Updated on 2024-12-30 GMT+08:00

Integrating LDAP

Lightweight Directory Access Protocol (LDAP) is a mature, flexible, and well-supported standards-based mechanism for interacting with directory servers. It is commonly used for authentication and for storing information about users, groups, and applications. OneAccess can import user and organization information from an LDAP directory and synchronize subsequent changes over LDAPv3.

This section describes how to integrate an LDAP identity source with OneAccess.

Configuration Process

Prerequisites

  • You have administrator permissions for the LDAP platform in your enterprise.
  • You have permissions to access the administrator portal.
  • Your LDAP platform can be connected to the OneAccess administrator portal.
  • You are familiar with the LDAP protocol and know how to obtain information about your LDAP server.

Adding an LDAP Identity Source in OneAccess

Configure parameters of the LDAP identity source in OneAccess to ensure that OneAccess can synchronize data from your LDAP server.

  1. Add an identity source in OneAccess.

    1. Log in to the administrator portal.
    2. In the top navigation pane, choose Users > Identity Sources.
    3. On the Identity Sources page, click Add Identity Source in the Operation column of the row that contains LDAP, enter an identity source name, and click OK.

  2. Configure import settings.

    1. In the LDAP identity source list, click View Details in the row that contains the target identity source.

    2. Click the Import Settings tab, set import parameters, and click Save.
      • Basic Settings: Connection parameters for the LDAP server that OneAccess will connect to. Parameters marked * are mandatory.
        Table 1 Basic settings

        * Host
          Host name or IP address of the LDAP server.
          NOTE: OneAccess connects to the directory over the public network, so this must be an address reachable from the Internet. Expose only the TLS-protected LDAP port, restrict inbound connections to it at your firewall as tightly as your environment allows, and do not expose a cleartext LDAP port: an Internet-reachable directory that accepts simple binds without TLS hands the bind password to anyone on the path.

        * TCP Port
          TCP port of the LDAP server. The default is 636, the conventional LDAPS port. If you use StartTLS instead, the port is normally 389.

        SSL
          Default value: true, meaning OneAccess connects over LDAPS, with TLS wrapped around the TCP connection from the first byte.

        StartTLS
          Whether to upgrade a plaintext LDAP connection to TLS with the StartTLS extended operation.
          • true: StartTLS is used. SSL cannot also be true; the two are mutually exclusive ways of establishing TLS.
          • false: StartTLS is not used.

        Verifying certificate
          Whether to verify the server certificate. Valid only when SSL or StartTLS is true.
          • true: verify the certificate. Keep this setting: without verification, anyone who can intercept the connection can present their own certificate and read the principal password and every synchronized record.
          • false: do not verify the certificate.
          The certificate must be issued by a publicly trusted CA; self-signed certificates cannot be used.

        Protocol Version
          TLS version used for the connection. Default value: TLSv1.2. Recommended: TLSv1.3 and TLSv1.2.

        Principal
          Account that OneAccess binds as to read the directory. The value includes the domain name, for example admin@test.com or TEST\admin (these are Active Directory forms; other LDAP servers usually expect the full bind DN of the account). Prefer a dedicated read-only service account whose visibility is limited to the base contexts below over a directory administrator: this credential is stored in a third-party service and is what an attacker who obtains it will replay against your directory.

        Password
          Password of the principal account.

        * Base Contexts
          One or more root nodes of the LDAP tree from which synchronization starts; searches for users and groups begin at these nodes. For example, OU=huaweitest,DC=test,DC=com. Scope them as narrowly as the import allows, since everything beneath them becomes readable to OneAccess.

        UID Attribute
          Name of the LDAP attribute mapped to the UID attribute.

        Account Object Classes
          One or more object classes that identify user entries; they are also used when a new user object is created in the LDAP tree. Enter one object class per line; do not separate them with commas (,) or semicolons (;). Some object classes require all object classes in their class hierarchy to be listed.

      • Optional Settings: password synchronization, account and organization object classes, failover, change log handling, and timeouts. Adjust these only when synchronization fails or the defaults do not match your directory; most can be left at their default values.
        Table 2 Optional settings

        Domain
          Domain names to strip from usernames read from the directory (for example the test.com in user@test.com). Separate multiple domain names with commas (,). By default the domain name is removed from the username.

        Account Username Attributes
          One or more attributes that hold an account's username. During authentication these attributes are used to find the LDAP entry of the username being authenticated.

        Organization Object Classes
          One or more object classes that identify organization entries; they are also used when a new organization object is created in the LDAP tree. Enter one object class per line; do not separate them with commas (,) or semicolons (;). Some object classes require all object classes in their class hierarchy to be listed.

        Organization Name Attributes
          One or more attributes that hold an organization's name, used to find the organization's LDAP entry.

        Failover Servers
          Servers to use when the preferred server fails; JNDI connects to the next available server in the list. Give each server as a standard LDAP v3 URL (RFC 2255, now RFC 4516), for example ldap://ldap.example.com:389/. Only the host and port parts of the URL are used, so the scheme does not select TLS: each failover server must accept the same SSL/StartTLS settings as the preferred server.

        Password Attribute
          Name of the LDAP attribute that stores passwords. When a user's password is changed, the new password is written to this attribute.

        LDAP Filter
          Optional LDAP filter that restricts which accounts are returned from the directory. If no filter is specified, every entry that carries all of the configured account object classes is returned.

        Password Hash Algorithm
          Algorithm the identity system uses to hash passwords before writing them to the directory. SSHA, SHA, SMD5, and MD5 are supported. Leave the value empty only if the LDAP server hashes on write (Netscape Directory Server and iPlanet Directory Server do); otherwise an empty value results in plaintext passwords being stored in LDAP. When the server does not hash, prefer a salted scheme (SSHA or SMD5): unsalted SHA and MD5 produce the same value for the same password and are trivially cracked with precomputed tables.

        Respect Resource Password Policy Change-After-Reset
          If this identity source is the one users authenticate against (it is configured in the login module) and its password policy requires a change after reset, users whose account password was reset by an administrator must change it after they next authenticate successfully.

        Use VLV Controls
          Whether to use Virtual List View (VLV) controls instead of the standard LDAP controls when paging through results. Default value: false.

        VLV Sort Attribute
          Attribute by which results are sorted when VLV is used; it must be VLV-indexed on the server.

        Read Schema
          If TRUE, the connector reads the schema from the server. If FALSE, the connector uses a default schema built from the object classes in the configuration. Extended object classes require TRUE.

        Base Contexts to Synchronize
          One or more starting points in the LDAP tree used to decide whether a change should be synchronized. If not set, Base Contexts is used.

        Object Classes to Synchronize
          Object classes whose changes are synchronized. The change log covers every object, so updates are filtered by the classes listed here. Do not list an object class's superclasses unless you want to synchronize every object of those superclasses: to synchronize only inetOrgPerson entries, list inetOrgPerson alone and leave out its superclasses person, organizationalPerson, and top. All LDAP objects derive from top, so never list it; if you do, nothing is filtered out.

        Attributes to Synchronize
          Names of the attributes to synchronize. When set, change log updates that modify none of the listed attributes are ignored; for example, if only department is listed, only changes affecting department are processed. Leave it blank (the default) to process all changes.

        Filter change mode
          Distinguished names (DNs) whose changes are ignored: every change log entry whose modifiersName matches a listed DN is dropped. To avoid synchronization loops, list the DN that the adapter itself binds as, in the form cn=Directory Manager.

        AD Filter for Accounts to Synchronize
          Optional LDAP filter applied when synchronizing objects. Because the change log covers every object, only objects that match this filter are updated. When a filter is specified, an object is synchronized only if it matches the filter and carries one of the object classes to synchronize.

        Change Log Block Size
          Number of change log entries fetched per query.

        Change Number Attribute
          Name of the change number attribute in change log entries.

        Filter with Or Instead of And
          Normally the filter that fetches change log entries is AND-based and retrieves an interval of change numbers. If this is set, the filter instead ORs together the individual change numbers required.

        Remove Log Entry Object Class from Filter
          If set (the default), the filter that fetches change log entries omits the changeLogEntry object class condition, since the change log contains no entries of other object classes.

        Password Attribute to Synchronize
          Name of the password attribute read during password synchronization.

        Status Management Class
          Class used to manage the enabled/disabled status of identities. If no class is specified, identity status management is not possible.

        Retrieve Passwords with Search
          Whether password values are requested during searches. Default value: No. Leave it disabled unless password synchronization needs it, since it moves stored password values out of the directory on every search.

        DN Attribute
          Name of the attribute holding an entry's DN. Default value: entryDN.

        LDAP Filter
          Optional LDAP filter that restricts which groups are returned from the directory. If no filter is specified, every entry that carries all of the configured group object classes is returned.

        Read Timeout (ms)
          Time to wait for a response; if none arrives in time, the read is aborted. 0 or a negative value means no limit.

        Connection Timeout (ms)
          Time to wait when opening a new server connection. 0 means the TCP network timeout is used, which may be several minutes; a negative value means no limit.

        Account DN Prefix
          Attribute used as the DN prefix of account entries. Default value: cn; uid is a common alternative.

      • Advanced Settings: Policies for mapping top-level organizations, organizations, and users.
        Table 3 Advanced settings

        Scheduled Synchronization
          Time of day at which scheduled synchronization runs.

        Organization
          Parent organization in OneAccess under which organizations from your LDAP server are placed. If not set, a new top-level organization is created automatically.

        Deletion Threshold
          Default value: 20%. A configurable safeguard against mass deletion: when the share of records that the upstream identity source disables or deletes in one run exceeds this threshold, OneAccess does not disable or delete them on receiving the instruction. This keeps a mistaken or malicious bulk change in the directory from being mirrored into OneAccess; check the synchronization records when a run is blocked this way.

        Organization Matching
          Rules for matching organizations synchronized from your LDAP server to organizations in OneAccess. For example, if OneAccess has an organization attribute Code and your LDAP directory has a similar attribute Organization Code, organizations are matched on it and the LDAP organization code becomes the organization code in OneAccess.

        Create Organization
          Enabled by default: OneAccess automatically creates organizations that match no existing organization in OneAccess. Keep it enabled to ensure data integrity.

        Update Organization
          Enabled by default: organizations in OneAccess that match those from the identity source are updated. Keep it enabled to ensure data accuracy.

        Delete Organization
          After organizations have been synchronized from LDAP to OneAccess, deleting organizations in LDAP is subject to the deletion threshold: OneAccess compares the number of deleted organizations with the total number of records synchronized last time. If the ratio is greater than the threshold, the deletion is rejected; if it is less than the threshold, the deletion is applied.

        User Matching
          Rules for matching users synchronized from your LDAP server to users in OneAccess. For example, if OneAccess has a user attribute User ID and your LDAP directory has a similar attribute Employee ID, users are matched on it and the LDAP employee ID becomes the user ID in OneAccess.

        Create User
          Enabled by default: OneAccess automatically creates users that match no existing user in OneAccess. Keep it enabled to ensure data integrity.

        Update User
          Enabled by default: users in OneAccess that match those from the identity source are updated. Keep it enabled to ensure data accuracy.

        Delete User
          After users have been synchronized from LDAP to OneAccess, deleting users in LDAP is subject to the deletion threshold: OneAccess compares the number of deleted users with the total number of users synchronized last time. If the ratio is greater than the threshold, the deletion is rejected; if it is less than the threshold, the deletion is applied.

  3. (Optional) Set the object models.

    Click the Object Models tab. Then add, modify, or delete user and organization attributes and mapping rules.
    Table 4 Object model parameters

    User Object
      Attributes: user attributes in the LDAP identity source.
      Mappings: data conversion rules for synchronizing user data from your LDAP server to OneAccess. Script-based conversion is supported.

    Organization Object
      Attributes: organization attributes in the LDAP identity source.
      Mappings: data conversion rules for synchronizing organization data from your LDAP server to OneAccess. Script-based conversion is supported.

    • Add an attribute.
      1. On the Attribute tab page, click Add. The Add Attribute dialog box is displayed.

      2. Select the optional attributes of the identity source, and enter the display tag and description.
      3. Select a type. When Type is set to Text, you need to set Format.
      4. Set whether the attribute is mandatory and click OK. The attribute is added.
    • Set the mapping rule.

      On the Mapping Definition tab page, click Modify. Set the conversion mode, script expression mode, execution mode, and system user for the mapping rule.
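Before saving the Basic Settings it is worth checking them against the constraints in Tables 1 and 2 and confirming that the server really presents a publicly trusted certificate. The Python below is an added example written for this page, not OneAccess code: the LdapBasicSettings class and its field names are assumptions that mirror the table rows, validate() encodes the SSL/StartTLS exclusion, the port conventions and the cleartext and no-verification pitfalls, parse_failover() extracts the host and port that the Failover Servers setting uses from an RFC 4516 LDAP URL, and probe_ldaps() opens a TLS connection with the same verification settings and reports what was negotiated. ldap.example.com, svc-oneaccess@test.com and the sample DNs are placeholders.

```python
import re
import socket
import ssl
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit


# Hypothetical model of the Table 1 rows; the field names are this example's
# assumptions, not OneAccess identifiers.
@dataclass
class LdapBasicSettings:
    host: str
    tcp_port: int = 636
    use_ssl: bool = True            # "SSL" row: LDAPS
    use_starttls: bool = False      # "StartTLS" row
    verify_certificate: bool = True
    protocol_version: str = "TLSv1.2"
    principal: str = ""
    base_contexts: List[str] = field(default_factory=list)
    failover_servers: List[str] = field(default_factory=list)


TLS_MINIMUM = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def is_dn(value: str) -> bool:
    """Sanity-check a base context: every RDN must look like attr=value.
    A comma escaped with a backslash is part of the value, not a separator."""
    for rdn in re.split(r"(?<!\\),", value):
        if "=" not in rdn:
            return False
        attr, val = rdn.split("=", 1)
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr.strip()) or not val.strip():
            return False
    return True


def parse_failover(url: str):
    """Return (host, port) from an LDAP URL (RFC 4516, formerly RFC 2255).
    Only host and port matter for Failover Servers; a missing port defaults
    to 389 for ldap:// and 636 for ldaps://."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an ldap:// or ldaps:// URL with a host: %r" % url)
    return parts.hostname, parts.port or (636 if parts.scheme == "ldaps" else 389)


def validate(s: LdapBasicSettings) -> List[str]:
    """Return the list of configuration problems; empty means the settings are coherent."""
    problems = []
    if s.use_ssl and s.use_starttls:
        problems.append("SSL and StartTLS are mutually exclusive; enable only one")
    if not (s.use_ssl or s.use_starttls):
        problems.append("no TLS: the bind password and directory data would cross the public network in cleartext")
    if (s.use_ssl or s.use_starttls) and not s.verify_certificate:
        problems.append("certificate verification disabled: an on-path attacker can present any certificate and capture the bind credential")
    if s.use_ssl and s.tcp_port == 389:
        problems.append("SSL on port 389: LDAPS conventionally listens on 636; 389 is the plaintext/StartTLS port")
    if s.use_starttls and s.tcp_port == 636:
        problems.append("StartTLS on port 636: StartTLS begins on the plaintext port, normally 389")
    if s.protocol_version not in TLS_MINIMUM:
        problems.append("unsupported protocol version %r; use TLSv1.2 or TLSv1.3" % s.protocol_version)
    problems += ["base context is not a DN: %r" % bc for bc in s.base_contexts if not is_dn(bc)]
    for url in s.failover_servers:
        try:
            parse_failover(url)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def tls_context(s: LdapBasicSettings) -> ssl.SSLContext:
    """Client TLS context implied by the Verifying certificate and Protocol Version rows."""
    ctx = ssl.create_default_context()  # system CA store, hostname check, CERT_REQUIRED
    ctx.minimum_version = TLS_MINIMUM[s.protocol_version]
    if not s.verify_certificate:  # the "false" setting, made explicit so the downgrade is visible
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe_ldaps(s: LdapBasicSettings, timeout: float = 5.0) -> dict:
    """Connect as OneAccess would with SSL=true and report the negotiated TLS version
    and certificate subject. Needs network access; a failed verification raises ssl.SSLError."""
    with socket.create_connection((s.host, s.tcp_port), timeout=timeout) as raw:
        with tls_context(s).wrap_socket(raw, server_hostname=s.host) as tls:
            cert = tls.getpeercert() or {}
            return {"tls_version": tls.version(),
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "not_after": cert.get("notAfter")}


if __name__ == "__main__":
    proposed = LdapBasicSettings(
        host="ldap.example.com",  # placeholder host, not a real server
        principal="svc-oneaccess@test.com",
        base_contexts=["OU=huaweitest,DC=test,DC=com"],
        failover_servers=["ldap://ldap2.example.com:389/"],
    )
    for problem in validate(proposed):
        print("PROBLEM:", problem)
    # print(probe_ldaps(proposed))  # uncomment once the host is reachable from where you run this
```

The probe only exercises the TLS layer; to confirm the principal and base context as well, a bind-and-search with a standard client such as `ldapsearch -H ldaps://ldap.example.com:636 -D 'svc-oneaccess@test.com' -W -b 'OU=huaweitest,DC=test,DC=com' -s base` from a host with the same public route is the closest equivalent of what OneAccess does on Save.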
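The Password Hash Algorithm row in Table 2 only matters when OneAccess writes passwords to the directory, but the consequence of leaving it empty is easy to underestimate. The Python below is an added example, not OneAccess code: it produces the {scheme}-prefixed userPassword values (RFC 2307 style) for the four supported schemes, returns the bare password when no scheme is set, which is what lands in a directory that does not hash on write, verifies a stored value of any of those forms in constant time, and flags the storage forms a practitioner should not accept. The helper names are this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Scheme name -> (hashlib algorithm, salted?). These are the four values the
# Password Hash Algorithm row accepts; the salted forms store digest || salt.
SCHEMES = {
    "SSHA": ("sha1", True),
    "SHA": ("sha1", False),
    "SMD5": ("md5", True),
    "MD5": ("md5", False),
}


def hash_ldap_password(password: str, scheme: Optional[str], salt: Optional[bytes] = None) -> str:
    """Return the userPassword value written for `scheme`.

    scheme=None models an empty Password Hash Algorithm: the plaintext password
    is written as-is, which is only safe if the server itself hashes on write.
    """
    if scheme is None:
        return password
    algo, salted = SCHEMES[scheme.upper()]
    data = password.encode("utf-8")
    if salted:
        salt = os.urandom(8) if salt is None else salt
        blob = hashlib.new(algo, data + salt).digest() + salt
    else:
        blob = hashlib.new(algo, data).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(blob).decode("ascii"))


def check_ldap_password(password: str, stored: str) -> bool:
    """Verify `password` against a stored userPassword value of any supported form."""
    if not stored.startswith("{"):
        # No scheme prefix: the directory holds the plaintext password.
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
    scheme, encoded = stored[1:].split("}", 1)
    algo, salted = SCHEMES[scheme.upper()]
    blob = base64.b64decode(encoded)
    digest_len = hashlib.new(algo).digest_size
    salt = blob[digest_len:] if salted else b""
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, blob[:digest_len])


def is_weak_storage(stored: str) -> Optional[str]:
    """Explain why a stored value is weak, or return None for a salted scheme."""
    if not stored.startswith("{"):
        return "plaintext: no hash scheme was applied and the server did not hash on write"
    scheme = stored[1:].split("}", 1)[0].upper()
    if scheme not in SCHEMES:
        return "unknown scheme %s" % scheme
    if not SCHEMES[scheme][1]:
        return "unsalted %s: equal passwords give equal values and precomputed tables apply" % scheme
    return None


if __name__ == "__main__":
    for scheme in (None, "MD5", "SHA", "SMD5", "SSHA"):
        stored = hash_ldap_password("hunter2", scheme)  # constructed sample password
        print("%-5s %-45s %s" % (scheme, stored, is_weak_storage(stored) or "ok"))
```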

Verifying Synchronization of LDAP Data

  • Synchronization via import
    1. In the LDAP identity source list, click View Details in the row that contains the target identity source. Click the Synchronization tab, and click Execute. OneAccess synchronizes user and organization data from the LDAP identity source, and generates operation records.
    2. Click View Details in the row that contains the target record to view details.
    3. View the synchronized users and organizations on the Organizations and Users page.
  • Scheduled synchronization: If you have configured the time for scheduled synchronization in the Advanced Settings section of the Import Settings tab page, view the records on the Scheduled Synchronization page.
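The change log rows in Table 2 and the Deletion Threshold in Table 3 are easiest to understand by running their rules over a few records. The Python below is an added example for this page, not OneAccess code, and the directory contents are constructed: select_changes() applies the Object Classes to Synchronize, Attributes to Synchronize and modifiersName filters to a small change log (and shows how listing top defeats the object-class filter), and plan_deletions() applies the Deletion Threshold to users that are missing from a full import. Where the page does not define a case (a ratio exactly equal to the threshold, add/delete entries under an attribute filter), the code states its assumption in a comment.

```python
from typing import Dict, Iterable, List, Sequence

# Constructed change log, modelled on cn=changelog entry attributes
# (changeNumber, targetDN, changeType, changes, modifiersName). objectClass is
# that of the target entry, which a connector would look up; it is embedded
# here so the example runs offline. None of this is real directory data.
CHANGELOG = [
    {"changeNumber": 101, "changeType": "modify",
     "targetDN": "uid=alice,ou=people,dc=test,dc=com",
     "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
     "changes": {"department": ["Finance"]},
     "modifiersName": "uid=hr-feed,ou=svc,dc=test,dc=com"},
    {"changeNumber": 102, "changeType": "modify",
     "targetDN": "uid=bob,ou=people,dc=test,dc=com",
     "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
     "changes": {"department": ["Sales"]},
     "modifiersName": "cn=Directory Manager"},  # written by the adapter's own bind account
    {"changeNumber": 103, "changeType": "modify",
     "targetDN": "cn=finance,ou=groups,dc=test,dc=com",
     "objectClass": ["top", "groupOfNames"],
     "changes": {"member": ["uid=alice,ou=people,dc=test,dc=com"]},
     "modifiersName": "uid=hr-feed,ou=svc,dc=test,dc=com"},
    {"changeNumber": 104, "changeType": "modify",
     "targetDN": "uid=carol,ou=people,dc=test,dc=com",
     "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
     "changes": {"telephoneNumber": ["+1 555 0100"]},
     "modifiersName": "uid=hr-feed,ou=svc,dc=test,dc=com"},
    {"changeNumber": 105, "changeType": "delete",
     "targetDN": "uid=dave,ou=people,dc=test,dc=com",
     "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
     "changes": {},
     "modifiersName": "uid=hr-feed,ou=svc,dc=test,dc=com"},
]


def select_changes(entries, object_classes, attributes=(), modifiers_to_filter=()) -> List[int]:
    """Return the change numbers that survive the three change log filters."""
    wanted_classes = {c.lower() for c in object_classes}
    wanted_attrs = {a.lower() for a in attributes}
    ignored = {m.lower() for m in modifiers_to_filter}
    selected = []
    for e in entries:
        # Loop avoidance: drop changes made by the adapter's own bind account.
        if e["modifiersName"].lower() in ignored:
            continue
        # Object-class filter: the target must carry at least one listed class.
        # Listing "top" matches every entry, since all LDAP objects derive from it.
        if not wanted_classes & {c.lower() for c in e["objectClass"]}:
            continue
        # Attribute filter: a modify that touches none of the listed attributes is
        # ignored. Assumption: add/delete entries carry no attribute list and pass.
        if wanted_attrs and e["changeType"] == "modify":
            if not wanted_attrs & {a.lower() for a in e["changes"]}:
                continue
        selected.append(e["changeNumber"])
    return selected


def plan_deletions(previous_ids: Sequence[str], current_ids: Iterable[str],
                   threshold: float = 0.20) -> Dict:
    """Decide whether the users missing from this import may be deleted.

    ratio = missing / records synchronized last time. The page defines only the
    strictly greater (reject) and strictly less (apply) cases; this example treats
    ratio == threshold as exceeding it and rejects, the conservative choice.
    """
    missing = sorted(set(previous_ids) - set(current_ids))
    ratio = len(missing) / len(previous_ids) if previous_ids else 0.0
    return {"missing": missing, "ratio": ratio, "apply": ratio < threshold}


if __name__ == "__main__":
    print("inetOrgPerson + department, adapter DN filtered:",
          select_changes(CHANGELOG, ["inetOrgPerson"], ["department"], ["cn=Directory Manager"]))
    print("top listed (nothing filtered):", select_changes(CHANGELOG, ["top"]))
    previous = ["u%d" % i for i in range(10)]  # constructed: 10 users synchronized last time
    print("3 of 10 missing:", plan_deletions(previous, previous[:7]))
```

With the adapter's own DN in the modifiersName filter, the connector's writes (change 102) are not echoed back; with only inetOrgPerson listed, the group modification (103) is skipped; with department as the only attribute to synchronize, the phone-number change (104) is ignored while the delete (105) still flows. The 3-of-10 case trips the 20% default and is rejected, which is the behaviour you want if the upstream HR feed ever empties an OU by mistake.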