3.1 Planning Considerations

The LDAP Driver for Identity Manager works with most LDAP v3 compatible LDAP servers. The driver is written to the RFC 2251 specification for LDAP. For information on compatibility issues, see Section 5.3, LDAP v3 Compatibility.

3.1.1 Where to Install the LDAP Driver

An Identity Manager driver can be installed on the same computer where an Identity Vault and the Metadirectory engine are installed. This installation is referred to as a local configuration.

In a local configuration, you install the LDAP driver on the computer where an Identity Vault and the Metadirectory engine are installed, as shown in the following figure:

Figure 3-1 A Local Configuration

If platform or policy constraints make a local configuration difficult, an Identity Manager driver can be installed on the computer hosting the target application. This installation is referred to as a remote configuration.

Although it is possible to install the LDAP driver in a remote configuration, it provides little additional flexibility because of the following:

  • The driver can run on any Identity Vault platform.

  • The driver communicates with the LDAP server on any platform across the wire via the LDAP protocol.

3.1.2 Upgrading to Identity Manager 3

During an Identity Manager installation, you can install the Driver for LDAP (along with other Identity Manager drivers) at the same time that the Metadirectory engine is installed. See the Identity Manager 3.0.1 Installation Guide. You can upgrade from DirXML 1.1a or Identity Manager 2 to Identity Manager 3.

3.1.3 Information to Gather

During installation and setup, you are prompted for information such as the following:

  • Whether to use the Flat or Mirror option for synchronizing hierarchical structure. See Policies.

  • The Identity Vault and LDAP directory containers that you want to hold synchronized objects.

  • The Identity Vault User object to assign as a security equivalent for the driver and the objects to exclude from synchronization.

  • The LDAP object and password used to provide driver access to the LDAP directory.

See the table in Importing the Sample Driver Configuration File.

3.1.4 Assumptions about the LDAP Data Source

If you are using the Publisher channel to send data to an Identity Vault about changes in the LDAP directory, you must understand the two methods that the driver uses to publish data:

  • The changelog method

    The change log is a mechanism provided by some LDAP directories that records the changes made to them. When it is available, the driver reads it to obtain LDAP event information, and this is the preferred method.

  • The LDAP-search method

    This method enables the LDAP driver to publish data to an Identity Vault from LDAP servers that don't provide a change log, by searching the directory for changes instead.
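The following added example (not code from the Identity Manager driver itself) models the two publication methods side by side so the planning trade-off is concrete. The change-log records use the attribute names from the LDAP changelog Internet-Draft (changeNumber, targetDN, changeType, changes), which the page does not mention and which are assumed here; all records and snapshots are constructed sample data, not output from a real server.

```python
"""Two ways a publisher can learn about changes in an LDAP directory:
(1) read a change log, (2) poll with an LDAP search and diff snapshots.
Added example; every record below is constructed sample data."""
from typing import Dict, List, Tuple

# Change-log records as a change-log-capable directory might expose them.
# Attribute names follow the LDAP changelog Internet-Draft (an assumption);
# the values are constructed.
CHANGELOG_ENTRIES = [
    {"changeNumber": "101", "targetDN": "cn=alice,ou=people,o=example",
     "changeType": "add",
     "changes": "objectClass: inetOrgPerson\ncn: alice\nmail: alice@example.test"},
    {"changeNumber": "102", "targetDN": "cn=bob,ou=people,o=example",
     "changeType": "modify",
     "changes": "replace: mail\nmail: bob@example.test\n-"},
    {"changeNumber": "103", "targetDN": "cn=carol,ou=people,o=example",
     "changeType": "delete", "changes": ""},
]

# Constructed snapshots of the same search base on two successive polling
# cycles, keyed by DN. modifyTimestamp is GeneralizedTime, which sorts
# correctly as a string when every value uses the same format.
SNAPSHOT_T0 = {
    "cn=alice,ou=people,o=example": {"mail": ["alice@old.test"],
                                     "modifyTimestamp": ["20240101120000Z"]},
    "cn=carol,ou=people,o=example": {"mail": ["carol@example.test"],
                                     "modifyTimestamp": ["20240101120000Z"]},
}
SNAPSHOT_T1 = {
    "cn=alice,ou=people,o=example": {"mail": ["alice@example.test"],
                                     "modifyTimestamp": ["20240102090000Z"]},
    "cn=dave,ou=people,o=example": {"mail": ["dave@example.test"],
                                    "modifyTimestamp": ["20240102093000Z"]},
}


def parse_ldif_changes(changes: str) -> Dict[str, List[str]]:
    """Parse the LDIF-style 'changes' attribute into attr -> values.
    The '-' separator lines between modify operations carry no data and are skipped."""
    result: Dict[str, List[str]] = {}
    for line in changes.splitlines():
        if not line or line == "-":
            continue
        attr, _, value = line.partition(": ")
        result.setdefault(attr, []).append(value)
    return result


def publish_from_changelog(entries: List[dict], last_change_number: int) -> Tuple[List[dict], int]:
    """Change-log method: return the events newer than last_change_number, in
    change-number order, plus the highest number consumed. A driver persists that
    number as its resume point so nothing is replayed or lost across restarts."""
    events: List[dict] = []
    high = last_change_number
    for entry in sorted(entries, key=lambda e: int(e["changeNumber"])):
        number = int(entry["changeNumber"])
        if number <= last_change_number:
            continue
        events.append({"dn": entry["targetDN"], "op": entry["changeType"],
                       "attrs": parse_ldif_changes(entry["changes"])})
        high = number
    return events, high


def publish_from_search(previous: Dict[str, dict], current: Dict[str, dict]) -> List[dict]:
    """LDAP-search method: diff two polled snapshots. Adds and modifies are found
    from new DNs and advancing modifyTimestamp values; deletes can only be inferred
    from DNs that vanished between polls, which is why this method needs the prior
    snapshot and cannot report the order in which changes happened."""
    events: List[dict] = []
    for dn, attrs in current.items():
        data = {k: v for k, v in attrs.items() if k != "modifyTimestamp"}
        if dn not in previous:
            events.append({"dn": dn, "op": "add", "attrs": data})
        elif attrs["modifyTimestamp"] > previous[dn]["modifyTimestamp"]:
            changed = {k: v for k, v in data.items() if previous[dn].get(k) != v}
            events.append({"dn": dn, "op": "modify", "attrs": changed})
    for dn in previous:
        if dn not in current:
            events.append({"dn": dn, "op": "delete", "attrs": {}})
    return events


if __name__ == "__main__":
    events, resume = publish_from_changelog(CHANGELOG_ENTRIES, 0)
    print("changelog events:", [(e["op"], e["dn"]) for e in events], "resume at", resume)
    print("search events:", [(e["op"], e["dn"]) for e in publish_from_search(SNAPSHOT_T0, SNAPSHOT_T1)])
```

The contrast is the point of the planning decision: the change-log method yields ordered events with a durable resume position, while the search method must keep its own copy of the previous result set and only sees a delete as an absence. Because the change log carries the modification payload itself, the LDAP object the driver binds with (see the information gathered above) should be granted read access scoped to what publication actually needs.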