Identity Source Properties

You specify identity source properties when you add or edit an identity source. The Operations Console organizes the identity source properties in categories.

Identity Source Basics

Identity Source Name. Unique name for the identity source. This name is displayed in the Security Console to identify the identity source.

Type. The type of identity source. For example, an LDAP identity source type can be Microsoft Active Directory, Microsoft Active Directory Lightweight Directory Services, Oracle Directory Server, Sun Java System Directory Server, or OpenLDAP. After an identity source is added to the deployment, you cannot change the identity source type. For the supported list of identity sources, see View the Identity Sources in Your Deployment.

Notes. You can use up to 255 characters of text to add a note about the identity source.

Directory Connection - Primary and Replica

Directory URL. The LDAP URL of the directory server for the identity source. If you use the standard LDAP-over-SSL port 636, specify the value as ldaps://hostname/. For all other ports, you must include the port number, for example, ldaps://hostname:port/.

Note: An SSL connection (an ldaps:// URL) is required for password management.

For Active Directory, the Global Catalog can have the same directory URL as another identity source that is not a Global Catalog.

Directory Failover URL. (Optional) The failover directory server is used if the connection with the primary directory server fails. The failover directory server must be a mirror of the primary directory server.

If you want to permit users to change their passwords during authentication, the LDAP directory administrator account must have write privilege for user records in the identity source. If you do not permit password changes, the directory account does not need write privileges, so use a read-only account.

Directory User ID. The LDAP directory administrator's User ID.

For example, you might enter cn=Administrator,cn=Users,dc=domain,dc=com or Administrator@domain.com.

Directory Password. The LDAP directory administrator's password.

Make sure that this password is kept up-to-date. If the password expires, or is changed in the directory without being updated here, the connection fails.

Directory Settings

Use directory settings to narrow the scope of an identity source so that only a subset of the identity source is used. For more information, see "Identity Source Scope" in the RSA Authentication Manager Administrator's Guide.

If you narrow the scope of an identity source, you must schedule a cleanup job to remove references to unresolvable users and user groups from the internal database. For more information, see Schedule a Cleanup Job.

User Base DN. The base DN for directory user definitions. For example, for Active Directory, you might enter cn=Users, dc=domain, dc=com.

User Group Base DN. The base DN for directory user group definitions. For example, for Active Directory, you might enter ou=Groups, dc=domain, dc=com.

It is important to follow these practices:

  • Do not configure multiple identity sources with overlapping scope. If you have multiple identity sources that point to the same User Base DN or User Group Base DN, ensure that the User Search Filter and User Group Search Filter are configured so that each user and user group appears only in one identity source. Improper configuration may result in unresolvable users and authentication problems.

  • If an attribute value contains a comma or an equal sign, you must escape these characters with a backslash. For example, if the attribute ou has the value A=B, Inc, you must write it as ou=A\=B\, Inc. If you do not escape these characters in an attribute value, the connection to the identity source fails. This applies only to commas or equal signs that are part of an attribute value. Do not escape the commas that separate the components of a distinguished name, for example, cn=Joe Smith, ou=Sales, or the equal sign between an attribute name and its value, for example, ou=Sales.

  • The default organizational unit “Groups” does not exist in the default Active Directory installation. Make sure you specify a valid container for the User Group Base DN.
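As an added example (not from the RSA documentation), the following Python code escapes attribute values the way the escaping practice above requires and splits a DN back into its components, so you can check a User Base DN or User Group Base DN before entering it. The escaping follows RFC 4514 (comma, plus, quote, backslash, angle brackets, semicolon, a leading '#', and leading or trailing spaces) and additionally escapes '=' inside a value, as the console requires. The helper names and the sample DNs are assumptions for illustration.

```python
# Added example: escape DN attribute values and split a DN into components.
# Not part of the RSA documentation; helper names and sample DNs are illustrative.

SPECIAL_CHARS = set(',+"\\<>;=')   # RFC 4514 specials plus '=' as the console requires


def escape_rdn_value(value: str) -> str:
    """Backslash-escape a single attribute value for use in a DN component."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL_CHARS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                  # leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing spaces are significant
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Join (attribute, value) pairs into a DN, escaping only the values.

    The separating commas and the '=' between attribute name and value are
    structural and must not be escaped.
    """
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def split_dn(dn: str):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.

    Unescaped whitespace after a separating comma (as in "cn=Users, dc=domain")
    is dropped; escaped characters are kept literally in the value.
    """
    rdns, attr, val, in_value, i = [], [], [], False, 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","   # sentinel closes the last component
        if ch == "\\" and i + 1 < len(dn):
            (val if in_value else attr).append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append(("".join(attr).strip(), "".join(val)))
            attr, val, in_value = [], [], False
        elif ch == "=" and not in_value:
            in_value = True
        else:
            (val if in_value else attr).append(ch)
        i += 1
    return rdns


def is_well_formed(dn: str) -> bool:
    """Every component must have a non-empty attribute name and a non-empty value."""
    return all(attr and val for attr, val in split_dn(dn))


if __name__ == "__main__":
    rdns = [("ou", "A=B, Inc"), ("dc", "domain"), ("dc", "com")]
    dn = build_dn(rdns)
    print(dn)                                               # ou=A\=B\, Inc,dc=domain,dc=com
    print(split_dn(dn) == rdns)                             # True
    print(is_well_formed("ou=A=B, Inc,dc=domain,dc=com"))   # False: the value was not escaped
```

The last call shows what the connection failure described above looks like at the parser level: without escaping, "A=B, Inc" is read as a component ou=A=B followed by a bogus component Inc with no value.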

Search Results Time-out. Limits how long a directory search is allowed to run. If searches for users or groups are timing out on the directory server, either extend this time or narrow the search so that it returns fewer results. For example, instead of Last Name = *, use Last Name = G*.

User Account Enabled State. Specify where RSA Authentication Manager looks for the enabled/disabled state of user accounts.

  • Select Directory to look in the external identity source only.

    If the user account is disabled in the external identity source, the user cannot authenticate. The ability of the user to authenticate is based solely on the User Account Enabled State in the external identity source.

  • Select Directory and Internal Database to look in the internal database in addition to the external identity source.

    The user account must be enabled in both the internal database and the external identity source for the user to authenticate. If the user account is disabled in either the internal database or the external identity source, the user cannot authenticate.

Validate Map Against Schema. Validates identity attribute definition mappings to the directory schema when identity attribute definitions are created or modified.

Note: Do not turn on schema validation for an OpenLDAP directory identity source.

Active Directory Options

Global Catalog. Select this if the identity source is an Active Directory Global Catalog.

User Authentication. Select one of the following as the source for user authentication:

  • Authenticate users to this identity source. Select this option if the identity source is not associated with a Global Catalog. If no Global Catalogs are configured as identity sources, this option is selected automatically.

  • Authenticate users to a global catalog. Select this option if the identity source is associated with a Global Catalog, and select a Global Catalog from the drop-down menu.

Directory Configuration - User Tracking Attributes

User ID. Select one of the following to map the User ID:

  • Maps to. Select this option to map the User ID to a specified attribute.

  • Uses the same mapping as E-mail. Select this option to map the User ID to the e-mail attribute. If you choose this option, the User ID and e-mail fields have the same value. The e-mail attribute must already be defined in the directory.

When you change the User ID mapping, make sure that the new field is unique for all users and does not overlap with the old field. This prevents administrative data from being associated with the wrong user records for some users. For example, if the old mapping has the User ID “jdoe,” the new mapping should not contain the User ID “jdoe.” To ensure a smooth transition from the old User ID mapping to the new, you need to clean up unresolvable users to update the internal user records with the new User IDs. Perform this task immediately after you change the mapping. For more information, see Schedule a Cleanup Job.

Unique Identifier. A unique identifier to help the Security Console find users whose DNs have changed.

The following table lists the recommended default value for the Unique Identifier for each supported LDAP directory identity source.

LDAP Directory Identity Source       Unique Identifier Default Value
Microsoft Active Directory           ObjectGUID
Sun Java System Directory Server     nsUniqueID
Oracle Directory Server              nsUniqueID
OpenLDAP                             entryUUID

You must specify the Unique Identifier before you move or rename LDAP directory users who are viewed or managed through the Security Console. Otherwise, the system creates a duplicate record for the users that you move or rename, and disassociates them from data the system has stored for them.

Enter an attribute from your directory that meets these requirements:

  • The attribute must contain unique data for each user. For example, an employee ID number or badge number that is unique for each user in the deployment.

  • The attribute must contain data for each user. The value cannot be empty.

  • The attribute value cannot change. If the value for a user changes, Authentication Manager cannot track the user. You cannot map any other fields to the attribute that you map to the Unique Identifier.

  • The attribute name can contain up to 64 characters.

  • The attribute value can contain up to 42 characters.

Note: RSA does not recommend using the default value if you are using third-party directory management tools that handle moving users from one DN to another by deleting the users and adding them back to the directory.
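The User ID remapping rules above and the Unique Identifier requirements are both checks you can run against an export of the user entries before changing the configuration. The following Python code is an added example, not part of the RSA documentation: it takes a constructed set of user entries (keyed by DN, with lowercase attribute names, as you might get from an ldapsearch export) and reports values that are missing, empty, over-long, duplicated, or that collide between the old and new User ID attribute. The attribute names and sample values are assumptions; immutability of the Unique Identifier cannot be verified from a snapshot and remains a schema and process question.

```python
# Added example: pre-flight checks before changing the User ID mapping or
# choosing the Unique Identifier. Not from the RSA documentation; the entries
# below are constructed sample data.
from collections import Counter

SAMPLE_USERS = {
    "cn=jdoe,cn=Users,dc=domain,dc=com": {
        "samaccountname": ["jdoe"], "cn": ["jdoe"], "mail": ["jdoe@domain.com"],
        "employeeid": ["10001"], "objectguid": ["3f2504e0-4f89-41d3-9a0c-0305e82c3301"]},
    "cn=Alice Smith,cn=Users,dc=domain,dc=com": {
        "samaccountname": ["asmith"], "cn": ["Alice Smith"], "mail": ["asmith@domain.com"],
        "employeeid": ["10002"], "objectguid": ["3f2504e0-4f89-41d3-9a0c-0305e82c3302"]},
    "cn=Bob Lee,cn=Users,dc=domain,dc=com": {
        "samaccountname": ["blee"], "cn": ["Bob Lee"], "mail": ["blee@domain.com"],
        "employeeid": ["10002"],   # duplicate badge number (constructed defect)
        "objectguid": ["3f2504e0-4f89-41d3-9a0c-0305e82c3303"]},
    "cn=svc-backup,cn=Users,dc=domain,dc=com": {
        "samaccountname": ["svc-backup"], "cn": ["svc-backup"],
        "mail": ["svc-backup@domain.com"],
        # no employeeid: a service account without a badge number (constructed defect)
        "objectguid": ["3f2504e0-4f89-41d3-9a0c-0305e82c3304"]},
}


def _values(entries, attr):
    return {v.lower() for attrs in entries.values() for v in attrs.get(attr, [])}


def check_key_attribute(entries, attr, max_value_len=None):
    """Problems that make `attr` unusable as a per-user key: missing,
    multi-valued, empty, over-long, or shared between users. Comparison is
    case-insensitive, as LDAP matching rules usually are."""
    problems, seen = [], []
    for dn, attrs in entries.items():
        vals = attrs.get(attr, [])
        if len(vals) != 1 or not vals[0].strip():
            problems.append(f"{dn}: {attr} must have exactly one non-empty value, has {vals}")
            continue
        if max_value_len is not None and len(vals[0]) > max_value_len:
            problems.append(f"{dn}: {attr} value exceeds {max_value_len} characters")
        seen.append(vals[0].lower())
    for value, n in Counter(seen).items():
        if n > 1:
            problems.append(f"{attr} value {value!r} is shared by {n} users")
    return problems


def check_user_id_remap(entries, old_attr, new_attr):
    """The new User ID attribute must be unique per user, and none of its
    values may equal any value of the old attribute; otherwise administrative
    data can attach to the wrong user record after the switch."""
    problems = check_key_attribute(entries, new_attr)
    for value in sorted(_values(entries, old_attr) & _values(entries, new_attr)):
        problems.append(f"User ID {value!r} exists under both {old_attr} and {new_attr}")
    return problems


def check_unique_identifier(entries, attr):
    """Unique Identifier limits: name up to 64 characters, value up to 42,
    present and unique for every user."""
    problems = []
    if len(attr) > 64:
        problems.append(f"attribute name {attr!r} is longer than 64 characters")
    return problems + check_key_attribute(entries, attr, max_value_len=42)


if __name__ == "__main__":
    print(check_user_id_remap(SAMPLE_USERS, "samaccountname", "mail"))   # []
    print(check_user_id_remap(SAMPLE_USERS, "samaccountname", "cn"))     # two collisions
    print(check_unique_identifier(SAMPLE_USERS, "employeeid"))           # missing + duplicate
    print(check_unique_identifier(SAMPLE_USERS, "objectguid"))           # []
```

Run the remap check with the current and the intended User ID attribute, fix every reported entry in the directory, and only then change the mapping and schedule the cleanup job.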

Directory Configuration - Users

First Name. The directory attribute that maps to the first name attribute. By default, First Name maps to “givenName.”

Middle Name. The directory attribute that maps to the middle name attribute. By default, Middle Name maps to “initials.”

Last Name. The directory attribute that maps to the last name attribute. By default, Last Name maps to “sn.”

E-mail. The directory attribute that maps to the e-mail attribute. By default, E-mail maps to “mail.”

Certificate DN. Reserved for future use. By default, it is mapped to “comment.” Do not map Certificate DN to critical fields, such as “cn” or “sAMAccountName.”

Password. The directory attribute that maps to the password attribute. By default, Password maps to “unicodePwd.”

Search Filter. The filter that specifies how user entries are distinguished in the LDAP directory, such as a filter on the user object class. Any valid LDAP filter for user entries is allowed, for example, (objectclass=inetOrgPerson).

Search Scope. The scope of user searches in the LDAP tree.

Object Classes. The object class of users in the identity source that are managed using the Security Console, for example, user,organizationalPerson,person.

Directory Configuration - User Groups

User Group Name. The directory attribute that maps to the user group name attribute. For example, the User Group Name might map to cn.

Search Filter. An LDAP filter that returns only group entries, such as a filter on the user group object class, for example, (objectclass=group).

Search Scope. The scope of user group searches in the LDAP tree.

Object Classes. The object class of user groups that are created or updated using the Security Console.
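The practice of not configuring identity sources with overlapping scope (under Directory Settings above) comes down to how the User Base DN, Search Scope and Search Filter combine. The following Python code is an added example, not part of the RSA documentation: it evaluates two identity-source scopes against a constructed set of directory entries and lists every user that would resolve in more than one source, first with two sources that share a base and filter, then with complementary filters that partition the users. The filter parser covers the subset of RFC 4515 these settings normally use, (attr=value) with '*' wildcards, presence (attr=*), and &, |, !; the source definitions, attribute names and sample DNs (which contain no escaped commas) are assumptions.

```python
# Added example: detect overlapping identity-source scope. Not from the RSA
# documentation; entries and source definitions are constructed sample data.
import re

SAMPLE_ENTRIES = {
    "cn=jdoe,cn=Users,dc=domain,dc=com": {
        "objectclass": ["user", "organizationalPerson", "person"], "department": ["Sales"]},
    "cn=asmith,cn=Users,dc=domain,dc=com": {
        "objectclass": ["user", "organizationalPerson", "person"], "department": ["Engineering"]},
    "cn=svc-backup,ou=Service,cn=Users,dc=domain,dc=com": {       # nested, no department
        "objectclass": ["user", "organizationalPerson", "person"]},
    "cn=Sales Team,ou=Groups,dc=domain,dc=com": {"objectclass": ["group"]},
}


def parse_filter(text):
    """Parse a filter into a tree of ('=', attr, pattern) or (op, [children])."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if text[i] in "&|!":
            op, kids, i = text[i], [], i + 1
            while text[i] != ")":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), i + 1
        j = text.index(")", i)                     # simple assertion; no ')' inside values
        attr, _, pattern = text[i:j].partition("=")
        return ("=", attr.strip().lower(), pattern), j + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _glob_match(pattern, value):
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def matches(node, attrs):
    if node[0] == "=":
        _, attr, pattern = node
        return any(_glob_match(pattern, v) for v in attrs.get(attr, []))
    op, kids = node
    if op == "&":
        return all(matches(k, attrs) for k in kids)
    if op == "|":
        return any(matches(k, attrs) for k in kids)
    return not matches(kids[0], attrs)             # '!'


def _norm(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()


def in_scope(dn, base_dn, scope):
    """'subtree': anywhere below the base; 'onelevel': immediate children only."""
    dn, base = _norm(dn), _norm(base_dn)
    if not dn.endswith("," + base):
        return False
    return scope == "subtree" or "," not in dn[: -len(base) - 1]


def resolve(source, entries):
    """DNs the identity source would see: in scope and matching its filter."""
    node = parse_filter(source["filter"])
    return {dn for dn, attrs in entries.items()
            if in_scope(dn, source["base_dn"], source["scope"]) and matches(node, attrs)}


def find_overlaps(sources, entries):
    """Map each DN claimed by more than one source to the names of those sources."""
    owners = {}
    for src in sources:
        for dn in resolve(src, entries):
            owners.setdefault(dn, []).append(src["name"])
    return {dn: names for dn, names in owners.items() if len(names) > 1}


BASE = "cn=Users,dc=domain,dc=com"
# Same base, same filter: every user resolves in both sources.
OVERLAPPING = [
    {"name": "source-a", "base_dn": BASE, "scope": "subtree", "filter": "(objectclass=user)"},
    {"name": "source-b", "base_dn": BASE, "scope": "subtree", "filter": "(objectclass=user)"},
]
# Same base, complementary filters: the users are partitioned between the sources.
DISJOINT = [
    {"name": "sales-users", "base_dn": BASE, "scope": "subtree",
     "filter": "(&(objectclass=user)(department=Sales))"},
    {"name": "other-users", "base_dn": BASE, "scope": "subtree",
     "filter": "(&(objectclass=user)(!(department=Sales)))"},
]

if __name__ == "__main__":
    print(find_overlaps(OVERLAPPING, SAMPLE_ENTRIES))   # three users, each under both sources
    print(find_overlaps(DISJOINT, SAMPLE_ENTRIES))      # {}
```

Note that the negated filter in the second pair also claims svc-backup, which has no department at all; a partition built on a single attribute only works if every user in scope carries that attribute.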

Membership Attribute. The attribute that contains the DNs of all the users and user groups that are members of a user group.

Use MemberOf Attribute. Enables the system to resolve membership queries by using the value specified for the MemberOf attribute.

Note: For an OpenLDAP directory identity source, do not select Use MemberOf Attribute.

MemberOf Attribute. The attribute of users and user groups that contains the DNs of the user groups to which they belong.
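The Membership Attribute and the MemberOf Attribute describe the same relationship from opposite ends, and enabling Use MemberOf Attribute switches which end is trusted. The following Python code is an added example, not part of the RSA documentation: over a constructed directory it expands a group through the forward attribute (member), including nested groups and a membership cycle, then compares the direct members with what the reverse attribute (memberOf) reports and flags the disagreements. Attribute names follow Active Directory defaults; the group, user and directory contents are assumptions.

```python
# Added example: cross-check forward (member) and reverse (memberOf) group
# membership. Not from the RSA documentation; the directory is constructed data.

SALES_TEAM = "cn=Sales Team,ou=Groups,dc=domain,dc=com"
SALES_LEADS = "cn=Sales Leads,ou=Groups,dc=domain,dc=com"
JDOE = "cn=jdoe,cn=Users,dc=domain,dc=com"
ASMITH = "cn=asmith,cn=Users,dc=domain,dc=com"
BLEE = "cn=blee,cn=Users,dc=domain,dc=com"

SAMPLE_DIRECTORY = {
    SALES_TEAM: {"objectclass": ["group"], "member": [JDOE, SALES_LEADS]},
    # Nested group that also refers back to its parent: a membership cycle.
    SALES_LEADS: {"objectclass": ["group"], "member": [ASMITH, SALES_TEAM]},
    JDOE: {"objectclass": ["user"], "memberof": [SALES_TEAM]},
    ASMITH: {"objectclass": ["user"], "memberof": [SALES_LEADS]},
    # Stale reverse link (constructed defect): blee's memberOf names Sales Team,
    # but the group's member attribute does not list blee.
    BLEE: {"objectclass": ["user"], "memberof": [SALES_TEAM]},
}


def is_group(directory, dn):
    return "group" in directory.get(dn, {}).get("objectclass", [])


def direct_user_members(directory, group_dn, membership_attr="member"):
    """Users listed directly in the group's forward membership attribute."""
    return {dn for dn in directory.get(group_dn, {}).get(membership_attr, [])
            if not is_group(directory, dn)}


def expand_members(directory, group_dn, membership_attr="member"):
    """All users reachable through nested groups via the forward attribute; cycle-safe."""
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for dn in directory.get(group, {}).get(membership_attr, []):
            if is_group(directory, dn):
                stack.append(dn)
            else:
                users.add(dn)
    return users


def members_via_memberof(directory, group_dn, memberof_attr="memberof"):
    """Users whose reverse attribute names the group (direct membership only)."""
    return {dn for dn, attrs in directory.items()
            if not is_group(directory, dn) and group_dn in attrs.get(memberof_attr, [])}


def membership_discrepancies(directory, group_dn):
    """Direct members seen only from one side of the relationship."""
    forward = direct_user_members(directory, group_dn)
    reverse = members_via_memberof(directory, group_dn)
    return {"missing_memberof": forward - reverse, "stale_memberof": reverse - forward}


if __name__ == "__main__":
    print(sorted(expand_members(SAMPLE_DIRECTORY, SALES_TEAM)))      # jdoe and asmith
    print(membership_discrepancies(SAMPLE_DIRECTORY, SALES_TEAM))   # blee is stale
```

A non-empty result from the discrepancy check means the two resolution methods give different group membership, and therefore different access decisions, for the affected users; resolve it in the directory before enabling Use MemberOf Attribute.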