LDAP Connector

This topic demonstrates how to add an LDAP Directory domain to the EmpowerID Identity Warehouse as a managed Account Store. EmpowerID provides connectors out of the box for the following LDAP directories. The process for connecting to each is the same.

  • IBM – IBM Tivoli Directory Server

  • NOVELL – Novell eDirectory

  • OpenDS – Open Directory Service (OpenDS)

  • OpenLDAP – Open LDAP

  • ORACLE – Oracle Internet Directory

  • Radiant Logic – Radiant Logic

  • SUN – Oracle Directory Server Enterprise Edition (SUN)

To connect EmpowerID to LDAP, the Proxy User or connection account must be an admin user account that has read access to the partition that holds the objects in the directory.

Step 1 – Create an LDAP account store in EmpowerID

  1. On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.

  2. On the Account Stores page, select the Actions tab and click Create Account Store.


  3. Search for an LDAP system, such as Open LDAP.

  4. Click the record for the chosen LDAP system to select the type and then click Submit.


    This opens the LDAP Settings form, which is where you enter settings to connect EmpowerID to your LDAP directory.


  5. Enter the following information in the LDAP Settings form:

    • Name – Enter a name for the account store.

    • Display Name – Enter the name for the account store that appears in the user interfaces of EmpowerID.

    • LDAP server (add port number if other than 389) – Enter the host name of the server on which the directory is installed, followed by the port number if it is other than 389.
      e.g. dc-exch:636

    • Partition Suffix – Enter the partition suffix for the directory. 
      e.g. dc=eiddoc,dc=com

    • Proxy User – Enter the admin user account that has read access to the partition that holds the objects in the directory. 

    • Password – Enter the password for the proxy account.

    • Is Remote (Required Cloud Gateway) – This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client.

  6. Click Submit.

EmpowerID creates the account store and the associated resource system. The next step is to configure the attribute flow between the account store and EmpowerID.
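The settings above (server and port, partition suffix, proxy user and password) are easy to mistype, and a failed bind only shows up later when inventory runs. The following pre-flight script is an added example, not EmpowerID's own code or tooling: it parses the LDAP server field the way the form describes it (port defaults to 389), checks that the partition suffix is a DN, flags a plain-LDAP port because the proxy account is an admin account whose credentials would otherwise cross the network unencrypted, and optionally binds as the proxy user and reads the partition entry. The live check assumes the third-party ldap3 package is installed; the sample values are the ones given in the form description.

```python
"""Pre-flight check for values destined for the EmpowerID LDAP Settings form.

Added example, not EmpowerID code. The live bind check assumes the ldap3
package (pip install ldap3); everything else is standard library only.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_PORT = 389   # the form's default when the server field carries no port
LDAPS_PORT = 636     # LDAP over TLS

# One RDN is "attr=value"; a DN is one or more RDNs joined by commas.
# Escaped commas inside values are deliberately not handled here.
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")


@dataclass
class LdapSettings:
    host: str
    port: int
    partition_suffix: str
    proxy_user: str
    password: str


def parse_server(field: str) -> Tuple[str, int]:
    """Split the 'LDAP server' field (e.g. 'dc-exch:636') into host and port.

    A bare host name gets the default port 389. Bracketed IPv6 literals are
    not handled; the form example uses a host name.
    """
    field = field.strip()
    if not field:
        raise ValueError("LDAP server must not be empty")
    host, sep, port = field.rpartition(":")
    if not sep:
        return field, DEFAULT_PORT
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port in LDAP server field: {field!r}")
    return host, int(port)


def validate_suffix(suffix: str) -> str:
    """Return the Partition Suffix if it looks like a DN (e.g. dc=eiddoc,dc=com)."""
    suffix = suffix.strip()
    if not _DN_RE.match(suffix):
        raise ValueError(f"Partition Suffix is not a DN: {suffix!r}")
    return suffix


def build_settings(server_field: str, suffix: str, proxy_user: str, password: str) -> LdapSettings:
    """Turn the raw form fields into validated settings."""
    host, port = parse_server(server_field)
    return LdapSettings(host, port, validate_suffix(suffix), proxy_user.strip(), password)


def settings_warnings(s: LdapSettings) -> List[str]:
    """Review findings a practitioner would want before clicking Submit."""
    findings = []
    if s.port != LDAPS_PORT:
        findings.append(
            f"port {s.port}: the proxy account's credentials would be sent over plain LDAP; "
            f"use {LDAPS_PORT} (LDAPS) where the directory supports it"
        )
    if not s.proxy_user:
        findings.append("Proxy User is empty")
    if not s.password:
        findings.append("Password is empty: an anonymous bind will not read the partition as the proxy user")
    return findings


def check_read_access(s: LdapSettings) -> bool:
    """Bind as the proxy user and read the partition suffix entry (needs ldap3).

    Returns True when the bind succeeds and the base entry is readable, which
    is the minimum the connector needs to inventory the partition.
    """
    from ldap3 import BASE, Connection, Server  # assumption: ldap3 is installed
    server = Server(s.host, port=s.port, use_ssl=(s.port == LDAPS_PORT))
    conn = Connection(server, user=s.proxy_user, password=s.password, auto_bind=True)
    try:
        return conn.search(s.partition_suffix, "(objectClass=*)", search_scope=BASE, attributes=["objectClass"])
    finally:
        conn.unbind()


if __name__ == "__main__":
    # Values from the form description; the proxy user and password are constructed placeholders.
    settings = build_settings("dc-exch:636", "dc=eiddoc,dc=com", "cn=eid-proxy,dc=eiddoc,dc=com", "<password>")
    for finding in settings_warnings(settings):
        print("WARNING:", finding)
    # Uncomment once ldap3 is installed and the host is reachable:
    # print("partition readable:", check_read_access(settings))
```

Run the offline checks first; a finding about port 389 means the form as filled in would have EmpowerID bind the admin proxy account over an unencrypted connection. The live check confirms the exact things the connector depends on: the proxy user can bind, and the partition suffix names an entry it is allowed to read.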

Step 2 – Configure attribute flow

Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.

Step 3 – Configure account store settings


Next, enable the Account Inbox permanent workflow to allow the Account Inbox to provision or join the user accounts in the LDAP system to EmpowerID Persons as demonstrated below.

EmpowerID recommends using the Account Inbox for provisioning and joining.
