Configure an LDAP directory

Configure an LDAP directory to on-board users and groups that are stored in an LDAP directory other than Active Directory. When configured, users can use their LDAP directory password for first-factor authentication.

Add an LDAP directory

1.      Click > Resources > Directories. The Directories List page appears.

2.      Click and select LDAP Directory (on-premise) from the drop-down list. The General Settings page appears.

3.      Enter a Directory Name to identify your Directory.

4.      In the Connection Settings section, do the following:

a.      Enter your directory administrator Username and Password.

b.      Select Use SSL if you want secure communication to the directory. This setting controls which protocol to use when talking to the default domain controller. While optional, it is highly recommended that you use an SSL connection. 

c.      To add more Directory Servers, click Add. The Directory Server dialog box appears.

Note: Explicit directory servers are optional. Only specify them if you need to manually control which domain controllers the LDAP directory connects to, and in which order of preference.

d.      In the Hostname field, enter the host name of the AD server. This can be either a host name or an IP address.

e.      In the Port field, enter the port the directory communicates on.

f.        Optional: Select Use SSL if you want secure communication to the directory. While optional, it is highly recommended that you use an SSL connection. Password reset, password change, and password unlock are only allowed over an SSL connection.

5.      Set the SearchBases and Group Filters as follows:

6.      In the SearchBases & Group Filters section, specify which users and groups are synchronized. These settings are optional.

a.      Enter the Root Domain Naming Context (for example, DC=AnyCorp,DC=biz). SearchBases are combined with your Root Domain Naming Context. For example, the SearchBase DC=Users would combine with the Root Domain Naming Context DC=AnyCorp,DC=biz to form DC=Users,DC=AnyCorp,DC=biz.

  If you do not specify any SearchBases then all search bases under the root context are searched for users.

  If you do specify SearchBases, then only those search bases under the root context are searched for users.

b.      Click Add to add SearchBases.

When specifying a SearchBase, Include Subtree is selected by default. When Include Subtree is selected, all subtrees under your SearchBase are searched for users. Click the icon to exclude the subtree. When Exclude Subtree is selected, only entries immediately in your SearchBase are searched. For example, with Include Subtree selected, if you have the SearchBase ou=department with the subtrees ou=sales and ou=marketing, all users in ou=department and in the subtrees ou=sales and ou=marketing are synchronized.

c.      Click Add to add more SearchBases.

d.      Optional. Under Group Filters, click Add.

e.      In the Group Filter field enter the name of the group that you want to filter. For example, enter Sales to sync all users in the Sales Department. By default all groups are synchronized.

Note: If there are no group filters set, all users are imported. If there is more than one group filter set, the user must belong to one of the groups identified by the group filters. Only enter one value per Group Filter text box.

The Group Filter includes the main group, its subgroups, and their subgroups. For example, a group called Administrator with a subgroup called Identity as a Service that contains two subgroups called Auditors and Users would filter for users in the Administrator group, the Identity as a Service subgroup, and the Auditors and Users subgroups.

f.        Optional: Click Add to add more group filters.
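The SearchBase composition, the Include Subtree / Exclude Subtree scope, and the nested Group Filter rules from step 6, worked through in Python against a small constructed in-memory directory. This is an added example, not Identity as a Service or Gateway code; the directory entries, the member and cn attribute names, and the function names are assumptions made for the illustration.

```python
"""Search scope and group-filter semantics from the SearchBases & Group
Filters section, run against a small constructed in-memory directory.

Added example code, not Identity as a Service or Gateway code: the entry
set, the 'member' and 'cn' attribute names and the function names are
assumptions chosen for the illustration.
"""

ROOT_CONTEXT = "DC=AnyCorp,DC=biz"  # Root Domain Naming Context from the text

OU = {"objectClass": ["organizationalUnit"]}
USER = {"objectClass": ["inetOrgPerson"]}


def group(name, members):
    # groupOfNames-style group; a subgroup is simply a member that is a group
    return {"objectClass": ["groupOfNames"], "cn": [name], "member": members}


GROUPS = "OU=groups,DC=AnyCorp,DC=biz"
ALICE = "CN=alice,OU=department,DC=AnyCorp,DC=biz"
BOB = "CN=bob,OU=sales,OU=department,DC=AnyCorp,DC=biz"
CAROL = "CN=carol,OU=marketing,OU=department,DC=AnyCorp,DC=biz"
DAVE = "CN=dave,OU=hr,DC=AnyCorp,DC=biz"

# Constructed sample directory (DN -> attributes).  The group hierarchy is the
# one from the text: Administrator > Identity as a Service > Auditors, Users.
DIRECTORY = {
    "OU=department,DC=AnyCorp,DC=biz": OU,
    ALICE: USER,
    "OU=sales,OU=department,DC=AnyCorp,DC=biz": OU,
    BOB: USER,
    "OU=marketing,OU=department,DC=AnyCorp,DC=biz": OU,
    CAROL: USER,
    DAVE: USER,
    f"CN=Administrator,{GROUPS}": group(
        "Administrator", [ALICE, f"CN=Identity as a Service,{GROUPS}"]),
    f"CN=Identity as a Service,{GROUPS}": group(
        "Identity as a Service", [f"CN=Auditors,{GROUPS}", f"CN=Users,{GROUPS}"]),
    f"CN=Auditors,{GROUPS}": group("Auditors", [BOB]),
    f"CN=Users,{GROUPS}": group("Users", [CAROL]),
    f"CN=Sales,{GROUPS}": group("Sales", [BOB, DAVE]),
}


def normalize_dn(dn):
    """Split a DN into its RDNs, case-folded and trimmed, for comparisons."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def full_search_base(search_base):
    """Combine a SearchBase with the Root Domain Naming Context; an empty
    SearchBase means the whole root context is searched."""
    return f"{search_base},{ROOT_CONTEXT}" if search_base else ROOT_CONTEXT


def in_scope(entry_dn, base_dn, include_subtree):
    """Include Subtree: anything at or below the base.  Exclude Subtree:
    only entries immediately in the base (LDAP one-level scope)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    return True if include_subtree else len(entry) == len(base) + 1


def find_users(search_bases, include_subtree,
               user_object_classes=("person", "inetOrgPerson")):
    """Users under the configured SearchBases (all of the root if none given)."""
    bases = [full_search_base(b) for b in search_bases] or [ROOT_CONTEXT]
    wanted = {c.lower() for c in user_object_classes}
    return [
        dn for dn, attrs in DIRECTORY.items()
        if wanted & {c.lower() for c in attrs["objectClass"]}
        and any(in_scope(dn, base, include_subtree) for base in bases)
    ]


def group_members(group_name, _seen=None):
    """All user DNs in the named group, its subgroups and their subgroups."""
    seen = set() if _seen is None else _seen
    members = set()
    for dn, attrs in DIRECTORY.items():
        if "groupOfNames" not in attrs["objectClass"] \
                or attrs["cn"][0].lower() != group_name.lower():
            continue
        if dn in seen:            # guard against cyclic group nesting
            continue
        seen.add(dn)
        for member_dn in attrs["member"]:
            member = DIRECTORY.get(member_dn, {})
            if "groupOfNames" in member.get("objectClass", []):
                members |= group_members(member["cn"][0], seen)
            else:
                members.add(member_dn)
    return members


def apply_group_filters(users, group_filters):
    """No Group Filter: every user.  One or more: the user must be in at least
    one of the named groups, directly or through a subgroup."""
    if not group_filters:
        return list(users)
    allowed = set().union(*(group_members(g) for g in group_filters))
    return [u for u in users if u in allowed]


if __name__ == "__main__":
    everyone = find_users([], include_subtree=True)
    print("all users:", everyone)
    print("department, subtree excluded:", find_users(["OU=department"], False))
    print("Administrator filter:", apply_group_filters(everyone, ["Administrator"]))
```

The group walk keeps a set of visited group DNs so that a group that (directly or indirectly) lists itself as a member cannot loop the synchronization; whether the real Gateway does the same is not stated on the page.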

7.      In the Attributes Mappings section, map directory attributes in your LDAP directory to Identity as a Service attributes. You must at a minimum map the mandatory system attributes. They are flagged with an asterisk (*). You can also add custom user attributes (see Create and manage user attributes).

Note: The Security ID is an optional system attribute that uniquely identifies users in a Microsoft Windows environment. Leave this field empty.

Note: Set the State attribute to ensure that users who are in an inactive state in LDAP are disabled in Identity as a Service after synchronization. For non-boolean state attributes, specify the attribute and the value that corresponds to a disabled user, for example userState=-1.

8.      In the Synchronization section, do the following:

a.      From the Synchronization Agent drop-down list, select the Gateway Agent used to connect to the directory and sync users.

Note: For LDAP directory sync, you require a Gateway version of 5.15 or higher.

b.      In the Page Size field, enter the number of results on a page. The minimum is 10 and the maximum is 1000.

c.      In the Crawl Frequency field, enter the rate at which Active Directory (AD) is queried. The maximum is 24 hours (86400000 ms).

Note: To disable crawling, set the Crawl Frequency to 0. This feature is available with Gateways 5.4 or later. For Gateways prior to 5.4, the default setting of 1 hour is used.

Tip: Click the time unit (for example, hr) to enter the Crawl Frequency in milliseconds, seconds, minutes, or hours.

d.      In the User Object Class field, enter the object class names that define your users in your on-premise directory. For LDAP directory users, the User Object Class is usually user or person, which is the Identity as a Service default value.

Depending on the type of directory you are configuring, valid values can include:

  person

  inetOrgPerson

  person,inetOrgPerson

e.      For LDAP groups, the Group Object Class can be a number of possible values. To cover the possible values, the default in Identity as a Service is group, groupOfNames, and groupOfUniqueNames.

Depending on the type of directory you are configuring, valid values can include:

  group

  groupOfNames

  groupOfUniqueNames

  group,groupOfNames,groupOfUniqueNames

f.        From the Group Synchronization drop-down list, select the groups that you want to add to Identity as a Service. Only groups with users synced to Identity as a Service are created. The group synchronization options include:

  All groups—All groups from users synced to Identity as a Service are added.

  Groups Matching Group Filter—Only groups matching the filter are added to Identity as a Service.

  No Groups—No groups are added to Identity as a Service.

g.      The Group Name Attribute is entered by default. This is the name of the attribute from which Identity as a Service obtains the group name.

h.      Select the User Desynchronization Policy from the drop-down list. This policy determines what happens to user accounts in Identity as a Service that are no longer found in the directory or no longer match the filters.

9.      Click Add. When synchronization completes, the new directory appears on the Directories List page.
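How the User Object Class and Group Object Class lists, the Group Name Attribute, the State attribute mapping from step 7, and the Page Size and Crawl Frequency limits from step 8 translate into an LDAP search filter and a per-entry enabled/disabled decision, as an added Python example (not Identity as a Service or Gateway code). The sample entries, the cn group name attribute, the uid attribute, the treatment of a bare boolean state attribute, and the function names are assumptions made for the illustration.

```python
"""Object-class filters, state mapping and synchronization limits from the
Attributes Mappings and Synchronization sections.

Added example code, not Identity as a Service or Gateway code.  The sample
entries, the 'cn' and 'uid' attribute names, the boolean-state rule and the
function names are assumptions chosen for the illustration.
"""

PAGE_SIZE_MIN, PAGE_SIZE_MAX = 10, 1000   # limits stated for Page Size
CRAWL_MAX_MS = 86_400_000                 # 24 hours, the Crawl Frequency maximum

# Constructed sample entries as a search would return them (attribute -> values).
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=anycorp,dc=biz", "objectClass": ["inetOrgPerson"],
     "uid": ["alice"], "userState": ["1"]},
    {"dn": "uid=bob,ou=people,dc=anycorp,dc=biz", "objectClass": ["inetOrgPerson"],
     "uid": ["bob"], "userState": ["-1"]},                       # disabled in LDAP
    {"dn": "uid=carol,ou=people,dc=anycorp,dc=biz", "objectClass": ["person"],
     "uid": ["carol"]},                                           # no state attribute
    {"dn": "cn=printer1,ou=devices,dc=anycorp,dc=biz", "objectClass": ["device"],
     "cn": ["printer1"]},                                         # not a user class
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter, so that a
    configured name such as 'Sales*' or 'a)(b' cannot change the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def split_classes(setting):
    """'person,inetOrgPerson' -> ['person', 'inetOrgPerson']."""
    return [c.strip() for c in setting.split(",") if c.strip()]


def object_class_filter(setting):
    """Filter matching any of the configured object classes."""
    classes = split_classes(setting)
    if not classes:
        raise ValueError("at least one object class is required")
    terms = "".join(f"(objectClass={escape_filter_value(c)})" for c in classes)
    return terms if len(classes) == 1 else f"(|{terms})"


def group_lookup_filter(group_classes, name_attribute, group_name):
    """Filter for one Group Filter value, using the Group Name Attribute."""
    return (f"(&{object_class_filter(group_classes)}"
            f"({name_attribute}={escape_filter_value(group_name)}))")


def parse_state_mapping(mapping):
    """'userState=-1' -> ('userState', '-1').  A bare attribute name is
    treated as a boolean attribute whose LDAP value TRUE marks a disabled
    user (an assumption of this example, not stated on the page)."""
    attribute, _, disabled_value = mapping.partition("=")
    attribute = attribute.strip()
    if not attribute:
        raise ValueError("state mapping needs an attribute name")
    return attribute, (disabled_value.strip() or "TRUE")


def is_disabled(entry, state_mapping):
    """True when the entry carries the configured 'disabled' value."""
    if not state_mapping:
        return False
    attribute, disabled_value = parse_state_mapping(state_mapping)
    return disabled_value in entry.get(attribute, [])


def classify_users(entries, user_classes, state_mapping):
    """Split search results into (enabled, disabled) user ids, ignoring
    entries that carry none of the configured User Object Classes."""
    wanted = {c.lower() for c in split_classes(user_classes)}
    enabled, disabled = [], []
    for entry in entries:
        if not wanted & {c.lower() for c in entry["objectClass"]}:
            continue
        target = disabled if is_disabled(entry, state_mapping) else enabled
        target.append(entry["uid"][0])
    return enabled, disabled


def validate_sync_settings(page_size, crawl_frequency_ms):
    """Enforce the Page Size and Crawl Frequency limits from step 8."""
    if not PAGE_SIZE_MIN <= page_size <= PAGE_SIZE_MAX:
        raise ValueError(f"Page Size must be between {PAGE_SIZE_MIN} and {PAGE_SIZE_MAX}")
    if not 0 <= crawl_frequency_ms <= CRAWL_MAX_MS:
        raise ValueError(f"Crawl Frequency must be between 0 and {CRAWL_MAX_MS} ms")
    return {"page_size": page_size, "crawl_frequency_ms": crawl_frequency_ms,
            "crawling_enabled": crawl_frequency_ms > 0}   # 0 disables crawling


if __name__ == "__main__":
    print(object_class_filter("person,inetOrgPerson"))
    print(group_lookup_filter("group,groupOfNames,groupOfUniqueNames", "cn", "Sales"))
    print(classify_users(SAMPLE_ENTRIES, "person,inetOrgPerson", "userState=-1"))
    print(validate_sync_settings(1000, 3_600_000))
```

The filter values are escaped before they are spliced into the search filter; Group Filter values are typed by an administrator, so this is mostly about correctness with names that contain parentheses or asterisks, but it is the same guard that prevents filter injection when a value comes from a less trusted source.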

Troubleshoot

In some LDAP directories, if an account becomes locked due to too many incorrect password attempts, the account unlock feature may return an error preventing the user from unlocking their account. If this occurs, use one of the following workarounds:

1.      Disable the User Unlock Account setting and enable the Enable Forgot Password setting in the Identity as a Service Password Authenticator Settings (Policies > Authenticators > Password). This allows users to complete the reset password flow, which clears the account lock after the password has been successfully reset. See Modify password authenticator settings.

2.      Modify your LDAP schema to remove the NO-USER-MODIFICATION flag from the pwdAccountLockedTime attribute, so that the attribute can be removed without requiring the user's password to be changed or reset. Once the flag is removed, any client that your directory's access controls allow to write the attribute can clear or set a lock, so restrict write access to the accounts that need it.