MKE integration with LDAP
To control how MKE integrates with LDAP, you create user searches. In the MKE web UI you can define multiple user search configurations and multiple LDAP servers with which to integrate. Each search starts at its Base DN, the Distinguished Name of the node in the LDAP directory tree in which the search looks.
MKE to LDAP synchronization workflow
The following occurs when MKE synchronizes with LDAP:
MKE creates a set of search results by iterating over each of the user search configurations, in an order that you specify.
MKE chooses an LDAP server from the list of domain servers by comparing the Base DN from the user search configuration against each server's domain and selecting the domain server with the longest domain suffix match.
If no domain server has a domain that is a suffix of the Base DN from the search configuration, MKE uses the default domain server.
MKE creates a list of users from the search and creates MKE accounts for each one.
If you select the Just-In-Time User Provisioning option, user accounts are created only when users first log in.
Consider an example with three LDAP domain servers and three user search configurations.
The example LDAP domain servers: [table listing each LDAP domain server name and its domain; the table contents were not preserved in this copy]
The example user search configurations: [table listing the Base DN of each user search configuration; the table contents were not preserved in this copy]
For the first search configuration, the original explanation of which domain server is selected was not preserved.
For the second search configuration, two of the domain servers have a domain that is a suffix of its Base DN, so MKE selects the one with the longer domain suffix.
For the third search configuration, no server with a domain specified has a domain that is a suffix of its Base DN, so MKE uses the default domain server.
Whenever user search results contain username collisions between the domains, MKE uses only the first search result, so the ordering of the user search configurations can matter. For example, if both the first and third user search configurations return a record with the username jane.doe, the first has higher precedence and the record from the third is ignored. It is therefore important to choose a username attribute that is unique for your users across all domains. As a best practice, choose an attribute that is specific to each subsidiary, such as the email address of each user.
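The following Python model, added here as an illustration and not code from MKE or Mirantis, walks through the synchronization workflow and the collision rule above: for each user search it picks the domain server whose domain is the longest suffix of the Base DN (falling back to the default server), then merges results in search order so that the first record for a username wins and later duplicates are reported. The server names, domains, Base DNs and user records are constructed sample data. The matching compares DN components (RDNs) after normalising case and whitespace, which is my assumption about what "suffix match" should mean in practice; it does not handle escaped commas inside RDN values.

```python
"""Model of the MKE-to-LDAP sync workflow: longest-suffix domain server
selection, then first-result-wins merging of user search results.
Added illustration only; not MKE code.  All data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DomainServer:
    name: str
    domain: Optional[str]  # None marks the default domain server


@dataclass(frozen=True)
class UserSearch:
    base_dn: str
    # Constructed stand-in for the records the LDAP search would return.
    results: Tuple[Dict[str, str], ...]


def dn_components(dn: str) -> List[str]:
    """Split a DN into RDNs, normalising case and whitespace.
    Assumes no escaped commas inside RDN values (a simplification)."""
    return [c.strip().lower() for c in dn.split(",") if c.strip()]


def is_dn_suffix(domain: str, base_dn: str) -> bool:
    """True if every RDN of `domain` matches the tail of `base_dn`."""
    d, b = dn_components(domain), dn_components(base_dn)
    return len(d) <= len(b) and b[len(b) - len(d):] == d


def choose_domain_server(base_dn: str, servers: List[DomainServer]) -> DomainServer:
    """Pick the server whose domain is the longest suffix of base_dn,
    or the default server when no domain matches."""
    default = next(s for s in servers if s.domain is None)
    matches = [s for s in servers
               if s.domain is not None and is_dn_suffix(s.domain, base_dn)]
    if not matches:
        return default
    return max(matches, key=lambda s: len(dn_components(s.domain)))


def synchronize(searches: List[UserSearch], servers: List[DomainServer],
                username_attr: str = "uid"):
    """Iterate searches in configured order.  The first record seen for a
    username becomes the MKE account; later ones are recorded as collisions
    (username, losing search number, winning search number) and ignored."""
    accounts: Dict[str, Tuple[str, int, Dict[str, str]]] = {}
    collisions: List[Tuple[str, int, int]] = []
    for search_no, search in enumerate(searches, start=1):
        server = choose_domain_server(search.base_dn, servers)
        for record in search.results:
            username = record[username_attr]
            if username in accounts:
                collisions.append((username, search_no, accounts[username][1]))
                continue
            accounts[username] = (server.name, search_no, record)
    return accounts, collisions


# Constructed example: a default server plus two subsidiary domains, one of
# which is nested under the other so two domains match its search.
SERVERS = [
    DomainServer("ldap-default", None),
    DomainServer("ldap-sub1", "dc=subsidiary1,dc=example,dc=com"),
    DomainServer("ldap-sub2", "dc=subsidiary2,dc=subsidiary1,dc=example,dc=com"),
]

SEARCHES = [
    UserSearch("ou=people,dc=subsidiary1,dc=example,dc=com", (
        {"uid": "jane.doe", "mail": "jane.doe@subsidiary1.example.com"},
        {"uid": "bob.ray", "mail": "bob.ray@subsidiary1.example.com"},
    )),
    UserSearch("ou=people,dc=subsidiary2,dc=subsidiary1,dc=example,dc=com", (
        {"uid": "alice.wu", "mail": "alice.wu@subsidiary2.example.com"},
    )),
    # No configured domain is a suffix of this Base DN: default server.
    UserSearch("ou=people,dc=subsidiary3,dc=example,dc=com", (
        {"uid": "jane.doe", "mail": "jane.doe@subsidiary3.example.com"},
    )),
]


def run_example(username_attr: str = "uid"):
    """Run the constructed example keyed on the given username attribute."""
    return synchronize(SEARCHES, SERVERS, username_attr)


if __name__ == "__main__":
    for attr in ("uid", "mail"):
        accounts, collisions = run_example(attr)
        print(f"username attribute {attr!r}: {len(accounts)} accounts, "
              f"collisions {collisions}")
        for name, (server, no, _) in accounts.items():
            print(f"  {name:<40} search {no} via {server}")
```

Keyed on `uid`, the third search's jane.doe is dropped in favour of the first search's record; keyed on `mail`, all four users get accounts, which is the point of choosing a username attribute that is unique across domains.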