The PingDirectory server provides an identity mapper framework that allows it to identify the user entry that corresponds to a provided identifier such as a username or a Kerberos principal.
Out-of-the-box support is provided for two types of identity mappers:
- Exact Match
- The server performs an internal search to find entries in which the provided identifier
exactly matches the value of one of a specified set of attributes in the user’s
entry. The default instance of the exact match identity mapper is configured to
match any user entry whose
jdoe”, then the identity mapper would perform an internal search with a filter of “
- Regular Expression
- The server uses a regular expression to transform the provided identifier in some way, and
then looks for an entry that contains the resulting value in one of a specified
set of attributes. The default instance of the regular expression identity
mapper is configured to strip off an at sign and anything after it in the
provided username, and then to search for any entries that have the resulting
string as a value for the
uidattribute. For example, if the provided identifier is “
jdoe@EXAMPLE.COM”, then the mapper would perform an internal search with a filter of “
It is also possible to use the UnboundID Server SDK to create custom identity mapper implementations if those provided by the server are not sufficient.
The identity mapper must be able to identify exactly one entry that corresponds to the given identifier. If it cannot find any appropriate entries, or if it finds multiple matching entries, then the identity mapping attempt fails.