PingDirectory

Identity mapping

The PingDirectory server provides an identity mapper framework that allows it to identify the user entry that corresponds to a provided identifier such as a username or a Kerberos principal.

Out-of-the-box support is provided for two types of identity mappers:

Exact Match

The server performs an internal search to find entries in which the provided identifier exactly matches the value of one of a specified set of attributes in the user’s entry. The default instance of the exact match identity mapper is configured to match any user entry whose uid or mail attribute contains a value that matches the provided identifier. For example, if the provided identifier is “jdoe”, then the identity mapper would perform an internal search with a filter of “(|(uid=jdoe)(mail=jdoe))”.

Regular Expression

The server uses a regular expression to transform the provided identifier in some way, and then looks for an entry that contains the resulting value in one of a specified set of attributes. The default instance of the regular expression identity mapper is configured to strip off an at sign and anything after it in the provided username, and then to search for any entries that have the resulting string as a value for the uid attribute. For example, if the provided identifier is “jdoe@EXAMPLE.COM”, then the mapper would perform an internal search with a filter of “(uid=jdoe)”.

It is also possible to use the UnboundID Server SDK to create custom identity mapper implementations if those provided by the server are not sufficient.

The identity mapper must be able to identify exactly one entry that corresponds to the given identifier. If it cannot find any appropriate entries, or if it finds multiple matching entries, then the identity mapping attempt fails.
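The following sketch models the two mapper types and the exactly-one-entry rule described above. It is an added example, not PingDirectory or Server SDK code. The sample entries, the function names and the `@.*$` pattern are assumptions made for illustration. It also goes one step beyond the text by escaping the identifier per RFC 4515 before placing it in a filter, so a value such as `*` is treated as a literal.

```python
import re

# Constructed sample directory (assumption, not from the documentation): DN -> attributes.
DIRECTORY = {
    "uid=jdoe,ou=People,dc=example,dc=com": {"uid": ["jdoe"], "mail": ["jdoe@example.com"]},
    "uid=asmith,ou=People,dc=example,dc=com": {"uid": ["asmith"], "mail": ["shared@example.com"]},
    "uid=bjones,ou=People,dc=example,dc=com": {"uid": ["bjones"], "mail": ["shared@example.com"]},
}

# RFC 4515 characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Keep the identifier a literal value rather than filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(identifier, attrs):
    """Build the equality filter the mapper would search with."""
    parts = ["(%s=%s)" % (a, escape_filter_value(identifier)) for a in attrs]
    return parts[0] if len(parts) == 1 else "(|" + "".join(parts) + ")"

def search(identifier, attrs):
    """Stand-in for the internal search: case-insensitive equality on attrs."""
    wanted = identifier.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if any(wanted == v.lower() for a in attrs for v in entry.get(a, []))]

def map_identity(identifier, attrs, pattern=None, replacement=""):
    """Return (filter, dn); dn is None unless exactly one entry matches."""
    if pattern is not None:  # regular expression mapper: transform first
        identifier = re.sub(pattern, replacement, identifier)
    matches = search(identifier, attrs)
    # Zero matches and multiple matches are both mapping failures.
    dn = matches[0] if len(matches) == 1 else None
    return build_filter(identifier, attrs), dn

if __name__ == "__main__":
    print(map_identity("jdoe", ["uid", "mail"]))                 # exact match
    print(map_identity("jdoe@EXAMPLE.COM", ["uid"], r"@.*$"))    # regex, strips "@..."
    print(map_identity("shared@example.com", ["uid", "mail"]))   # two entries: fails
    print(map_identity("*", ["uid"]))                            # literal "*": fails
```

The `shared@example.com` case shows why attributes used for mapping should hold unique values: two entries sharing a value make every mapping attempt for that identifier fail.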