LDAP concerns

The following concerns apply to all of the supported LDAP user registries.

  • There are no configuration steps required for Verify Identity Access to support the Password Policy of LDAP. Verify Identity Access does not assume the existence or non-existence of the LDAP Password Policy at all. Verify Identity Access enforces its own Password Policy first, and attempts to update the password in LDAP only when the provided password passes the Verify Identity Access Password Policy check. After that, Verify Identity Access tries to accommodate the LDAP Password Policy to the best of its ability, using the return code that it receives from LDAP during a password-related update. If Verify Identity Access can map the LDAP return code unambiguously to a corresponding Verify Identity Access error code, it does so and returns the appropriate error message.
  • To take advantage of the multi-domain support in Verify Identity Access, you must use an LDAP user registry.
  • When using an LDAP user registry, the capability to own global sign-on credentials must be explicitly granted to a user. After this capability is granted, it can be removed.
  • Leading and trailing blanks in user names and group names are ignored when using an LDAP user registry in a Verify Identity Access secure domain. To ensure consistent processing regardless of the user registry, define user names and group names without leading or trailing blanks.
  • Attempting to add a single duplicate user to a group does not produce an error when using an LDAP user registry.
  • The Verify Identity Access authorization API provides a credential attribute entitlements service. This service retrieves user attributes from a user registry. When this service is used with an LDAP user registry, the retrieved attributes can be string data or binary data.