RapidIdentity Product Guide

Latest Default Configuration

The default configuration is available for idauto-openldap Docker Images and Appliances running RapidIdentity 2019.x and newer. 

  • OpenLDAP version: 2.4.46

  • OpenLDAP Root Admin DN: cn=root, dc=system

    • default password: secret

      • not disclosed to Cloud customers

    • full administrative access to OpenLDAP

  • RapidIdentity Service Account DN: cn=rapididentity, dc=system

    • default password: secret

      • not disclosed to Cloud customers

    • administrative access to only dc=meta and o=changelog

  • RapidIdentity Admin DN: cn=Admin,ou=Service,ou=Accounts,dc=meta

    • default password: secret

      • currently deleted during initial Cloud configuration

    • administrative access to only dc=meta and o=changelog

  • Changelog DN: o=changelog

  • Schemas:

    • OpenLDAP provided schemas:

      • core

      • cosine

      • inetorgperson

      • ppolicy

    • RapidIdentity:

      • idauto-core - the schema required by all RapidIdentity components

      • idauto-arms - additional schema required by Portal

      • idauto-extra - all additional schema from the online schema manager tool as of 11 Dec 2018

    • Other standard schemas:

  • Directory Hierarchy:

    • Root DSE

      • cn=config - online configuration partition

      • o=changelog - changelog partition

      • cn=monitor - monitor partition

      • dc=system - system users partition

        • cn=root - OpenLDAP Root Admin account

        • cn=rapididentity - RapidIdentity Service Account

        • cn=ldapadmins - Delegated OpenLDAP Admins group

      • dc=meta - MetaDirectory data partition

        • ou=Accounts

          • ou=Internal

            • ou=Students

            • ou=Workforce

              • ou=Sponsored

              • ou=Employees

          • ou=External

            • ou=Customers

            • ou=Guardians

          • ou=Service

            • cn=Admin - RapidIdentity Admin account (non-Cloud)

        • ou=Groups

          • cn=Admins - RapidIdentity System Admins group (non-Cloud)

          • cn=MetaAdmins - Delegated MetaDirectory Admins group (primarily for Connect connects)

        • ou=system

          • ou=policies

            • cn=default - Default Password Policy

              • pwdAllowUserChange: TRUE

              • pwdAttribute: userPassword

              • pwdCheckQuality: 1

              • pwdExpireWarning: 600

              • pwdFailureCountInterval: 30

              • pwdGraceAuthNLimit: 5

              • pwdInHistory: 0

              • pwdLockout: TRUE

              • pwdLockoutDuration: 0

              • pwdMaxAge: 0

              • pwdMaxFailure: 5

              • pwdMinAge: 0

              • pwdMinLength: 5

              • pwdMustChange: TRUE

              • pwdSafeModify: FALSE
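
The cn=default values above interact in ways that are easy to misread, so the following is an added example (not code from the RapidIdentity guide or from OpenLDAP) that models the documented slapo-ppolicy semantics of pwdMaxFailure, pwdFailureCountInterval, pwdLockout, pwdLockoutDuration and pwdMinLength in plain Python. The policy dictionary copies the values listed above; the `AccountState`, `bind`, `admin_unlock`, `check_new_password` and `review` names, and the review thresholds, are this example's own assumptions.

```python
"""Offline model of the slapo-ppolicy lockout and length rules for cn=default.

Added example, not code from the RapidIdentity guide or from OpenLDAP itself.
Timestamps are integer seconds; the policy values are those listed above.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Values copied from the cn=default policy entry listed above.
DEFAULT_POLICY = {
    "pwdLockout": True,
    "pwdMaxFailure": 5,
    "pwdFailureCountInterval": 30,  # seconds; older failures are purged (0 = never purged)
    "pwdLockoutDuration": 0,        # seconds; 0 = locked until an administrator clears it
    "pwdMinLength": 5,
    "pwdInHistory": 0,
    "pwdMaxAge": 0,                 # 0 = passwords never expire
}


@dataclass
class AccountState:
    """Operational state ppolicy stores on the entry (pwdFailureTime, pwdAccountLockedTime)."""
    failure_times: List[int] = field(default_factory=list)
    locked_at: Optional[int] = None


def bind(state: AccountState, policy: dict, password_ok: bool, now: int) -> str:
    """Simulate one simple bind at time `now`.

    Returns 'success', 'failure' or 'locked'. The bind that triggers the lock
    also returns 'locked': the server answers invalidCredentials and, with the
    ppolicy control, reports accountLocked from then on.
    """
    if state.locked_at is not None:
        duration = policy["pwdLockoutDuration"]
        if duration and now - state.locked_at >= duration:
            state.locked_at = None        # timed lockout has expired
            state.failure_times.clear()
        else:
            return "locked"               # duration 0: stays locked until admin_unlock()
    interval = policy["pwdFailureCountInterval"]
    if interval:
        # Only failures inside the interval count towards pwdMaxFailure.
        state.failure_times = [t for t in state.failure_times if now - t < interval]
    if password_ok:
        state.failure_times.clear()       # a good bind resets pwdFailureTime
        return "success"
    state.failure_times.append(now)
    if policy["pwdLockout"] and len(state.failure_times) >= policy["pwdMaxFailure"]:
        state.locked_at = now             # pwdAccountLockedTime is set
        return "locked"
    return "failure"


def admin_unlock(state: AccountState) -> None:
    """Clearing a pwdLockoutDuration 0 lock: an administrator removes pwdAccountLockedTime."""
    state.locked_at = None
    state.failure_times.clear()


def check_new_password(policy: dict, candidate: str) -> bool:
    """pwdCheckQuality 1 with pwdMinLength: a cleartext value shorter than the minimum is refused."""
    return len(candidate) >= policy["pwdMinLength"]


def review(policy: dict) -> List[str]:
    """Settings a reviewer would want to revisit. The thresholds are this
    example's own assumptions, not recommendations from the guide."""
    findings = []
    if policy["pwdMinLength"] < 8:
        findings.append("pwdMinLength %d permits very short passwords" % policy["pwdMinLength"])
    if policy["pwdInHistory"] == 0:
        findings.append("pwdInHistory 0: previous passwords can be reused")
    if policy["pwdLockoutDuration"] == 0:
        findings.append("pwdLockoutDuration 0: a locked account stays locked until an administrator intervenes")
    if policy["pwdFailureCountInterval"] and policy["pwdFailureCountInterval"] < 60:
        findings.append("pwdFailureCountInterval %d s: pwdMaxFailure only limits bursts of failed binds; "
                        "log and alert on slower failure rates separately" % policy["pwdFailureCountInterval"])
    return findings
```

Stepping through `bind` with the default values shows the two properties worth knowing before this policy goes to production: five failures inside a 30-second window lock the entry and, because pwdLockoutDuration is 0, a correct password afterwards still fails until an administrator clears pwdAccountLockedTime; conversely, failures spaced more than 30 seconds apart are purged before they are counted, so the lockout never fires for them and failed-bind monitoring has to cover that case.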

  • MetaDirectory indexes:

    • objectClass, o, ou, cn, mail, sn, givenname, uid, member, uniqueMember, memberof, manager, entryCSN, entryUUID, l, title, employeeType, idautoID, idautoRequestAssociations, idautoGroupOwners, idautoGroupCoOwners, idautoGroupLastSynced, idautoPersonStatusStaff, idautoPersonStatusStudent, idautoGroupDeprovisionDate, idautoCourseDeprovisionDate, idautoPersonOffice365ID, idautoPersonTeacherEla, idautoPersonTeacherMath, idautoPersonTeacherScience, idautoPersonTeacherSS, idautoPersonGoogleAddress, idautoPersonFacStatusCode, idautoPersonFacCode, idautoPersonBadgeStatus, idautoPersonBarcodeNumber, idautoPersonBadgeID, idautoPersonSponsorEmail, idautoPersonStorageQuota, idautoPersonCompanyCode, idautoPersonDivisionCode, idautoPersonBusinessUnitCode, idautoPersonCostCenterCode, idautoPersonTimeclockCode, idautoPersonTempEmplID, idautoPersonMatchFlag, idautoPersonMatchStatus, idautoPersonStatusCode, idautoPersonToMutipleSystems, idautoPersonPwdExpDateRaw, idautoGroupToSystem5, idautoPersonDoNotDeprovision, idauto-pwdPrivateTS, idautoPersonCertifiedCode, idautoPersonDegree, idautoPersonGuardianID, idautoCourseCompanionTeacherCode, idautoCourseCompanionStudentCode, idautoPersonUserNameMV, idautoPersonStuGT, idautoPersonStu504, idautoPersonStuAtRisk, idautoPersonStuBilingual, idautoPersonStuESL, idautoPersonStuLEP, idautoPersonStuCATE, idautoPersonStuTitle1, idautoSCIMExternalId, idautoGroupDistrictID, idautoPersonSocialAuthMethodFlag, idautoPersonPAMEligible, idautoPersonRiskScore, idautoPersonForceDisable, idautoPersonClaimCode, idautoPersonDeptDescr, idautoPersonDeptCodes, idautoPersonJobCode, idautoPersonPriLocCode, idautoStatus, idautoPersonAffiliations

  • Overlays:

    • accesslog - changelog support

    • ppolicy - password policy

      Note

      See slapo-ppolicy for information on password policy options and user attributes related to password management.

    • idautopwd - password sync support

    • refint - referential integrity

      • configured attributes

        • aliasedObjectName seeAlso pwdPolicySubentry member owner roleOccupant manager documentAuthor secretary associatedName idautoDelegateSourceBaseDN idautoDelegateTargetBaseDN idautoGroupCoOwners idautoGroupIncludeBaseDN idautoGroupOwners idautoGroupStaticExcludes idautoGroupStaticIncludes idautoResourceCategoryACL idautoResourceACL idautoResourceAppOwnerApprover idautoResourceCategories idautoResourceConflicts idautoResourceDataClassification idautoResourceDependencies idautoResourceEntitlement idautoResourceManualProvisioner idautoResourceOwner idautoResourcePRD idautoResourceRevokePRD idautoResourceSecurityApprover idautoACL idautoRoleAssociatedResources idautoGroupExcludeBaseDN idautoPersonStudents idautoPersonTeachers idautoCourseTeacherDN idautoPersonStuTeachers

      • null reference - cn=null

    • sssvlv - server-side sort and virtual list view support

    • syncprov - replication support

    • unique - unique attribute enforcement

      • configured attributes

        • idautoid

        • idautoPersonUserNameMV

    • memberof

      • causes read-only operational attribute memberof to be added to group members
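
To make concrete what the unique, memberof and refint overlays listed above do to the data, here is an added example (not code from the RapidIdentity guide or from OpenLDAP) that applies the three behaviours to a small LDIF fragment in Python. The LDIF is constructed sample data: the DNs follow the dc=meta layout in this guide, but the people and the idautoID values are invented, and the `parse_ldif`, `unique_violations`, `compute_memberof` and `delete_with_refint` names are this example's own. Real slapd matches DNs after normalisation and checks uniqueness only within the overlay's configured base; the model uses exact string comparison over the whole sample.

```python
"""Offline model of the unique, memberof and refint overlays listed above.

Added example, not code from the RapidIdentity guide or from OpenLDAP itself.
"""
from collections import defaultdict

# Constructed sample data (invented people, invented idautoID values).
SAMPLE_LDIF = """\
dn: cn=Admin,ou=Service,ou=Accounts,dc=meta
objectClass: inetOrgPerson
cn: Admin
idautoID: 1001
idautoPersonUserNameMV: admin

dn: uid=jdoe,ou=Employees,ou=Workforce,ou=Internal,ou=Accounts,dc=meta
objectClass: inetOrgPerson
uid: jdoe
idautoID: 1002
idautoPersonUserNameMV: jdoe
manager: cn=Admin,ou=Service,ou=Accounts,dc=meta

dn: cn=Admins,ou=Groups,dc=meta
objectClass: groupOfNames
cn: Admins
member: cn=Admin,ou=Service,ou=Accounts,dc=meta
member: uid=jdoe,ou=Employees,ou=Workforce,ou=Internal,ou=Accounts,dc=meta
"""

UNIQUE_ATTRS = ("idautoid", "idautopersonusernamemv")   # the unique overlay's configured attributes
REFINT_ATTRS = ("member", "manager", "owner", "seealso")  # a subset of the refint list above
NULL_REFERENCE = "cn=null"                                # the refint null reference above


def parse_ldif(text):
    """Parse minimal LDIF (no line folding, no base64) into {dn: {attr: [values]}}.
    Attribute names are lower-cased because LDAP attribute types are case-insensitive."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        dn = None
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        entries[dn] = dict(attrs)
    return entries


def unique_violations(entries, new_dn, new_attrs):
    """(attr, value) pairs the unique overlay would refuse when adding new_dn."""
    clashes = []
    for attr in UNIQUE_ATTRS:
        for value in new_attrs.get(attr, []):
            for dn, existing in entries.items():
                if dn != new_dn and value.lower() in (v.lower() for v in existing.get(attr, [])):
                    clashes.append((attr, value))
    return clashes


def compute_memberof(entries):
    """{member_dn: sorted group DNs}: the read-only memberof values the overlay exposes."""
    memberof = defaultdict(set)
    for group_dn, attrs in entries.items():
        for member_dn in attrs.get("member", []):
            memberof[member_dn].add(group_dn)
    return {dn: sorted(groups) for dn, groups in memberof.items()}


def delete_with_refint(entries, deleted_dn):
    """Delete an entry and apply refint: remove its DN from every referencing
    attribute; where that would empty the attribute, store cn=null instead."""
    entries = {dn: dict(attrs) for dn, attrs in entries.items() if dn != deleted_dn}
    for attrs in entries.values():
        for attr in REFINT_ATTRS:
            if attr in attrs and deleted_dn in attrs[attr]:
                remaining = [v for v in attrs[attr] if v != deleted_dn]
                attrs[attr] = remaining or [NULL_REFERENCE]
    return entries
```

Deleting cn=Admin in the sample removes it from cn=Admins but leaves jdoe's manager attribute pointing at cn=null, which is why the null reference entry exists: a dangling DN is replaced rather than left behind, and any process that consumes manager values needs to treat cn=null as "no manager".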