Note: Integration with Active Directory is available if you are using a standalone IMS appliance.
Active Directory provides an implementation of LDAP directory services.
When a user logs in, IMS first checks its own database and then, if the user is not found there, queries LDAP.
- If a valid record is found in LDAP, IMS creates a permanent user in its own database and flags it as an LDAP user.
- When the user logs in, their password is revalidated against LDAP each time.
- Deleting the LDAP account automatically disables the IMS account.
- Changing the LDAP password automatically updates IMS.
- IMS uses a single low-privilege LDAP account to bind to the directory and perform these functions; this is compatible with Windows 2003 Server.
Additionally, if the user account in LDAP is associated with an Active Directory Group, then it is possible for IMS to connect the user automatically to their equivalent IMS group during the initial login procedure.
The grouping functionality works as follows.
- When an LDAP user logs in, IMS checks the LDAP directory for the LDAP groups that the LDAP user is a member of.
- If the IMS user is in an IMS group that is bound to an LDAP group, then IMS checks that the LDAP user is still a member of the LDAP group.
- If they are, no further action is taken.
- If they are not, then the user is moved out of that group.
- If the user is not now in a group (either because they have never been added to a group, or because they have just been removed), then IMS checks its internal groups for bindings to one of the LDAP groups that the user is a member of.
- If it finds such a group, then the user is moved into it.
- The result of this is that removing a user from a group in Active Directory causes them to be removed from the corresponding IMS group, while adding a user to a group in Active Directory causes them to be added to that group in IMS only if they are not already in another group.
LDAP users added to non-LDAP groups are not affected, and non-LDAP users can be managed within LDAP groups exactly as they can with normal groups.
LDAP IMS users in more than one LDAP IMS group will be automatically added to the first of these specified in the LDAP user's 'memberOf' field. Such users can be manually moved between the groups of which they are members in LDAP, and such changes are not undone.
LDAP IMS users cannot be added to LDAP IMS groups of which they are not a member in Active Directory; they are automatically removed from the group when they next log in.
LDAP IMS users that are not associated with an IMS group are assigned the access rights of the auto user preset.
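The group reconciliation rules above, written out as an added example (not IMS code). It assumes an IMS user holds at most one group, that each IMS group is bound to at most one LDAP group DN, and that the user's 'memberOf' list is passed in directory order; the group names and DNs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ImsUser:
    name: str
    is_ldap: bool            # flagged as an LDAP user at first login
    group: Optional[str]     # assumption: one IMS group per user


# Constructed data: IMS group -> bound LDAP group DN (None = plain IMS group).
IMS_GROUP_BINDINGS: Dict[str, Optional[str]] = {
    "Staff": "CN=Staff,OU=Groups,DC=example,DC=com",
    "Contractors": "CN=Contractors,OU=Groups,DC=example,DC=com",
    "Guests": None,
}


def reconcile_group(user: ImsUser, member_of: List[str],
                    bindings: Dict[str, Optional[str]]) -> Optional[str]:
    """Return the IMS group the user should hold after this login."""
    if not user.is_ldap:
        return user.group                 # non-LDAP users are never touched
    group = user.group
    if group is not None:
        bound_dn = bindings.get(group)
        if bound_dn is None or bound_dn in member_of:
            return group                  # plain IMS group, or still a member: unchanged
        group = None                      # no longer a member in AD: remove from group
    # Groupless: take the first 'memberOf' entry that is bound to an IMS group.
    dn_to_group = {dn: g for g, dn in bindings.items() if dn is not None}
    for dn in member_of:
        if dn in dn_to_group:
            return dn_to_group[dn]
    return None                           # no binding: auto user preset rights apply
```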
