PingOne Advanced Identity Cloud

LDAP

The LDAP application template allows you to provision users and groups to an LDAP directory.

Register the application

  1. In the Advanced Identity Cloud admin console, go to Applications, and click Browse App Catalog.

  2. In the Browse App Catalog modal, select the LDAP application, and click Next.

    Select the latest application version.

  3. Review the Application Integration information, and click Next.

  4. In the Application Details window, specify the name, description, application owners, and logo for the application.

  5. To make the application an Authoritative source of identity data, select the Authoritative check box. This option is not available for every application.

  6. Click Create Application.

Configure provisioning

  1. In the Advanced Identity Cloud admin console, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you have not configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it is automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The hostname or IP address of the LDAP directory server.

    Port

    The port for connecting to the LDAP directory server. The standard ports are 389 for plain LDAP (and StartTLS) and 636 for LDAP over SSL/TLS.

    Use SSL

    Enable to connect to the LDAP directory server over SSL/TLS. Without it, the bind credentials and everything synchronized, including passwords being provisioned, cross the network in cleartext.

    Login Account DN

    The distinguished name of the account used to bind to the directory, for example cn=provisioner,ou=service accounts,dc=example,dc=com. Use a dedicated service account that holds only the rights the provisioning operations need, rather than a directory manager or administrator account.

    Password

    The password for the login account.

    Base DNs for LDAP users and groups

    The base contexts (the DNs of the subtrees) under which users and groups are searched for and created, for example ou=people,dc=example,dc=com and ou=groups,dc=example,dc=com.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To connect only a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose whether All or Any of the conditions must be met.

        2. Set the conditions for the filter.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To connect only a subset of groups by applying a query filter based on group attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose whether All or Any of the conditions must be met.

        2. Set the conditions for the filter.

      • To use a query to apply a filter to groups:

        1. Click Advanced Editor.

        2. Edit the query code.

    The query in the Advanced Editor is an LDAP search filter. If you paste literal values into it, escape the characters *, (, ) and \ as \2a, \28, \29 and \5c so that a value cannot widen the filter and pull in entries you did not intend to provision.

  5. To retrieve entries in blocks rather than in a single search result, enable Use Block-based controls.

  6. To prefer the LDAP Paged Results control over the Virtual List View (VLV) control when retrieving entries in blocks, enable Use Paged Results control. This setting only takes effect when Use Block-based controls is enabled. The default value is false.

  7. To set the name of the attribute that holds the change number in changelog entries, set the Change Number Attribute field. The default value is changeNumber.

  8. To set the object classes an entry must have to be treated as a user during synchronization, add classes to the Object Classes to synchronize field. The default value is inetOrgPerson.

  9. To set the attribute to sort on when retrieving entries with the VLV control, set the Virtual List View (VLV) Sort Attribute field. The default value is uid. The directory server needs a VLV index on this attribute for such searches to be indexed.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is userPassword.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is true.

  12. To have Advanced Identity Cloud update the groups that reference an entry when that entry is renamed or deleted, enable Maintain LDAP Group Membership. The default value is false.

  13. To specify the group attribute to update with the DN of newly added users, set the Group Member Attribute field. The default value is uniqueMember.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set the UID Attribute field. The default value is entryUUID.

  15. To use entry modification timestamps as the liveSync token instead of the changelog, select Timestamp for Sync Token. Use this when the directory does not expose a changelog; note that timestamp-based liveSync cannot detect entries that were deleted, because a deleted entry has no timestamp left to compare.

  16. To send only the properties that changed to the target resource, select Exclude Unmodified.

  17. Click Connect.

  18. Verify the information in the Details tab.
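The following is an added example, not code from PingOne Advanced Identity Cloud or from this page. It shows what the Filter users and Filter groups settings amount to on the wire: required object classes ANDed with the manual conditions, which are joined with & for All or | for Any, with every literal value escaped per RFC 4515 so that a value such as *)(uid=* cannot break out of its assertion. It also builds the filter for the next liveSync poll in both sync-token modes from step 15. The condition operator names (equals, starts_with, present) and the exact shape of the liveSync filters are assumptions made for the example; the product's own filters may differ.

```python
"""
Added example (not part of PingOne Advanced Identity Cloud or this page):
builds the LDAP search filters that the Filter users / Filter groups settings
describe, escaping literal values per RFC 4515, and builds the liveSync filter
for the two sync token modes. Operator names and the liveSync filter shapes are
assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4512 attribute description: a descriptor, optionally followed by ;options.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape a literal value for use in an equality or substring assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class Condition:
    """One row of the manual filter UI (operator names are assumptions)."""
    attribute: str
    op: str          # "equals", "starts_with" or "present"
    value: str = ""

    def render(self) -> str:
        # Attribute names are not escapable, so they are validated instead.
        if not _ATTR_RE.match(self.attribute):
            raise ValueError(f"invalid attribute name: {self.attribute!r}")
        if self.op == "present":
            return f"({self.attribute}=*)"
        v = escape_filter_value(self.value)   # can no longer contain a bare '*', '(' or ')'
        if self.op == "equals":
            return f"({self.attribute}={v})"
        if self.op == "starts_with":
            return f"({self.attribute}={v}*)"   # only the trailing '*' is a wildcard
        raise ValueError(f"unsupported operator: {self.op!r}")


def build_filter(object_classes: Iterable[str], conditions: Iterable[Condition],
                 match: str = "all") -> str:
    """
    Combine the required object classes (always ANDed, like the User Object
    Classes field) with the conditions joined by & (All) or | (Any).
    """
    if match not in ("all", "any"):
        raise ValueError("match must be 'all' or 'any'")
    parts = [f"(objectClass={escape_filter_value(oc)})" for oc in object_classes]
    rendered = [c.render() for c in conditions]
    if len(rendered) == 1:
        parts.append(rendered[0])
    elif rendered:
        parts.append(("(&" if match == "all" else "(|") + "".join(rendered) + ")")
    if not parts:
        raise ValueError("filter would match every entry; give an object class or a condition")
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def livesync_filter(base_filter: str, token: str, use_timestamps: bool,
                    change_number_attribute: str = "changeNumber") -> str:
    """
    Filter for the next liveSync poll. With Timestamp for Sync Token the token
    is a generalized time and the search runs under the base DN; otherwise the
    token is the last changeNumber processed and the search runs against the
    changelog. Both shapes are simplified assumptions, not the connector's code.
    """
    if use_timestamps:
        t = escape_filter_value(token)
        return f"(&{base_filter}(|(createTimestamp>={t})(modifyTimestamp>={t})))"
    return f"({change_number_attribute}>={int(token) + 1})"


if __name__ == "__main__":
    conds = [Condition("ou", "equals", "Engineering"), Condition("l", "equals", "Austin")]
    print(build_filter(["inetOrgPerson"], conds, "any"))
    # A value copied from an untrusted attribute cannot break out of its assertion:
    print(build_filter(["inetOrgPerson"], [Condition("cn", "equals", "*)(uid=*")]))
    print(livesync_filter("(objectClass=inetOrgPerson)", "20240101000000Z", True))
```

Run the resulting filter with ldapsearch against the same Login Account DN and base DN you enter in the Connection settings before clicking Connect; the number of entries it returns is the number of users or groups the connector will see.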

Provision side tabs

The object type determines the side tabs that display on the Provisioning tab. Use the object type list to select an object type, such as Group. Afterward, you can configure properties in the different sub-tabs under the Provisioning tab.

Sub-tabs under the Provisioning tab

Details

View and manage an application, including name, ID, and native type.

Related section: Provision settings for an application.

Properties

View and manage properties for the selected object type.

Data

View data about the selected object type.

Mapping

View and manage mappings from Advanced Identity Cloud properties to external system properties, and from external system properties to Advanced Identity Cloud properties.

Reconciliation

Preview mappings between external systems and Advanced Identity Cloud on target applications, and reconcile the data between the two systems.

View and manage rules for the users and groups that use your application.

View and manage schedules for Full and Incremental reconciliation.

Privacy & Consent

Manage end-user data sharing and synchronization.

Rules

View and manage provisioning rules for mappings between Advanced Identity Cloud and a target application.

Advanced Sync

Create and manage mappings between an identity profile and an application or between applications.