5 Using an LDAP directory

By default, MyID is set as your primary data source. You can import information into MyID from a directory and use it as a basis for your records, and all user selections are performed against data held in the MyID database. Any changes you make to the information in MyID will not be replicated in the directory by default and, if you want to keep the information synchronized, you will have to update the directory separately.

MyID is capable of using an LDAP directory as the primary data source for user records. In this case, user selection in most workflows will perform an LDAP search against the configured directory or directories rather than the MyID database. A copy of the data found is cached in the internal MyID database, but the latest data from the directory is used in preference to any cached data.

If you are using an LDAP directory as your primary data source, and you do not set Update user information in the directory to Yes, you will not be able to find any manually added users unless you change the configuration settings to allow a choice of search modes; see section 5.4, Using an LDAP directory as the primary data source for details of the Search a Directory option.

MyID can communicate with directory services using either standard or secure LDAP (Lightweight Directory Access Protocol). MyID has been successfully integrated with various directories; for a full list of those currently supported, see the Directories section in the Installation and Configuration Guide.

Note: When MyID is installed, it is preconfigured to operate with Microsoft Active Directory Domain Services (AD DS). This includes the use of attributes that do not exist in other LDAPv3-compliant directories. Integration with AD DS is automatic, with MyID set as the primary data source. You can integrate other LDAPv3-compliant directory providers with MyID; this requires additional configuration of MyID. For information on custom LDAP mappings and search filters, contact customer support quoting reference SUP-223.

Warning: You must specify a Distinguished Name (DN) for a person if you are going to issue certificates through MyID. One way to do this is to import the user from an LDAP directory.

Settings that determine how MyID and an LDAP directory interact are found on the LDAP page in the Operation Settings workflow (in the Configuration category). You can choose to update the information stored in MyID from an LDAP directory, and to update information in the directory based on details entered into MyID.

The Add Person workflow adds a new person record directly to the MyID database. To stop people being added to the database in this way, remove all access to the Add Person workflow (see section 4.1.1, Change an existing role).

A user's details are imported from an LDAP directory automatically when that directory has been set as the primary data source. When a user's details have been imported, the data held in MyID and in the LDAP directory are synchronized in the following ways:

Note: You must configure your directory connection with appropriate write permissions to update it from information entered into MyID.

Processes within MyID may be triggered by changes to directory information. For example, certificates may be revoked when an account is disabled.

Warning: Integration with Active Directory and the option to use the directory as the primary data source are selected by default during the installation of MyID.

If you do not want to use an LDAP directory as your primary data source, follow the instructions in section 5.4, Using an LDAP directory as the primary data source.

Note: This chapter assumes that you understand the concepts of an LDAP directory and have access to the documentation provided with the directory you are using.