RSA AM 8.4 Identity Source - LDAP query/fetch

Discussion created by Dana Burton on Dec 17, 2020
Latest reply on Dec 17, 2020 by Jay Guillette

Like • Show 0 Likes0
Comment • 2

The question is when does RSA AM does the LDAP query/fetch to an Windows AD identity source? and is it a preset interval

Outcomes

2 Replies

Jay Guillette Dec 17, 2020 5:38 PM
AM looks to AD in real time.
The AM Operations Console configures External LDAP Identity Sources, up to 29 of them, each of which point to a User and a Group Base DN. A top level scope would see every UserID in a Domain, and possibly every item in AD. However it is scoped, when an AM Admin uses the Security console it is searching LDAP whenever it is displaying UserIDs from an external Identity Source.
When a user from AD authenticates to AM, AM looks up that user in real time. If the user does not exist in AD or the internal database you would see a logon failure due to 'failed to resolve user'. However if your connection from AM to AD breaks (you should configure a failover URL to another Domain Controller) every UserID in that Identity Source will fail with 'failed to resolve user'.

For sites with 10s of thousands of users, or more, it could be beneficial to configure a Global Catalog connection in addition to your Administrative Identity Source. GCs are used just for Authentication user lookups, not Admin work in the Security Console.
Like • Show 1 Like1
Actions
- Jay Guillette @ Jay Guillette on Dec 17, 2020 5:41 PM
  There is a PowerPoint overview of LDAP external Identity Sources, which you can download from the following Knowledge Base article
  000033238 - How to create an external LDAP identity source in RSA Authentication Manager 8.1 SP1 or later
  I can't attach files here, otherwise I would have.
  Like • Show 0 Likes0
  Actions

RSA AM 8.4 Identity Source - LDAP query/fetch

Outcomes

Related Content

Recommended Content