default location within your directory where EmpowerID is to create the Domain Local groups it uses for granting native AD permissions assignments.
    4. Click the Edit  button to the right of Maximum Accounts Per Person and specify that maximum number of accounts from the domain that a Person can have linked to them. Setting this prevents the possibility of a runaway error caused by a wrongly configured Join rule.
    5. If you are managing other account stores in addition to this one, click the Edit  button to the right of Role and Location Re-Eval Order and enter a number to specify the priority of the account store for determining the Business Roles and Locations that should be assigned to a Person. Account Stores with a higher value take precedence.
    6. Toggle Enable Pass-Through Authentication to reflect your policy for the account store (red sphere for disable and green checkbox for enable). Pass-through Authentication allows domain authentication to be used for logging in to EmpowerID. Unless Simple Search is enable, the domain\username format needs to be used.
    7. Toggle Enable Simple Username Search for Pass-Through Authentication to reflect your policy for the account store (red sphere for disable and green checkbox for enable). Simple search works in conjunction with pass-through authentication to allow users to log in without specifying a domain name. When this is enabled, EmpowerID first checks to see if the user name entered exists within its Identity Warehouse and if so attempts to authenticate as that user. If a matching logon name exists but the login fails, EmpowerID then searches through all account stores where simple search is enabled to find the correct user name and password combination.
    8. Toggle Allow Password Sync to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID synchronizes password changes to user accounts in the domain based on password changes for the joined Person or changes on another account owned by the Person.
    9. Toggle Queue Password Changes to send password changes to the Account Inbox.
    10. Toggle Use Secure Binding to bind accounts with encryption.
    11. Toggle Allow Person Provisioning to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID auto-provisions a Person for accounts that have not yet had them provisioned.
    12. Toggle Allow RET Provisioning to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID auto-provisions accounts for users who receive RET policy-assigned user accounts, but have not yet had them provisioned.
    13. Toggle Allow RET De-Provisioning to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, EmpowerID auto de-provisions accounts for users who have RET policy-assigned user accounts, but no longer receive a policy that grants them those user accounts in the domain.
    14. Allow Create Account On Membership Request — Select to allow users without accounts to request group membership and automatically have an account created.
    15. Toggle Enable Attribute Flow to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled, changes occurring to user attributes in the account store will occur in EmpowerID and vice-versa depending on how you have set up your attribute flow rules. The default flow for most user attributes is bi-directional. You can change these as needed.

  2. From the Inventory pane of the Account Store Details screen, do the following:


EmpowerID recommends using the Account Inbox to provision Person objects from user accounts. The below information is included to make you aware of the option to provision during inventory.


  • Toggle Allow Automatic Person Provision On Inventory to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled (and Allow Person Provisioning is enabled for the account store), EmpowerID will provision Person objects for all new accounts discovered during inventory in real-time, if they meet the conditions of your Provision rules.



    When provisioning people during inventory, the following options can be set:

    • Business Role for New Inventory Provision - This allows you to select an EmpowerID Business Role for all Persons provisioned during inventory. By default, EmpowerID assigns these people to the Temporary Business Role; however, you can pick others by clicking the Edit  button to the right of the line and selecting the desired Business Role from the Business Role Selector window that appears. If you pick another and wish to remove it in favor of the default, you can do so by clicking the red sphere to the right of the Edit button.

      The following image shows the Business Role Selector window with Standard Employee selected. This means that each Person provisioned will given the Standard Employee Business Role rather than the default Temporary Role.



      EmpowerID includes the Standard Employee and Temporary Role Business Roles out of the box; however, if you wish to assign new Persons to another Business Role before inventory occurs, you can easily do so. You simply need to create them first. Once created, those additional Business Roles will appear in the Business Role Selector.

      For information on creating Business Roles see Creating Business Roles.


    • Location for New Inventory Provision - This allows you to select the location that is to be the primary location for the each Person provisioned during inventory.





  • Toggle Allow Automatic Person Join On Inventory to reflect your policy for the account store (red sphere for disable and green checkbox for enable). When enabled (and Allow Person Provisioning is enabled for the account store), EmpowerID will attempt to join any new accounts discovered during inventory — if it finds one that matches the conditions of the Join rules for the account store. If this setting is not enabled, EmpowerID will not join secondary accounts to an EmpowerID Person, but will instead provision new EmpowerID Persons for each of those additional accounts.


The last action to perform on this screen is to enable inventory. However, before doing so, it is important to configure the attribute flow rules for the account store and to enable the Account Inbox if batch processing of those accounts is desired.

