Mapping Between LDAP Objects And Base Security Objects

An LDAP store consists of multiple entries. Each entry represents an object in the directory, is identified by a Distinguished Name (DN), and may contain one or more attributes. A typical LDAP store has an entry for users and an entry for groups. The connection between users and groups may be implemented in two different ways:

The mapping between LDAP security objects and base security objects is stored in an XML document that can be processed by the XAI service. As part of setting up your system for LDAP import, you need to define this mapping. The base package comes with a sample mapping file that can be used when your LDAP store is a Microsoft Active Directory Server (ADS). You can use this file as the basis for creating your own mapping file if you are using a different LDAP store (e.g., Novell Directory Server).

Attribute mappings are defined in the XML parameter information file under the LDAPImportAdapter section. Note that the mapping itself resides in an external file that is included in the XML parameter information file.

The XML structure: