This topic demonstrates how to add an LDAP Directory domain to the EmpowerID Identity Warehouse as a managed Account Store. EmpowerID provides connectors out of the box for the following LDAP directories. The process for connecting to each is the same.
IBM — IBM Tivoli Directory Server
NOVELL — Novell eDirectory
OpenDS — Open Directory Service (OpenDS)
OpenLDAP — Open LDAP
ORACLE — Oracle Internet Directory
Radiant Logic — Radiant Logic
SUN — Oracle Directory Server Enterprise Edition (SUN)
To connect EmpowerID to LDAP, the Proxy User or connection account must be an admin user account that has read access to the partition that holds the objects in the directory.
To create an LDAP account store in EmpowerID
On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.
On the Account Stores page, click Create Account Store.
Search for Open LDAP and then click the record for Open LDAP to select that System type.
This opens the LDAP Settings form, which is where you enter settings to connect EmpowerID to your LDAP directory.
Enter the following information in the LDAP Settings form:
Name — Enter a name for the account store.
Display Name — Enter the name for the account store that appears in the user interfaces of EmpowerID.
LDAP server: (Add Port Number if other than 389): — Enter the name of the server on which the directory is installed and include the port number if it is other than 389. e.g. dc-exch:636
Partition Suffix — Enter the partition suffix for the directory. e.g. dc=eiddoc,dc=com
Proxy User — Enter the admin user account that has read access to the partition that holds the objects in the directory.
Password — Enter the password for the proxy account.
Is Remote (Required Cloud Gateway) — This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client.
EmpowerID creates the account store and the associated resource system. The next step is to configure the attribute flow between the account store and EmpowerID.
Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.
To configure account store settings
On the Account Store and Resource System page, click the Account Store tab and then click the pencil icon to put the account store in edit mode.
Edit the account store as needed and then click Save to save your changes.
Next, enable the Account Inbox permanent workflow to allow the Account Inbox to provision or join the user accounts in the LDAP system to EmpowerID Persons as demonstrated below.
EmpowerID recommends using the Account Inbox for provisioning and joining.