Data provisioning

Prerequisites

For LDAP provisioning, an account with administrative access to the directory is required. The account must have rights to create, update, and delete the relevant objects. Scope those rights to the containers the connector manages rather than granting directory-wide administrative rights, and store the password only in the connector configuration.

Provisioning configuration

Setting: Description

Host: Type the host name of the LDAP server.
Port: Type the port number to connect to on that host. Plain LDAP normally uses 389 and LDAP over SSL uses 636.
Use SSL: Enable this to connect over a secured (TLS) connection. Remember to update the port accordingly.
Skip certificate check: Enable this option to skip validation of the server certificate. This can be useful when you use self-signed certificates, but it also removes the protection the certificate gives against connecting to an impersonated server, so the bind password and all directory data could be exposed to a man-in-the-middle. Prefer adding the self-signed certificate, or the CA that issued the server certificate, to the trust store of the host that runs the connector and leaving this option disabled.
Base DN: Type the Base DN to associate with this query. If you leave this field empty, the query uses the Base DN that you typed under Connection details.
Authentication: Select an authentication protocol. You can select: Anonymous, Basic, Digest, Dpa, External, Kerberos, Msn, Negotiate, Ntlm, Sicily. Basic sends the password to the server unencrypted, so only use it together with Use SSL. Anonymous binds normally have no write access and are therefore not suitable for provisioning.
User name: Type the user name to use for provisioning. If you leave this field blank, the user name specified for importing is used. Bear in mind that some LDAP directories require this user name to be a DistinguishedName.
Password: Type the password associated with the user, if you have entered a user name in the field above.
Domain: Type the name of the domain to associate with the LDAP connector.
Common name attribute: Type the name of the common name attribute, for example CN.
Search attribute: Type the name of the attribute to use when searching for existing objects.
Scope of search: Choose the scope for searching among existing objects. You can choose: Base, One-level, Sub-tree.
Disable schema validation: Enable this setting to stop the connector from validating the directory schema.
Request timeout: Specify the number of seconds a request may take before it fails.
Test connection: Enable this setting to let the system check whether the connection details are correct.

Data model

The data model for the LDAP connector is determined by the schema of the particular directory. For each object type you want to provision, create an objectType and add a property element for each attribute you want to maintain on the object.

Each object must have a property named DN, which holds the DistinguishedName of the object. Each object must also have a property with the same name as the attribute chosen as Common name attribute in the connector configuration.

Object type details

The LDAP connector has four object type details that you can specify for the different objects: multiObject controls which object classes new objects are created with, and searchBaseDn, searchScope and searchTemplate control the search for existing objects. All of the parameters are optional.

Name: Description

multiObject: When you create new objects with the LDAP connector, you can specify which object classes they are created with. Add the following property to the data model: <property name="objectClass" multiValued="true" />
searchBaseDn: If you specify a searchBaseDn, the lookup of an existing object starts from this location rather than from the Base DN specified on the connector.
searchScope: Use this to override the search scope specified for the connector. The possible values are: Base (search only the specified base object), OneLevel (search the child objects of the base object, but not the base object itself), Subtree (search the base object and all child objects).
searchTemplate: By default the connector looks up the object with the LDAP filter (&({0}={1})(objectClass={2})). The numbers in curly brackets are placeholders: {0} is the specified searchAttribute, {1} is the object ID on the task, and {2} is the object type. Use this parameter to override the filter. You can leave out placeholders and use them multiple times. Note that {1} is taken from the provisioning task and substituted into the filter, so test how object IDs that contain the RFC 4515 filter metacharacters ( ) * and \ behave against your directory before relying on a custom template.
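The filter above is built by substituting task data into a template. The following added example, which is not the connector's own code and does not describe how the connector itself escapes values, renders the default searchTemplate and a custom one in Python, escaping the substituted values as RFC 4515 requires, and shows next to it what an unescaped substitution would produce. The attribute name sAMAccountName, the object type user and the sample object IDs are assumptions used for illustration only.

```python
# Added example, not the connector's own code. Renders the connector's
# default searchTemplate and custom templates, escaping the values that are
# substituted into the filter as RFC 4515 requires. Placeholders follow the
# page: {0} search attribute, {1} object ID from the task, {2} object type.

DEFAULT_TEMPLATE = "(&({0}={1})(objectClass={2}))"

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value, each replaced by a backslash and its two-digit hex code.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(object_id: str, object_type: str,
                         search_attribute: str = "sAMAccountName",
                         template: str = DEFAULT_TEMPLATE) -> str:
    """Fill a searchTemplate. The attribute name ({0}) is not an assertion
    value and is left as-is; the object ID ({1}) and object type ({2}) are
    escaped. str.format lets a template omit or repeat placeholders, which
    matches what the page says about searchTemplate."""
    return template.format(search_attribute,
                           escape_filter_value(object_id),
                           escape_filter_value(object_type))


def unescaped_search_filter(object_id: str, object_type: str,
                            search_attribute: str = "sAMAccountName") -> str:
    """Substitution without escaping, shown only to make the risk visible:
    an object ID such as 'a)(cn=*' turns into a different but still valid
    filter with an extra wildcard clause."""
    return DEFAULT_TEMPLATE.format(search_attribute, object_id, object_type)


if __name__ == "__main__":
    # Constructed sample values; sAMAccountName and "user" are assumptions.
    for oid in ("jdoe", "O'Brien", "a)(cn=*"):
        print(render_search_filter(oid, "user"))
        print("  unescaped:", unescaped_search_filter(oid, "user"))
    # A custom template that repeats {1} and leaves out {0} and {2}.
    print(render_search_filter("jdoe", "user", template="(|(uid={1})(mail={1}))"))
```

Run it to compare the escaped and unescaped forms for the three sample IDs; the last line shows a template that reuses {1} and omits the other two placeholders, as the page permits.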

Task Mappings

Omada LDAP Connectivity does not provide any standard mappings for LDAP directories.

Advanced provisioning configuration

Move and rename

The LDAP connector supports moving and renaming objects. The connector detects automatically whether an object should be moved or renamed by first looking up the object. The lookup uses the ObjectID on the provisioning task: the object's ID value is matched against the attribute specified as Search attribute in the connector configuration. If the object is found and its current DN differs from the DN on the task, the connector moves or renames it instead of creating a new object.
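The decision the lookup enables can be written out as follows. This is an added example in Python, not the connector's own code: given the DN returned by the lookup on the Search attribute and the DN the provisioning task asks for, it decides between no change, a rename (different leading RDN), a move (different parent container), or both, and falls back to a create when the lookup found nothing. DNs are treated as RFC 4514 strings with backslash-escaped commas; the sample DNs under DC=example,DC=com are constructed for illustration.

```python
# Added example, not the connector's own code. Given the DN returned by the
# lookup on the Search attribute and the DN the provisioning task asks for,
# decide whether the object needs no change, a rename (different RDN), a move
# (different parent container), or both. DNs are handled as RFC 4514 strings;
# the sample DNs under DC=example,DC=com are constructed for illustration.

from typing import List, Optional


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs on commas that are not backslash-escaped,
    so a value such as 'Doe\\, John' stays inside one RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def normalize_rdn(rdn: str) -> str:
    """Attribute types are case-insensitive by definition; values are
    folded too, which matches Active Directory and the usual CN/OU/DC
    matching rules but not a directory that uses exact-match attributes."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def classify_change(current_dn: str, target_dn: str) -> str:
    """Return 'none', 'rename', 'move' or 'move_and_rename'."""
    current = [normalize_rdn(r) for r in split_dn(current_dn)]
    target = [normalize_rdn(r) for r in split_dn(target_dn)]
    renamed = current[0] != target[0]       # leading RDN differs
    moved = current[1:] != target[1:]       # parent container differs
    if renamed and moved:
        return "move_and_rename"
    if renamed:
        return "rename"
    if moved:
        return "move"
    return "none"


def plan_operation(lookup_dn: Optional[str], target_dn: str) -> str:
    """lookup_dn is None when the search on the Search attribute found
    nothing, in which case the object has to be created instead."""
    if lookup_dn is None:
        return "create"
    return classify_change(lookup_dn, target_dn)


if __name__ == "__main__":
    staff = "CN=John Doe,OU=Staff,DC=example,DC=com"
    print(plan_operation(None, staff))
    print(plan_operation(staff, "CN=John Doe,OU=Contractors,DC=example,DC=com"))
    print(plan_operation("CN=Doe\\, John,OU=Staff,DC=example,DC=com", staff))
```

The case folding in normalize_rdn is the one assumption to check against your directory: if the RDN attribute uses an exact-match rule, compare the values as-is so that a change in letter case is reported as a rename.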

Task mappings

You can add your custom values to the task mapping in this way. Both mappings below add a value to the multi-valued objectClass attribute, so the data model must declare objectClass as multiValued (see multiObject under Object type details):

<fieldMapping name="objectClass" dataType="stringType" multiValued="true" action="add" mappingType="Constant">User</fieldMapping>

<fieldMapping name="objectClass" dataType="stringType" multiValued="true" action="add" mappingType="Constant">SecurityPrincipal</fieldMapping>