Generic LDAP directories for IAM
This section describes how generic LDAP directories can be used in Airlock IAM (for the MS Active Directory, see Microsoft Active Directory for IAM).
IAM supports LDAP directories in two configurations:
- LDAP as password service only
  Here, LDAP is used exclusively for password operations (validation, reset and change). All other data, such as failure counters, timestamps, second factors, and user persistence, is managed in the IAM relational database. This is the recommended approach.
- LDAP as password service and user data repository
  LDAP is used both for password management and as the primary user data store, replacing the internal IAM user database table. In this case:
  - The LDAP schema must be extended with custom attributes such as failedTokenCounts.
  - A database is still required for data that LDAP cannot store, such as information on second factor authentication, risk-based authentication, and consent management. If you only wish to use LDAP without any DB, only a limited part of the IAM features is supported.
We recommend using the LDAP directory as a password service only.
Known issues with load-balancing
Using load balancers between Airlock IAM and the LDAP server can cause issues when modifying passwords. In some cases, Airlock IAM may regard the password change as successful because no exceptions or abnormal behavior occur, even though the modification has not been persisted in the LDAP server. If this happens, try disabling the load balancer to identify the cause of the issue.
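One way to detect the silent failure described above is to confirm every password change with an independent bind on a fresh connection. The following is an added Java (JNDI) example, not Airlock IAM code; the directory URL, the service-account and user DNs, and the use of the userPassword attribute are assumptions about the target directory.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/** Changes a user's password and then verifies that the change was really persisted. */
public class LdapPasswordChangeCheck {

    // Placeholder values (assumed): replace with the real directory URL and service-account DN.
    static final String LDAP_URL = "ldaps://ldap.example.invalid:636";
    static final String ADMIN_DN = "cn=iam-service,ou=system,dc=example,dc=invalid";

    /** Opens a new connection and performs a simple bind as the given DN. */
    private static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /**
     * Returns true only if a fresh bind accepts the new password after the modify
     * operation returned without error. A modify that "succeeds" but is not
     * persisted (the load-balancer symptom) therefore yields false.
     * Connectivity errors propagate so they are not mistaken for a lost change.
     */
    public static boolean changeAndVerify(String adminPassword, String userDn, String newPassword)
            throws NamingException {
        DirContext admin = bind(ADMIN_DN, adminPassword);
        try {
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                        new BasicAttribute("userPassword", newPassword)) // attribute name assumed
            };
            admin.modifyAttributes(userDn, mods); // no exception == "success" as the client sees it
        } finally {
            admin.close();
        }
        // Independent check on a new connection, which may reach a different backend
        // behind a load balancer than the modify did.
        try {
            bind(userDn, newPassword).close();
            return true;
        } catch (AuthenticationException e) {
            return false; // new password rejected: the modification was not persisted
        }
    }
}
```

Logging a false result from changeAndVerify alongside the backend that served the request gives operators a concrete signal for the load-balancer problem rather than a silent mismatch.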
Required user data source
How you use LDAP also influences the required user data source in your IAM setup:
- If you use LDAP as password service only, your user data source will be a user database.
  - The corresponding setting for the User Data Source plugin in the Config Editor is Database User Store (Main Settings >> Data Sources >> User Data Source property).
- If you wish to use LDAP as password service and user data repository, your user data source will be an LDAP directory.
  - The corresponding setting for the User Data Source plugin in the Config Editor is LDAP Connector (Main Settings >> Data Sources >> User Data Source property).
LDAP plugins
IAM provides several LDAP plugins to connect to and extract data from the LDAP directory. Which data can be accessed depends on the plugin settings. See Available plugins for more information.