The Identity Manager Driver for LDAP synchronizes data between an Identity Vault and LDAP-compliant directories. The driver can run anywhere that a Metadirectory server or Identity Manager Remote Loader is running. See Section 1.2.1, Local and Remote Platforms.
The driver uses the Lightweight Directory Access Protocol to bidirectionally synchronize changes between an Identity Vault and the connected LDAP-compliant directory.
Because the driver speaks standard LDAP, it can synchronize with LDAP-compliant directories running on platforms (for example, HP-UX, OS/400, and OS/390) that an Identity Vault itself does not support.
The driver can use either of two publication methods, the changelog method or the LDAP-search method, to recognize data changes and communicate them to an Identity Vault through Identity Manager:
The changelog method is preferred when a change log is available. Change logs are found on the following directories:
Critical Path InJoin Directory
IBM SecureWay Directory
IBM Tivoli Directory
iPlanet Directory Server
Isode M-Vault
Netscape Directory Server
Oracle Internet Directory
Sun Java System Directory
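The following is an added example, not Identity Manager or driver code, showing what a changelog-based Publisher poll has to do: read the cn=changelog entries with a changeNumber above the last one processed, take them in changeNumber order in batches, and turn the LDIF body of each entry into a structured event. The entry layout (changeNumber, targetDn, changeType, changes, newRDN, deleteOldRDN) follows the common changelog schema these directories expose; the sample entries are constructed here, and the batch size, gap check and event type are assumptions of this example. Note that the changes body carries full attribute values, so whatever account reads the changelog sees everything written to the directory, passwords included when the server logs them.

```python
"""Changelog polling as a Publisher channel does it (added example, not
Identity Manager code). The sample entries below are constructed."""
import base64
from dataclasses import dataclass

# Constructed sample: attribute dicts as a search of cn=changelog would
# return them. Deliberately out of order; 104 arrives ahead of 103.
SAMPLE_CHANGELOG = [
    {"changeNumber": "102", "targetDn": "uid=bob,ou=people,dc=example,dc=com",
     "changeType": "modify",
     "changes": "replace: mail\nmail: bob@example.com\n-\nadd: title\ntitle: Engineer\n-\n"},
    {"changeNumber": "101", "targetDn": "uid=alice,ou=people,dc=example,dc=com",
     "changeType": "add",
     "changes": "objectClass: inetOrgPerson\nuid: alice\ncn:: QWxpY2UgQWRhbXM=\nsn: Adams\n"},
    {"changeNumber": "104", "targetDn": "uid=bob,ou=people,dc=example,dc=com",
     "changeType": "modrdn", "newRDN": "uid=robert", "deleteOldRDN": "TRUE"},
    {"changeNumber": "103", "targetDn": "uid=carol,ou=people,dc=example,dc=com",
     "changeType": "delete"},
]


def _split_ldif_line(line: str) -> tuple[str, str]:
    """Return (attribute, value) for one LDIF line; '::' marks a base64 value."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.strip(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name.strip(), rest.strip()


def parse_attributes(ldif: str) -> dict[str, list[str]]:
    """Parse the 'changes' body of an add entry into attribute -> values."""
    attrs: dict[str, list[str]] = {}
    for line in ldif.splitlines():
        if line.strip():
            name, value = _split_ldif_line(line)
            attrs.setdefault(name, []).append(value)
    return attrs


def parse_modify(ldif: str) -> list[tuple[str, str, list[str]]]:
    """Parse a modify body into (op, attribute, values); a lone '-' ends each op."""
    mods: list[tuple[str, str, list[str]]] = []
    current = None
    for line in ldif.splitlines():
        if line.strip() == "-":
            if current is not None:
                mods.append(current)
                current = None
            continue
        if not line.strip():
            continue
        name, value = _split_ldif_line(line)
        if current is None:
            if name not in ("add", "replace", "delete"):
                raise ValueError(f"expected add/replace/delete, got {name!r}")
            current = (name, value, [])
        else:
            if name != current[1]:  # malformed entry: value for a different attribute
                raise ValueError(f"value for {name!r} inside {current[1]!r} change")
            current[2].append(value)
    if current is not None:  # tolerate a missing trailing '-'
        mods.append(current)
    return mods


@dataclass
class ChangeEvent:
    change_number: int
    target_dn: str
    change_type: str
    payload: object  # add: attr dict; modify: mod list; modrdn: rename dict; delete: None


def to_event(entry: dict) -> ChangeEvent:
    ctype = entry["changeType"]
    body = entry.get("changes", "")
    if ctype == "add":
        payload = parse_attributes(body)
    elif ctype == "modify":
        payload = parse_modify(body)
    elif ctype == "modrdn":
        payload = {"newRDN": entry["newRDN"],
                   "deleteOldRDN": entry["deleteOldRDN"].upper() in ("TRUE", "1")}
    elif ctype == "delete":
        payload = None
    else:
        raise ValueError(f"unknown changeType {ctype!r}")
    return ChangeEvent(int(entry["changeNumber"]), entry["targetDn"], ctype, payload)


def poll_changelog(entries, last_processed: int, batch_size: int = 1000):
    """One poll: up to batch_size entries after last_processed, in changeNumber
    order. Returns (events, new_last_processed, gap_detected); gap_detected is
    True when the oldest unprocessed number is not last_processed + 1, which
    is worth alerting on because entries may have been trimmed before we read them."""
    pending = sorted((e for e in entries if int(e["changeNumber"]) > last_processed),
                     key=lambda e: int(e["changeNumber"]))
    gap = bool(pending) and int(pending[0]["changeNumber"]) != last_processed + 1
    events = [to_event(e) for e in pending[:batch_size]]
    new_last = events[-1].change_number if events else last_processed
    return events, new_last, gap


if __name__ == "__main__":
    last = 100  # last changeNumber this driver instance has published
    while True:
        events, last, gap = poll_changelog(SAMPLE_CHANGELOG, last, batch_size=2)
        if not events:
            break
        for ev in events:
            print(ev.change_number, ev.change_type, ev.target_dn, ev.payload)
```

The persisted `last_processed` value is the only state the poll needs, which is why the Publisher can resume from the first unprocessed entry after a restart; the gap flag is the check to add before trusting that resume.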
Some servers do not provide a change log. For those, the LDAP-search method enables the LDAP driver to publish data about the LDAP server to an Identity Vault by periodically searching predefined contexts in the LDAP directory and comparing the results with the previous poll.
Because the LDAP-search method synchronizes only the net difference between one poll and the next, a change that is made and reverted within a single polling interval is never seen, and several modifications to one attribute collapse into one.
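The following is an added example, not driver code, of the comparison the LDAP-search method relies on: two polls of the same context are diffed into adds, deletes and per-attribute modifications, restricted to the attributes of interest and to entries under the search context. The snapshots, context and attribute set are constructed for the example; the comments mark the changes that happened between the two polls and therefore never surface.

```python
"""Net-change detection for the LDAP-search publication method (added
example, not Identity Manager code). Snapshots below are constructed."""
from dataclasses import dataclass, field

Snapshot = dict[str, dict[str, list[str]]]  # dn -> attribute -> values

CONTEXT = "ou=people,dc=example,dc=com"          # assumed predefined search context
WATCHED = {"mail", "title", "telephoneNumber"}   # assumed attributes of interest

# Constructed: result of poll N for the whole directory.
POLL_1: Snapshot = {
    "uid=alice,ou=people,dc=example,dc=com": {"mail": ["alice@example.com"], "title": ["Analyst"]},
    "uid=bob,ou=people,dc=example,dc=com": {"mail": ["bob@example.com"]},
    "uid=erin,ou=people,dc=example,dc=com": {"mail": ["erin@example.com"]},
    "cn=admins,ou=groups,dc=example,dc=com": {"member": ["uid=alice,ou=people,dc=example,dc=com"]},
}
# Constructed: result of poll N+1. Between the polls, bob's title was set to
# "Engineer" and then to "Senior Engineer", and uid=dave was added and deleted
# again; neither intermediate state is visible from the two snapshots.
POLL_2: Snapshot = {
    "uid=alice,ou=people,dc=example,dc=com": {"mail": ["alice@example.com"], "title": ["Analyst"],
                                              "telephoneNumber": ["+1 555 0100"]},
    "uid=bob,ou=people,dc=example,dc=com": {"mail": ["bob@example.com"], "title": ["Senior Engineer"],
                                            "description": ["changed, but not a watched attribute"]},
    "uid=carol,ou=people,dc=example,dc=com": {"mail": ["carol@example.com"]},
    "cn=admins,ou=groups,dc=example,dc=com": {"member": ["uid=alice,ou=people,dc=example,dc=com",
                                                         "uid=bob,ou=people,dc=example,dc=com"]},
}


@dataclass
class SearchDelta:
    adds: list[str] = field(default_factory=list)
    deletes: list[str] = field(default_factory=list)
    modifies: dict[str, list[tuple[str, str, list[str]]]] = field(default_factory=dict)


def _in_context(dn: str, context: str) -> bool:
    """True when dn sits directly or indirectly under the search context."""
    return dn.lower().endswith("," + context.lower())


def diff_snapshots(previous: Snapshot, current: Snapshot,
                   context: str, watched: set[str]) -> SearchDelta:
    """Compare two polls of one context. Only attributes in `watched` count, a
    rough stand-in for the driver filter. Modifications come out as
    (op, attribute, values) tuples ready to be turned into LDAP modify operations."""
    delta = SearchDelta()
    prev = {dn: a for dn, a in previous.items() if _in_context(dn, context)}
    curr = {dn: a for dn, a in current.items() if _in_context(dn, context)}
    delta.adds.extend(sorted(curr.keys() - prev.keys()))
    delta.deletes.extend(sorted(prev.keys() - curr.keys()))
    for dn in sorted(prev.keys() & curr.keys()):
        mods: list[tuple[str, str, list[str]]] = []
        for attr in sorted(watched):
            old = sorted(prev[dn].get(attr, []))
            new = sorted(curr[dn].get(attr, []))
            if old == new:
                continue
            if not new:
                mods.append(("delete", attr, []))
            elif not old:
                mods.append(("add", attr, new))
            else:
                mods.append(("replace", attr, new))
        if mods:
            delta.modifies[dn] = mods
    return delta


if __name__ == "__main__":
    delta = diff_snapshots(POLL_1, POLL_2, CONTEXT, WATCHED)
    print("adds:", delta.adds)
    print("deletes:", delta.deletes)
    for dn, mods in delta.modifies.items():
        print("modify:", dn, mods)
```

Entries outside the context (the group under ou=groups) and attributes outside the watched set are ignored even when they changed, and the transient uid=dave entry leaves no trace, which is the behaviour to keep in mind when a reconciliation report and the directory's own audit trail disagree.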
Channels, filters, and policies control data flow.
The LDAP driver supports Publisher and Subscriber channels:
The Publisher channel reads information from the LDAP directory change log or an LDAP search and submits that information to an Identity Vault via the Metadirectory engine.
By default, the Publisher channel polls every 60 seconds, processing up to 1000 change-log entries per poll, starting with the first entry that has not yet been processed.
The Subscriber channel watches for additions and modifications to Identity Vault objects and issues LDAP commands that make changes to the LDAP directory.
Identity Manager uses filters to control which object classes and attributes are shared, and in which direction. The default filter configuration for the LDAP driver is illustrated in the following figure:
Figure 1-1 LDAP Driver Filters
Policies control how data is transformed and synchronized between the driver and an Identity Vault.
The following table provides information on default policies. These policies and the individual rules they contain can be customized as explained in Section 6.0, Synchronizing Data.
Table 1-1 Default Policies