LDAP Integration
ID-Synch® is tightly integrated with LDAP directories, as follows:
- Directory integration:
ID-Synch is normally configured to automatically define its own users based on the users that exist in an authoritative directory, which can be an LDAP directory. There is no need for duplicate administration or reconciliation of ID-Synch separately from LDAP.
Users can be excluded from ID-Synch by virtue of group membership in LDAP or wild-card string matches on short or fully qualified login names.
- User profile storage:
All user profile data, including a list of login IDs per user, Q-A (Question-and-Answer) data used to authenticate users during P-Synch® self-service password resets and other user attributes, can be managed by ID-Synch directly in an LDAP directory. This means that searches for user data first go to LDAP and retrieved data is temporarily stored in the ID-Synch identity cache. Updates to user profile data are written to both the identity cache and to LDAP.
- Transparent password synchronization:
P-Synch can be configured to intercept native password changes on LDAP directories from Microsoft, Sun, Oracle and IBM and:
- Apply a supplementary password policy beyond the one built into the LDAP server and potentially reject the initial password change.
- Automatically synchronize the user's other passwords, on other systems, to the new LDAP password value.
This optional process requires a shared object library or DLL to be installed on each LDAP server; this can be done centrally in an automated fashion from the P-Synch server.
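The exclusion rules described under "Directory integration" (skipping users by LDAP group membership or by wild-card matches on short or fully qualified login names) can be illustrated with the following added example; it is not ID-Synch code, the directory entries are constructed, and the attribute names (uid, userPrincipalName, memberOf) and exclusion lists are assumptions.

```python
import fnmatch

# Constructed sample of entries as an authoritative LDAP directory might return
# them; attribute names (uid, userPrincipalName, memberOf) are assumptions.
LDAP_USERS = [
    {"uid": "alice", "userPrincipalName": "alice@corp.example",
     "memberOf": ["cn=staff,ou=groups,dc=corp,dc=example"]},
    {"uid": "svc-backup", "userPrincipalName": "svc-backup@corp.example",
     "memberOf": []},
    {"uid": "bob", "userPrincipalName": "bob@contractor.example",
     "memberOf": ["cn=no-idm,ou=groups,dc=corp,dc=example"]},
    {"uid": "Carol", "userPrincipalName": "Carol@corp.example",
     "memberOf": ["cn=staff,ou=groups,dc=corp,dc=example"]},
]

# Hypothetical exclusion policy: a group whose members are never defined as
# ID-Synch users, plus wild-card patterns on short and fully qualified logins.
EXCLUDED_GROUPS = {"cn=no-idm,ou=groups,dc=corp,dc=example"}
EXCLUDED_SHORT_LOGIN_PATTERNS = ["svc-*", "adm-*"]
EXCLUDED_FQ_LOGIN_PATTERNS = ["*@contractor.example"]

def _matches_any(name, patterns):
    # LDAP names are case-insensitive, so compare lower-cased on both sides.
    name = name.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)

def exclusion_reason(entry):
    """Return why this directory entry is excluded, or None to include it."""
    groups = {g.lower() for g in entry.get("memberOf", [])}
    hit = groups & {g.lower() for g in EXCLUDED_GROUPS}
    if hit:
        return "member of excluded group " + sorted(hit)[0]
    if _matches_any(entry["uid"], EXCLUDED_SHORT_LOGIN_PATTERNS):
        return "short login matches exclusion pattern"
    if _matches_any(entry["userPrincipalName"], EXCLUDED_FQ_LOGIN_PATTERNS):
        return "fully qualified login matches exclusion pattern"
    return None

def select_users(entries):
    """Split directory entries into users to define and users to skip."""
    included, excluded = [], {}
    for entry in entries:
        reason = exclusion_reason(entry)
        if reason is None:
            included.append(entry["uid"])
        else:
            excluded[entry["uid"]] = reason
    return included, excluded
```

Group membership is checked before the login-name patterns, so an entry that matches several rules reports the group as its reason.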