Integrate LDAP for HID CMS

This tutorial guides you through the process of integrating LDAP directory service for HID CMS with the Unifyia platform to leverage centralized user and identity management.

Integrating a directory for an external CMS such as HID CMS enables seamless synchronization between actions performed on a user's identity in the external Credential Management System (CMS) and the Unifyia platform. This integration ensures that any updates, such as user profile changes, role assignments, and identity lifecycle events, are accurately reflected across both systems through user federation. By using federation, user data is managed efficiently, providing a unified identity experience. This gives precise control over identities and credentials throughout their lifecycle, balancing security, consistency, usability, and compliance across both systems.

Prerequisites

  • An LDAP v3 compliant directory services server.
  • Inbound network access through the firewall to the LDAP server.
  • The external IP address or fully-qualified domain name of the LDAP server.
  • For multiple domains, network access for each domain controller.
  • An LDAP user to perform binds and queries from the platform to your LDAP directory. This user must be able to look up users, groups, and user attributes in the Directory Information Tree (DIT).
  • Read/write on-demand access to the LDAP account of your choice.
  • HID CMS must be configured.

Integration Steps

This section details the exact parameters required to set up a new LDAP configuration for integration with HID CMS. Follow these steps:

  1. Log in to the Unifyia platform with administrator credentials.
  2. Navigate to Integrations > Data Sources > Directory.
  3. Select + Add New Directory and choose LDAP. You will find two tabs: Directory Settings and Mappers.
  4. Under the Directory Settings tab, you will find three sections: Connection and Authentication Settings, LDAP Searching and Updating Settings, and Synchronization Settings. Provide all the relevant details as explained below to complete the configuration.
  5. Name: Enter a display name for the LDAP provider.
  6. Vendor: Select Active Directory.
  7. In the Connection and Authentication Settings section, provide the following information:
    1. Connection URL: Enter the LDAP Connection URL of the directory service you want to access. The format is ldaps://server_IP_address:port or ldaps://hostname:port. For example, ldaps://34.237.137.227:636 or ldaps://utopia-test.utopia.net:636.
    2. Use Truststore SPI: Choose the option Only for LDAPs.
    3. Connection Timeout: Specify the value in milliseconds; the recommended minimum is 120000. This value determines the maximum time the LDAP client waits to establish a connection with the LDAP server.
    4. Select Test Connection to check if you can connect to the directory.
    5. Bind Type: Select Simple.
    6. Bind DN: Enter the Distinguished Name (DN) of a user or service account within the directory, for example the LDAP administrator account.
    7. Bind Credentials: Enter the password corresponding to the user or service account mentioned in the Bind DN.
    8. Select Test Authentication to check if you can authenticate to the directory.
  8. In the LDAP Searching and Updating section, enter the following information to define the settings for searching and updating the LDAP directory.
    1. Edit Mode: Choose Writable.
    2. Users DN: Provide the distinguished name of the users container in the directory. For example, ou=people,dc=utopia,dc=net.
    3. Username LDAP Attribute: Enter sAMAccountName.
    4. RDN LDAP Attribute: Keep the default value (cn).
    5. UUID LDAP Attribute: Keep the default value (objectGUID).
    6. User Object Classes: Keep the default values: person, organizationalPerson, user.
    7. Search Scope: Choose subtree.
  9. In the Synchronization Settings section, enter the following information to configure how LDAP users are imported and how often user data is synchronized between LDAP and the Unifyia platform:
    1. Import Users: Enable this option.
    2. Sync Registrations: Enable this option.
  10. Select Add to save the configuration.

The next step is to configure the required LDAP mappers. Once you have completed the Directory Settings, you will find a set of predefined mappers under the Mappers tab. The predefined mappers must not be deleted; however, you can edit them.

Mappers

  1. If you need to add additional mappers, select + Add Mapper, provide a name for the mapper, define the required mapper attributes, and select Save to save the mapper configuration.
  2. If you need to edit an existing mapper, select the Edit icon, edit the parameters as required, and select Update to save the mapper configuration. You cannot edit the name or the mapper type. The following sections list the predefined mappers that must be edited to enable integration with HID CMS and the mappers that must be newly created.

Edit Predefined Mappers

Edit the following predefined mappers:

Edit Predefined Mappers for HID CMS

Mapper Name: first name
Predefined Mapper Attributes:
  • Always Read Value From LDAP: Disable this option.

Mapper Name: last name
Predefined Mapper Attributes:
  • Always Read Value From LDAP: Disable this option.

Add New Mappers

Below is the list of mappers to add in the Unifyia platform; set their values as per your organization's requirements.

Additional Mappers for HID CMS

Mapper Name: displayName
Mapper Attributes:
  • Name: Enter name as Display Name.
  • Mapper Type: Select mapper type as user-attribute-ldap-mapper.
  • User Model Attribute: Enter value as firstName.
  • LDAP Attribute: Enter value as displayName.
  • Is Mandatory in LDAP: Enable this option.

Mapper Name: username-cn
Mapper Attributes:
  • Name: Enter name as username-cn.
  • Mapper Type: Select mapper type as user-attribute-ldap-mapper.
  • User Model Attribute: Enter value as username.
  • LDAP Attribute: Enter value as cn.
  • Is Mandatory in LDAP: Enable this option.

Mapper Name: userPrincipleName
Mapper Attributes:
  • Name: Enter name as userPrincipleName.
  • Mapper Type: Select mapper type as user-attribute-ldap-mapper.
  • User Model Attribute: Enter value as
  • LDAP Attribute: Enter value as userPrincipleName.
  • Always Read Value From LDAP: Enable this option.
  • Force a Default Value: Enable this option.

Mapper Name: pwdLastSet
Mapper Attributes:
  • Name: Enter name as pwdLastSet.
  • Mapper Type: Select mapper type as user-attribute-ldap-mapper.
  • User Model Attribute: Enter value as pwdLastSet.
  • LDAP Attribute: Enter value as pwdLastSet.
  • Is Mandatory in LDAP: Enable this option.
  • Force a Default Value: Enable this option.
  • Attribute Default Value: Enter the value as -1.

Mapper Name: userAccountControl
Mapper Attributes:
  • Name: Enter name as userAccountControl.
  • Mapper Type: Select mapper type as user-attribute-ldap-mapper.
  • User Model Attribute: Enter value as userAccountControl.
  • LDAP Attribute: Enter value as userAccountControl.
  • Is Mandatory in LDAP: Enable this option.
  • Force a Default Value: Enable this option.
  • Attribute Default Value: Enter the value as 544.

Mapper Name: jpegPhoto
Mapper Attributes:
  • Name: Enter name as jpegPhoto.
  • Mapper Type: Select mapper type as user-attribute-ldap-mapper.
  • User Model Attribute: Enter value as jpegPhoto.
  • LDAP Attribute: Enter value as jpegPhoto.
  • Always Read Value From LDAP: Enable this option.
  • Is Binary Attribute: Enable this option.
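As an added check (example code, not part of the Unifyia or HID documentation), the following Python decodes the userAccountControl default 544 and the pwdLastSet default -1 set by the mappers above, and validates the Connection URL format and the user lookup implied by the User Object Classes and Username LDAP Attribute settings from the Directory Settings steps. The flag names are the standard Active Directory userAccountControl bits; the hostname is the tutorial's own sample host.

```python
"""Checks for the LDAP values the HID CMS tutorial asks for (added example,
not Unifyia or HID code; flag names are standard AD userAccountControl bits)."""
from urllib.parse import urlsplit

# Values from the tutorial; the hostname is the tutorial's sample host.
CONNECTION_URL = "ldaps://utopia-test.utopia.net:636"
USER_OBJECT_CLASSES = ["person", "organizationalPerson", "user"]
USERNAME_ATTRIBUTE = "sAMAccountName"

# Active Directory userAccountControl bit flags (subset of the standard set)
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD",
             0x0040: "PASSWD_CANT_CHANGE", 0x0200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD"}

def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value (544 -> normal
    account, password not required: the user is created without a password)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def describe_pwd_last_set(value: int) -> str:
    """Meaning of the pwdLastSet sentinel values AD accepts on write."""
    if value == -1:
        return "password treated as set now; not expired"
    if value == 0:
        return "user must change password at next logon"
    return "FILETIME of the last password change"

def check_connection_url(url: str) -> list:
    """Problems with a Connection URL; empty means it matches ldaps://host:port."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "ldaps":
        problems.append(f"scheme {parts.scheme!r}; tutorial requires ldaps (TLS)")
    if not parts.hostname:
        problems.append("hostname or IP address missing")
    if parts.port is None:
        problems.append("explicit port missing (636 for LDAPS)")
    return problems

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot change the filter's meaning."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def build_user_filter(username: str) -> str:
    """Filter equivalent to the User Object Classes + Username LDAP Attribute
    settings, i.e. what a user lookup under the Users DN resolves."""
    classes = "".join(f"(objectClass={c})" for c in USER_OBJECT_CLASSES)
    return f"(&{classes}({USERNAME_ATTRIBUTE}={escape_filter_value(username)}))"
```

Note that 544 leaves the created account enabled with PASSWD_NOTREQD set, so the account relies on HID CMS to supply a credential before it is usable; review that against your password policy.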

You have configured the LDAP directory for HID CMS.