1.1 Driver Concepts

1.1.1 Synchronizing Data

The Identity Manager Driver for LDAP synchronizes data between an Identity Vault and LDAP-compliant directories. The driver can run anywhere that a Metadirectory server or Identity Manager Remote Loader is running. See Section 1.2.1, Local and Remote Platforms.

The driver uses the Lightweight Directory Access Protocol to bidirectionally synchronize changes between an Identity Vault and the connected LDAP-compliant directory.

Because of this flexible model for communicating, the driver can synchronize with LDAP-compliant directories running on platforms (for example, HP-UX, OS/400, and OS/390) that are not supported by an Identity Vault.

1.1.2 Publication Methods

The driver can use either of two publication methods to recognize data changes and communicate them to an Identity Vault through Identity Manager:

Changelog Method

This method is preferred when a change log is available. Change logs are found on the following:

  • Critical Path InJoin Directory

  • IBM SecureWay Directory

  • IBM Tivoli Directory

  • iPlanet Directory Server

  • Isode M-Vault

  • Netscape Directory Server

  • Oracle Internet Directory

  • Sun Java System Directory

LDAP-Search Method

Some servers don't use the changelog mechanism. The LDAP-search method enables the LDAP driver to publish data about the LDAP server to an Identity Vault by searching for changes in predefined contexts in the LDAP directory.

The LDAP-search method synchronizes changes that occur from one poll to the next.

1.1.3 How the LDAP Driver Works

Channels, filters, and policies control data flow.

Publisher and Subscriber Channels

The LDAP driver supports Publisher and Subscriber channels:

  • The Publisher channel reads information from the LDAP directory change log or an LDAP search and submits that information to an Identity Vault via the Metadirectory engine.

    By default, the Publisher channel checks the log every 60 seconds, processing up to 1000 entries at a time, starting with the first unprocessed entry.

  • The Subscriber channel watches for additions and modifications to Identity Vault objects and issues LDAP commands that make changes to the LDAP directory.
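The two publication methods (changelog and LDAP-search) and the Publisher channel's cursor-and-batch behaviour described above, simulated in an added Python example. This is not the driver's own code; the change-log record layout follows the common cn=changelog convention (changeNumber, targetDn, changeType, changes), and all records, DNs and attribute values below are constructed.

```python
"""Simulation of the driver's two publication methods.

Added example, not Identity Manager driver code.  The change-log entries
and directory snapshots are constructed sample data.
"""
from dataclasses import dataclass

POLL_INTERVAL_SECONDS = 60   # driver default: Publisher checks every 60 s
POLL_BATCH = 1000            # driver default: up to 1000 entries per poll


@dataclass
class ChangeLogEntry:
    change_number: int   # monotonically increasing, assigned by the LDAP server
    target_dn: str       # DN of the entry that changed
    change_type: str     # add | modify | delete | modrdn
    changes: str         # LDIF-style body describing the change (constructed)


# Constructed change-log records, as a cn=changelog-style server would expose them.
CHANGELOG = [
    ChangeLogEntry(101, "uid=alice,ou=people,dc=example,dc=com", "add",
                   "objectClass: inetOrgPerson\ncn: Alice\nsn: Smith\nmail: alice@example.com"),
    ChangeLogEntry(102, "uid=bob,ou=people,dc=example,dc=com", "modify",
                   "replace: mail\nmail: bob@example.com"),
    ChangeLogEntry(103, "uid=carol,ou=people,dc=example,dc=com", "delete", ""),
]


def poll_changelog(entries, last_processed, batch=POLL_BATCH):
    """Changelog method: return (batch, new_cursor, gap_detected).

    Processing starts at the first entry after the persisted cursor
    `last_processed` and stops after `batch` entries.  The cursor is the
    state that must survive between polls: losing it either replays old
    changes or skips new ones.  `gap_detected` is True when the first
    pending changeNumber is not cursor+1, which can mean the server has
    trimmed change-log entries the driver never saw (worth alerting on).
    """
    pending = sorted((e for e in entries if e.change_number > last_processed),
                     key=lambda e: e.change_number)
    gap_detected = bool(pending) and pending[0].change_number != last_processed + 1
    taken = pending[:batch]
    new_cursor = taken[-1].change_number if taken else last_processed
    return taken, new_cursor, gap_detected


def ldap_search_diff(previous, current):
    """LDAP-search method: derive change events by comparing the results of
    the same search in two consecutive polls.  Both arguments map DN to an
    attribute dict.  Note the inherent limitation: a value changed and then
    changed back between polls produces no event at all.
    """
    events = []
    for dn in current.keys() - previous.keys():
        events.append(("add", dn))
    for dn in previous.keys() - current.keys():
        events.append(("delete", dn))
    for dn in current.keys() & previous.keys():
        if current[dn] != previous[dn]:
            events.append(("modify", dn))
    return sorted(events)


if __name__ == "__main__":
    batch, cursor, gap = poll_changelog(CHANGELOG, last_processed=100)
    for entry in batch:
        print(f"{entry.change_number} {entry.change_type:6} {entry.target_dn}")
    print(f"cursor now {cursor}, gap detected: {gap}")

    # Constructed snapshots of a search base taken one poll interval apart.
    earlier = {"uid=a,dc=example,dc=com": {"mail": "a@example.com"},
               "uid=b,dc=example,dc=com": {"mail": "b@example.com"}}
    later = {"uid=a,dc=example,dc=com": {"mail": "a2@example.com"},
             "uid=c,dc=example,dc=com": {"mail": "c@example.com"}}
    print(ldap_search_diff(earlier, later))
```

The change-log path carries an explicit cursor and a batch limit, so its state is small and its failure mode (a lost or trimmed cursor) is detectable; the search path carries a full snapshot per poll and can only report net differences between two polls.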

Filters

Identity Manager uses filters to control which objects and attributes are shared. The default filter configurations for the LDAP driver allow objects and attributes to be shared, as illustrated in the following figure:

Figure 1-1 LDAP Driver Filters

Policies

Policies are used to control data synchronization between the driver and an Identity Vault.

The following table provides information on default policies. These policies and the individual rules they contain can be customized as explained in Section 6.0, Synchronizing Data.

Table 1-1 Default Policies

  Policy                 Description
  ---------------------  ------------------------------------------------------------------------------
  Schema Mapping         Maps the Identity Vault User object and selected properties to an LDAP inetOrgPerson.
                         Maps the Identity Vault Organizational Unit to an LDAP organizationalUnit.
                         By default, more than a dozen standard properties are mapped.
  Publisher Create       Specifies that, for a User to be created in an Identity Vault, the cn, sn, and mail attributes must be defined. For an Organizational Unit to be created, the OU attribute must be defined.
  Publisher Placement    Specifies that new User objects created in the LDAP directory are placed under a specified Identity Vault container, in a structure that mirrors the object's LDAP container structure. In other words, an Identity Vault container (defined when the driver is created) becomes the root container in which the LDAP objects are mirrored exactly as they exist in the LDAP directory.
  Matching               Specifies that a User object in an Identity Vault is the same object as an inetOrgPerson in the LDAP directory when their e-mail attributes match.
  Subscriber Create      Specifies that, for a User to be created in the LDAP directory, the CN, Surname, and Internet Email Address attributes must be defined. For an Organizational Unit to be created, the OU attribute must be defined.
  Subscriber Placement   Specifies that new User objects created in the Identity Vault are placed under a specified LDAP container, in a structure that mirrors the object's Identity Vault container structure. In other words, an LDAP container (defined when the driver is created) becomes the root container in which the Identity Vault objects are mirrored exactly as they exist in the Identity Vault.
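A worked model of the default policies in Table 1-1 (schema mapping, the two create policies, matching on e-mail, and placement that mirrors container structure), as an added Python example. It is not the driver's policy implementation: the attribute subset in the mapping, the container DNs, the naming attributes used for the leaf RDN, and the simple comma-split DN handling (which assumes no escaped commas) are all assumptions made for illustration.

```python
"""Model of the LDAP driver's default policies from Table 1-1.

Added example, not the driver's own policy code.  Mappings are a subset of
the defaults; DNs and container names are constructed.
"""

# Schema Mapping: Identity Vault class / attribute name -> LDAP name (subset).
CLASS_MAP = {"User": "inetOrgPerson", "Organizational Unit": "organizationalUnit"}
ATTR_MAP = {"CN": "cn", "Surname": "sn", "Internet EMail Address": "mail", "OU": "ou"}

# Create policies: attributes that must be present before an object is created.
PUBLISHER_CREATE_REQUIRED = {"inetOrgPerson": {"cn", "sn", "mail"},
                             "organizationalUnit": {"ou"}}
SUBSCRIBER_CREATE_REQUIRED = {"User": {"CN", "Surname", "Internet EMail Address"},
                              "Organizational Unit": {"OU"}}


def map_to_ldap(vault_class, attrs):
    """Schema Mapping on the Subscriber side: rename class and attributes."""
    return CLASS_MAP[vault_class], {ATTR_MAP.get(k, k): v for k, v in attrs.items()}


def create_allowed(required_table, object_class, attrs):
    """Create policy check: (True, set()) if all required attributes carry a
    non-empty value, otherwise (False, missing).  An unknown class has no
    requirements in this model."""
    present = {k for k, v in attrs.items() if v}
    missing = required_table.get(object_class, set()) - present
    return not missing, missing


def match_by_mail(ldap_entry, vault_users):
    """Matching policy: an inetOrgPerson and a Vault User are the same object
    when their e-mail attributes match.  Comparison is case-insensitive,
    as the LDAP mail syntax is (assumption stated in the lead-in)."""
    mail = (ldap_entry.get("mail") or "").lower()
    if not mail:
        return None
    for user in vault_users:
        if (user.get("Internet EMail Address") or "").lower() == mail:
            return user["dn"]
    return None


def mirror_placement(source_dn, source_root, target_root, naming_attr):
    """Placement policy: keep the object's container path relative to the
    source root and re-root it under the target root.  The leaf RDN is
    re-labelled with the target side's naming attribute (assumption).
    Objects outside the source root are rejected rather than guessed."""
    suffix = "," + source_root
    if not source_dn.lower().endswith(suffix.lower()):
        raise ValueError(f"{source_dn} is not under the driver root {source_root}")
    rdns = source_dn[:-len(suffix)].split(",")   # assumes no escaped commas
    _, _, leaf_value = rdns[0].partition("=")
    rdns[0] = f"{naming_attr}={leaf_value}"
    return ",".join(rdns) + "," + target_root


if __name__ == "__main__":
    vault_user = {"CN": "alice", "Surname": "Smith",
                  "Internet EMail Address": "alice@example.com"}
    ldap_class, ldap_attrs = map_to_ldap("User", vault_user)
    print(ldap_class, ldap_attrs)
    print(create_allowed(SUBSCRIBER_CREATE_REQUIRED, "User", vault_user))
    print(create_allowed(PUBLISHER_CREATE_REQUIRED, "inetOrgPerson", {"cn": "bob", "sn": "Jones"}))
    # Publisher placement: LDAP DN re-rooted under the Vault container.
    print(mirror_placement("uid=alice,ou=eng,ou=people,dc=example,dc=com",
                           "dc=example,dc=com", "ou=users,o=vault", "cn"))
```

The create-policy check is where a practitioner would add logging of vetoed events: an object that never appears on the other side is usually one whose required attributes were empty, and the `missing` set names exactly which ones.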