Additional Identity LDAP Operator User Filter

An LDAP search query that is performed to filter the results returned when you import an additional identity from the directory in the MyID Operator Client.

See section 25.2, Setting up additional identities.

Additional Identity LDAP Self-Service User Filter

An LDAP search query that is performed to filter the results returned when you import an additional identity from the directory for your own account in the MyID Operator Client.

You can include substitutions in this query using values from the vPeopleUserAccounts view in the MyID database; this allows you to restrict the available list of additional identities that a person can add to their own account.

See section 25.2, Setting up additional identities.

Allow duplicate DN

Yes

Whether a user can be added if another user with the same DN already exists.

Yes – duplicate DN values are allowed.

No – duplicate DN values are not allowed.

Ask – the operator is warned if a duplicate DN value is entered, but allowed to continue if required.

Allow LDAP Search for devices during Add Devices

No

Set to Yes to allow an operator to add a device from the LDAP directory into the MyID database using the Add Device workflow.

Allow LDAP Search for devices during card requests

No

Set to Yes to allow an operator to add a device from the LDAP Directory into the MyID database when requesting a card.

Assign unmatched new accounts to default directory

No

When a new user account is created in MyID, the user OU may not be able to be matched to a MyID group that is linked to a directory OU; set this option to Yes to link the account to the default directory registered with MyID.

See the MyID configuration options section in the Derived Credentials Self-Service Request Portal guide.

Automatically create MyID groups from the Organizational Unit of imported users

No

If you are using MyID as your primary data source, set this to Yes to automatically create MyID groups with the same names as the organizational units in the LDAP directory when importing users.

Note: If you set this option to No, then move a user in the LDAP to an OU that does not have a corresponding MyID group, MyID displays a warning that the directory and the MyID database are no longer synchronized when you view the user's details in MyID.

Background Update

No

When a record is accessed, MyID automatically checks the directory for any changes to an individual's details, and updates the information held in MyID.

Create OU Chain

No

Whether the containers in the DN of a user account pushed to an LDAP directory will be created if they do not already exist.

Cannot be edited.

Custom LDAP Mappings

No

Set to Yes before you upgrade your system if you want to prevent the installation program from overwriting any custom LDAP mappings.

See the Upgrading systems with custom LDAP mappings section in the Installation and Configuration Guide for details.

Disable on removal from directory

No

Whether user accounts imported from a directory should be disabled if an attempt is made to synchronize the directory with MyID but the user no longer exists in the directory (whether because the directory has been updated independently, or with the Active Directory Deletion Tool). Historic information is retained but you cannot issue devices to this person.

This option also determines whether user accounts imported from a directory should be disabled if the user has been disabled in the directory.

Display person details during confirm job

No

If set to Yes, displays an additional tab on the job confirmation screen of the Collect Card workflow.

Edit Directory Information

Yes

Whether the user is allowed to edit person data retrieved from the directory when Update user information in the directory is not enabled. Changes are stored in the MyID database and may be overwritten with information from the directory if MyID synchronizes with it

Edit DN

No

Whether the DN for a person can be manually edited.

On new installations of MyID, this setting does not appear; by default, it appears only on systems that have been upgraded from a previous version of MyID.

This setting has no effect unless you have installed an additional update to MyID that allows you to edit the Distinguished Name. For more information, contact customer support, quoting reference SUP-322.

Enable ADS Fields

No

Whether to display the Account tab, including the User Principal Name and SAM Account Name fields, during View Person, Add Person and Edit Person.

This option does not affect the MyID Operator Client.

Force NETBIOS name

No

Store the user's NETBIOS name instead of the DNS name.

If you change this to Yes, we recommend you set the Background Update option to Yes to allow existing user accounts to be updated.

When you import someone from an LDAP directory, the DNS-style domain name is shown in the Domain field on the Account tab. When you save the record, the domain name is converted to the NETBIOS-style name.

See section 5.6, Storing the NETBIOS name for a person.

LDAP update cancel card

Used for LDAP updates.

For more information, contact customer support, quoting reference SUP-227.

LDAP update enable card

Used for LDAP updates.

For more information, contact customer support, quoting reference SUP-227.

LDAP update exception groups

Used for LDAP updates.

For more information, contact customer support, quoting reference SUP-227.

LDAP update newissue card

Used for LDAP updates.

For more information, contact customer support, quoting reference SUP-227.

LDAP update permreplaceissue card

Used for LDAP updates.

For more information, contact customer support, quoting reference SUP-227.

LDAP update search attribute

Used for LDAP updates.

For more information, contact customer support, quoting reference SUP-227.

LDAP update tempreplaceissue card

Used for LDAP updates.

For more information, contact customer support, quoting reference SUP-227.

Link to LDAP Groups

No

Allows you to link user roles to groups in the LDAP.

See section 4.4.2, Setting up linked roles for more information about linking user roles to LDAP groups.

Revoke certificates if user is removed or disabled following background directory update

Yes

Whether active certificates for a user are revoked or disabled if an attempt is made to synchronize the directory with MyID but the user no longer exists in the directory. MyID revokes certificates if the user is removed from the directory, and suspends certificates if the user is disabled in the directory.

See also section 5.5, The Batch Directory Synchronization Tool.

Search a Directory

Ask

Whether MyID or an LDAP directory is to be searched when looking for a person.

Yes – restrict the search to the directory

No – restrict the search to MyID

Ask – the person entering the search criteria can choose where to search

If this option is set to Yes, you cannot search the MyID database using, for example, the View Person workflow. If you want to be able to search the MyID database, set this option to Ask or No.

Skip Person Confirmation screen

Yes

Whether to skip the Person Details stage when finding a person.

This stage provides further details but is not needed in your environment if sufficient information is shown in the list of potential matches.

Synchronize new accounts with directory

No

If this option is set to Yes, immediately after importing an unknown user MyID will attempt to pull extended details for that user from LDAP. A match will first be attempted using the DN of the certificate used to make the request. If no match is found, and the certificate contains a UPN, a second attempt will be made to match against the UPN. If both of these fail to match, no further data will be imported for the account.

See the MyID configuration options section in the Derived Credentials Self-Service Request Portal guide.

Track Entrust distinguished name changes

No

Determines whether MyID updates Entrust with changes to the DN.

Not used for PIV systems, which have an alternative method for tracking Entrust DN changes.

See the Tracking Entrust DN changes section in the Entrust CA Integration Guide for details.

Update group information in the directory

No

Controls whether group details are pushed back to the directory when changes are made in MyID.

Note: If this is set to No and Background Update is set to Yes, any changes may be overwritten if the directory has not been updated.

Update user information in the directory

No

Controls whether user details are pushed back to the directory when changes are made in MyID.

Note: If this is set to No and Background Update is set to Yes, any changes may be overwritten if the directory has not been updated.