To configure Attribute Flow rules



EmpowerID supports the configuration of attribute synchronization rules for flowing attribute changes between directories and the EmpowerID Identity Warehouse. Attribute Flow rules are visually configured and are always relative to the relationship between an attribute in a directory and the corresponding attribute in the EmpowerID Identity Warehouse. Attribute Flow rules define the specific fields and attributes that are synchronized between the EmpowerID Identity Warehouse person objects and the external user accounts to which they are linked. Additionally, Attribute Flow rules can be weighted by account store. For example, if you have connected EmpowerID to an HR system as well as LDAP, and you want any changes made to an attribute in the HR system to take priority over changes made in LDAP or EmpowerID (while allowing changes to be made in any system), you would give a higher score for each CRUD operation originating from the HR account store and correspondingly lower scores for the LDAP account store.


The following flow rules are available:

  • No Sync - When this option is selected, no information flows between EmpowerID and the native system.
  • Bidirectional Flow - When this option is selected, changes made within EmpowerID update the native system and vice-versa. For most attributes, this is the default setting.
  • Account Store Changes Only - When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.
  • EmpowerID Changes Only - When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.

The following CRUD operations are available:

  • Create - This operation is used to create an attribute value for an existing attribute when the value of that attribute is null.
  • Update - This operation is used to update the value of an attribute.
  • Delete - This operation is used to delete the value of an attribute.




  1. Open a browser and log in to the EmpowerID Web application.
  2. From the Navigation Sidebar, expand Admin > Applications and Directories and click Attribute Flow Rules.
  3. From the Attribute Flow Rules page, click the Advanced Search drop-down button, enter the name of the account store for which you want to configure the flow rules and then click Search to filter the rules shown in the grid.




    The attributes from the EmpowerID Person object are displayed in the left column with the corresponding attributes from the account store displayed in the right column.


  4. To change the flow for an attribute, click the Attribute Flow drop-down located between the Person Attribute column and the External Directory Attribute column, and select the desired flow direction from the context menu.



    EmpowerID only considers scores for attribute CRUD operations when multiple account stores with the same user records are connected to EmpowerID, such as would be the case if an HR System and Google Apps were being inventoried by EmpowerID.


Now that the attribute flow has been set, the next steps includes turning on and monitoring inventory.


To turn on inventory

  1. Return to the Account Store Details screen in Configuration Manager.

  2. Look over your settings one last time and when satisfied, turn on inventory by toggling the Enable Inventory button from a red sphere to a green check box.

If you are using the Account Inbox to provision or join the user accounts in Google to Empower Persons, you need to turn on the Account Inbox. This is demonstrated in the below section.

To enable the Account Inbox permanent workflow

  1. From the Navigation Sidebar of the EmpowerID Web interface, expand Admin > EmpowerID Servers and Settings and click Permanent Workflows.
  2. From the Permanent Workflows page, click the Display Name link for Account Inbox.



  3. From the View One page for the workflow that appears, click the edit link for the workflow.



  4. From the Permanent Workflow Details form that appears, select Enabled and then click Save. Based on the default settings applied to the workflow, EmpowerID will process 1000 of the user accounts in the Account Inbox every ten minutes, provisioning Person objects from those user accounts and joining them together based on the Join and Provision rules applied to the account store.


To monitor inventory

  1. From Navigation Sidebar, expand System Logs > Policy Inbox Logs and click Account Inbox.

    The Account Inbox page appears. This page provides tabbed views of all information related to processing new user accounts discovered in a connected account store during inventory. An explanation of these tabs follows.


  • Dashboard - This tab provides a quick summary of account inbox activity.
  • Not Processed - This tab displays a grid view of all inventoried user accounts not yet used to provision a new EmpowerID Person or joined to an existing Person. Any accounts that fail to meet the Join and Provision rules are displayed here as well.
  • Failed - This tab displays a grid view of any account joining or provisioning failures.
  • Ignored - This tab displays a grid view of all accounts ignored by the account inbox. Accounts are ignored if they do not qualify as user accounts.
  • Joined - This tab displays a grid view of all accounts joined to an EmpowerID Person. Joins occur based on the Join rules applied to the account store.
  • Processed - This tab displays a grid view of all accounts that have been used to either provision a new EmpowerID Person or joined to an existing EmpowerID Person.
  • Provisioned - This tab displays a grid view of all accounts that have been used to provision an EmpowerID Person. Provisioning occurs based on the Provision rules applied to the account store.
  • Orphans - This tab displays a grid view of all user accounts without an EmpowerID Person.
  • All - This tab displays a grid view of all user accounts and the status of those accounts in relation to the Account Inbox.






concepts:

Overview of the EmpowerID Identity Warehouse

Overview of Inventory

Account Inbox Overview

Overview of Attribute Flow

Overview of Projection and Enforcement



tasks:

Managing User Accounts and Groups









In this article