Common attribute mappings

The User DN Attribute, User ID Attribute, and Attribute Mappings must be set appropriately for the configured LDAP server schema. This is especially important in deployments with existing user registries.

Default attribute mappings

The default mapping that ships out-of-the-box makes several assumptions:

  1. User DNs are set using the cn attribute.
  2. There exists a user ID attribute called uid.
  3. The username attribute is populated in the LDAP attribute cn, and the password in userPassword.

These assumptions may not be correct depending on the LDAP server that is used. The following sections describe some common deployments that require modifications to the default configuration.

User Registries with users created by pdadmin

pdadmin may populate the cn attribute with extra entries, which causes issues when the default SCIM attribute mappings are used. The following configuration settings must be updated so that the SCIM mapping is correct:
  • User DN Attribute: cn
  • User ID Attribute: uid
  • Attribute Mappings:

    userName: uid

The crucial variation from the default SCIM Attribute Mappings is changing userName to map to the uid LDAP attribute instead of cn. If this mapping is not changed, multiple entries may be returned via the SCIM API for a single user.

Active Directory User Registry

Active Directory does not have an attribute named uid and uses different LDAP attributes to store the username and password. The username and password attributes (userPrincipalName and unicodePwd) do not exist in the default object class schema, so the object class configuration must also be modified.
  • User DN Attribute: cn
  • User ID Attribute: userPrincipalName
  • Object Classes: top, organizationalPerson, person, user
  • Attribute Mappings:

    userName: userPrincipalName
    password: unicodePwd
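The following Python script is an added example, not part of this page or of the product's SCIM implementation. It models a directory as a list of entry dictionaries (constructed sample data, not real registry content) and resolves SCIM userName lookups under the default, pdadmin and Active Directory mappings described in the two sections above. It also provides a pre-flight check that reports why a chosen userName attribute is unsafe: a value shared by several entries (the pdadmin symptom), a multi-valued attribute, or an attribute no entry carries (the Active Directory case with the default mapping). The auxiliary entry beneath alice's DN stands in for the extra entries pdadmin creates; its exact shape is an assumption made for this illustration.

```python
from collections import defaultdict

# Constructed sample entries (not real directory data). Every attribute is a
# list because LDAP attributes are multi-valued. The auxiliary entry under
# alice's DN represents the extra pdadmin-created entries; its shape is an
# assumption for this illustration.
PDADMIN_DIRECTORY = [
    {"dn": "cn=alice,ou=users,dc=example,dc=com",
     "objectClass": ["top", "person", "inetOrgPerson"],
     "cn": ["alice"], "uid": ["alice"], "userPassword": ["{SSHA}redacted"]},
    {"dn": "secAuthority=Default,cn=alice,ou=users,dc=example,dc=com",
     "objectClass": ["top", "secUser"],
     "cn": ["alice"]},  # same cn as the user entry, but no uid
    {"dn": "cn=bob,ou=users,dc=example,dc=com",
     "objectClass": ["top", "person", "inetOrgPerson"],
     "cn": ["bob"], "uid": ["bob"], "userPassword": ["{SSHA}redacted"]},
]

AD_DIRECTORY = [
    {"dn": "CN=Alice Example,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["Alice Example"], "sAMAccountName": ["alice"],
     "userPrincipalName": ["alice@example.com"]},
    {"dn": "CN=Printer Vendor,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "contact"],
     "cn": ["Printer Vendor"]},  # a contact object, not a user account
]

# SCIM attribute mappings as described on the page.
DEFAULT_MAPPING = {"dn": "cn", "id": "uid", "userName": "cn", "password": "userPassword"}
PDADMIN_MAPPING = {"dn": "cn", "id": "uid", "userName": "uid", "password": "userPassword"}
AD_MAPPING = {"dn": "cn", "id": "userPrincipalName",
              "userName": "userPrincipalName", "password": "unicodePwd"}
AD_OBJECT_CLASSES = ["top", "organizationalPerson", "person", "user"]


def find_by_username(directory, mapping, username):
    """Return every entry whose mapped userName attribute holds `username`.
    Matching is case-insensitive, as LDAP caseIgnoreMatch would be."""
    attr = mapping["userName"]
    return [e for e in directory
            if any(v.lower() == username.lower() for v in e.get(attr, []))]


def check_username_attribute(directory, attr):
    """List the reasons `attr` is unsafe as the SCIM userName key: a value
    shared by several entries, an entry carrying several values, or no entry
    carrying the attribute at all. An empty list means the attribute is a
    usable unique key for this directory."""
    owners = defaultdict(list)
    problems = []
    for e in directory:
        values = e.get(attr, [])
        if len(values) > 1:
            problems.append(f"{e['dn']}: {attr} is multi-valued {values}")
        for v in values:
            owners[v.lower()].append(e["dn"])
    for v, dns in owners.items():
        if len(dns) > 1:
            problems.append(f"{attr}={v} appears in {len(dns)} entries: {dns}")
    if not owners:
        problems.append(f"no entry carries {attr}")
    return problems


def missing_object_classes(entry, required=AD_OBJECT_CLASSES):
    """Object classes from `required` that `entry` lacks (case-insensitive)."""
    have = {oc.lower() for oc in entry.get("objectClass", [])}
    return [oc for oc in required if oc.lower() not in have]


if __name__ == "__main__":
    cases = [
        ("default mapping, pdadmin registry", PDADMIN_DIRECTORY, DEFAULT_MAPPING, "alice"),
        ("pdadmin mapping", PDADMIN_DIRECTORY, PDADMIN_MAPPING, "alice"),
        ("default mapping, Active Directory", AD_DIRECTORY, DEFAULT_MAPPING, "alice@example.com"),
        ("Active Directory mapping", AD_DIRECTORY, AD_MAPPING, "alice@example.com"),
    ]
    for name, directory, mapping, user in cases:
        hits = find_by_username(directory, mapping, user)
        print(f"{name}: {len(hits)} entries for userName={user}")
        for problem in check_username_attribute(directory, mapping["userName"]):
            print("   ", problem)
```

Running the script shows the two failure modes side by side: with the default mapping the pdadmin registry returns two entries for alice, and Active Directory returns none (no entry carries uid); with the corrected mappings each lookup returns exactly one entry and the check reports nothing. `missing_object_classes` can be run over entries to confirm they carry the four Active Directory object classes before the object class configuration is changed.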