LDAP mapping

To bind a user to the LDAP server, the LDAP authentication provider must construct the distinguished name (DN). If the Use external identity property is set to True, it uses the External identity mapping property to try to resolve the user's DN. If it cannot find the environment variable or the DN in the LDAP server, it attempts to use the User lookup property to construct the DN.

If users are stored hierarchically within the directory server, you can configure the User lookup and External identity mapping properties to use search filters. When the LDAP authentication provider performs these searches, it uses the filters that you specify for the User lookup and External identity mapping properties. It also binds to the directory server by using the value you specify for the Bind user DN and password property, or anonymously if no value is specified.

When an LDAP namespace is configured to use the External identity mapping property for authentication, the LDAP provider binds to the directory server by using the Bind user DN and password, or anonymously if no value is specified. All users who log on to IBM® Cognos® by using external identity mapping see the same users, groups, and folders as the Bind user.

If you do not use external identity mapping, you can specify whether to use bind credentials to search the LDAP directory server by configuring the Use bind credentials for search property. When the property is enabled, searches are performed by using the bind user credentials, or anonymously if no value is specified. When the property is disabled, which is the default setting, searches are performed by using the credentials of the logged-on user. The benefit of using bind credentials is that instead of changing administrative rights for multiple users, you can change the administrative rights for the bind user only.

Note: If you use a DN syntax, such as uid=${userID}, ou=mycompany.com, for the properties User lookup, External identity mapping, or Bind user DN and password, you must escape all special characters that are used in the DN. If you use a search syntax, such as (uid=${userID}), for the properties User lookup or External identity mapping, you must not escape special characters that are used in the DN.
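
The following is an added example, not IBM code, that illustrates the note above: it builds a DN-syntax property value with RFC 4514 escaping and flags a search-syntax value to which DN-style escaping was applied by mistake. The function names and the sample OU and domain components are assumptions made for illustration.

```python
import re

# Characters that RFC 4514 requires to be backslash-escaped inside a DN value.
DN_SPECIALS = '"+,;<>\\'

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN-syntax property (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)  # leading '#', leading or trailing space
        else:
            out.append(ch)
    return "".join(out)

def build_dn(rdns) -> str:
    """Join (attribute, value) pairs into a DN string.

    The ${userID} placeholder contains no DN special characters, so it
    passes through unchanged.
    """
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)

# In an RFC 4515 search filter a backslash is valid only before two hex digits,
# so any other backslash means DN-style escaping was applied by mistake.
_DN_ESCAPE_IN_FILTER = re.compile(r"\\(?![0-9A-Fa-f]{2})")

def filter_has_dn_escapes(search_filter: str) -> bool:
    """Return True if a search-syntax value contains DN-style escapes."""
    return bool(_DN_ESCAPE_IN_FILTER.search(search_filter))

if __name__ == "__main__":
    # Constructed sample layout (hypothetical OU and domain components).
    print(build_dn([("uid", "${userID}"), ("ou", "Sales, EMEA"),
                    ("dc", "example"), ("dc", "com")]))
    print(filter_has_dn_escapes("(uid=${userID})"))
    print(filter_has_dn_escapes("(ou=Sales\\, EMEA)"))
```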