ratclma Absent Member.

Advice on LDAP profiles


Hi,
We have approximately 60,000 users who we want to migrate to SSPR. All
users (who will be part of the password policy) are in a single OU (the
eDirectory acts as an LDAP for our NAM protected B2B portal) which is
also a partition.
While it seems to make sense to have the searchbase set to the user OU
we want to roll out gradually over 6-8 weeks and the plan would be to
make SSPR available via country or countries. Would it be best to set up
the LDAP profile to be an OR LDAP search, adding each country group as we
migrate?
e.g.
Password Policy Profile Match
LDAP Profile default
LDAP group DN cn=country1,ou=groups,o=company

LDAP Profile default
LDAP GROUP DN cn=country2,ou=groups,o=company

etc. etc.

Or would we be better to create a new boolean attribute e.g.
activateSSPR and add the attribute to users as they are migrated
e.g.
Password Policy Profile Match
LDAP Profile default
LDAP Search Filter (activateSSPR=True)
LDAP Base DN ou=users,o=company

Thanks
Mark


--
ratclma

Re: Advice on LDAP profiles

Unless you have a compelling reason to use a new attribute, the existing
attribute would seem to already meet your needs, and using a new attribute
would just mean you're copying what is essentially a group membership into
a boolean indicating they're a member of some group that they already
have, and probably just for this one time (once everybody is activated I
presume you will no longer need this condition).


--
Good luck.


Re: Advice on LDAP profiles

ratclma wrote:

> make SSPR available via country or countries. Would it be best to set up
> the LDAP profile to be an OR LDAP search, adding each country group as we
> migrate.
>
> Or would we be better to create a new boolean attribute e.g.
> activateSSPR and add the attribute to users as they are migrated


With just 60.000 users to search I doubt it makes much of a difference,
provided you have your search attributes properly indexed. I'd go with the
first suggestion, and if you are worried, just set up such a profile and test
server load and client performance. Nothing stops you from switching to the
other model in case you run into issues and save the additional work for when
it turns out to be really necessary.

--
http://www.is4it.de/en/solution/identity-access-management/
ratclma Absent Member.

Re: Advice on LDAP profiles


lhaeger;267997 Wrote:
> ratclma wrote:
>
> > make SSPR available via country or countries. Would it be best to set up
> > the LDAP profile to be an OR LDAP search, adding each country group as we
> > migrate.
> >
> > Or would we be better to create a new boolean attribute e.g.
> > activateSSPR and add the attribute to users as they are migrated
>
> With just 60.000 users to search I doubt it makes much of a difference,
> provided you have your search attributes properly indexed. I'd go with the
> first suggestion, and if you are worried, just set up such a profile and test
> server load and client performance. Nothing stops you from switching to the
> other model in case you run into issues and save the additional work for when
> it turns out to be really necessary.
>
> --
> http://www.is4it.de/en/solution/identity-access-management/

Thanks Lothar and Aaron


--
ratclma
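
Added example, not part of the thread and not SSPR's own code: the two profile-match options from the first post written as LDAP filters, plus a check for users where a copied activateSSPR flag and the country group membership disagree. It assumes the user entries carry a groupMembership attribute; the user entries are constructed sample data and the DN comparison is simplified.

```python
# Added example; the users below are constructed sample data.
ROLLED_OUT_GROUPS = [
    "cn=country1,ou=groups,o=company",
    "cn=country2,ou=groups,o=company",
]
FLAG_FILTER = "(activateSSPR=True)"  # second option, as written in the post

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_or_filter(group_dns, member_attr="groupMembership"):
    """First option as one OR filter; member_attr is an assumption."""
    terms = "".join(f"({member_attr}={escape_filter_value(dn)})" for dn in group_dns)
    return f"(|{terms})"

def norm(dn):
    """Simplified DN comparison: case and spacing only, no escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def matched_by_group(user, group_dns):
    wanted = {norm(dn) for dn in group_dns}
    return any(norm(g) in wanted for g in user.get("groupMembership", []))

def matched_by_flag(user):
    return str(user.get("activateSSPR", "")).upper() == "TRUE"

def drift(users, group_dns):
    """DNs where the flag and the group membership disagree."""
    return sorted(u["dn"] for u in users
                  if matched_by_group(u, group_dns) != matched_by_flag(u))

USERS = [  # constructed entries, not real directory data
    {"dn": "cn=alice,ou=users,o=company", "activateSSPR": "TRUE",
     "groupMembership": ["cn=country1,ou=groups,o=company"]},
    {"dn": "cn=bob,ou=users,o=company",
     "groupMembership": ["cn=country3,ou=groups,o=company"]},
    {"dn": "cn=carol,ou=users,o=company",  # in a migrated group, flag never set
     "groupMembership": ["CN=Country2,OU=Groups,O=Company"]},
    {"dn": "cn=dave,ou=users,o=company", "activateSSPR": "TRUE",  # flag set early
     "groupMembership": ["cn=country3,ou=groups,o=company"]},
]

if __name__ == "__main__":
    print(group_or_filter(ROLLED_OUT_GROUPS))
    print(FLAG_FILTER)
    print(drift(USERS, ROLLED_OUT_GROUPS))
```
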