Configuring an on-prem LDAP provider
After you create an LDAP identity agent, you can modify some of the settings for the provider.
About this task
Procedure
- Select Authentication > Identity providers
- From the left side menu select your LDAP agent.
- Optional: Change the name of your LDAP identity provider.
- Optional: Change the name of the provider realm.
- Optional: Select or clear the checkbox to use your LDAP agent for sign-in.
- Optional: Change the password policy. To change from the default password policy, clear the field. Select a different policy from the menu or create a new password policy. Note: You can change the default password policy settings. See Managing password policies.
- Optional: Select Enable password reset. Select this option so that users can reset their password. It also enables the forgotten password feature.
The Admin initiated password reset selection determines the recipient of the password email after password reset initiation.
- Optional: Select Username recovery. Select this option so that users can recover their username by providing a different attribute. You can specify whether the users must provide one or two attributes to recover their username. If the user details are valid, an email with the username information is sent to the registered email address. Note: You need IBM Security Verify Bridge version 1.0.11 or later to support this feature. See IBM Security Verify Bridge on the App Exchange.
- Optional: Select Just-in-time provisioning. This option creates and updates the user account in the primary Identity provider realm that is associated with the SAML identity.
- Optional: Specify an attribute that identifies users from the Identity provider user registry from the Unique user identifier menu. If you select Enable identity linking for this identity provider, you must provide the UUID.
- Optional: Select a transformation value to transform the Unique user identifier value or leave the default value as None.
- Optional: Select Enable identity linking for this identity provider.
- Select the unique identifier that you want to use for the accounts from the Unique User Identifier link. Note: The UUID can be anything in the LDAP claims object that uniquely identifies the user.
- Set the UUID by typing the value in the External ID attribute field. The default value is sub.
- Select a transformation value to transform the External ID attribute value or leave the default value as None.
- Optional: On the Attribute mapping page, map more attributes from the OIDC provider to Verify attributes.
- Select Add attribute mapping.
- Select an LDAP attribute from the menu. If the LDAP provider has other, non-standard supported attributes, you can type the value in the Select an attribute field.
- Select a Verify attribute from the menu.
- Select how the attribute is used.
- Repeat the process for each attribute that you want to map.
- Optional: If you enabled public preview CI-108233, under User invitations, select whether to enable user invitations. Invitations are created and sent by using POST /v1.0/usc/user/invitation APIs. See Inviting users. Select the Enable user invitations check box to invite others to register as new users. You can also select a user profile for the user to enter more data as part of accepting the invitation. See Managing user profiles.
- Select Save changes.