RapidIdentity Product Guide

LDAP

The LDAP interface provides administrators with five sub-interfaces for configuring LDAP-related settings.

LDAP_Main_Menu.jpg

LDAP servers and server sets were previously configured in the RapidIdentity Appliance Core Configuration LDAP tab.

Global Attribute List (GAL) attributes were previously configured in the RapidIdentity Appliance Core Configuration Attributes tab.

User Settings and Group settings were previously configured in the RapidIdentity Appliance Core Configuration Users and Groups tab, respectively.

LDAP Servers

The LDAP Servers interface allows administrators to configure organization-specific LDAP servers to use within RapidIdentity.

Note

Only Active Directory and the Identity Automation distribution of OpenLDAP are supported.

LDAP_Servers.jpg

Many of the fields from the legacy UI are preserved in the new UI. There are several changes to note.

  1. The unique ID of the LDAP Server is not shown.

  2. The Bind Password field is visible after checking the red Update Password box.

  3. The icons to reload, add, remove, and duplicate are updated.

  4. The Show Advanced Options button in the legacy UI is now displayed as a toggle called Advanced Options.

  5. The Connect and Response timeouts in the Advanced Options were previously defined in seconds and are now defined in milliseconds.

  6. The checkbox to Trust All Certificates is moved to the Advanced Options and is not checked automatically when SSL or StartTLS encryption methods are selected.

  7. The Advanced Options contains a new field, Referral Hop Limit.

Table 89. LDAP Options

Field Name

Description

Name

The name of the LDAP server. Used only to allow identification of different server connections within the settings.

Server Address

The server address refers to the server that hosts the LDAP directory. The entry can be a fully qualified domain name (e.g. ldapserver.example.com) or an IP address. It is important to verify that the networking infrastructure (i.e. firewalls, etc) allow communication between the RapidIdentity Portal server and the LDAP server referenced in this field.

Encryption Method

RapidIdentity Portal supports SSL and StartTLS encryption types; the default setting is no encryption. Note that selecting an encryption type does not by itself cause the server certificate to be verified: certificate trust is governed by the Trust All Certificates setting below, which is what allows self-signed certificates to be used. Active Directory environments require encryption to allow password changes to occur.

Port

The port number that the LDAP server is listening on. The default unencrypted port is 389 and the default encrypted port is 636.

Trust All Certificates

This setting tells RapidIdentity to trust any SSL/TLS certificate presented by the LDAP server, without validation. When it is not set, you must manually verify and accept the certificate presented by the LDAP server before the connection is trusted.

Note

It is strongly recommended that this setting is disabled for production deployments.

After enabling, click Test Connection and Certificate Settings in the bottom Action Bar to validate.

Base DN

Base DN for the LDAP server.

Bind DN or User

The specified user account must have sufficient access to the LDAP tree. This includes authenticating, reading, and writing to any DN specified in the configuration. Almost all LDAP operations are performed as this user.

Note

While write access may not be an absolute requirement some application functionality will be hindered without it.

The built-in object browser makes finding the value required for this field easier.

For Active Directory, this field should be either the userPrincipalName or <domain>/<username> (e.g. what the user would normally use to log in to Windows) rather than the DN.

Update Password / Bind Password

The corresponding password for the Bind User specified above is the Bind Password, and that field displays when users click the Update Password button.

Test Connection and Certificate Settings

This button performs a real-time connection test based on the parameters provided to see if an LDAP connection can be established. A successful test results in a green text box stating "Connect Test Passed".

If encryption is enabled and Trust All Certificates is not enabled, you will also be asked to verify that you trust the certificate (if trust has not already been established for the certificate presented by the LDAP server).

Note

Save all settings before attempting to test the connection.

Save/Cancel

Commit changes or reset the values to default.
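The Encryption Method, Trust All Certificates and Test Connection entries above describe three separate decisions: how the connection is encrypted, whether the directory's certificate chain is validated, and whether an administrator has explicitly accepted a particular certificate. The following Python client is an added example, not RapidIdentity code, that makes those decisions concrete: the two ssl contexts are what the Trust All Certificates checkbox toggles, the StartTLS request is the extended operation a client sends on port 389 before upgrading, and the fingerprint check is one way to implement the "manually verify that you trust the certificate" step. Host names, the timeout default and the fingerprint store are assumptions for the example.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Optional

# Added example, not RapidIdentity code: what the Encryption Method,
# Trust All Certificates and manual trust settings mean at the TLS layer.

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)


def build_ssl_context(trust_all: bool, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS policy implied by the Trust All Certificates checkbox."""
    if trust_all:
        # Checkbox ticked: any certificate is accepted, so nothing stops an
        # on-path host from impersonating the directory. Lab use only.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Production posture: chain validated against a CA bundle (system store
    # when ca_file is None) and the hostname checked against the certificate.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def starttls_request(message_id: int = 1) -> bytes:
    """BER-encode the LDAP StartTLS ExtendedRequest (message_id assumed < 128)."""
    request_name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # requestName [0]
    extended = b"\x77" + bytes([len(request_name)]) + request_name       # [APPLICATION 23]
    body = b"\x02\x01" + bytes([message_id]) + extended                  # messageID INTEGER
    return b"\x30" + bytes([len(body)]) + body                           # LDAPMessage SEQUENCE


def starttls_accepted(reply: bytes) -> bool:
    """True when the ExtendedResponse carries resultCode success (0).
    Assumes short-form BER lengths, which holds for this response."""
    i = reply.find(b"\x78")  # [APPLICATION 24] ExtendedResponse
    return i >= 0 and reply[i + 2:i + 5] == b"\x0a\x01\x00"  # ENUMERATED 0


def sha256_fingerprint(der_cert: bytes) -> str:
    return hashlib.sha256(der_cert).hexdigest()


def certificate_is_trusted(der_cert: bytes, accepted_sha256: str) -> bool:
    """The manual trust step: the presented certificate must match the
    fingerprint an administrator explicitly accepted earlier."""
    expected = accepted_sha256.lower().replace(":", "")
    return hmac.compare_digest(sha256_fingerprint(der_cert), expected)


def open_ldap_session(host: str, port: int, encryption: str, trust_all: bool,
                      ca_file: Optional[str] = None,
                      accepted_sha256: Optional[str] = None,
                      connect_timeout_ms: int = 5000):
    """Connect using the selected Encryption Method: "None", "SSL" (LDAPS,
    normally port 636) or "StartTLS" (plain port, then upgrade). The timeout
    is given in milliseconds, matching the Advanced Options field."""
    ctx = build_ssl_context(trust_all, ca_file)
    sock = socket.create_connection((host, port), timeout=connect_timeout_ms / 1000)
    if encryption == "None":
        return sock
    if encryption == "StartTLS":
        sock.sendall(starttls_request())
        if not starttls_accepted(sock.recv(4096)):
            sock.close()
            raise ConnectionError("directory refused StartTLS")
    elif encryption != "SSL":
        sock.close()
        raise ValueError(f"unknown encryption method {encryption!r}")
    tls = ctx.wrap_socket(sock, server_hostname=host)
    presented = tls.getpeercert(binary_form=True) or b""
    if accepted_sha256 is not None and not certificate_is_trusted(presented, accepted_sha256):
        tls.close()
        raise ssl.SSLError("presented certificate does not match the accepted fingerprint")
    return tls
```

With trust_all False the context refuses a self-signed or mismatched certificate outright; passing accepted_sha256 on top of that (or instead of it, when trust_all must stay on for a self-signed directory) pins the one certificate an administrator actually inspected, which is the posture the note above recommends for production.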



Table 90. LDAP Advanced Options

Field Name

Description

Connection Timeout (milliseconds)

The maximum number of milliseconds that RapidIdentity Portal will wait for a valid connection to be established with the LDAP server. Default = 5000.

Response Timeout (milliseconds)

The maximum number of milliseconds that RapidIdentity Portal will wait for a valid response from the LDAP server when performing LDAP operations. Default = 10000.

Search Page Size

This setting is used to specify the maximum LDAP results per page when using the LDAP Simple Paged Results search request control. Default = 1000.

Referral Hop Limit

This setting determines the number of referrals (i.e. hops) the system will follow in a sequence of referrals from one LDAP server to a subsequent LDAP server. Default = 5.

For example, there are two hops from LDAP Server 1 to LDAP Server 2 to LDAP Server 3.

Follow Referrals

This setting is used to specify whether the system should attempt to follow any referrals generated by the LDAP server during a search.
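Referral Hop Limit and Follow Referrals only make sense together, and the Domain Scoped option in the Server Set Advanced Options (below) is a third way of dealing with referrals. The following simulation is an added example, not RapidIdentity code: the servers, referral URLs and entries are constructed, and the search function shows why a hop limit is needed (two servers can refer to each other forever) and how each of the three settings changes the outcome.

```python
from typing import List, Tuple, Union
from urllib.parse import urlparse

# Added example, not RapidIdentity code. The topology is constructed:
# ldap1 refers to ldap2, ldap2 refers to ldap3 (two hops), and the loop-*
# pair refer to each other without end.
LOCAL_ENTRIES = {
    "ldap3.example.test": ["cn=alice,dc=example,dc=test", "cn=bob,dc=example,dc=test"],
    "loop-a.example.test": ["cn=local-only,dc=example,dc=test"],
}
REFERRALS = {
    "ldap1.example.test": "ldap://ldap2.example.test/dc=example,dc=test",
    "ldap2.example.test": "ldap://ldap3.example.test/dc=example,dc=test",
    "loop-a.example.test": "ldap://loop-b.example.test/dc=example,dc=test",
    "loop-b.example.test": "ldap://loop-a.example.test/dc=example,dc=test",
}


class ReferralLimitExceeded(Exception):
    """The chain of referrals was longer than the Referral Hop Limit."""


class ReferralNotFollowed(Exception):
    """A referral came back while Follow Referrals was off."""


def simulated_search(server: str, domain_scoped: bool) -> Union[List[str], str]:
    """Stand-in for one search request. The server answers with the entries
    it holds locally or with a referral URL. When the request carries the
    LDAP_SERVER_DOMAIN_SCOPE_OID control (Domain Scoped), the server must not
    generate referrals, so only local entries come back."""
    if not domain_scoped and server in REFERRALS:
        return REFERRALS[server]
    return LOCAL_ENTRIES.get(server, [])


def search_with_referrals(server: str, follow_referrals: bool = True,
                          referral_hop_limit: int = 5,
                          domain_scoped: bool = False) -> Tuple[List[str], int]:
    """Client-side referral chasing. Returns (entries, hops taken). The hop
    limit is what turns a referral loop into an error instead of a hang."""
    hops, current = 0, server
    while True:
        answer = simulated_search(current, domain_scoped)
        if isinstance(answer, list):
            return answer, hops
        if not follow_referrals:
            raise ReferralNotFollowed(answer)
        if hops >= referral_hop_limit:
            raise ReferralLimitExceeded(
                f"stopped after {hops} hops at {current}; next referral was {answer}")
        hops += 1
        current = urlparse(answer).hostname


def search_outcome(server: str, **settings) -> str:
    """One-line summary of a search, convenient for comparing settings."""
    try:
        entries, hops = search_with_referrals(server, **settings)
        return f"{len(entries)} entries after {hops} hops"
    except ReferralLimitExceeded:
        return "referral hop limit exceeded"
    except ReferralNotFollowed:
        return "referral returned, not followed"


if __name__ == "__main__":
    print("chain:", search_outcome("ldap1.example.test"))
    print("loop:", search_outcome("loop-a.example.test"))
    print("loop, no follow:", search_outcome("loop-a.example.test", follow_referrals=False))
    print("loop, domain scoped:", search_outcome("loop-a.example.test", domain_scoped=True))
```

The chain case reproduces the guide's example of two hops from Server 1 through Server 2 to Server 3; the loop case shows that without the limit the client would never return, and that Domain Scoped sidesteps the problem by asking the server not to refer at all.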



LDAP Server Sets

The LDAP Server Sets interface allows administrators to configure server set settings.

LDAP_Server_Sets.jpg

An active LDAP Server must be assigned to a server set. The default LDAP Server initially displays under Available Servers and must be moved into Assigned Servers.

Note

All servers within the server set should hold read-write replicas of the same Directory Information Tree (DIT).

To add a new server set, click Add LDAP Server Set at the top right of the screen. The following menu will contain two tabs.

General Tab

The General tab is the basic makeup of the new Server Set. Give the set a Name and click the + signs next to the Available Servers to move them into Assigned Servers.

Table 91. Assign Available Servers to the Server Set
Server_Set_General_Tab_-_Before.jpg
Server_Set_General_Tab_-_After.jpg


The Advanced Options tab has more granular settings that can be configured as explained below.

Server_Set_Advanced_Tab.jpg
Table 92. Advanced Options

Field Name

Description

Initial Connections

This setting is used for LDAP connection pooling and is the specified number of connections that are opened when RapidIdentity Portal starts.

Max Connections

This setting is used for LDAP connection pooling and is the maximum number of connections that RapidIdentity Portal will establish with the LDAP server at any given time.

Authentication Pool Initial Connections

This setting is used to specify the initial size of the authentication LDAP connection pool. Default = 4.

Authentication Pool Max Connections

This setting is used to specify the maximum size of the authentication LDAP connection pool. Default = 20.

Dereference Policy

This setting specifies the alias dereferencing policy for LDAP searches. Default = NEVER.

Max Search Results

This setting is used to specify the maximum number of results to return for general purpose searches. This is meant to keep rogue requests from overwhelming the server. Default = 1000.

Search Time Limit

This setting is used to specify the maximum LDAP search time limit. Default = 30 seconds.

Capture Search Stats

This setting requests search statistics from Active Directory (the LDAP_SERVER_GET_STATS_OID control) when performing searches. It only works with Active Directory servers, and the results are written to the logs. It should not be left on for general use, but it can help in tracking down why some searches are slow. Default = false. See LDAP_SERVER_GET_STATS_OID for more information.

Domain Scoped

This setting is used to specify that LDAP requests contain the LDAP_SERVER_DOMAIN_SCOPE_OID control which instructs the LDAP server to not generate any referrals when completing a request.

Use Active Directory Fast Bind

This setting is used to specify that Active Directory Fast Bind is used for authenticating user logins.
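Search Page Size (Table 90), Max Search Results and Search Time Limit (this table) all act on the same search, and it is not obvious from the field descriptions how they interact. The following simulation is an added example, not RapidIdentity code: the 2500-entry dataset and the fake server are constructed, and the client walks Simple Paged Results pages until the cookie is empty, the result cap is hit, or the time limit expires.

```python
import time
from typing import List, Tuple

# Added example, not RapidIdentity code. The dataset is constructed: 2500
# entries, more than the default Search Page Size and Max Search Results.
ALL_ENTRIES = [f"uid=user{i:04d},ou=People,dc=example,dc=test" for i in range(2500)]


class SearchTimeLimitExceeded(Exception):
    """The Search Time Limit ran out before the last page arrived."""


def paged_results_server(page_size: int, cookie: bytes) -> Tuple[List[str], bytes]:
    """Stand-in for a server honouring the Simple Paged Results control
    (RFC 2696). The cookie is opaque to a real client; this fake one encodes
    the offset of the next page and becomes empty on the final page."""
    offset = int.from_bytes(cookie, "big") if cookie else 0
    page = ALL_ENTRIES[offset:offset + page_size]
    next_offset = offset + len(page)
    next_cookie = next_offset.to_bytes(4, "big") if next_offset < len(ALL_ENTRIES) else b""
    return page, next_cookie


def paged_search(page_size: int = 1000, max_results: int = 1000,
                 time_limit_s: float = 30.0) -> Tuple[List[str], int]:
    """Client side: request pages of at most page_size entries until the server
    returns an empty cookie, max_results entries have been collected, or the
    time limit expires. Returns (entries, number of page requests sent)."""
    deadline = time.monotonic() + time_limit_s
    results: List[str] = []
    cookie, requests = b"", 0
    while True:
        if time.monotonic() >= deadline:
            raise SearchTimeLimitExceeded(f"{len(results)} entries collected before the limit")
        # Never ask for more than the cap still allows, so the last page is
        # trimmed rather than fetched and discarded.
        remaining = max_results - len(results)
        page, cookie = paged_results_server(min(page_size, remaining), cookie)
        requests += 1
        results.extend(page)
        if not cookie or len(results) >= max_results:
            return results, requests


def search_summary(**settings) -> str:
    """One-line summary, convenient for comparing settings side by side."""
    try:
        entries, requests = paged_search(**settings)
        return f"{len(entries)} entries in {requests} requests"
    except SearchTimeLimitExceeded:
        return "time limit exceeded"


if __name__ == "__main__":
    print("defaults:", search_summary())
    print("cap raised to 3000:", search_summary(max_results=3000))
    print("page 500, cap 1000:", search_summary(page_size=500, max_results=1000))
```

With the defaults the search stops at one page of 1000 even though 2500 entries match, which is the point of Max Search Results as a brake on runaway requests; raising only the page size would not change the number of entries returned, and raising only the cap costs more round trips, not bigger pages.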



Global Attribute List

The Global Attribute List (GAL) defines LDAP attributes used in various places within the RapidIdentity UI, and adds type constraints that affect the behavior of RapidIdentity when it interacts with the values of these attributes.

GAL_Attributes.jpg
Table 93. GAL Columns

Column Name

Description

(Checkbox)

Select this checkbox to select a specific GAL item.

Name

The display name of the attribute in RapidIdentity

LDAP Attribute

The LDAP Attribute name

Searchable

Whether this attribute may be included in various basic LDAP searches performed by RapidIdentity

Allow Multiple Values

Whether the attribute should be allowed to have multiple values.

Note

LDAP attributes that are defined as single-valued in the directory schema should never be allowed to have multiple values.

LDAP attributes that are defined as multi-valued in the directory schema may be marked as single-valued in the GAL if RapidIdentity should treat them as single-valued.

Global Filter

Deprecated

Type

Format of the attribute. More information on these is provided in GAL Attribute Types.

Details

Hover over this column or select an attribute, and a Details button will appear. Click this button to access an Edit menu, where many of these settings can be adjusted as needed.

Edit_GAL_Item.jpg


GAL Attribute Types

When setting up an attribute in the Global Attribute List, you will need to define an Attribute Type. Types associate attributes with specific forms of validation and display formatting. The Attribute Type selected needs to align with the associated directory attribute value.

Note

If a directory attribute expects a DN value, make sure you select the DN type for that attribute in the GAL to avoid problems later on. The GAL does not validate the selected type against the directory schema, so awareness of the underlying directory schema configuration is required.

Boolean: The attribute can be set to TRUE or FALSE. Some cases allow NULL, which is equivalent to FALSE.

Date: Stores a Date value as a timestamp in ISO-8601 date string format (Example: 2020-10-31).

Date (Legacy): Stores a DateTime value as a timestamp in milliseconds, as recognized by various programming languages (Example: 1604352328032). (Not recommended - use DateTime or Date instead.)

Date Time: Stores a DateTime value as a timestamp in ISO-8601 date string format. This includes a Time component to add to the Date component (Example: 20201031152521Z)

DN: The full Distinguished Name. This aligns with directory attributes that expect to have a DN value stored. If you create a GAL item with this type and try to store a string instead of the DN for a user, you will get an LDAP error.

Note

This attribute type has an additional, optional configuration: when you select the DN type, a new field called Display Template appears. It allows administrators to define how the value is presented in the UI, replacing a DN (e.g., cn=4ed4f8cd-7dd6-4ae3-bde6-0c64a60a6a50,ou=Employees,ou=Workforce,ou=Internal,ou=Accounts,dc=meta) with one or more attribute values such as first and last name (e.g., Display Template = %givenName% %sn%, giving the transformed value John Smith). Display Template syntax varies by directory type.

Email Address: An email address.

Note

Selecting this attribute type makes that attribute value clickable in the UI and enables the sendto: capability for launching an email client.

Image - Binary: Stores the actual image in the directory attribute in a binary format.

Image - URL: Stores the URL provided for the image in the attribute value.

Dynamic List: List populated via a Connect Action Set that allows for dynamic data. See Configuring a Dynamic List Attribute for more details.

List: Static list of key-value pairs that are defined when the GAL item is created.

String: Any characters needed to satisfy the requirement.

Note

This attribute type uses a text field and may constrain the displayed value based on the LDAP directory's configuration of the associated LDAP attribute. It is not recommended for attributes with long text values.

Multi-Line String: Multiple lines of string types are allowed in this attribute.

Note

This attribute type provides better display handling for attributes with a lot of text, as it does not constrain displayed values the way the String type does. It also enables word wrap in a text area when editing.

Password: This value is stored encrypted in the directory.

Phone Number: This value represents a phone number and formats accordingly, i.e., (XXX) YYY-ZZZZ.

Null: Represents a null value.

Note

This attribute type is used in areas where a GAL item must be selected but has no value.
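The type descriptions above each imply a concrete format check (the date forms, the DN shape, the phone layout, the single-valued rule). The following validator is an added example, not RapidIdentity code, that turns those descriptions into code so that a value can be checked against its GAL type before it is written to the directory, which is where the DN note above says the LDAP error would otherwise surface. The gal_item field names (ldapAttribute, type, allowMultipleValues), the email and DN patterns, and the percent-delimited Display Template syntax are assumptions for the example; the guide says template syntax varies by directory.

```python
import re
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List

# Added example, not RapidIdentity code: value checks following the GAL type
# descriptions. gal_item keys (ldapAttribute, type, allowMultipleValues) are
# assumed names for the example.


class GalValueError(ValueError):
    """A value does not fit the GAL type declared for its attribute."""


def _boolean(v: Any) -> bool:
    # TRUE or FALSE; NULL (None or empty string) is treated as FALSE
    if v is None or v == "":
        return False
    s = str(v).strip().upper()
    if s not in ("TRUE", "FALSE"):
        raise GalValueError(f"not a boolean: {v!r}")
    return s == "TRUE"


def _date(v: Any) -> str:
    # ISO-8601 calendar date, e.g. 2020-10-31
    try:
        return datetime.strptime(v, "%Y-%m-%d").date().isoformat()
    except (TypeError, ValueError):
        raise GalValueError(f"not an ISO-8601 date: {v!r}") from None


def _date_legacy(v: Any) -> int:
    # milliseconds since the Unix epoch, e.g. 1604352328032
    if not re.fullmatch(r"\d{1,15}", str(v)):
        raise GalValueError(f"not an epoch-millisecond timestamp: {v!r}")
    return int(v)


def _date_time(v: Any) -> str:
    # date plus time with a UTC marker, e.g. 20201031152521Z
    try:
        return datetime.strptime(v, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc).isoformat()
    except (TypeError, ValueError):
        raise GalValueError(f"not a date-time stamp: {v!r}") from None


_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=.+$")


def _dn(v: Any) -> str:
    # every comma-separated RDN must look like attr=value (commas may be escaped)
    if not isinstance(v, str) or not all(_RDN.match(p) for p in re.split(r"(?<!\\),", v)):
        raise GalValueError(f"not a distinguished name: {v!r}")
    return v


def _email(v: Any) -> str:
    if not isinstance(v, str) or not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v):
        raise GalValueError(f"not an email address: {v!r}")
    return v.lower()


def _phone(v: Any) -> str:
    # normalise to the (XXX) YYY-ZZZZ form shown in the guide
    digits = re.sub(r"\D", "", str(v))
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        raise GalValueError(f"not a 10-digit phone number: {v!r}")
    return f"({digits[:3]}) {digits[3:6]}-{digits[6:]}"


NORMALISERS: Dict[str, Callable[[Any], Any]] = {
    "Boolean": _boolean, "Date": _date, "Date (Legacy)": _date_legacy,
    "Date Time": _date_time, "DN": _dn, "Email Address": _email,
    "Phone Number": _phone, "String": str, "Multi-Line String": str,
}


def validate_attribute(gal_item: Dict[str, Any], raw_values: List[Any]) -> List[Any]:
    """Apply the GAL item's Type and Allow Multiple Values settings to the
    values read from, or about to be written to, the directory."""
    if len(raw_values) > 1 and not gal_item.get("allowMultipleValues", False):
        raise GalValueError(f"{gal_item['ldapAttribute']} is single-valued in the GAL "
                            f"but has {len(raw_values)} values")
    try:
        normalise = NORMALISERS[gal_item["type"]]
    except KeyError:
        raise GalValueError(f"no check defined for type {gal_item['type']!r}") from None
    return [normalise(v) for v in raw_values]


def is_valid(gal_item: Dict[str, Any], raw_values: List[Any]) -> bool:
    try:
        validate_attribute(gal_item, raw_values)
        return True
    except GalValueError:
        return False


def render_display_template(template: str, entry: Dict[str, str]) -> str:
    """Expand %attribute% placeholders the way the guide's Display Template
    example does ('%givenName% %sn%' -> 'John Smith')."""
    return re.sub(r"%([A-Za-z0-9-]+)%", lambda m: entry.get(m.group(1), ""), template)
```

The multi-value check runs before the per-type check on purpose: a directory attribute that the GAL marks single-valued should be rejected as soon as a second value shows up, regardless of whether each value is individually well-formed.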

Configuring a Dynamic List Attribute

A dynamic list attribute allows an administrator to pass a RapidIdentity Connect Action Set result into an attribute. The result of this Action Set populates a drop-down list to enable a delegate to select from a list of attribute values.

To pass the Action Set result into a defined attribute, the Action Set must act as a programming function.

The RapidIdentity Connect Action Set result must produce a JSON string containing two fields:

  1. success (boolean)

  2. listItems (array; each item is a record with a displayName and a value, as in the example below)

First, create and save the Action Set in the RapidIdentity Connect instance listed in the RapidIdentity Appliance Core Configuration Integration tab.

    response = createRecord(false)
    addRecordFieldValue(response, "success", true, false)
    listItems = createArray()
    listItem = createRecord(false)
    addRecordFieldValue(listItem, "displayName", "Item 1", false)
    addRecordFieldValue(listItem, "value", "1", false)
    appendArrayItem(listItems, listItem)
    listItem = createRecord(false)
    addRecordFieldValue(listItem, "displayName", "Item 2", false)
    addRecordFieldValue(listItem, "value", "2", false)
    appendArrayItem(listItems, listItem)
    addRecordFieldValue(response, "listItems", listItems, false)
    return JSON.stringify(response)
  

If this Action Set enables the log action and is subsequently run, the JSON response appears as follows.  

Returning_Dynamic_List_Attribute.png
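Because the Action Set result is produced by code outside the Portal and then rendered to a delegate, it is worth treating it as untrusted input and checking it against the contract above before building the drop-down. The following Python checker is an added example, not RapidIdentity code; SAMPLE_RESPONSE is constructed to match what the Action Set shown above returns, and the rules that values must be strings and must be unique are assumptions made for the example (the guide's own items use string values).

```python
import json
from typing import Dict, List

# Added example, not RapidIdentity code. SAMPLE_RESPONSE is constructed to
# match what the Action Set shown in the guide produces when logged.
SAMPLE_RESPONSE = ('{"success":true,"listItems":['
                   '{"displayName":"Item 1","value":"1"},'
                   '{"displayName":"Item 2","value":"2"}]}')


class DynamicListError(ValueError):
    """The Action Set result does not satisfy the Dynamic List contract."""


def parse_dynamic_list(raw: str) -> List[Dict[str, str]]:
    """Check the JSON string against the contract: an object with `success`
    (boolean) and `listItems` (array of records carrying displayName and
    value). Values are expected to be strings, as in the guide's example, and
    duplicates are rejected because they would make the delegate's choice
    ambiguous (assumptions for this example)."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise DynamicListError(f"result is not JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise DynamicListError("result must be a JSON object")
    if not isinstance(doc.get("success"), bool):
        raise DynamicListError("success must be a JSON boolean")
    if not doc["success"]:
        raise DynamicListError("action set reported success=false")
    items = doc.get("listItems")
    if not isinstance(items, list):
        raise DynamicListError("listItems must be a JSON array")
    seen, cleaned = set(), []
    for index, item in enumerate(items):
        if not isinstance(item, dict):
            raise DynamicListError(f"listItems[{index}] is not a record")
        name, value = item.get("displayName"), item.get("value")
        if not isinstance(name, str) or not isinstance(value, str):
            raise DynamicListError(f"listItems[{index}] needs string displayName and value")
        if value in seen:
            raise DynamicListError(f"duplicate value {value!r} at listItems[{index}]")
        seen.add(value)
        cleaned.append({"displayName": name, "value": value})
    return cleaned


def dropdown_choices(raw: str) -> List[str]:
    """Labels to show the delegate, or an empty list when the result is unusable."""
    try:
        return [item["displayName"] for item in parse_dynamic_list(raw)]
    except DynamicListError:
        return []


if __name__ == "__main__":
    print(dropdown_choices(SAMPLE_RESPONSE))
```

Note the distinction between success being the JSON boolean true and the string "true": JSON.stringify on the Action Set record emits the former, and the check rejects the latter rather than silently treating any non-empty value as success.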

Next, navigate to the RapidIdentity Configuration > LDAP > Global Attributes List module and click the plus icon to configure a new attribute in the Global Attribute List.

Select Dynamic List as the attribute Type.  

New_Dynamic_List_Attribute_Type.png

The RapidIdentity Connect Action is required and is the Action Set described above, which in this case would be Dynamic List Attribute.

Action Set parameters (RapidIdentity Connect Action Set Input Properties) are not required to configure a Dynamic List attribute.

One use case in which parameters can be used in a dynamic list attribute is to allow users to select their primary Email address from all possible Email addresses associated with their user account in the user's RapidIdentity Portal My Profile delegation. This Action Set would need to connect to the system(s) associating the user with their possible Email addresses, which is likely to be a directory service or database. Subsequently, the Action Set would need to compile the Email addresses as listItems and return the JSON value.

The only two parameters that will work for this particular use case are shown below.

Table 94. Action Set Parameters

Parameter

Description

target_id

The idautoID of the target of the operation

perp_id

The idautoID of the perpetrator of the operation (the user who is performing the operation)



LDAP User Settings

The User Settings interface allows administrators to define what types of directory objects RapidIdentity should consider Users and which LDAP attributes RapidIdentity should use when working with User objects.

LDAP_User_Settings.jpg

The available attributes in each drop-down box are based upon those attributes configured in the Global Attribute List. The Mobile Number Attribute must be defined here for SMS Authentication to be available.

If User Base DN is unknown, clicking the magnifying glass generates the LDAP directory tree. 

LDAP_Directory_Tree.jpg

If the User filter is unknown, clicking the magnifying glass generates the LDAP criteria builder.  

LDAP_Builder.jpg
Table 95. LDAP User Settings

Field

Description

Username Attribute

The name of the GAL attribute assigned to Username in the system

First Name Attribute

The name of the GAL attribute assigned to First Name in the system

Last Name Attribute

The name of the GAL attribute assigned to Last Name in the system

Email Address Attribute

The name of the GAL attribute assigned to Email Address in the system

Distinguishing Attribute

The name of the GAL attribute assigned to an attribute that must be unique for each user in the system. Used to detect name collisions

Mobile Number Attribute

The name of the GAL attribute assigned to Mobile Number in the system

User Profile Image

If checked, this enables a field with available GAL attributes to point to a Profile Image attribute if one exists

User Base DN

The base DN in the LDAP tree for users. RapidIdentity will not be able to find or operate on User objects outside of this sub tree

User Object Class

The LDAP object class for User objects

User Filter

The base LDAP filter to use when searching for User objects



LDAP Group Settings

The Group Settings interface allows administrators to define what types of directory objects RapidIdentity should consider Groups and which LDAP attributes RapidIdentity should use when working with Group objects.

LDAP_Group_Settings.jpg
Table 96. Group Settings

Field Name

Description

Name Attribute

The attribute from the global attribute list that is used to display group names.

Description Attribute

The attribute from the global attribute list that is used to display group descriptions, usually as tooltips.

Group Base DN

The base DN in the LDAP tree for Groups. RapidIdentity will not be able to find or operate on Group objects outside of this sub tree.

The built-in object browser makes finding the value required for this field easier.

Group Object Class

The LDAP object class for Group objects.

Base Group Filter

The base LDAP filter to use when searching for Group objects.

Support Nested Groups

Allows groups to contain other groups as members. This is a powerful feature; however, enabling it impacts performance, resulting in slower lookup operations for all groups.

Groups Back Referenced on User Object

In eDirectory and OpenLDAP environments, a user object can be a member of a group object without that membership being reflected on the user object itself. Not accounting for this behavior can produce unexpected results, so by default RapidIdentity Portal always validates user group membership.

For eDirectory, if your tree is managed in such a way as to ensure that all group membership is reflected in attributes on the user objects directly, enabling this option can result in a performance increase for group lookups.
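The two settings above trade correctness for lookup cost in opposite directions: nested group support adds lookups per group, while trusting the user object's back references removes one at the risk of missing memberships the tree never wrote there. The following resolver is an added example, not RapidIdentity code; the group and user entries are constructed (including a membership that exists only on the group object, and a cycle between groups), and the lookup counter makes the cost of each setting visible.

```python
from collections import deque
from typing import List, Set, Tuple

# Added example, not RapidIdentity code. The directory fragment is
# constructed: three groups nested in a cycle, and memberOf-style back
# references on the users that are deliberately incomplete for bob.
GROUPS = "ou=Groups,dc=example,dc=test"
PEOPLE = "ou=People,dc=example,dc=test"
GROUP_MEMBERS = {
    f"cn=all-staff,{GROUPS}": [f"cn=engineering,{GROUPS}", f"cn=carol,{PEOPLE}"],
    f"cn=engineering,{GROUPS}": [f"cn=backend,{GROUPS}", f"cn=alice,{PEOPLE}"],
    f"cn=backend,{GROUPS}": [f"cn=bob,{PEOPLE}", f"cn=all-staff,{GROUPS}"],  # cycle
}
USER_BACK_REFERENCES = {
    f"cn=alice,{PEOPLE}": [f"cn=engineering,{GROUPS}"],
    f"cn=bob,{PEOPLE}": [],  # membership exists only on the group object
    f"cn=carol,{PEOPLE}": [f"cn=all-staff,{GROUPS}"],
}


def groups_listing_member(member_dn: str) -> List[str]:
    """One directory search: groups whose member attribute names member_dn."""
    return [g for g, members in GROUP_MEMBERS.items() if member_dn in members]


def effective_groups(user_dn: str, support_nested_groups: bool,
                     trust_back_references: bool) -> Tuple[Set[str], int]:
    """Return (group DNs the user belongs to, directory lookups spent).

    trust_back_references models 'Groups Back Referenced on User Object':
    True reads the user's own attribute (one cheap lookup, wrong when the
    tree does not keep it current); False validates membership by searching
    the group objects, the default behaviour the guide describes.
    support_nested_groups walks parent groups breadth-first; the seen set
    stops the cycle, and the lookup count shows the extra cost of nesting."""
    lookups = 1
    if trust_back_references:
        direct = set(USER_BACK_REFERENCES.get(user_dn, []))
    else:
        direct = set(groups_listing_member(user_dn))
    if not support_nested_groups:
        return direct, lookups
    seen, queue = set(direct), deque(direct)
    while queue:
        group = queue.popleft()
        lookups += 1
        for parent in groups_listing_member(group):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen, lookups


if __name__ == "__main__":
    bob = f"cn=bob,{PEOPLE}"
    for nested in (False, True):
        for trust in (True, False):
            groups, cost = effective_groups(bob, nested, trust)
            print(f"nested={nested} trust_back_refs={trust}: {len(groups)} groups, {cost} lookups")
```

For bob, trusting the back reference yields no groups at all, which is exactly the "unexpected result" the guide warns about; validating against the group objects finds the direct membership for the same single lookup, and enabling nested groups finds the two enclosing groups at the price of one extra lookup per group visited.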