Available plugins
Airlock IAM provides several LDAP plugins to connect to and extract data from the LDAP directory. This includes the following information:
- Password check, reset and change
- User information (user profile, login statistics, password information, etc.)
- Credential data, matrix card data
LDAP can only store the above types of information. To store additional information, e.g., on second factor authentication, risk-based authentication, and consent management, an additional database is required.
Note that if you wish to use LDAP only without any additional DB, only a limited part of the IAM features is supported.
The following LDAP plugins are available:
- LDAP Connector
  Reads and writes user- and password-related data; facilitates token storage for one user-related token. Note that the plugin only supports a limited credential model and can therefore only be used to store simple token types, such as mTANs.
- LDAP Token List Persister
  Reads and writes matrix card related information.
- LDAP Password Self-Service Token Persister
  Reads and writes data related to password self-service tokens.
Each plugin defines the exact data to be accessed in the LDAP directory. Each attribute that is set in the plugin should correspond with an attribute in the LDAP directory.
However, the LDAP schema supports only a few attributes by default, such as user ID (uid), common name (cn) or user password (userPassword). To extract more data from the LDAP directory, you may have to add additional custom attributes to your schema.
If you use an LDAP directory as primary User Data Source, adding the failedTokenCounts attribute to the LDAP schema is mandatory. Otherwise, failed authentication attempts may not be counted, making brute force attacks possible. This poses a security risk.
Note that IAM does not provide schema extension files. In case you need help, please contact Airlock support: Techzone - Airlock support process.
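An added check (not Airlock code) for the requirement above: it parses an LDIF export of the directory and lists every person/inetOrgPerson entry that has no failedTokenCounts attribute, so an operator can verify the schema extension reached all user entries before using LDAP as primary User Data Source. It assumes the attribute keeps the default name failedTokenCounts (the names are configurable) and uses a constructed sample export.

```python
import base64
from typing import Dict, List

# Assumption: attribute keeps its default name; rename if your schema differs.
REQUIRED_ATTR = "failedtokencounts"
USER_CLASSES = {"person", "inetorgperson"}

# Constructed sample export: alice has the attribute, bob does not,
# and the OU entry is not a user and must be ignored.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
failedTokenCounts: 0

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn:: Qm9iIEV4YW1wbGU=
description: migrated without the IAM
  schema extension

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: unfolds continuation lines, decodes '::' base64
    values and returns one dict per entry (attribute names lower-cased)."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # folded line: append remainder
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    entry: Dict[str, List[str]] = {}
    for line in unfolded + [""]:               # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded attribute value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def audit(entries: List[Dict[str, List[str]]]) -> List[str]:
    """Return DNs of user entries that cannot count failed attempts."""
    classes_of = lambda e: {c.lower() for c in e.get("objectclass", [])}
    return [e["dn"][0] for e in entries
            if classes_of(e) & USER_CLASSES and REQUIRED_ATTR not in e]


if __name__ == "__main__":
    for dn in audit(parse_ldif(SAMPLE_LDIF)):
        print("missing failedTokenCounts:", dn)
```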
Supported LDAP plugins
The following table gives an overview of the supported LDAP plugins, including (per plugin):
- Plugin usage
- Whether you have to add IAM-specific attributes to existing LDAP entries.
- The relevant entry object class (ObjectClass). Usually, these are person or inetOrgPerson. However, you may also use or define other object classes and configure the LDAP plugins accordingly.
For detailed information about the plugins, see the Plugin Documentation in the Config Editor.
| Plugin | Usage | Requires extra attributes | Typically based on object class |
|---|---|---|---|
| LDAP Connector | Use this whenever possible. Connects to LDAP directories and offers the following features: | | |
| | LDAP directory as user data repository (User Store, User Iterator, Extended User Persister) | Yes | |
| | LDAP directory as password service (check password, reset password, change password) | Yes/No* | |
| | LDAP directory as token storage for one user-related token (e.g., by using the mobile number attribute) | No | |
| LDAP Token List Persister | Used to read and write matrix card (also “token list” or “grid card”) related information. | Yes | |
| LDAP Password Self-Service Token Persister | Used to read and write data related to password self-service tokens. | Yes | |

Legacy plugins:

| Plugin | Usage | Requires extra attributes | Typically based on object class |
|---|---|---|---|
| LDAP User Persister | Legacy - use the “LDAP Connector” instead. Used to read and write user information. | see LDAP Connector | |
| LDAP Credential Persister | Legacy - use the “LDAP Connector” instead. Used to read and write credential-related information (e.g. mTAN tokens, OTP tokens, client certificates). Credentials are stored with the user. | see LDAP Connector | |
| LDAP Password Authenticator | Legacy - use the “LDAP Connector” instead. Used to verify, change and reset passwords. | see LDAP Connector | |
* Password service features can be used in a limited way without adding extra attributes.
Attributes for IAM LDAP plugins
The following sections contain tables with (custom) attributes (to be) included in the LDAP schema that can be used by the IAM LDAP plugins. They are ordered per category, such as user attributes or password-related attributes.
The tables show for each attribute:
- Name
  Note that the attribute names are configurable. The displayed attribute names are therefore examples.
- Usage
- Type
- Per LDAP plugin: whether the attribute is required by the plugin.