There are several LDAP plugins. The following table gives an overview of the supported plugins related to data storage and authentication.
The table also explains what the plugins require on the LDAP directory:
- "Requires Extra Attributes": You have to add IAM-specific attributes to existing LDAP entries (e.g. to the User entries).
- "Typically based on ObjectClass": Entries are usually based on the specified ObjectClasses (with the extra IAM attributes added). However, you may also use or define other ObjectClasses and configure the LDAP plugins accordingly. "IAM custom node" means that you have to create extra nodes/trees and cannot re-use well-known ObjectClasses.
For detailed information about the plugins, refer to the help in the Config Editor.
Plugin | Usage | Requires Extra Attributes | Typically based on ObjectClass
---|---|---|---
LDAP Connector | Use this whenever possible. Connects to LDAP directories and offers the following features: | |
| | LDAP directory as user data repository (User Persister, User Iterator, Extended User Persister) | Yes | person, inetOrgPerson
| | LDAP directory as password service (check password, reset password, change password) | Yes/No* | person
| | LDAP directory as token storage for one user-related token (e.g. using the mobile number attribute) | No | person, inetOrgPerson
LDAP Token List Persister | Used to read and write matrix card (also "token list" or "grid card") related information. | Yes | person
LDAP Password Self-Service Token Persister | Used to read and write data related to password self-service tokens. | Yes | person
Plugin | Usage | Requires Extra Attributes | Typically based on ObjectClass
---|---|---|---
LDAP User Persister | Legacy - use the "LDAP Connector" instead. Used to read and write user information. | see LDAP Connector | see LDAP Connector
LDAP Credential Persister | Legacy - use the "LDAP Connector" instead. Used to read and write credential-related information (e.g. MTAN tokens, OTP tokens, client certificates). Credentials are stored with the user. | see LDAP Connector | see LDAP Connector
LDAP Password Authenticator | Legacy - use the "LDAP Connector" instead. Used to verify, change and reset passwords. | see LDAP Connector | see LDAP Connector
* Password service features can be used in a limited way without adding extra attributes.