Configuring LDAP provider
Configuring LDAP provider with custom attribute to identify users in target system
By default, when using the LDAP sync provider, the attribute of the source account in Active Directory that is specified in the name mapping settings contains the distinguished name of the corresponding account in the target system.
In other scenarios, however, a known attribute in the source system may contain an account identifier other than the distinguished name. In those cases a search can be performed instead to find the matching account in the target system.
The following procedure describes an example of such a setup.
Suppose the “employeeID” attribute in Active Directory for the source system contains the users’ social security number. Suppose the “department” attribute in the target directory (e.g. Active Directory or OpenLDAP) also contains the users’ social security number.
- Configure “Name mapping settings” in the Sync Point to use a custom attribute and enter employeeID.
- Configure “Target Search Identifier Attribute” for the LDAP provider to department.
- Configure the locations in the target directory where users can be found. It is recommended not to search the entire directory, but only the location or locations where the users reside. If possible, do not include containers high in the tree where high-privilege accounts reside. Each location must be a valid LDAP path; multiple LDAP paths are separated with a semicolon (;). For instance: LDAP://CN=users,DC=acme,DC=org or LDAP://CN=Sales,CN=users,DC=acme,DC=org; LDAP://CN=Finance,CN=users,DC=acme,DC=org
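The following is an added example, not code from the product or this page, that shows what the three settings above amount to when the lookup runs: the identifier is read from the source account's custom attribute, placed into an LDAP equality filter with RFC 4515 escaping, and searched for only beneath the configured locations, with a result that is missing or ambiguous treated as a failure rather than silently picking an account. The directory is a constructed in-memory list of entries and the function names (resolve_target_dn, find_target_accounts, parse_search_locations) are assumptions of this example, so it runs offline without a server.

```python
"""Added example (not the product's own code): resolve a source account to its
target-directory account by searching a custom attribute within configured locations.
Assumptions: search locations are given as the semicolon-separated "LDAP://..." string
from the procedure; the target directory is a constructed in-memory list of entries."""

# RFC 4515 escaping for values inserted into an LDAP search filter, so an
# identifier read from the source directory cannot alter the filter's meaning.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_search_locations(paths: str) -> list[str]:
    """Split 'LDAP://dn1; LDAP://dn2' into a list of base DNs."""
    bases = []
    for part in paths.split(";"):
        part = part.strip()
        if not part:
            continue
        if not part.upper().startswith("LDAP://"):
            raise ValueError(f"not an LDAP path: {part!r}")
        bases.append(part[len("LDAP://"):])
    return bases


def build_filter(attribute: str, identifier: str) -> str:
    """Equality filter that would be sent to a real server, e.g. (department=111-22-3333)."""
    return f"({attribute}={escape_filter_value(identifier)})"


def dn_in_base(dn: str, base: str) -> bool:
    """True if dn equals base or lies beneath it (subtree scope); simplified string compare."""
    dn_l = dn.lower().replace(", ", ",")
    base_l = base.lower().replace(", ", ",")
    return dn_l == base_l or dn_l.endswith("," + base_l)


def find_target_accounts(directory, locations: str, attribute: str, identifier: str) -> list[str]:
    """Simulated subtree search of each configured base for (attribute=identifier).
    Returns the matching DNs, de-duplicated in case bases overlap."""
    bases = parse_search_locations(locations)
    matches = []
    for base in bases:
        for dn, attrs in directory:
            if dn_in_base(dn, base) and attrs.get(attribute) == identifier and dn not in matches:
                matches.append(dn)
    return matches


def resolve_target_dn(directory, locations: str, attribute: str, identifier: str) -> str:
    """Require exactly one match: no match and an ambiguous match both fail the sync."""
    ldap_filter = build_filter(attribute, identifier)
    matches = find_target_accounts(directory, locations, attribute, identifier)
    if not matches:
        raise LookupError(f"no account matched {ldap_filter} in configured locations")
    if len(matches) > 1:
        raise LookupError(f"ambiguous: {ldap_filter} matched {matches}")
    return matches[0]


# Constructed sample target directory: (dn, attributes). adm-carol carries the same
# identifier as alice but sits outside the configured locations and must not match.
SAMPLE_DIRECTORY = [
    ("CN=alice,CN=Sales,CN=users,DC=acme,DC=org", {"department": "111-22-3333"}),
    ("CN=bob,CN=Finance,CN=users,DC=acme,DC=org", {"department": "444-55-6666"}),
    ("CN=adm-carol,CN=Admins,DC=acme,DC=org", {"department": "111-22-3333"}),
    ("CN=dave,CN=Sales,CN=users,DC=acme,DC=org", {"department": "777-88-9999"}),
    ("CN=dave2,CN=Finance,CN=users,DC=acme,DC=org", {"department": "777-88-9999"}),
]

# The locations string exactly as configured in the procedure above.
LOCATIONS = "LDAP://CN=Sales,CN=users,DC=acme,DC=org; LDAP://CN=Finance,CN=users,DC=acme,DC=org"

# Constructed source account: the custom attribute named in the name mapping settings.
SOURCE_ACCOUNT = {"sAMAccountName": "alice", "employeeID": "111-22-3333"}

if __name__ == "__main__":
    identifier = SOURCE_ACCOUNT["employeeID"]
    print(build_filter("department", identifier))
    print(resolve_target_dn(SAMPLE_DIRECTORY, LOCATIONS, "department", identifier))
```

The scope restriction is what keeps the Admins container out of the result even though an entry there carries the same identifier, which is the practical reason behind the advice to exclude locations holding high-privilege accounts; the ambiguity check matters because a custom attribute, unlike a distinguished name, is not guaranteed unique in the target directory.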
See also the LDAP Provider section on this page.