3.1 Configuring LDAP Settings

SSPR allows you to configure settings that control how SSPR interacts with the back-end LDAP directory. You can select a template to configure these settings; SSPR provides templates that set default values for the supported back-end directories. You can change the template at any time. Changing the template affects only values that are still at their default; settings you have modified are not touched.

SSPR provides the following templates for supported directories:

  • NetIQ eDirectory

  • Active Directory

  • Oracle Directory Server

  • NetIQ Identity Manager/ OAuth Integration

Before configuring LDAP directory settings, you must import the corresponding LDAP server certificates.

3.1.1 Configuring Global Settings for LDAP Directory

The Global settings control the interaction with an LDAP directory as a whole. They do not apply to an individual LDAP profile. To configure settings for an LDAP profile, go to LDAP > LDAP Directories > Default. For more information about configuring LDAP for a profile, see Configuring LDAP Directory Profile.

To configure LDAP settings, perform the following steps:

  1. In Configuration Editor, click Configuration Home and select the required template.

    NOTE: If you select NetIQ eDirectory, you can also configure NMAS settings. See Configuring NetIQ eDirectory Settings.

    If you select Active Directory - Store responses in a database, you must also configure the database. See Configuring Database.

  2. Click LDAP > General LDAP Settings.

  3. Configure the following settings:

    LDAP Idle Timeout

      Specify how long an LDAP connection can remain inactive before it times out and the user must authenticate again.

      If you specify zero, the LDAP connection does not time out for the life of the HTTP session and is closed only when that session is closed.

    User Object Class

      Specify the object classes that identify user entries in your LDAP directory (for example, inetOrgPerson, or user in Active Directory). SSPR uses them to restrict searches to user entries.

    Follow LDAP Referrals (Advanced)

      Select this check box if you want SSPR to follow the LDAP referrals returned by the directory.

    LDAP Duplicate Mode

      Select how SSPR handles a user name that matches more than one entry across the configured LDAP profiles and contexts. Select one of the following options from the list:

      • No duplicates permitted: Select this option if you want authentication to fail whenever duplicate users are found in any context or profile.

      • Match first ldap profile: Select this option if you want SSPR to use the user discovered in the first profile that has exactly one match.

      • Match first user: Select this option if you want SSPR to authenticate the first user discovered in any context or profile. Any further duplicate users in the search result are ignored.

    User Selectable LDAP Context/Profile

      Select an option from the following list to control whether the user can choose the LDAP profile and LDAP context during identification, such as login, forgotten password, and so on:

      • Show the ldap profile

      • Show the ldap profile and ldap contexts

      • Do not show

    Ignore Unreachable LDAP Profiles (Advanced)

      Select this option if you want SSPR to skip profiles that are unreachable and continue with the remaining ones. This option applies only when multiple LDAP profiles are configured.

      A directory unavailable error message is displayed to the user when only a single LDAP profile is configured or when all LDAP profiles are unreachable.

    Enable LDAP Wire Trace (Advanced)

      Select this check box to log all LDAP events at the TRACE logging level.

      WARNING: Enabling this option may allow user passwords and other sensitive data to be written to the log files. Enable it only for the duration of a troubleshooting session, disable it afterwards, and treat the resulting log files as sensitive.

  4. Click the Save icon.
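The following is an added illustration, not SSPR code, of how the LDAP Duplicate Mode and Ignore Unreachable LDAP Profiles settings described above decide which entry wins when a user name matches several profiles or contexts. The Profile class, the in-memory directories, the DNs and the exception names are constructed for the example; only the three mode names come from this page. The choice to report a duplicate (rather than a missing user) when Match first ldap profile finds matches but none of them unique is an assumption of this model.

```python
"""Model of SSPR's "LDAP Duplicate Mode" and "Ignore Unreachable LDAP Profiles"
settings. Added example, not SSPR code: profiles, DNs and exception names are
constructed; only the three mode names are taken from the documentation."""

from dataclasses import dataclass

# Mode names as shown in the SSPR Configuration Editor.
NO_DUPLICATES = "No duplicates permitted"
MATCH_FIRST_PROFILE = "Match first ldap profile"
MATCH_FIRST_USER = "Match first user"


class DirectoryUnavailable(Exception): """The only profile, or all profiles, could not be reached."""
class DuplicateUserError(Exception): """More than one entry matched and the mode forbids that."""
class UserNotFound(Exception): """No reachable profile returned a match."""


@dataclass
class Profile:
    """Stand-in for one configured LDAP profile (constructed; no real bind)."""
    name: str
    reachable: bool
    entries: dict  # user name -> list of matching DNs

    def search(self, username: str) -> list:
        if not self.reachable:
            raise ConnectionError(f"profile {self.name!r} is unreachable")
        return list(self.entries.get(username, []))


def resolve_user(profiles: list, username: str, mode: str,
                 ignore_unreachable: bool = False) -> str:
    """Return the DN the settings would select for `username`, or raise."""
    per_profile = []          # (profile name, matching DNs) in configured order
    unreachable = 0
    for p in profiles:
        try:
            per_profile.append((p.name, p.search(username)))
        except ConnectionError:
            unreachable += 1
            # An unreachable profile may be skipped only when the option is on
            # and more than one profile is configured.
            if ignore_unreachable and len(profiles) > 1:
                continue
            raise DirectoryUnavailable(p.name)
    if unreachable == len(profiles):
        raise DirectoryUnavailable("all LDAP profiles are unreachable")

    if mode == NO_DUPLICATES:
        # A second match anywhere, same profile or another, is a failure.
        all_dns = [dn for _, dns in per_profile for dn in dns]
        if len(all_dns) > 1:
            raise DuplicateUserError(all_dns)
        if not all_dns:
            raise UserNotFound(username)
        return all_dns[0]

    if mode == MATCH_FIRST_PROFILE:
        # First profile with exactly one match wins; profiles with zero or
        # several matches are passed over.
        for _, dns in per_profile:
            if len(dns) == 1:
                return dns[0]
        if any(dns for _, dns in per_profile):
            raise DuplicateUserError(username)   # assumption: matches, none unique
        raise UserNotFound(username)

    if mode == MATCH_FIRST_USER:
        # First match anywhere wins; any further matches are ignored.
        for _, dns in per_profile:
            if dns:
                return dns[0]
        raise UserNotFound(username)

    raise ValueError(f"unknown duplicate mode: {mode!r}")


def outcome(profiles, username, mode, ignore_unreachable=False) -> str:
    """Summarise a resolution as 'ok:<dn>' or 'error:<exception class>'."""
    try:
        return "ok:" + resolve_user(profiles, username, mode, ignore_unreachable)
    except (DirectoryUnavailable, DuplicateUserError, UserNotFound) as exc:
        return "error:" + type(exc).__name__


# Constructed sample directories: 'jsmith' exists in two profiles, 'dup' twice
# inside the first profile, and the third profile is down.
PROFILES = [
    Profile("corp-edir", True, {
        "jsmith": ["cn=jsmith,ou=users,o=corp"],
        "dup": ["cn=dup,ou=east,o=corp", "cn=dup,ou=west,o=corp"],
    }),
    Profile("partners-ad", True, {
        "jsmith": ["CN=jsmith,OU=Partners,DC=example,DC=com"],
    }),
    Profile("legacy-ds", False, {}),
]

if __name__ == "__main__":
    for mode in (NO_DUPLICATES, MATCH_FIRST_PROFILE, MATCH_FIRST_USER):
        for user in ("jsmith", "dup"):
            print(f"{mode:26} {user:7} -> {outcome(PROFILES[:2], user, mode)}")
    print("unreachable profile, ignore on  ->",
          outcome(PROFILES, "jsmith", MATCH_FIRST_USER, ignore_unreachable=True))
    print("unreachable profile, ignore off ->",
          outcome(PROFILES, "jsmith", MATCH_FIRST_USER))
```

Running the script shows why No duplicates permitted is the safe default for a user base that spans several profiles: a name that exists in both corp-edir and partners-ad is rejected outright, whereas Match first user silently binds to whichever profile is listed first, so profile order becomes security relevant.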