LDAP concerns
There are several concerns specific to all supported LDAP user registries.
- No configuration steps are needed for Security Verify Access to support the password policy of the LDAP server. Security Verify Access does not assume that the LDAP server has its own password policy. Security Verify Access first enforces its own password policy. ISAM attempts to update the password in LDAP only if the provided password meets the requirements of the ISAM password policy.
- Next, Security Verify Access implements the password policy of the LDAP server using the return code that it gets from LDAP during a password-related update.
- If ISAM can map the return code unambiguously to a corresponding error code, then it maps the code and returns an error message.
- To take advantage of the multi-domain support in ISAM, use an LDAP user registry.
- When using an LDAP user registry, the capability to own global sign-on credentials must be explicitly granted to a user. After this capability is granted, it can then be removed.
- Leading and trailing blanks in user names and group names are ignored when using an LDAP user registry in an ISAM secure domain. To ensure consistent processing regardless of the user registry, define user names and group names without leading or trailing blanks.
- Attempting to add a single duplicate user to a group does not produce an error when using an LDAP user registry.
- The ISAM authorization API provides a credential attribute entitlements service. This service is used to retrieve user attributes from a user registry. When this service is used with an LDAP user registry, the retrieved attributes can be string data or binary data.
- Modify Sun Java System Directory Server look-through limit
  When the directory server is installed, the default value is 5000. We can modify this value.
- Microsoft Active Directory Lightweight Directory Service (AD LDS) concerns
  The following concerns are specific to Microsoft Active Directory Lightweight Directory Service (AD LDS).
- Federated registry support
  Consider the following points when we configure federated registry support.
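
For the point above about leading and trailing blanks in user names and group names, the following audit script is an added example (not IBM code): it parses an LDIF export, flags `uid` and `cn` values that carry leading or trailing blanks, and reports names that become identical once the blanks are ignored. The sample LDIF, the choice of attributes and the function names are assumptions made for this illustration.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (not from a real directory). Per RFC 2849, a value
# that starts or ends with a space is base64-encoded and written with "::".
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice

dn: cn=Alice Backup,ou=people,dc=example,dc=com
uid:: YWxpY2Ug

dn: cn=admins,ou=groups,dc=example,dc=com
cn:: IGFkbWlucw==
"""

def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, decoding base64 ("::") values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # unfold an RFC 2849 continuation line
        else:
            lines.append(raw)
    entries, entry = [], defaultdict(list)
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(dict(entry))
                entry = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip(" ")
        entry[attr.lower()].append(value)
    return entries

def audit_names(entries, attrs=("uid", "cn")):
    """Return (padded, collisions): values with blanks, and post-trim clashes."""
    padded, seen = [], defaultdict(set)
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        for attr in attrs:
            for value in e.get(attr, []):
                if value != value.strip(" "):
                    padded.append((dn, attr, value))
                seen[(attr, value.strip(" "))].add(dn)
    return padded, {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

Run `audit_names(parse_ldif(...))` over an export before migrating between registry types; any entry in either result should be renamed without blanks.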