Configure LDAP mappers
After creating an LDAP authentication provider in Access Manager, the system automatically provides a set of built-in mappers for this provider (username, email, first name, and last name). You can create new mappers, update existing ones, or delete them.
Prerequisites
- You have an LDAP/AD authentication provider created in Access Manager. For details, see Configure LDAP/AD as an authentication provider.
Procedure
1. On the left sidebar, click Authentication Providers.
2. Click an LDAP/AD provider.
   The provider’s configuration page opens.
3. Click the Mapper tab.
   The list of automatically created mappers is displayed.
4. (Optional) To edit an existing mapper, click it and modify its definitions as appropriate.
5. To create a new mapper, click Create.
6. Enter a name for the mapper.
7. Select a mapper type.
Mapper types
Use the following table to find the mapper type that suits your needs.
Mapper type – Use this mapper to
User Attribute Mapper
Map an LDAP attribute to an attribute of the Platform user.
For example, you can configure the LDAP attribute mail to be mapped to the attribute email in the Platform database. For this mapper, only one-to-one mapping is supported.
FullName Mapper
Map the full name of the user, which is saved in an LDAP attribute (usually cn), to the firstName and lastName attributes in the Platform database.
In some LDAP deployments it is common for cn to contain the full name of the user.
Group Mapper
Map groups from LDAP to the Platform groups. The group mapper can be used to map LDAP groups from a particular branch of an LDAP tree into groups in the Platform. It can also map user-groups from LDAP to user-groups in the Platform.
Role Mapper
Map a role from LDAP to a Platform role. One role mapper can be used to map LDAP roles (usually groups from a particular branch of an LDAP tree) to the roles of a specified client. If needed, you can configure more role mappers for the same LDAP provider.
Hardcoded Role Mapper
Map a specified Platform role to each Platform user linked with LDAP.
MSAD User Account Mapper
Map the state of the Microsoft Active Directory (MSAD) user account to the Platform account state (for example, account enabled or password is expired). It uses the userAccountControl and pwdLastSet LDAP attributes (both are specific to MSAD and are not LDAP standard).
For example, if pwdLastSet is 0, the Platform user is required to update their password and an UPDATE_PASSWORD required action is added to the user. If userAccountControl is 514 (disabled account), the Platform user is disabled as well.
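The mapping described for the MSAD User Account Mapper, as an added example (not Access Manager's own code) with constructed sample entries. It generalises the 514 case slightly: 514 is 0x202, the NORMAL_ACCOUNT flag (0x200) plus the ACCOUNTDISABLE flag (0x002) of userAccountControl, so the example tests the ACCOUNTDISABLE bit rather than comparing against the whole number, which also catches disabled accounts that carry other flags. The attribute values and the function names are assumptions for illustration.

```python
# Added example: derive the Platform account state from the two MSAD attributes
# the mapper reads. Flag constants are the documented Microsoft userAccountControl
# bit values; the sample entries below are constructed for this example.
ACCOUNTDISABLE = 0x0002   # userAccountControl bit: account is disabled
NORMAL_ACCOUNT = 0x0200   # userAccountControl bit: ordinary user account

# Constructed MSAD user entries, attribute values as strings (as an LDAP client
# returns them). 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
SAMPLE_ENTRIES = {
    "alice": {"userAccountControl": "512", "pwdLastSet": "133000000000000000"},
    "bob":   {"userAccountControl": "514", "pwdLastSet": "133000000000000000"},
    "carol": {"userAccountControl": "512", "pwdLastSet": "0"},
}


def describe_uac(uac: int) -> list:
    """Names of the userAccountControl bits this example knows about."""
    names = []
    if uac & NORMAL_ACCOUNT:
        names.append("NORMAL_ACCOUNT")
    if uac & ACCOUNTDISABLE:
        names.append("ACCOUNTDISABLE")
    return names


def map_msad_account_state(entry: dict) -> dict:
    """Return the Platform-side state for one MSAD entry.

    A missing attribute is treated as "no information": the account stays
    enabled and no required action is added.
    """
    uac = int(entry.get("userAccountControl", "0"))
    pwd_last_set = entry.get("pwdLastSet")

    required_actions = []
    # pwdLastSet == 0 means the password must be changed at next logon.
    if pwd_last_set is not None and int(pwd_last_set) == 0:
        required_actions.append("UPDATE_PASSWORD")

    return {
        "enabled": not (uac & ACCOUNTDISABLE),
        "requiredActions": required_actions,
        "uacFlags": describe_uac(uac),
    }


if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        print(name, map_msad_account_state(entry))
```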
Depending on the mapper type, different settings are required. The following tables contain setting details for the main mapper types.
User Attribute Mapper
Use the following table to find details on the fields needed for the user attribute mapper.
Item – Use this item to
User Model Attribute
Specify a name of the UserModel attribute to which you map the LDAP attribute.
For example, firstName, lastName, email, street, and so on.
LDAP Attribute
Specify the name of the mapped attribute on the LDAP object.
For example, cn, mail, email, street, and so on.
Always Read Value From LDAP
Select whether the value is always read from LDAP.
If ON, the attribute value read from LDAP is used instead of the value stored in the Platform database.
Group Attribute Mapper
Use the following table to find details on the fields needed for the group attribute mapper.
Item – Use this item to
LDAP Groups DN
Specify the DN of the LDAP groups on the server.
For example, ou=groups,dc=example,dc=org.
Group Name LDAP Attribute
Specify the name of the LDAP attribute that is used in group objects for the name and the RDN of the group. Usually, it is cn. In this case, the DN of a typical group object looks like cn=Group1,ou=groups,dc=example,dc=org.
Group Object Classes
Specify the object classes of the LDAP group object, separated by commas.
Typical values:
- groupOfNames for LDAP
- group for Active Directory
Preserve Group Inheritance
Specify whether group inheritance from LDAP is preserved in the Platform:
- OFF – All LDAP groups are mapped as flat top-level groups in the Platform.
- ON – Group inheritance is preserved in the Platform, but the group sync might fail if the LDAP structure contains recursions or a child group with multiple parent groups.
Membership LDAP Attribute
Specify the name of the LDAP attribute on the group object that is used for the membership mappings. The typical value is member. If the next field, Membership Attribute Type, is set to UID, the name is usually memberUid.
Membership Attribute Type
Select the membership attribute type:
- DN – The group members are declared as full DNs.
  For example, member: uid=john,ou=users,dc=example,dc=com.
- UID – The group members are declared as user uids.
  For example, memberUid: john.
Membership User LDAP Attribute
If the previous field, Membership Attribute Type, is set to UID, specify the name of the LDAP attribute on the user object that is used for membership mappings. Usually, it is uid.
For example, if you enter uid and the LDAP group has memberUid: john, then the corresponding LDAP user should have an attribute uid: john.
LDAP Filter
Specify an additional custom filter for the query for retrieving LDAP groups. The filter must be entered in parentheses “()”.
If you want to import all groups, leave this field empty.
User Groups Retrieve Strategy
Select how to retrieve user groups:
- LOAD_GROUPS_BY_MEMBER_ATTRIBUTE – Load all the groups of a user where this user is member.
- GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE – Load the groups of a user based on the memberOf attribute of the user.
- LOAD_GROUPS_BY_MEMBER_ATTRIBUTE_RECURSIVELY – Active Directory only: load the groups of a user recursively by using the LDAP_MATCHING_RULE_IN_CHAIN extension.
Mapped Group Attributes
Specify the names of the attributes of an LDAP group (separated by commas) that are mapped as attributes of a group in the Platform.
Leave this field empty if no additional attributes are required to be mapped in the Platform.
Drop non-existing groups during sync
Select which groups should be kept during the sync from LDAP to the Platform:
- ON – Keep only those Platform groups that still exist in LDAP and delete the rest.
- OFF – Keep all the groups in the Platform.
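How the group mapper settings above fit together, as an added example that is not Access Manager's own code: it resolves a user's direct groups with LOAD_GROUPS_BY_MEMBER_ATTRIBUTE for both Membership Attribute Types (DN against member, UID against memberUid), checks the parenthesis rule for the LDAP Filter field, builds the parent/child tree for Preserve Group Inheritance and aborts on the recursion case the setting warns about, and applies Drop non-existing groups during sync. The directory entries, group names and function names are constructed for the example.

```python
# Added example: group resolution driven by the group mapper settings.
# All directory data is constructed inline; nothing is queried from a server.
from typing import Dict, List, Optional, Set

GROUPS_DN = "ou=groups,dc=example,dc=org"   # "LDAP Groups DN" setting
GROUP_NAME_ATTR = "cn"                      # "Group Name LDAP Attribute" setting

# Constructed sample groups: DN -> attributes (each value is a list, as an LDAP
# client returns it). "engineering" lists the group "backend" as a member.
LDAP_GROUPS: Dict[str, Dict[str, List[str]]] = {
    "cn=engineering," + GROUPS_DN: {
        "objectClass": ["groupOfNames"], "cn": ["engineering"],
        "member": ["cn=backend," + GROUPS_DN, "uid=alice,ou=users,dc=example,dc=org"],
    },
    "cn=backend," + GROUPS_DN: {
        "objectClass": ["groupOfNames"], "cn": ["backend"],
        "member": ["uid=bob,ou=users,dc=example,dc=org"],
    },
    "cn=legacy," + GROUPS_DN: {
        "objectClass": ["posixGroup"], "cn": ["legacy"],
        "memberUid": ["bob"],            # UID-style membership
    },
}

# Second constructed directory: "backend" also lists "engineering" as a member,
# i.e. the recursion that Preserve Group Inheritance = ON cannot handle.
LDAP_GROUPS_CYCLIC = {dn: {k: list(v) for k, v in a.items()} for dn, a in LDAP_GROUPS.items()}
LDAP_GROUPS_CYCLIC["cn=backend," + GROUPS_DN]["member"].append("cn=engineering," + GROUPS_DN)


def check_ldap_filter(ldap_filter: str) -> bool:
    """LDAP Filter rule: empty imports all groups, otherwise it must be in ()."""
    f = ldap_filter.strip()
    return f == "" or (f.startswith("(") and f.endswith(")"))


def group_name(groups: Dict[str, Dict[str, List[str]]], dn: str) -> str:
    return groups[dn][GROUP_NAME_ATTR][0]


def direct_groups(groups, user_dn: str, user_uid: str,
                  membership_attr: str, attr_type: str) -> Set[str]:
    """LOAD_GROUPS_BY_MEMBER_ATTRIBUTE: groups whose membership attribute names
    the user. With DN the user's DN is compared (case-insensitively); with UID
    the user's "Membership User LDAP Attribute" value (user_uid) is compared."""
    if attr_type not in ("DN", "UID"):
        raise ValueError("Membership Attribute Type must be DN or UID")
    needle = user_dn.lower() if attr_type == "DN" else user_uid
    found = set()
    for dn, attrs in groups.items():
        values = attrs.get(membership_attr, [])
        if attr_type == "DN":
            values = [v.lower() for v in values]
        if needle in values:
            found.add(group_name(groups, dn))
    return found


def group_tree(groups, preserve_inheritance: bool) -> Dict[str, Optional[str]]:
    """Map each group name to its parent name (None = top level).
    OFF: every group is a flat top-level group. ON: a group listed in another
    group's member attribute becomes its child; a child with two parents or a
    recursion aborts the sync, as the setting warns."""
    parents: Dict[str, Optional[str]] = {group_name(groups, dn): None for dn in groups}
    if not preserve_inheritance:
        return parents
    for dn, attrs in groups.items():
        for member in attrs.get("member", []):
            if member in groups:                  # member is itself a group
                child = group_name(groups, member)
                if parents[child] is not None:
                    raise ValueError(f"group {child} has multiple parents")
                parents[child] = group_name(groups, dn)
    for start in parents:                         # walk up; a revisit is a cycle
        seen, node = set(), start
        while node is not None:
            if node in seen:
                raise ValueError(f"recursion detected through group {node}")
            seen.add(node)
            node = parents[node]
    return parents


def sync_platform_groups(platform_groups: Set[str], ldap_groups: Set[str],
                         drop_non_existing: bool) -> Set[str]:
    """Drop non-existing groups during sync: ON keeps only groups still present
    in LDAP; OFF keeps every existing Platform group and adds the LDAP ones."""
    return set(ldap_groups) if drop_non_existing else platform_groups | ldap_groups


if __name__ == "__main__":
    bob = "uid=bob,ou=users,dc=example,dc=org"
    print(direct_groups(LDAP_GROUPS, bob, "bob", "member", "DN"))
    print(direct_groups(LDAP_GROUPS, bob, "bob", "memberUid", "UID"))
    print(group_tree(LDAP_GROUPS, True))
```

Note that the walk-up check rejects the cyclic directory but accepts nested groups of any depth, which is the same distinction the Preserve Group Inheritance setting draws; with the setting OFF the tree is returned flat without any check, because recursion cannot arise there.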
Save your changes.