4.1 Configuring LDAP Directory Profile

Self Service Password Reset allows you to configure multiple LDAP directory profiles depending on your environment. During the Configuration Guide process, you defined the default profile for your environment. You can change the information for the default profile or create new profiles. If you are manually configuring Self Service Password Reset, you must create an LDAP directory profile.

NOTE: You can create as many LDAP directory profiles as you need; however, all profiles must be of the same directory type. For example, they must all be eDirectory or all be Active Directory.

Each LDAP profile defines a unique LDAP data environment that depends on the directory type and configuration. Within a profile you can define multiple redundant LDAP servers; because Self Service Password Reset treats them as interchangeable, they must all hold the same directory data. For more information on creating an additional profile, see Configuring Profiles. The following steps explain how to edit or create the default profile.

Gather the following information before configuring the default LDAP profile or creating a new LDAP profile.

Table 4-1 Required Information to Create an LDAP Profile

Information / Description

LDAP URLs
  Obtain the secure (ldaps://) URL of the LDAP server you want to use. If there is more than one server,

LDAP Certificates
  During the Configuration Guide process, Self Service Password Reset imports the LDAP server certificate from the LDAP server. If you do not use the Configuration Guide, you can import the certificate at any time from the Configuration Editor.

LDAP Proxy User and Password
  Create a user in your LDAP directory that Self Service Password Reset uses to access the LDAP directory. Grant this user only the rights it needs:

  • Browse users and manage the password attributes of the user object

  • Create object rights in the new user container (if the new user feature is enabled)

Base Contexts for the LDAP Directory
  Obtain the fully distinguished name (FDN) of the root context where the users reside. You can list more than one context so that users can log in without specifying a context (contextless login). However, keep the number of contexts small: Self Service Password Reset searches the contexts serially, so each additional context slows down every user lookup.

LDAP Test User
  Create an LDAP test user account that Self Service Password Reset uses to validate the health of the LDAP server. The test user account must have the same privileges and policies as any other user in the system.

LDAP User Attributes
  Define the LDAP user attributes that Self Service Password Reset uses for user names, GUID, the naming attribute (cn or uid), last password update, group membership, email address, SMS destination address, password history, and the attribute that stores the challenge-response data.

Before configuring the default LDAP profile or creating a new profile, ensure that you gather the information listed above in Table 4-1.

To configure LDAP profiles:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Ensure that you have gathered the information listed in Table 4-1.

  4. Click Configuration Editor.

  5. To define the connection to the LDAP directory:

    1. Click LDAP > LDAP Directories > default > Connection.

    2. Use the help instructions to define the LDAP connection to Self Service Password Reset.

    3. Click Test LDAP Profile to verify that Self Service Password Reset can connect to the directory and read the user data in this LDAP profile.

  6. To configure the login setup:

    1. Click LDAP > LDAP Directories > default > Login Setup.

    2. Use the help instructions to define the user name search filter, the user-selectable login contexts, and the LDAP profile display name.

  7. To configure the user attributes for the LDAP directory:

    1. Click LDAP > LDAP Directories > default > User Attributes.

    2. Use the help instructions to define the user attributes Self Service Password Reset uses in your LDAP directory.

  8. In the toolbar, click Save changes.
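As an added example (not part of the Self Service Password Reset product or of this guide), the following Python script checks the values gathered from Table 4-1 before you type them into the Connection, Login Setup, and User Attributes pages: it rejects LDAP URLs that are not ldaps://, checks that the base contexts and the proxy and test user DNs parse as distinguished names, flags a missing attribute for each role listed in the table, warns when more than a handful of base contexts are listed, and shows why the login name substituted into the user name search filter must be escaped per RFC 4515. The %USERNAME% placeholder, the three-context threshold, and every host, DN and attribute name in the sample profile are assumptions, not values from this guide.

```python
"""Pre-flight checks for the Table 4-1 values before they are entered in the
Configuration Editor.  Added example, not SSPR code; the %USERNAME% placeholder,
the context threshold and the sample profile values are assumptions."""
import re
from urllib.parse import urlsplit

# RFC 4515 escaping for values substituted into an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(template: str, username: str) -> str:
    """Substitute the login name into the user name search filter (Login Setup).

    %USERNAME% is the placeholder assumed here.  The value is escaped first, so a
    login name such as 'jdoe)(cn=*' cannot widen the search to every user."""
    return template.replace("%USERNAME%", escape_filter_value(username))


def check_ldap_url(url: str) -> list:
    """The profile must use the secure LDAP URL, i.e. ldaps://host:port."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "ldaps":
        problems.append(f"{url}: scheme {parts.scheme!r} is not ldaps")
    if not parts.hostname:
        problems.append(f"{url}: missing host name")
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        problems.append(f"{url}: invalid port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append(f"{url}: unexpected path or query component")
    return problems


_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")  # one RDN, e.g. ou=users


def check_base_context(dn: str) -> list:
    """Each base context (and each user DN) must be a well-formed distinguished name."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]  # a comma inside a value is escaped as \,
    return [f"{dn}: malformed RDN {r!r}" for r in rdns if not _RDN.match(r)]


# Attribute roles listed in Table 4-1; the profile must name an attribute for each.
ATTRIBUTE_ROLES = ("username", "guid", "naming", "last_password_update", "group",
                   "email", "sms", "password_history", "challenge_response")
MAX_BASE_CONTEXTS = 3  # hypothetical threshold; the guide only says contexts are searched serially


def check_profile(profile: dict) -> list:
    """Return every problem found; an empty list means the values are ready to enter."""
    problems = []
    urls = profile.get("ldap_urls", [])
    if not urls:
        problems.append("no LDAP URL defined")
    for url in urls:
        problems += check_ldap_url(url)
    contexts = profile.get("base_contexts", [])
    for ctx in contexts:
        problems += check_base_context(ctx)
    if len(contexts) > MAX_BASE_CONTEXTS:
        problems.append(f"{len(contexts)} base contexts; each is searched serially, consider trimming")
    attrs = profile.get("user_attributes", {})
    for role in ATTRIBUTE_ROLES:
        if not attrs.get(role):
            problems.append(f"no attribute defined for {role}")
    for user in ("proxy_user_dn", "test_user_dn"):
        if profile.get(user):
            problems += [f"{user}: {p}" for p in check_base_context(profile[user])]
        else:
            problems.append(f"{user} not set")
    return problems


# Constructed sample profile; hosts, DNs and attribute names are placeholders for
# illustration, not values from the guide.  Use the names that exist in your directory.
SAMPLE_PROFILE = {
    "ldap_urls": ["ldaps://dc1.example.test:636", "ldaps://dc2.example.test:636"],
    "proxy_user_dn": "cn=sspr-proxy,ou=service accounts,dc=example,dc=test",
    "test_user_dn": "cn=sspr-test,ou=users,dc=example,dc=test",
    "base_contexts": ["ou=users,dc=example,dc=test"],
    "user_attributes": {
        "username": "sAMAccountName", "guid": "objectGUID", "naming": "cn",
        "last_password_update": "pwdLastSet", "group": "memberOf",
        "email": "mail", "sms": "mobile", "password_history": "pwdHistory",
        "challenge_response": "carLicense",
    },
    "login_filter": "(&(objectClass=user)(sAMAccountName=%USERNAME%))",
}

if __name__ == "__main__":
    for line in check_profile(SAMPLE_PROFILE) or ["profile values look ready to enter"]:
        print(line)
    print(build_login_filter(SAMPLE_PROFILE["login_filter"], "jdoe)(sAMAccountName=*"))
```

Run it against your own values before step 5; any line it prints is something Test LDAP Profile would otherwise fail on, or, in the case of the filter, something the directory would silently accept with a broader match than intended.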