OpenLDAP Connector - Entitlement Provisioning

Hey Team!

I’ve just started using the OpenLDAP connector in IdentityNow and am now provisioning groups (posixGroups) on Identities via an Application in IDN.

The provisioning works fine; however, the group membership is populated with the identity’s DN and not UID like the entire LDAP is using at this point. I know DN is to be preferred and SailPoint likes to use DN, but I would need to provision the uid of the identity on the LDAP posixGroup instead of DN.

Is this possible or is the native provisioning configuration set for DN?

Is it otherwise possible to write some sort of provisioning rule for this, and which one would be preferable?


Regards,
Sebastian

Hi @Swegmann

Could you try adding memberAttribute, with its value set to the uid attribute, in the source configuration?

You can update the source using the REST API in the following way:

PATCH https://sailpoint.api.identitynow.com/v3/sources/:id

[
  {
    "op": "replace",
    "path": "/connectorAttributes/memberAttribute",
    "value": "uid"
  }
]

Hey Ismael!

Are you referring to the “groupMemberAttribute” attribute?
I tried setting it to uid but no success! Maybe I have to re-aggregate the groups.

It’s kind of weird that even though my identifiers are set to uid for account ID and displayName for account name, the equivalent attributes on the actual user accounts in IDN are populated with DN.

Also tried setting both to UID via API:

Then at least account Name is populated with UID:


Account ID however seems to have some sort of fallback to DN.
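
An added example, not part of the original thread and not SailPoint code: a check that reads an LDIF export of the directory and reports posixGroup members that were written as full DNs instead of bare uids, which is the symptom described above. It assumes the groups store membership in the RFC 2307 `memberUid` attribute; the sample LDIF and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample LDIF (not from the thread): a posixGroup whose memberUid
# values mix a plain uid with DNs, including a base64 value and a folded line.
SAMPLE_LDIF = (
    "dn: cn=developers,ou=groups,dc=example,dc=com\n"
    "objectClass: posixGroup\n"
    "memberUid: alice\n"
    "memberUid: uid=bob,ou=people,dc=example,dc=com\n"
    "memberUid:: "
    + base64.b64encode(b"uid=carol,ou=people,dc=example,dc=com").decode() + "\n"
    "memberUid: uid=dave,ou=people,\n"
    " dc=example,dc=com\n"
)

# First RDN of a DN-shaped value: attribute type, '=', value, then a comma.
RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=((?:\\.|[^,\\])+),")

def parse_entries(ldif):
    """Yield each LDIF entry as {lowercased attribute: [values]}."""
    # Unfold continuation lines (a newline followed by one space).
    text = ldif.replace("\r\n", "\n").replace("\n ", "")
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.split("\n"):
            if not line or line.startswith("#"):
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        yield entry

def audit_posix_groups(ldif):
    """Return (group DN, offending value, suggested uid or None) tuples."""
    findings = []
    for entry in parse_entries(ldif):
        classes = [v.lower() for v in entry.get("objectclass", [])]
        if "posixgroup" not in classes:
            continue  # DN-valued members are expected in other group classes
        for value in entry.get("memberuid", []):
            m = RDN.match(value)
            if m:  # DN-shaped value where a bare uid is expected
                uid = m.group(2) if m.group(1).lower() == "uid" else None
                findings.append((entry["dn"][0], value, uid))
    return findings
```

Running it against an export taken before and after a source configuration change shows whether newly provisioned memberships switched from DN to uid.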
