Configuring custom LDAP servers

If you chose Custom as the directory type instead of one of the predefined LDAP servers, you must manually define the mapping of entity types to their corresponding object classes, and the name of the attribute that is used to determine group membership.

Procedure

  • Set the object class for an entity type.
    If you chose Custom as the directory type instead of one of the predefined LDAP servers, you must manually specify the object classes that your LDAP server uses for the entity types PersonAccount and Group. A PersonAccount represents a user, whereas a Group represents a group of users.
    1. On the configuration page of your LDAP repository in the Additional Properties area, click Federated repositories entity types to LDAP object classes mapping.
    2. Click New to define a new entity type to class mapping.
    3. Specify a mapping for the PersonAccount entity type. In the Object classes field, specify the object classes that are mapped to this entity type; separate multiple object classes with a semicolon (;). For example, enter PersonAccount in the Entity type field and iNetOrgPerson in the Object classes field, so that LDAP entries with the object class iNetOrgPerson are mapped to the PersonAccount entity type.
    4. Click Apply and then Save.
    5. Specify a mapping for the Group entity type. In the Object classes field, specify the object classes that are mapped to this entity type; separate multiple object classes with a semicolon (;). For example, enter Group in the Entity type field and groupOfNames in the Object classes field, so that LDAP entries with the object class groupOfNames are mapped to the Group entity type.
    6. Click Apply and then Save.
  • Define the group membership attribute.
    If you chose Custom as the directory type instead of one of the predefined LDAP servers, you must manually configure how group membership is modeled in your LDAP server. Model the group membership in the Group attribute definition properties of the repository. There are two main ways of specifying group membership; configure the one that your LDAP server supports:
    Option: Static group membership that is defined in the Group entity.
    The Group entity has an attribute, for example member, that points to its members. The member attribute in this example is called the group member attribute. All LDAP server implementations support static group membership.
    If the group member attribute of the group is used, specify the object class and the name of the attribute that indicates group membership under Group attribute definition -> Member attributes. For example, if the object class of the group that holds the users is groupOfUniquePersons, and within that object class the members are listed in the persons attribute, then set the static group Member attributes property as follows:
    1. On the configuration page of your LDAP repository in the Additional Properties area, click Group attribute definition.
    2. Under Additional properties, click Member attributes.
    3. Click New to specify a new member attribute. Set the Name of member attribute field to persons. Set the Object class field to groupOfUniquePersons.
    4. Click Apply and then Save.
    Option: Direct group membership.
    The PersonAccount entity has an attribute, for example memberof, that points to the groups to which this person belongs. The memberof attribute in this example is called the group membership attribute. Some LDAP servers, for example Microsoft Active Directory Server, support this kind of link from user objects to the groups to which they belong.

    Use direct group membership if your LDAP server supports it. If the group membership attribute in the PersonAccount entity is used, specify its name in Group attribute definition -> Name of group membership attribute. For example, if a PersonAccount entity (that is, a user) contains an attribute called ingroup whose values are the groups to which the user belongs, then specify the direct group membership as follows:

    1. On the configuration page of your LDAP repository in the Additional Properties area, click Group attribute definition.
    2. Set the Name of group membership attribute field to ingroup.
    3. Click Apply and then Save.
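To make the two membership models concrete, the following added example (not part of the IBM documentation or of the product's code) builds a small constructed directory in Python and resolves a user's groups once through the Member attributes mapping and once through the group membership attribute. The DNs, the entries and the groupOfNames/member mapping are assumptions; the names persons, groupOfUniquePersons and ingroup follow the steps above.

```python
# Added example, not code from the IBM documentation: an in-memory model of the
# two group-membership definitions. All DNs and entries below are constructed;
# the names persons, groupOfUniquePersons and ingroup follow the text.

ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
ADMINS = "cn=admins,ou=groups,dc=example,dc=com"
STAFF = "cn=staff,ou=groups,dc=example,dc=com"

# Constructed directory: DN -> multi-valued attributes.
DIRECTORY = {
    ALICE: {"objectClass": ["inetOrgPerson"], "ingroup": [ADMINS]},
    BOB: {"objectClass": ["inetOrgPerson"], "ingroup": []},
    ADMINS: {"objectClass": ["groupOfUniquePersons"], "persons": [ALICE]},
    # STAFF is deliberately missing from every ingroup attribute (see below).
    STAFF: {"objectClass": ["groupOfNames"], "member": [ALICE, BOB]},
}

# Group attribute definition -> Member attributes (object class -> attribute),
# as configured in the static-membership steps; groupOfNames/member is an
# assumed second mapping.
MEMBER_ATTRIBUTES = {"groupOfUniquePersons": "persons", "groupOfNames": "member"}

# Group attribute definition -> Name of group membership attribute.
GROUP_MEMBERSHIP_ATTRIBUTE = "ingroup"


def groups_static(user_dn, directory=DIRECTORY, member_attrs=MEMBER_ATTRIBUTES):
    """Static membership: the user belongs to every group entry whose member
    attribute (selected by the group's object class) lists the user's DN."""
    groups = set()
    for dn, attrs in directory.items():
        for object_class in attrs.get("objectClass", []):
            member_attr = member_attrs.get(object_class)
            if member_attr and user_dn in attrs.get(member_attr, []):
                groups.add(dn)
    return sorted(groups)


def groups_direct(user_dn, directory=DIRECTORY, attr=GROUP_MEMBERSHIP_ATTRIBUTE):
    """Direct membership: read the groups from the user's own attribute.
    Correct only when the server itself maintains that attribute."""
    return sorted(directory[user_dn].get(attr, []))


if __name__ == "__main__":
    # The two lookups disagree for alice: STAFF never appeared in her ingroup
    # attribute, so the direct model silently misses it. This is why the text
    # restricts direct membership to servers that maintain the attribute.
    print(groups_static(ALICE))  # admins and staff
    print(groups_direct(ALICE))  # admins only
```

The mismatch for alice is the check a practitioner should run before choosing direct membership: compare both lookups for a sample of users and switch only when they agree.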