Onboarding the LDAP Application

Provision users from Verify to On-Premises LDAP adapter.

Before you begin

  1. Configure the identity agent for authentication in Verify. See Configuring through the Verify user interface.
  2. Deploy and configure the IBM® Verify Identity Brokerage On-Premises component.

Procedure

  1. Log in as administrator on Verify.
  2. Select Applications > Applications and click Add application.
  3. In the pop-up, search for the LDAP application type and click Add application.
  4. On the Add applications page, select the General tab and specify the required details.
  5. Select the Account lifecycle tab.
  6. Specify the provisioning and deprovisioning policies.
    Parameters and descriptions:

    Provision accounts
      Provision accounts is Disabled by default, which means that account creation is performed outside of IBM Verify.
      Select the Enabled option to automatically provision an account when the entitlement is assigned to a user. Password generation and email notification are available for accounts created through IBM Verify.

    Deprovision accounts
      Deprovision accounts is Disabled by default, which means that account removal is performed outside of IBM Verify.
      Select the Enabled option to automatically deprovision an account when the entitlement is removed from a user.

    Account password
      Sync user's Cloud Directory password: This option is available only if Password sync is enabled on the Cloud Directory. It uses the Cloud Directory password when a regular user is provisioned to the application. Federated users receive a generated password when they are provisioned to the application.
      Generate password: This option generates a random password for the provisioned account. The password is generated according to the Cloud Directory password policy.
      None: This option provisions the account without a password.

    Send email notification
      This option is available only when you select the Generate password option. When you select Send email notification, an email containing the generated password is sent to your email address after the account is provisioned successfully.

    Grace period (days)
      Set the grace period, in days, for which a deprovisioned account is kept suspended before it is deleted permanently.

    Deprovision action
      Delete the account. This field is available only if Deprovision accounts is enabled.
  7. In the General section, select an Application profile from the drop-down. If the profile does not exist, you must create one. For more information, see Managing identity adapter application profiles.
  8. Specify the API authentication details.
    Parameters and descriptions:

    Tivoli Directory Integrator location
      URL of the IBM Security Directory Integrator instance. For example, rmi://<ip-address>:<port>/ITDIDispatcher, where ip-address is the IBM Security Directory Integrator host and port is the port number of the RMI Dispatcher.
    URL
      URL of the directory server. For example, ldap://<ldap host>:<port>, where ldap host is the directory server host and port is the port number of the directory server.
    Administrator name
      The user name of the admin user.
    Directory server name
      1. For IBM, select the first option, IBM Directory Server, from the drop-down.
      2. For Oracle, select the second option, Oracle Directory Server, from the drop-down.
      3. For any other target, select the other option from the drop-down.
    User base DN
      The DN of the container where users are stored. For example, cn=users,dc=com.
    User RDN attribute
      The relative distinguished name attribute of users' LDAP entries. For example, UID or CN.
    Group base DN
      The DN of the container where groups are stored. For example, cn=groups,dc=com.
    Group RDN attribute
      The relative distinguished name attribute of groups' LDAP entries. For example, UID or CN.
    Initial group member
      The DN of a user that can be used as the initial group member when a group add operation is performed.
    Password
      The password of the admin user.
    Identity agent
      From the drop-down, select the identity agent of type provisioning through which the application profile was discovered.
    Description
      Optional. Add a description if needed.
    Use SSL Communication with LDAP?
      Select the check box if SSL is used for communication with LDAP.
    Password policy enabled on directory server?
      Select the check box if a password policy is enabled on the directory server.
    LDAP page size
      Specify the LDAP page size.
    Group object class name
      Specify the group object class under which groups are added on the managed resource.
    Group membership attribute
      Specify the attribute of the group object class on the managed resource that lists the users who are members of the group.
  9. Click Test Connection to test the connection to the on-premises LDAP adapter. The connection must succeed before accounts can be provisioned or reconciled on the LDAP application.
  10. Map the target LDAP attributes to the Verify attributes as required. Select the Keep updated check box for the attributes that need to be updated on the target.
  11. Select the Account sync tab.
  12. In the Adoption policy section, add one or more attribute pairs that need to match for the account sync process to assign LDAP accounts to their respective account owners on Verify.
  13. In the Remediation Policies section, choose a remediation policy to remediate non-compliant accounts automatically.
  14. Click Save.
  15. After the application is saved, specify the authorization policy on the Entitlements tab.
    Note:

    The reconciliation failure threshold is set to 15% by default. If more than 15% of the accounts are found to be deleted between successive account syncs, the account sync result is discarded and the operation is halted.

    If a higher percentage of records is legitimately deleted (typically with smaller data volumes, where a small change in the data produces a larger percentage deviation), adjust the value appropriately. Setting the failure threshold to 100% ignores the percentage deviation, and the account sync operation completes.

    You can change the failure threshold by adding the environment variable RECONCILIATION_FAILURETHRESHOLD_VALUE: "100" (the value can range from 0 to 100) under the environment section of the identity-brokerage service in the docker-compose YAML file. After the change, restart the container if it is already running.

    For example:

    identity-brokerage:
      image: ibmcom/identity-brokerage
      container_name: identity-brokerage
      depends_on:
        - ib-init
        - ibdb
      environment:
        LICENSE_ACCEPT: "yes"
        HOSTNAME: "identity-brokerage"
        DB_SERVICE_NAME: "ibdb"
        TRACE: "enabled"
        SCIM_USER: "<>"
        SCIM_USER_PASSWORD: "<>"
        RECONCILIATION_FAILURETHRESHOLD_VALUE: "75"
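The account sync tab described in steps 11 to 13 and the note above involve two checks that are easy to get wrong in practice: the adoption policy, which assigns LDAP accounts to their Verify owners only when every configured attribute pair matches, and the reconciliation failure threshold, which halts a sync that would drop too many accounts at once. The following Python model is an added illustration, not IBM Verify or Identity Brokerage code. It takes only the variable name RECONCILIATION_FAILURETHRESHOLD_VALUE, its 15% default and its 0 to 100 range from this page; the attribute names (uid, mail, preferred_username, email), the case-insensitive matching rule, the sample directory data and the exact halt condition are assumptions.

```python
"""Illustrative model of two account-sync checks: adoption-policy matching and
the reconciliation failure threshold. Not IBM Verify / Identity Brokerage code;
attribute names and matching rules are assumed."""
import os

DEFAULT_FAILURE_THRESHOLD = 15  # percent, the documented default


def load_failure_threshold(env=None):
    """Read RECONCILIATION_FAILURETHRESHOLD_VALUE (0-100) from an environment
    mapping, falling back to the 15% default. Out-of-range or non-numeric
    values are rejected so that a typo cannot silently weaken the safeguard."""
    env = os.environ if env is None else env
    raw = env.get("RECONCILIATION_FAILURETHRESHOLD_VALUE")
    if raw is None:
        return DEFAULT_FAILURE_THRESHOLD
    try:
        value = int(raw.strip().strip('"'))
    except ValueError:
        raise ValueError(f"threshold must be an integer 0-100, got {raw!r}")
    if not 0 <= value <= 100:
        raise ValueError(f"threshold out of range 0-100: {value}")
    return value


def adopt_accounts(ldap_accounts, verify_users, attribute_pairs):
    """Assign each LDAP account to the Verify user whose attributes match on
    every (ldap_attr, verify_attr) pair (assumed: case-insensitive, and a
    missing attribute never matches). Returns (adopted, orphans): adopted maps
    account uid -> Verify user id; orphans lists accounts with zero or several
    candidate owners, which a remediation policy would then have to handle."""
    adopted, orphans = {}, []
    for acct in ldap_accounts:
        owners = [
            u["id"] for u in verify_users
            if all(acct.get(la) is not None
                   and acct.get(la).lower() == (u.get(va) or "").lower()
                   for la, va in attribute_pairs)
        ]
        if len(owners) == 1:
            adopted[acct["uid"]] = owners[0]
        else:
            orphans.append(acct["uid"])
    return adopted, orphans


def check_deletion_threshold(previous_uids, current_uids, threshold_percent):
    """Compare two successive sync snapshots. Returns (proceed, deleted_percent).
    proceed is False when more than threshold_percent of the previously known
    accounts are now missing; a threshold of 100 never halts the sync."""
    previous, current = set(previous_uids), set(current_uids)
    if not previous:
        return True, 0.0
    deleted = previous - current
    deleted_percent = 100.0 * len(deleted) / len(previous)
    if threshold_percent >= 100:
        return True, deleted_percent
    return deleted_percent <= threshold_percent, deleted_percent


# Constructed sample data (not taken from any real directory or tenant).
VERIFY_USERS = [
    {"id": "u-100", "preferred_username": "jdoe", "email": "jdoe@example.com"},
    {"id": "u-101", "preferred_username": "asmith", "email": "asmith@example.com"},
    {"id": "u-102", "preferred_username": "asmith2", "email": "asmith@example.com"},
]
LDAP_ACCOUNTS = [
    {"uid": "jdoe", "mail": "JDoe@example.com"},     # differs only in case
    {"uid": "asmith", "mail": "asmith@example.com"},
    {"uid": "svc-backup", "mail": None},             # service account, no owner
]
ADOPTION_PAIRS = [("uid", "preferred_username"), ("mail", "email")]


def run_demo():
    """Run adoption, then the threshold check for a small directory in which
    2 of 5 previously known accounts disappeared (40%, above the default)."""
    adopted, orphans = adopt_accounts(LDAP_ACCOUNTS, VERIFY_USERS, ADOPTION_PAIRS)
    previous = ["jdoe", "asmith", "svc-backup", "bwayne", "ckent"]
    current = [a["uid"] for a in LDAP_ACCOUNTS]
    default_ok, pct = check_deletion_threshold(
        previous, current, load_failure_threshold({}))
    relaxed_ok, _ = check_deletion_threshold(
        previous, current,
        load_failure_threshold({"RECONCILIATION_FAILURETHRESHOLD_VALUE": "100"}))
    return {"adopted": adopted, "orphans": orphans, "deleted_percent": pct,
            "proceed_at_default": default_ok, "proceed_at_100": relaxed_ok}


if __name__ == "__main__":
    print(run_demo())
```

The demo shows why the note warns about small data volumes: losing two accounts out of five is a 40% deviation, which the 15% default treats as a failed sync, while the same change in a directory of thousands of entries would pass unnoticed. Raising the threshold to 100 makes the sync complete, so the trade-off is deliberate: a lower threshold protects against a broken connector or an emptied search base being mistaken for mass deprovisioning, a higher one is needed when large relative changes are expected.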