Connecting to LDAP Directories

This topic demonstrates how to add an LDAP Directory domain to the EmpowerID Identity Warehouse as a managed Account Store. EmpowerID provides connectors out of the box for the following LDAP directories. The process for connecting to each is the same.

  • IBM — IBM Tivoli Directory Server

  • NOVELL — Novell eDirectory

  • OpenDS — Open Directory Service (OpenDS)

  • OpenLDAP — Open LDAP

  • ORACLE — Oracle Internet Directory

  • Radiant Logic — Radiant Logic

  • SUN — Oracle Directory Server Enterprise Edition (SUN)

To connect EmpowerID to LDAP, the Proxy User or connection account must be an admin user account that has read access to the partition that holds the objects in the directory.

To create an LDAP account store in EmpowerID

  1. On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.

  2. On the Account Stores page, click Create Account Store.

  3. Search for Open LDAP and then click the record for Open LDAP to select that System type.

  4. Click Submit.

    This opens the LDAP Settings form, which is where you enter settings to connect EmpowerID to your LDAP directory.

  5. Enter the following information in the LDAP Settings form:

    • Name — Enter a name for the account store.

    • Display Name — Enter the name for the account store that appears in the user interfaces of EmpowerID.

    • LDAP server (Add Port Number if other than 389) — Enter the host name of the server on which the directory is installed, and include the port number if it is other than 389.
      e.g. dc-exch:636

    • Partition Suffix — Enter the partition suffix for the directory. 
      e.g. dc=eiddoc,dc=com

    • Proxy User — Enter the admin user account that has read access to the partition that holds the objects in the directory. 

    • Password — Enter the password for the proxy account.

    • Is Remote (Required Cloud Gateway) — This setting appears for account stores that connect to on-premises directories, such as Active Directory, LDAP, SAP, etc. When enabled, it tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premises machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client.

  6. Click Submit.

  7. EmpowerID creates the account store and the associated resource system. The next step is to configure the attribute flow between the account store and EmpowerID.
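Before saving the form it is worth confirming that the values in step 5 actually work: that the server and port are reachable, that the partition suffix is a well-formed DN, and that the Proxy User can bind with the supplied password. The script below is an added example and is not part of EmpowerID or this documentation. It uses only the Python standard library, hand-encoding the LDAPv3 simple bind request in BER (RFC 4511) so it runs without python-ldap or ldap3. The host name dc-exch, the suffix dc=eiddoc,dc=com, the proxy DN cn=proxy,dc=eiddoc,dc=com and the password are constructed placeholders; substitute your own. Note that a simple bind on port 389 sends the proxy password in clear text, which is why the check flags any port other than 636.

```python
"""Pre-flight check for the LDAP Settings form (added example, not EmpowerID code).
Stdlib only: the LDAPv3 simple bind is hand-encoded in BER (RFC 4511)."""
import socket
import ssl

LDAPS_PORT = 636


def parse_server(value, default_port=389):
    """'dc-exch:636' -> ('dc-exch', 636); a bare host name gets 389 as the form says."""
    host, sep, port = value.strip().rpartition(":")
    if not sep:
        return value.strip(), default_port
    return host, int(port)


def is_valid_dn(dn):
    """Syntax check for a suffix like 'dc=eiddoc,dc=com': every RDN is 'attr=value'.
    Simplified: escaped commas inside values are not handled."""
    parts = [rdn.split("=", 1) for rdn in dn.split(",")]
    return all(len(p) == 2 and p[0].strip() and p[1].strip() for p in parts)


def review_settings(server, suffix):
    """Return findings a defender would want to see before saving the account store."""
    findings = []
    host, port = parse_server(server)
    if port != LDAPS_PORT:
        findings.append(f"port {port}: a simple bind sends the proxy password in clear "
                        f"text; use LDAPS on {LDAPS_PORT} (e.g. {host}:{LDAPS_PORT})")
    if not is_valid_dn(suffix):
        findings.append(f"partition suffix {suffix!r} is not a well-formed DN")
    return findings


# --- minimal BER encode/decode for LDAPMessage and BindRequest/BindResponse ---
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(n):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear when needed."""
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { 3, name, simple [0] } }."""
    bind = _ber_int(3) + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))


def _read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (message_id, result_code, diagnostic) from a BindResponse [APPLICATION 1].
    Result code 0 is success; 49 is invalidCredentials."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(body, 0)
    _, _matched_dn, pos = _read_tlv(body, pos)
    _, diag, _ = _read_tlv(body, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def _recv_message(sock):
    """Read one complete BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def check_proxy_bind(server, proxy_dn, password, timeout=5.0):
    """Connect as the form would, bind as the Proxy User, return (ok, code, diagnostic).
    On 636 the server certificate and host name are verified, so a bad or untrusted
    certificate fails here instead of at the first inventory run."""
    host, port = parse_server(server)
    sock = socket.create_connection((host, port), timeout=timeout)
    if port == LDAPS_PORT:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, proxy_dn, password))
        _, code, diag = parse_bind_response(_recv_message(sock))
    return code == 0, code, diag


if __name__ == "__main__":
    # Constructed placeholder values mirroring the form's examples.
    for finding in review_settings("dc-exch:636", "dc=eiddoc,dc=com"):
        print("finding:", finding)
    try:
        print(check_proxy_bind("dc-exch:636", "cn=proxy,dc=eiddoc,dc=com", "PLACEHOLDER"))
    except OSError as exc:
        print("bind check failed:", exc)
```

Run it with the values you intend to type into the form; a non-zero result code from check_proxy_bind means the Proxy User or password is wrong (49) or the account lacks rights, and a TLS error on 636 means the EmpowerID server will not trust the directory's certificate either.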

Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.

To configure account store settings

  1. On the Account Store and Resource System page, click the Account Store tab and then click the pencil icon to put the account store in edit mode.

  2. Edit the account store as needed and then click Save to save your changes.

Next, enable the Account Inbox permanent workflow to allow the Account Inbox to provision or join the user accounts in the LDAP system to EmpowerID Persons as demonstrated below.

EmpowerID recommends using the Account Inbox for provisioning and joining.
