LDAP concerns

There are several concerns specific to all supported LDAP user registries.

  • No configuration steps are needed for Security Verify Access to support the password policy of the LDAP server. Security Verify Access does not assume that the LDAP server has its own password policy. It first enforces its own password policy, and it attempts to update the password in LDAP only if the provided password meets the requirements of that policy.
  • Next, Security Verify Access implements the password policy of the LDAP server by using the return code that it receives from LDAP during a password-related update.
  • If Security Verify Access can map that return code without ambiguity to the corresponding error code, it maps the code and returns an error message.
  • To take advantage of the multi-domain support in Security Verify Access, you must use an LDAP user registry.
  • When using an LDAP user registry, the capability to own global sign-on credentials must be explicitly granted to a user. After this capability is granted, it can then be removed.
  • Leading and trailing blanks in user names and group names are ignored when using an LDAP user registry in a Security Verify Access secure domain. To ensure consistent processing regardless of the user registry, define user names and group names without leading or trailing blanks.
  • Attempting to add a single duplicate user to a group does not produce an error when using an LDAP user registry.
  • The Security Verify Access authorization API provides a credential attribute entitlements service. This service is used to retrieve user attributes from a user registry. When this service is used with an LDAP user registry, the retrieved attributes can be string data or binary data.
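The two-tier password handling described in the first three points above (local policy first, LDAP update only if that passes, then mapping of the LDAP return code), shown as an added example; this is illustrative code, not Security Verify Access code, and the local policy rules, the `StubLdap` directory stand-in and the `change_password` helper are assumptions. The result codes 0, 19 and 53 are the standard LDAP values from RFC 4511.

```python
import re
from typing import Optional

# Standard LDAP result codes (RFC 4511) that a password update commonly returns.
LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19   # directory-side policy rejected the value
LDAP_UNWILLING_TO_PERFORM = 53   # ambiguous: locked entry, ACL, server state, ...

# Only unambiguous codes get a specific message; anything else falls back
# to a generic error that still reports the raw result code.
LDAP_CODE_MESSAGES = {
    LDAP_CONSTRAINT_VIOLATION: "password rejected by the LDAP server's password policy",
}

def local_policy_error(password: str, min_len: int = 8) -> Optional[str]:
    """First tier: the product's own policy (assumed rules for this example)."""
    if len(password) < min_len:
        return f"password shorter than {min_len} characters"
    if not re.search(r"\d", password) or not re.search(r"[A-Za-z]", password):
        return "password must contain letters and digits"
    return None

class StubLdap:
    """Constructed stand-in for a directory; answers with RFC 4511 result codes."""
    def __init__(self, history):
        self.history = set(history)          # passwords the directory refuses to reuse
    def modify_password(self, dn: str, password: str) -> int:
        if password in self.history:
            return LDAP_CONSTRAINT_VIOLATION
        if dn.startswith("cn=locked"):       # constructed: entry the server will not modify
            return LDAP_UNWILLING_TO_PERFORM
        self.history.add(password)
        return LDAP_SUCCESS

def change_password(ldap, dn: str, password: str):
    """Returns (ok, message, ldap_attempted)."""
    err = local_policy_error(password)
    if err:
        return False, err, False             # local policy failed: LDAP never contacted
    rc = ldap.modify_password(dn, password)
    if rc == LDAP_SUCCESS:
        return True, "password changed", True
    msg = LDAP_CODE_MESSAGES.get(rc, f"LDAP update failed (result code {rc})")
    return False, msg, True
```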