30.3 LDAP page (Operation Settings)

Setting: Additional Identity LDAP Operator User Filter
Default value: (blank)
Description: An LDAP search query that is performed to filter the results returned when you import an additional identity from the directory in the MyID Operator Client.
Further information: See section 25.2, Setting up additional identities.

Setting: Additional Identity LDAP Self-Service User Filter
Default value: (blank)
Description: An LDAP search query that is performed to filter the results returned when you import an additional identity from the directory for your own account in the MyID Operator Client.
  You can include substitutions in this query using values from the vPeopleUserAccounts view in the MyID database; this allows you to restrict the list of additional identities that a person can add to their own account.
Further information: See section 25.2, Setting up additional identities.

Setting: Allow duplicate DN
Default value: Yes
Description: Whether a user can be added if another user with the same DN already exists.
  Yes – duplicate DN values are allowed.
  No – duplicate DN values are not allowed.
  Ask – the operator is warned if a duplicate DN value is entered, but is allowed to continue if required.

Setting: Allow LDAP Search for devices during Add Devices
Default value: No
Description: Set to Yes to allow an operator to add a device from the LDAP directory into the MyID database using the Add Device workflow.

Setting: Allow LDAP Search for devices during card requests
Default value: No
Description: Set to Yes to allow an operator to add a device from the LDAP directory into the MyID database when requesting a card.

Setting: Assign unmatched new accounts to default directory
Default value: No
Description: When a new user account is created in MyID, the user's OU may not match any MyID group that is linked to a directory OU. Set this option to Yes to link such accounts to the default directory registered with MyID.
Further information: See the MyID configuration options section in the Derived Credentials Self-Service Request Portal guide.

Setting: Automatically create MyID groups from the Organizational Unit of imported users
Default value: No
Description: If you are using MyID as your primary data source, set this to Yes to automatically create MyID groups with the same names as the organizational units in the LDAP directory when importing users.
  Note: If you set this option to No and then move a user in the LDAP directory to an OU that does not have a corresponding MyID group, MyID displays a warning that the directory and the MyID database are no longer synchronized when you view the user's details in MyID.

Setting: Background Update
Default value: No
Description: Set to Yes so that, when a record is accessed, MyID automatically checks the directory for any changes to the individual's details and updates the information held in MyID.

Setting: Create OU Chain
Default value: No
Description: Whether the containers in the DN of a user account pushed to an LDAP directory will be created if they do not already exist.
Further information: Cannot be edited.

Setting: Custom LDAP Mappings
Default value: No
Description: Set to Yes before you upgrade your system if you want to prevent the installation program from overwriting any custom LDAP mappings.
Further information: See the Upgrading systems with custom LDAP mappings section in the Installation and Configuration Guide for details.

Setting: Disable on removal from directory
Default value: No
Description: Whether user accounts imported from a directory should be disabled if an attempt is made to synchronize the directory with MyID but the user no longer exists in the directory (whether because the directory has been updated independently, or with the Active Directory Deletion Tool). Historic information is retained, but you cannot issue devices to this person.
  This option also determines whether user accounts imported from a directory should be disabled if the user has been disabled in the directory.

Setting: Display person details during confirm job
Default value: No
Description: If set to Yes, displays an additional tab on the job confirmation screen of the Collect Card workflow.

Setting: Edit Directory Information
Default value: Yes
Description: Whether the user is allowed to edit person data retrieved from the directory when Update user information in the directory is not enabled. Changes are stored in the MyID database and may be overwritten with information from the directory if MyID synchronizes with it.

Setting: Edit DN
Default value: No
Description: Whether the DN for a person can be manually edited.
Further information: On new installations of MyID, this setting does not appear; by default, it appears only on systems that have been upgraded from a previous version of MyID.
  This setting has no effect unless you have installed an additional update to MyID that allows you to edit the Distinguished Name. For more information, contact customer support, quoting reference SUP-322.

Setting: Enable ADS Fields
Default value: No
Description: Whether to display the Account tab, including the User Principal Name and SAM Account Name fields, during View Person, Add Person and Edit Person.
  This option does not affect the MyID Operator Client.

Setting: Force NETBIOS name
Default value: No
Description: Store the user's NETBIOS name instead of the DNS name.
  If you change this to Yes, we recommend you set the Background Update option to Yes to allow existing user accounts to be updated.
  When you import someone from an LDAP directory, the DNS-style domain name is shown in the Domain field on the Account tab. When you save the record, the domain name is converted to the NETBIOS-style name.
Further information: See section 5.6, Storing the NETBIOS name for a person.

Setting: LDAP update cancel card
Default value: (blank)
Description: Used for LDAP updates.
Further information: For more information, contact customer support, quoting reference SUP-227.

Setting: LDAP update enable card
Default value: (blank)
Description: Used for LDAP updates.
Further information: For more information, contact customer support, quoting reference SUP-227.

Setting: LDAP update exception groups
Default value: (blank)
Description: Used for LDAP updates.
Further information: For more information, contact customer support, quoting reference SUP-227.

Setting: LDAP update newissue card
Default value: (blank)
Description: Used for LDAP updates.
Further information: For more information, contact customer support, quoting reference SUP-227.

Setting: LDAP update permreplaceissue card
Default value: (blank)
Description: Used for LDAP updates.
Further information: For more information, contact customer support, quoting reference SUP-227.

Setting: LDAP update search attribute
Default value: (blank)
Description: Used for LDAP updates.
Further information: For more information, contact customer support, quoting reference SUP-227.

Setting: LDAP update tempreplaceissue card
Default value: (blank)
Description: Used for LDAP updates.
Further information: For more information, contact customer support, quoting reference SUP-227.

Setting: Link to LDAP Groups
Default value: No
Description: Allows you to link user roles to groups in the LDAP directory.
Further information: See section 4.4.2, Setting up linked roles, for more information about linking user roles to LDAP groups.

Setting: Revoke certificates if user is removed or disabled following background directory update
Default value: Yes
Description: Whether active certificates for a user are revoked or suspended when an attempt to synchronize the directory with MyID finds that the user has been removed from, or disabled in, the directory. MyID revokes certificates if the user is removed from the directory, and suspends certificates if the user is disabled in the directory.
Further information: See also section 5.5, The Batch Directory Synchronization Tool.
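The two settings Disable on removal from directory and Revoke certificates if user is removed or disabled following background directory update together decide what a background synchronization does to an account whose directory entry has gone or been disabled. The following Python model is an added illustration, not Intercede's code: the Account shape, the directory snapshot (a mapping of DN to an enabled flag, with an absent DN meaning the user was deleted), the sample users and the action names are all constructed here to show the outcome of each combination of the two settings.

```python
"""Model of what a background directory synchronization does to MyID accounts.

Added illustration, not Intercede's code. It models the behaviour the
"Disable on removal from directory" and "Revoke certificates if user is
removed or disabled following background directory update" settings
describe. Data shapes, sample users and action names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    dn: str
    enabled: bool = True
    # Serial numbers of the person's active certificates (constructed values).
    certificates: list = field(default_factory=list)


def normalize_dn(dn: str) -> str:
    # Case-insensitive, whitespace-insensitive comparison of RDN components.
    # Simplification: escaped commas inside attribute values are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))


def reconcile(accounts, directory, disable_on_removal=False, revoke_on_removal=True):
    """Return a list of (dn, action) tuples for one synchronization pass.

    directory: mapping of DN -> {"enabled": bool}. A DN absent from the
    mapping means the user no longer exists in the directory.
    """
    dir_index = {normalize_dn(dn): attrs for dn, attrs in directory.items()}
    actions = []
    for acct in accounts:
        entry = dir_index.get(normalize_dn(acct.dn))
        if entry is None:
            # User removed from the directory: disable the account (if the
            # option is on) and revoke its active certificates.
            if disable_on_removal and acct.enabled:
                actions.append((acct.dn, "disable_account"))
            if revoke_on_removal:
                for serial in acct.certificates:
                    actions.append((acct.dn, f"revoke_certificate:{serial}"))
        elif not entry.get("enabled", True):
            # User disabled in the directory: disable the account (if the
            # option is on) and suspend, rather than revoke, its certificates.
            if disable_on_removal and acct.enabled:
                actions.append((acct.dn, "disable_account"))
            if revoke_on_removal:
                for serial in acct.certificates:
                    actions.append((acct.dn, f"suspend_certificate:{serial}"))
        # Present and enabled in the directory: neither setting applies.
    return actions


# Constructed sample data: three MyID accounts and a directory snapshot in
# which Alice is unchanged, Bob has been disabled and Carol has been deleted.
SAMPLE_ACCOUNTS = [
    Account("CN=Alice Example,OU=Staff,DC=example,DC=com", certificates=["0A1"]),
    Account("CN=Bob Example,OU=Staff,DC=example,DC=com", certificates=["0B2", "0B3"]),
    Account("CN=Carol Example,OU=Staff,DC=example,DC=com", certificates=["0C4"]),
]
SAMPLE_DIRECTORY = {
    "cn=alice example, ou=staff, dc=example, dc=com": {"enabled": True},
    "CN=Bob Example,OU=Staff,DC=example,DC=com": {"enabled": False},
}


def demo(disable_on_removal=True, revoke_on_removal=True):
    """Run one pass over the sample data with the given option values."""
    return reconcile(SAMPLE_ACCOUNTS, SAMPLE_DIRECTORY, disable_on_removal, revoke_on_removal)


if __name__ == "__main__":
    for dn, action in demo():
        print(f"{dn}: {action}")
```

With both options set to Yes the pass disables Bob and Carol, suspends Bob's two certificates and revokes Carol's; with both set to No the pass changes nothing, which is why a deleted directory entry can otherwise leave live credentials behind.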

 

Setting: Search a Directory
Default value: Ask
Description: Whether MyID or an LDAP directory is to be searched when looking for a person.
  Yes – restrict the search to the directory.
  No – restrict the search to MyID.
  Ask – the person entering the search criteria can choose where to search.
Further information: If this option is set to Yes, you cannot search the MyID database using, for example, the View Person workflow. If you want to be able to search the MyID database, set this option to Ask or No.

Setting: Skip Person Confirmation screen
Default value: Yes
Description: Whether to skip the Person Details stage when finding a person.
  This stage provides further details, but is not needed in your environment if sufficient information is shown in the list of potential matches.

Setting: Synchronize new accounts with directory
Default value: No
Description: If this option is set to Yes, immediately after importing an unknown user, MyID attempts to pull extended details for that user from LDAP. A match is first attempted using the DN of the certificate used to make the request. If no match is found, and the certificate contains a UPN, a second attempt is made to match against the UPN. If both of these fail to match, no further data is imported for the account.
Further information: See the MyID configuration options section in the Derived Credentials Self-Service Request Portal guide.
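The two-step lookup described for Synchronize new accounts with directory (subject DN first, then UPN only if the certificate carries one, otherwise nothing is imported) is shown below as an added Python illustration; it is not Intercede's code. The directory records, attribute names beyond the standard userPrincipalName, the certificate fields passed in and the DN normalization are all assumptions made for the example.

```python
"""Matching a newly imported user to a directory entry.

Added illustration, not Intercede's code. It models the lookup order the
"Synchronize new accounts with directory" option describes: first the
certificate subject DN, then the UPN if the certificate has one, and no
import at all when both fail. Directory records and certificate fields
are constructed sample data.
"""


def normalize_dn(dn: str) -> str:
    # Case-insensitive, whitespace-insensitive comparison of RDN components.
    # Simplification: escaped commas inside attribute values are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed directory snapshot: each record is a DN plus the attributes
# MyID would pull as "extended details" for the new account.
SAMPLE_DIRECTORY = [
    {"dn": "CN=Alice Example,OU=Staff,DC=example,DC=com",
     "userPrincipalName": "alice@example.com",
     "mail": "alice@example.com",
     "telephoneNumber": "+1 555 0100"},
    {"dn": "CN=Bob Example,OU=Contractors,DC=example,DC=com",
     "userPrincipalName": "bob@example.com",
     "mail": "bob@example.com",
     "telephoneNumber": "+1 555 0101"},
]


def match_directory_entry(cert_subject_dn, cert_upn, directory):
    """Return the matching directory record, or None when neither lookup hits."""
    # Step 1: match on the certificate's subject DN.
    wanted_dn = normalize_dn(cert_subject_dn)
    for entry in directory:
        if normalize_dn(entry["dn"]) == wanted_dn:
            return entry
    # Step 2: only if the certificate carries a UPN, match on that.
    if cert_upn:
        wanted_upn = cert_upn.strip().lower()
        for entry in directory:
            if entry.get("userPrincipalName", "").lower() == wanted_upn:
                return entry
    # Neither matched: nothing further is imported.
    return None


def extended_details(cert_subject_dn, cert_upn, directory=SAMPLE_DIRECTORY):
    """Attributes that would be pulled for the new account; empty if no match."""
    entry = match_directory_entry(cert_subject_dn, cert_upn, directory)
    if entry is None:
        return {}
    return {k: v for k, v in entry.items() if k != "dn"}


if __name__ == "__main__":
    # Subject DN matches directly (case and spacing differ).
    print(extended_details("cn=alice example, ou=staff, dc=example, dc=com", None))
    # Subject DN comes from a different naming scheme; the UPN rescues the match.
    print(extended_details("CN=Bob Example,OU=PIV Cards,O=Example Corp", "Bob@Example.com"))
    # Neither DN nor UPN known to the directory: nothing imported.
    print(extended_details("CN=Dave Example,OU=Staff,DC=example,DC=com", "dave@example.com"))
```

The second case is the one that matters in practice for derived credentials: a certificate whose subject DN follows the issuing CA's naming rather than the directory's still resolves through its UPN, while a certificate with no UPN and an unknown DN leaves the account with no extended details.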

 

Setting: Track Entrust distinguished name changes
Default value: No
Description: Determines whether MyID updates Entrust with changes to the DN.
Further information: Not used for PIV systems, which have an alternative method for tracking Entrust DN changes.
  See the Tracking Entrust DN changes section in the Entrust CA Integration Guide for details.

Setting: Update group information in the directory
Default value: No
Description: Controls whether group details are pushed back to the directory when changes are made in MyID.
  Note: If this is set to No and Background Update is set to Yes, any changes may be overwritten if the directory has not been updated.

Setting: Update user information in the directory
Default value: No
Description: Controls whether user details are pushed back to the directory when changes are made in MyID.
  Note: If this is set to No and Background Update is set to Yes, any changes may be overwritten if the directory has not been updated.