LDAP concerns

There are several concerns specific to all supported LDAP user registries.

  • There are no configuration steps needed to make Verify Identity Access support the password policy of the LDAP. Verify Identity Access does not assume that the LDAP has its own password policy. Verify Identity Access first enforces its own password policy. Verify Identity Access attempts to update the password in LDAP only if the provided password meets the requirements of the Verify Identity Access password policy.
    Next, Verify Identity Access enforces the password policy of the LDAP by using the return code that it gets from LDAP during a password-related update.
    If Verify Identity Access can map the return code without ambiguity to the corresponding error code, it maps the code and returns an error message. Otherwise the LDAP return code is not translated into a specific password-policy message.
  • To take advantage of the multi-domain support in Verify Identity Access, you must use an LDAP user registry.
  • When using an LDAP user registry, the capability to own global sign-on credentials must be explicitly granted to a user. After this capability is granted, it can then be removed.
  • Leading and trailing blanks in user names and group names are ignored when using an LDAP user registry in a Verify Identity Access secure domain. To ensure consistent processing regardless of the user registry, define user names and group names without leading or trailing blanks.
  • Attempting to add a single duplicate user to a group does not produce an error when using an LDAP user registry.
  • The Verify Identity Access authorization API provides a credential attribute entitlements service. This service is used to retrieve user attributes from a user registry. When this service is used with an LDAP user registry, the retrieved attributes can be string data or binary data.
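The first concern above describes a two-stage check: the local password policy is evaluated first, the LDAP update is attempted only when that passes, and the LDAP result code then decides whether a specific error can be reported. The following Python sketch is added here as an illustration of that flow; it is not code from Verify Identity Access or IBM. The local policy rules, the simulated directory (`FakeLdap`), and the table of which result codes count as unambiguous are constructed assumptions for this example; only the numeric LDAP result codes themselves are the standard RFC 4511 values.

```python
"""
Added example (not Verify Identity Access code): two-stage password policy
enforcement in front of an LDAP user registry.

Stage 1: the local policy is checked first; no LDAP update is attempted when
         the new password fails it.
Stage 2: the LDAP result code from the password update drives the second
         check. Only result codes with an unambiguous password-policy meaning
         are mapped to a specific message; anything else is reported
         generically so that an unrelated server error is not misreported
         as a policy violation.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Standard LDAP result codes (RFC 4511). Which of them mean "password policy
# rejected the value" is an assumption made for this example.
LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19
LDAP_INSUFFICIENT_ACCESS = 50
LDAP_UNWILLING_TO_PERFORM = 53

# Result codes this example treats as mappable without ambiguity.
UNAMBIGUOUS_LDAP_ERRORS: Dict[int, str] = {
    LDAP_CONSTRAINT_VIOLATION: "password rejected by the LDAP password policy",
    LDAP_INSUFFICIENT_ACCESS: "not authorized to change this password in LDAP",
}
# unwillingToPerform (53) is deliberately absent: directories return it for
# many unrelated conditions (locked entry, read-only replica, ...), so it
# cannot be mapped to a single password-policy message.


@dataclass
class LocalPolicy:
    """Constructed stand-in for the local (Verify-side) password policy."""
    min_length: int = 8
    require_digit: bool = True
    require_letter: bool = True

    def check(self, password: str) -> Optional[str]:
        """Return None when the password is acceptable, else the reason."""
        if len(password) < self.min_length:
            return f"shorter than {self.min_length} characters"
        if self.require_digit and not any(c.isdigit() for c in password):
            return "must contain a digit"
        if self.require_letter and not any(c.isalpha() for c in password):
            return "must contain a letter"
        return None


@dataclass
class FakeLdap:
    """Constructed in-memory directory that answers with RFC 4511 codes.

    Its own policy (min_length=12) is stricter than LocalPolicy on purpose,
    so a password can pass stage 1 and still be rejected in stage 2.
    """
    min_length: int = 12
    locked_users: Set[str] = field(default_factory=set)
    passwords: Dict[str, str] = field(default_factory=dict)

    def modify_password(self, dn: str, new_password: str) -> int:
        if dn in self.locked_users:
            return LDAP_UNWILLING_TO_PERFORM
        if len(new_password) < self.min_length:
            return LDAP_CONSTRAINT_VIOLATION
        self.passwords[dn] = new_password
        return LDAP_SUCCESS


def change_password(local: LocalPolicy, ldap: FakeLdap,
                    dn: str, new_password: str) -> Tuple[bool, str]:
    """Enforce the local policy, then the LDAP policy via its result code."""
    # Stage 1: local policy. On failure the directory is never contacted.
    reason = local.check(new_password)
    if reason is not None:
        return False, f"local policy: {reason}"

    # Stage 2: let LDAP apply its own policy and interpret the result code.
    rc = ldap.modify_password(dn, new_password)
    if rc == LDAP_SUCCESS:
        return True, "password changed"
    if rc in UNAMBIGUOUS_LDAP_ERRORS:
        return False, f"LDAP result {rc}: {UNAMBIGUOUS_LDAP_ERRORS[rc]}"
    # Ambiguous code: report the failure without guessing at its meaning.
    return False, f"LDAP password update failed (result {rc})"


if __name__ == "__main__":
    policy, directory = LocalPolicy(), FakeLdap(locked_users={"cn=locked"})
    for user, pw in [("cn=alice", "abc"), ("cn=alice", "Passw0rd!"),
                     ("cn=alice", "Correct-Horse-42"), ("cn=locked", "Correct-Horse-42")]:
        print(user, repr(pw), change_password(policy, directory, user, pw))
```

The point of keeping the ambiguous codes out of the mapping table is visible in the last case: a locked entry and a real policy rejection both fail, but only the latter is reported as a password-policy error, which is what the "without ambiguity" wording in the concern above describes.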