SSPR lets you configure the settings that control how it interacts with the back-end LDAP directory. You can select a template to configure these settings: SSPR provides templates that set default values for each supported back-end directory. Changing the template affects only the values that are still at their default; settings you have modified are not changed. You can change the template at any time.
SSPR provides the following templates for supported directories:

- NetIQ eDirectory
- Active Directory
- Oracle Directory Server
- NetIQ Identity Manager/OAuth Integration
Before configuring LDAP directory settings, you must import the corresponding LDAP server certificates.
The Global settings control the interaction with an LDAP directory. These settings do not apply to an individual LDAP profile. To configure settings for an LDAP profile, see LDAP > LDAP Directories > Default. For more information about configuring LDAP for a profile, see Configuring LDAP Directory Profile.
To configure LDAP settings, perform the following steps:

1. In Configuration Editor, click Configuration Home and select the required template.

   NOTE: If you select NetIQ eDirectory, you can configure NMAS settings. See Configuring NetIQ eDirectory Settings.

   If you select Active Directory - Store responses in a database, you must also configure the database. See Configuring Database.

2. Click LDAP > General LDAP Settings.

3. Configure the following settings:

| Field | Description |
|---|---|
| LDAP Idle Timeout | Specify how long an LDAP session can remain inactive before it times out and the user must authenticate again. If you specify zero, the LDAP connection does not time out within the HTTP session unless you close it. |
| User Object Class | Specify the object classes of user entries in your LDAP directory. |
| Follow LDAP Referrals (Advanced) | Select this check box if you want SSPR to follow LDAP referrals. |
| LDAP Duplicate Mode | Select the mode that determines how SSPR resolves a search that matches multiple users. This lets you control authentication when more than one user matches. Select one of the following options from the list: |
| User Selectable LDAP Context/Profile | Select an option from the following list to control the use of LDAP profiles and LDAP contexts during identification (for example, login and forgotten password): |
| Ignore Unreachable LDAP Profiles (Advanced) | Select this option to ignore LDAP profiles that are unreachable. This option applies when multiple LDAP profiles are configured. If only a single LDAP profile is configured, or all LDAP profiles are unreachable, the user sees a directory unavailable error message. |
| Enable LDAP Wire Trace (Advanced) | Select this check box to log all LDAP events at the TRACE logging level. WARNING: Enabling this option may allow user passwords and other sensitive data to be written to the log files. |

4. Click the Save icon.