User records within LDAP must be instances of the object class inetOrgPerson, or a subclass, to function without extra configuration steps. If this is not the case, you must change the attribute mappings and the default search filter. For more information, see “Attribute mapping”, and the ldap.searchFilter property in Table 15-4.
The attributes that are used by default, and replicated into the ACDB from the LDAP data store are:
uid – user ID.
cn – common name; typically, first name and last name.
mail – e-mail address.
telephoneNumber – business telephone number.
givenName – first name.
sn – last name (surname).
LDAP support includes the following functionality and restrictions:
The LDAP authentication delegate replicates a single user record when authenticating a user.
Group entries within the LDAP data store can be mapped to group and role entries within the ACDB.
If a user within the LDAP data store is a member of an LDAP group that has a mapping defined to an ACDB group or role, that membership is preserved when the user is replicated to the ACDB. This is the only kind of membership that is replicated: the membership of an LDAP group in another group or in a role is not carried over.
Only memberships are replicated from the LDAP server to the ACDB; the groups and roles themselves are not. It is the administrator's responsibility to create both the mappable group entries in the LDAP data store and the corresponding group and role entries in the ACDB before defining the mapping.
Enterprise Security can map LDAP groups to Enterprise Portal groups or roles. To successfully map an LDAP group, it must be an instance of one of the following LDAP object classes:
groupOfNames
groupOfUniqueNames
groupOfURLs
group
For definitions of the groupOfNames and groupOfUniqueNames object classes, see RFC 2256 - A Summary of the X.500(96) User Schema for use with LDAPv3. groupOfURLs is not an RFC 2256 class; it is the dynamic group object class of Netscape-derived directory servers (for example iPlanet/Sun Directory Server) and is documented in that server's schema reference. For a definition of the group object class, see the Microsoft Active Directory schema reference on the Microsoft Web site. The mapping is defined internally using DN pairs: an LDAP DN that points to a group, and the ACDB DN of the group or role it maps to.
The administrator adds users to a static LDAP group by adding their DN to the group's membership attribute: member for groupOfNames and for the Active Directory group class, uniqueMember for groupOfUniqueNames. For dynamic groups (groupOfURLs), membership is defined by modifying the memberURL attribute to include an LDAP URL whose search filter selects the intended users. These tasks are usually accomplished using the tools provided by the LDAP server vendor.
When adding a user as a member of an LDAP group, specify the member value in the form the attribute requires: the user's full distinguished name, not the uid or common name alone. A value that is not a valid DN is not a membership the delegate can match.
Replication can optionally run at user-defined intervals or times through the use of customized scheduling software. A component method is provided that can be called to replicate users on demand. This method performs no authentication, and does not remove the need to perform an authentication check against the LDAP server the next time the user logs in.
LDAP servers support nested groups (a group whose member attribute contains the DN of another group); however, nested group memberships are ignored by the current delegate implementation. A user whose only path into a mapped LDAP group runs through a nested group receives no ACDB group or role from that mapping; only direct membership counts.
Role and group memberships within Enterprise Portal can be mapped to the results of an LDAP search filter. This enables you to create default roles for users within a specific organization, or for all users. It also facilitates integration with LDAP servers on which a PSO may not have administrative privileges; for example, a Notes LDAP server, or a public LDAP server.
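The following is an added example, not code from Enterprise Security or Enterprise Portal. It works through the rules stated above for group mapping and for search-filter-based role assignment: it resolves a user's direct membership in mapped LDAP groups by reading the membership attribute each supported object class actually carries (member, uniqueMember, or the filter inside a memberURL), assembles the replicated record from the six default attributes, and reports which mapped entries a user would hold only through nested groups, which the delegate ignores. The directory contents, the DN-to-ACDB mapping and the ACDB entry names are constructed sample data held in memory, so the script runs offline; the filter evaluator covers only equality, presence, and the &, | and ! operators.

```python
"""Added example (not Enterprise Security code): direct-membership resolution for
mapped LDAP groups over a constructed in-memory directory."""

def norm(dn):
    """Normalise a DN for comparison: case-insensitive, no space after commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

PEOPLE_CLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson"]
# Constructed sample directory: normalised DN -> attributes (every value is a list).
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "objectClass": PEOPLE_CLASSES, "uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"],
        "givenName": ["Jane"], "mail": ["jdoe@example.com"],
        "telephoneNumber": ["+1 555 0100"], "o": ["Acme"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": PEOPLE_CLASSES, "uid": ["bob"], "cn": ["Bob Roe"], "sn": ["Roe"],
        "givenName": ["Bob"], "mail": ["bob@example.com"], "o": ["Globex"]},
    "cn=portal-admins,ou=groups,dc=example,dc=com": {          # static: groupOfNames
        "objectClass": ["groupOfNames"], "member": ["uid=jdoe,ou=people,dc=example,dc=com"]},
    "cn=editors,ou=groups,dc=example,dc=com": {                # static: groupOfUniqueNames
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=bob,ou=people,dc=example,dc=com"]},
    "cn=acme-staff,ou=groups,dc=example,dc=com": {             # dynamic: groupOfURLs
        "objectClass": ["groupOfURLs"],
        "memberURL": ["ldap:///ou=people,dc=example,dc=com??sub?(&(objectClass=inetOrgPerson)(o=Acme))"]},
    "cn=all-staff,ou=groups,dc=example,dc=com": {              # nested: its member is a group
        "objectClass": ["groupOfNames"], "member": ["cn=portal-admins,ou=groups,dc=example,dc=com"]},
}
# Constructed DN-pair mapping: LDAP group DN -> ACDB group/role (hypothetical names).
MAPPINGS = {
    "cn=portal-admins,ou=groups,dc=example,dc=com": "role:PortalAdmin",
    "cn=editors,ou=groups,dc=example,dc=com": "group:Editors",
    "cn=acme-staff,ou=groups,dc=example,dc=com": "role:AcmeDefault",
    "cn=all-staff,ou=groups,dc=example,dc=com": "role:AllStaff",
}
DEFAULT_ATTRS = ["uid", "cn", "mail", "telephoneNumber", "givenName", "sn"]
# Membership attribute carried by each supported static group object class.
MEMBER_ATTR = {"groupofnames": "member", "group": "member", "groupofuniquenames": "uniqueMember"}

def attr(entry, name):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def _split_subfilters(s):
    """Split '(a=1)(b=2)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def matches_filter(entry, filt):
    """Evaluate a minimal RFC 4515 search filter: equality, presence (*), &, |, !."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filt)
    body = filt[1:-1]
    if body[:1] in ("&", "|", "!"):
        results = [matches_filter(entry, sub) for sub in _split_subfilters(body[1:])]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    name, _, value = body.partition("=")
    values = [v.lower() for v in attr(entry, name)]
    return bool(values) if value == "*" else value.lower() in values

def parse_member_url(url):
    """Split a server-less LDAP URL (RFC 4516) into base DN, scope and filter."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("expected ldap:///base?attrs?scope?filter, got %r" % url)
    base, _attrs, scope, filt = (url[len("ldap:///"):].split("?") + [""] * 4)[:4]
    return base, (scope or "base").lower(), (filt or "(objectClass=*)")

def in_scope(user_dn, base, scope):
    u, b = norm(user_dn), norm(base)
    if scope == "base":
        return u == b
    if scope == "one":
        return u.partition(",")[2] == b        # the entry's parent must be the base
    return u == b or u.endswith("," + b)       # "sub"

def is_direct_member(group_dn, user_dn):
    """Direct membership only: the membership the page says the delegate replicates."""
    group = DIRECTORY[norm(group_dn)]
    classes = {c.lower() for c in attr(group, "objectClass")}
    if "groupofurls" in classes:
        for url in attr(group, "memberURL"):
            base, scope, filt = parse_member_url(url)
            if in_scope(user_dn, base, scope) and matches_filter(DIRECTORY[norm(user_dn)], filt):
                return True
    return any(cls in classes and norm(user_dn) in {norm(m) for m in attr(group, name)}
               for cls, name in MEMBER_ATTR.items())

def is_nested_member(group_dn, user_dn, seen=None):
    """Membership via nested groups: what the current delegate does NOT grant.
    Tracks visited groups so a membership cycle cannot recurse forever."""
    seen = seen if seen is not None else set()
    if norm(group_dn) in seen:
        return False
    seen.add(norm(group_dn))
    if is_direct_member(group_dn, user_dn):
        return True
    return any(norm(m) in DIRECTORY and is_nested_member(m, user_dn, seen)
               for name in ("member", "uniqueMember")
               for m in attr(DIRECTORY[norm(group_dn)], name))

def replicate_user(user_dn):
    """Build the record the delegate would copy into the ACDB for one user."""
    entry = DIRECTORY[norm(user_dn)]
    if "inetorgperson" not in {c.lower() for c in attr(entry, "objectClass")}:
        raise ValueError("not an inetOrgPerson: change the attribute mappings and search filter")
    record = {name: (attr(entry, name) or [None])[0] for name in DEFAULT_ATTRS}
    record["memberships"] = sorted(acdb for gdn, acdb in MAPPINGS.items()
                                   if is_direct_member(gdn, user_dn))
    return record

def lost_to_nesting(user_dn):
    """Mapped ACDB entries the user would hold only through nested groups, and so loses."""
    return sorted(acdb for gdn, acdb in MAPPINGS.items()
                  if is_nested_member(gdn, user_dn) and not is_direct_member(gdn, user_dn))

if __name__ == "__main__":
    for dn in ("uid=jdoe,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"):
        print(replicate_user(dn), "lost via nesting:", lost_to_nesting(dn))
```

Running it shows jdoe receiving role:PortalAdmin (direct member) and role:AcmeDefault (matched by the memberURL filter on o=Acme, which is the search-filter-based default role described above), but not role:AllStaff, because all-staff only contains portal-admins as a nested group. The replicated record also carries no credential attribute, which is why the next login still authenticates against the LDAP server.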