Configuring LDAP provider

Configuring LDAP provider with custom attribute to identify users in target system

By default, when the LDAP sync provider is used, the source account in Active Directory holds, in the attribute specified in the name mapping settings, the distinguished name of the corresponding account in the target system.

However, there are other scenarios where, for example, a known attribute in the source system contains an account identifier other than the distinguished name. In those cases, a search can be performed instead to find the matching account.

The following procedure describes an example of such a setup.

Example scenario

Suppose the “employeeID” attribute in Active Directory for the source system contains the users’ social security number. Suppose the “department” attribute in the target directory (e.g. Active Directory or OpenLDAP) also contains the users’ social security number.

WARNING
It is critically important that the attributes configured in “Name mapping settings” for the source system and the “Target Search Identifier Attribute” for the target system are not writable by users. A user-writable attribute would compromise security and could allow resetting another user’s password and gaining access to that account.
  1. Configure “Name mapping settings” in the Sync Point to use a custom attribute and enter employeeID.
  2. Configure “Target Search Identifier Attribute” for the Ldap provider to department.
  3. Configure the locations in the target directory where users can be found. It is recommended not to search the entire directory, but only the location or locations where the users reside. If possible, do not include paths under which high-privilege accounts reside. This must be a valid LDAP path, or multiple LDAP paths separated with a semicolon (;). For instance: LDAP://CN=users,DC=acme,DC=org or LDAP://CN=Sales,CN=users,DC=acme,DC=org; LDAP://CN=Finance,CN=users,DC=acme,DC=org
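The following is an added example, not code from the product described on this page, that models the lookup the three steps above configure: the identifier read from the source account's employeeID is searched for in the target directory's department attribute, but only under the configured semicolon-separated LDAP paths. It also shows the two checks a practitioner would want around such a search: the identifier is escaped before it is placed in an LDAP filter (RFC 4515), and a search that returns zero or more than one account is treated as a failure rather than silently picking one. The directory entries, the helper names and the simplified DN normalization are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Characters that must be escaped when a value is placed in an LDAP search
# filter (RFC 4515), so that an identifier such as "123*" cannot widen a search.
_FILTER_ESCAPES = {'\\', '*', '(', ')', '\x00'}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter, e.g. '*' -> '\\2a'."""
    return ''.join('\\%02x' % ord(ch) if ch in _FILTER_ESCAPES else ch for ch in value)


def build_filter(attr: str, identifier: str) -> str:
    """Equality filter that would be sent to the target directory."""
    return f'({attr}={escape_filter_value(identifier)})'


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization (assumption: no escaped commas in RDNs)."""
    return ','.join(part.strip().lower() for part in dn.split(','))


def parse_search_paths(paths: str) -> list[str]:
    """Split 'LDAP://...; LDAP://...' into normalized base DNs."""
    bases = []
    for raw in paths.split(';'):
        raw = raw.strip()
        if not raw:
            continue
        if raw.upper().startswith('LDAP://'):
            raw = raw[len('LDAP://'):]
        bases.append(normalize_dn(raw))
    return bases


def dn_under_base(dn: str, base: str) -> bool:
    """True if dn is the base itself or lies beneath it in the tree."""
    dn_n, base_n = normalize_dn(dn), normalize_dn(base)
    return dn_n == base_n or dn_n.endswith(',' + base_n)


@dataclass
class Entry:
    """A directory entry as an in-memory stand-in for a real LDAP result."""
    dn: str
    attrs: dict = field(default_factory=dict)


class MatchError(LookupError):
    """Raised when the identifier does not resolve to exactly one account."""


def find_target_account(entries, search_attr: str, identifier: str, search_paths: str) -> str:
    """Return the DN of the single target account whose search_attr equals identifier
    and which lies under one of the configured search paths."""
    bases = parse_search_paths(search_paths)
    matches = [
        e.dn for e in entries
        if any(dn_under_base(e.dn, b) for b in bases)
        and identifier in e.attrs.get(search_attr, [])
    ]
    if not matches:
        raise MatchError(f'no account found for filter {build_filter(search_attr, identifier)}')
    if len(matches) > 1:
        raise MatchError(f'ambiguous match, {len(matches)} accounts: {matches}')
    return matches[0]


# Constructed sample directory: a regular user under CN=Users, a high-privilege
# account outside that container that happens to carry the same identifier, and
# two users sharing one identifier to show the ambiguity check.
SAMPLE_ENTRIES = [
    Entry('CN=Alice,CN=Users,DC=acme,DC=org', {'department': ['123-45-6789']}),
    Entry('CN=DomainAdmin,OU=Admins,DC=acme,DC=org', {'department': ['123-45-6789']}),
    Entry('CN=Bob,CN=Users,DC=acme,DC=org', {'department': ['987-65-4321']}),
    Entry('CN=Bob2,CN=Users,DC=acme,DC=org', {'department': ['987-65-4321']}),
]

if __name__ == '__main__':
    paths = 'LDAP://CN=users,DC=acme,DC=org'
    print(find_target_account(SAMPLE_ENTRIES, 'department', '123-45-6789', paths))
    print(build_filter('department', '123*'))
```

Running the block resolves Alice's identifier to her DN because the admin account lies outside the configured path; widening the path to LDAP://DC=acme,DC=org makes the same identifier ambiguous, which is the practical reason behind the advice in step 3 to keep high-privilege containers out of the search scope.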

See also LDAP Provider section on this page.