On the Home page, click Identity Servers > [cluster name] > User Stores > Plus icon.
Specify the following details:
| Field | Description |
|---|---|
| Name | The name of the user store. |
| Administrator Name | The distinguished name of the administrator user of the LDAP directory, or a proxy user with specific LDAP rights to perform searches. For the LDAP extension to work, the proxy user requires write rights on the ACL. Administrator-level rights are required for setting up a user store. This ensures read/write access to all objects used by Access Manager. For more information about this user, see Configuring an Administrator User for the User Store. Each directory type uses a slightly different format for the DN: |
| Administrator Password and Confirm Password | Specify the password for the administrator user and confirm it. |
| Directory Type | You can select eDirectory or Active Directory. If you have installed an LDAP server plug-in, you can select the custom type that you have configured it to use. For more information, see LDAP Server Plug-In in the Access Manager 5.0 SDK Guide. If eDirectory has been configured to use Domain Services for Windows, eDirectory behaves like Active Directory. When you configure such a directory to be a user store, its Directory Type must be set to Active Directory for proper operation. |
Under LDAP Timeout Settings, specify the following details:
| Field | Description |
|---|---|
| LDAP Operation | Specify how long an LDAP transaction can take before it times out. |
| Idle Connection | Specify how long a connection can remain idle before it is closed. If a connection has been idle for the specified duration, the system closes it and creates another connection. |
Specify a server replica.
Under Search Contexts, add a search context.
The search context is used to locate users in the directory when a contract is executed.
If a user exists outside the specified search context and scope (object, one level, or subtree), Identity Server cannot find the user, and the user cannot log in.
If the search context is too broad, Identity Server might find more than one match, in which case the contract fails and the user cannot log in.
For example, if you allow users to have the same username and these users exist in the specified search context, these users cannot log in if you are using a simple username and password contract. The search for users matching this contract would return more than one match. In this case, you need to create a contract that specifies additional attributes so that the search returns only one match. For information about how to create such contracts, see Authentication Classes and Duplicate Common Names.
IMPORTANT: For Active Directory, do not set the search context at the root level with the scope set to Subtree. This setting can cause serious performance problems. It is recommended that you set multiple search contexts, one for each top-level organizational unit.
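The two failure modes above (context too narrow, context too broad with duplicate common names) can be reproduced with a small model of how a search context, its scope, and the contract's attributes narrow the lookup. This is an added illustration, not Access Manager code; the directory entries, DNs, and the `find_user`/`resolve_login` names are constructed for the example.

```python
"""Model of Identity Server's user lookup against a search context.
Constructed example: in-memory directory, not a real LDAP server."""
from typing import Dict, List

# Constructed sample directory: DN -> attributes. Two users share cn=jsmith.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=jsmith,ou=sales,o=example": {"cn": "jsmith", "mail": "jsmith@sales.example"},
    "cn=jsmith,ou=eng,o=example":   {"cn": "jsmith", "mail": "jsmith@eng.example"},
    "cn=alice,ou=eng,o=example":    {"cn": "alice",  "mail": "alice@eng.example"},
    "cn=bob,o=example":             {"cn": "bob",    "mail": "bob@example"},
}

def _rdns(dn: str) -> List[str]:
    """Split a DN into its normalized RDN components."""
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(dn: str, base: str, scope: str) -> bool:
    """LDAP scope semantics: 'object' matches only the base entry,
    'onelevel' its direct children, 'subtree' the base and everything below."""
    entry, ctx = _rdns(dn), _rdns(base)
    if entry[-len(ctx):] != ctx:          # entry is not under the base at all
        return False
    depth = len(entry) - len(ctx)
    return {"object": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]

def find_user(base: str, scope: str, match: Dict[str, str]) -> List[str]:
    """Return the DNs inside the search context whose attributes equal every
    attribute the contract supplies (an AND filter such as (&(cn=x)(mail=y)))."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base, scope)
            and all(attrs.get(k.lower()) == v for k, v in match.items())]

def resolve_login(base: str, scope: str, match: Dict[str, str]) -> str:
    """Outcome of a contract: login succeeds only on exactly one match."""
    hits = find_user(base, scope, match)
    if not hits:
        return "FAIL: user not found in search context"
    if len(hits) > 1:
        return "FAIL: ambiguous, %d matches" % len(hits)
    return "OK: " + hits[0]

if __name__ == "__main__":
    # Too narrow: jsmith sits one level below ou=eng, so object scope misses him.
    print(resolve_login("ou=eng,o=example", "object", {"cn": "jsmith"}))
    # Too broad: subtree from the root returns both jsmith entries.
    print(resolve_login("o=example", "subtree", {"cn": "jsmith"}))
    # Fix: a contract with an additional attribute makes the match unique.
    print(resolve_login("o=example", "subtree",
                        {"cn": "jsmith", "mail": "jsmith@eng.example"}))
```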
Click Save.
If prompted to restart Tomcat, click OK. Otherwise, update Identity Server.