
LDAP Directory as Data Source

Purpose

User Management Engine (UME) can use an LDAP directory as its data source for user management data.

Prerequisites

UME supports specific hierarchies of users and groups in the LDAP directory. These are:

·       Groups as tree

·       Flat hierarchy

For more information, see Organization of Users and Groups in LDAP Directory.

Constraints

·       The Distinguished Names (DNs) of user and group objects must not be longer than 240 characters.

·       You should not create groups with the names of the default groups, that is, Everyone, Authenticated Users, and Anonymous Users. If you create a group with one of these names through the native user interface of your LDAP directory, you will not get an error message, and your user management will no longer function correctly. If you try to create a group with one of these names through the user management administration console, you will get an error message.

·       Similarly, you should not create users with the same user ID as one of the service users used internally. The service users adhere to the naming convention XXX_service, where XXX is the name of the corresponding application. Again, if you use the native user interface of your LDAP directory, you will not get a message, and your user management will no longer function correctly.

·       If user management is set up with write access to an LDAP directory, the following restriction applies: When assigning members to a group that is stored in the LDAP directory, you can only assign users or groups that are also stored in the LDAP directory. You cannot assign users or groups from the database to groups from the LDAP directory. 

You can, however, assign users and groups stored in the LDAP directory to a group in the database.
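
Because the native LDAP interface accepts these entries without an error, the constraints above can be checked against an LDIF export of the directory. The following is an added example, not part of the original documentation or of UME. The attribute names (cn, uid), the group object classes, and the sample entries are assumptions, and the user check is a heuristic that flags every user ID matching the XXX_service convention because this page does not list the actual service users.

```python
import base64
import re

MAX_DN_LEN = 240  # DN length limit stated on this page
RESERVED_GROUPS = {"everyone", "authenticated users", "anonymous users"}
SERVICE_UID = re.compile(r".+_service$", re.IGNORECASE)  # XXX_service convention
# Assumed schema (adjust to your directory): groups carry one of these object
# classes, the group name is in cn, and the user ID is in uid.
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "group"}

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry; handles folded and base64 lines."""
    unfolded = re.sub(r"\r?\n ", "", text)  # RFC 2849: a leading space continues a line
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, rest = line.partition(":")
            # "attr:: value" marks a base64-encoded value
            value = (base64.b64decode(rest[1:].strip()).decode("utf-8")
                     if rest.startswith(":") else rest.strip())
            entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            yield entry

def audit(text):
    """Return (dn, problem) tuples for entries that break the constraints."""
    findings = []
    for e in parse_ldif(text):
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if len(dn) > MAX_DN_LEN:
            findings.append((dn, "DN longer than 240 characters"))
        if classes & GROUP_CLASSES:
            # Compared case-insensitively (assumption: cn uses case-ignore matching)
            if any(cn.lower() in RESERVED_GROUPS for cn in e.get("cn", [])):
                findings.append((dn, "group uses a default group name"))
        elif any(SERVICE_UID.match(uid) for uid in e.get("uid", [])):
            findings.append((dn, "user ID follows the XXX_service convention"))
    return findings

# Constructed sample export: all names and DNs below are made up for illustration.
SAMPLE = (
    "dn: cn=Everyone,ou=groups,dc=example,dc=com\nobjectClass: groupOfNames\ncn: Everyone\n\n"
    "dn: uid=portal_service,ou=people,dc=example,dc=com\nobjectClass: inetOrgPerson\nuid: portal_service\n\n"
    "dn: uid=jdoe," + "ou=level," * 30 + "dc=example,dc=com\nobjectClass: inetOrgPerson\nuid: jdoe\n\n"
    "dn: cn=Sales,ou=groups,dc=example,dc=com\nobjectClass: groupOfNames\ncn: Sales\n"
)
```

Calling audit(SAMPLE) reports the Everyone group, the portal_service user and the over-long DN, and leaves the Sales group unflagged.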

 
